Correct procedure for computer forensics

Alan Neilson’s blog posted an article on security policy enforcement. What should be the management’s behavior if an employee is suspected of wrongdoing? According to the post, “there may be several forms of evidence available to a firm, which can exist in many locations within a computer system, or even an external storage device such as a CD or Zip drive.”

The quest to secure reliable evidence is not only based on ensuring a conviction of an employee, but also on protecting the firm against a civil claim of wrongful dismissal. A hasty dismissal of an employee would be unwise: the firm will not know his modus operandi, his passwords, and once the employee knows that his actions have been discovered, he may be able to trigger the deletion of all evidence. By contrast, if the firm employs surveillance techniques (by using Trojans or key loggers, for example) then the firm can discover the employee’s modus operandi and passwords.

The next stage involves the gathering of evidence, which can be stored in numerous places, and the firm must be aware of this possibility.

Manual searches may not be particularly useful, because stolen documents may have had their filenames changed and their file types altered. Where forensic software is employed, however, it is the structure of the file itself that is searched, rather than its name or extension, and this may prove fruitful for the firm.
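As an added illustration of the point above (example code written for this page, not a product or tool of the blog's authors), the script below identifies files by their content signature, the well-known "magic bytes" each format starts with, and reports files whose extension claims something other than what the bytes show. The sample files, their names and their contents are constructed in memory; the signature table holds public format constants only.

```python
# Added example: detect files whose content does not match their extension.
# Signatures are public format headers; sample files are constructed below.
from typing import Dict, List, Optional, Tuple

# (signature bytes, offset within file, label)
SIGNATURES: List[Tuple[bytes, int, str]] = [
    (b"%PDF-", 0, "pdf"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"PK\x03\x04", 0, "zip"),                              # also docx/xlsx/pptx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "ole2"),       # legacy .doc/.xls
    (b"\x7fELF", 0, "elf"),
    (b"MZ", 0, "pe"),                                       # Windows executables/DLLs
]

# Which content labels an extension may legitimately carry.
EXTENSION_LABELS: Dict[str, set] = {
    "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
    "doc": {"ole2"}, "xls": {"ole2"}, "exe": {"pe"}, "dll": {"pe"},
}


def identify(data: bytes) -> Optional[str]:
    """Return the format label whose signature matches the data, else None."""
    for sig, offset, label in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return label
    return None


def find_disguised(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (filename, extension, detected_label) for each file whose
    content signature is not one the extension is allowed to carry."""
    hits = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        detected = identify(data)
        if detected is None:
            continue  # unknown content: nothing to compare the extension against
        if detected not in EXTENSION_LABELS.get(ext, set()):
            hits.append((name, ext, detected))
    return hits


# Constructed sample files: two have been renamed to hide what they are.
SAMPLE_FILES: Dict[str, bytes] = {
    "quarterly_figures.txt": b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n",   # PDF renamed to .txt
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",            # genuine JPEG
    "memo.docx": b"PK\x03\x04\x14\x00\x00\x00",                     # genuine Office container
    "notes.txt": b"plain text, nothing to see",                    # no known signature
    "installer.dat": b"MZ\x90\x00\x03\x00\x00\x00",                # executable renamed to .dat
}

if __name__ == "__main__":
    for name, ext, label in find_disguised(SAMPLE_FILES):
        print(f"{name}: extension .{ext} but content looks like {label}")
```

A name or extension is free to change; the header bytes a reader needs to open the file are not, which is why a forensic search keyed on structure survives the renaming that defeats a manual search.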

The evidence may not be on the computer at all: it may be on the firm’s server if it was sent by e-mail. This can prove an excellent source of evidence because of a common misconception that e-mail messages are impermanent. In fact, it is more difficult to remove e-mail than most believe, and on most systems, permanently deleting e-mail is a complex process.

When evidence has been obtained, the firm must undertake a certain procedure to ensure that the evidence is made suitable for use in court. This involves tagging the evidence, bagging it, logging it, copying it and finally securing it.
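The tag, bag, log, copy and secure steps above can be carried out and checked in code. The script below is an added example written for this page (not part of the original post or of any tool it mentions): it hashes the original before anything touches it, makes a working copy, confirms the copy hashes identically, locks the copy read-only, and appends a custody record to a log that is only ever appended to. The evidence content, tag "EV-0001" and examiner name are constructed for the demonstration.

```python
# Added example: tag, copy, verify, secure and log an evidence file so a later
# examiner can show the working copy is a faithful copy of the original.
# Evidence content, tag and examiner name below are constructed for the demo.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_custody(log_path: str, entry: dict) -> None:
    """Append one JSON line per custody event; the log is never rewritten."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")


def tag_and_copy(original: str, evidence_dir: str, tag: str,
                 handler: str, log_path: str) -> dict:
    """Tag the item, copy it, verify the copy's hash, lock the copy and log it."""
    os.makedirs(evidence_dir, exist_ok=True)
    original_hash = sha256_of(original)            # hash BEFORE anything touches it
    copy_path = os.path.join(evidence_dir, tag + ".copy")
    shutil.copy2(original, copy_path)              # copy2 preserves timestamps
    copy_hash = sha256_of(copy_path)
    if copy_hash != original_hash:
        raise RuntimeError("copy does not match original; acquisition failed")
    os.chmod(copy_path, 0o444)                     # examiners work on a read-only copy
    record = {
        "tag": tag,
        "handler": handler,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "original_path": original,
        "copy_path": copy_path,
        "sha256": original_hash,
        "size_bytes": os.path.getsize(original),
    }
    log_custody(log_path, record)
    return record


def still_intact(record: dict, path_key: str) -> bool:
    """True if the file named by record[path_key] still hashes to the logged value."""
    return sha256_of(record[path_key]) == record["sha256"]


def demo() -> dict:
    """Run the procedure end to end in a temporary directory and report the outcome."""
    root = tempfile.mkdtemp(prefix="custody_demo_")
    try:
        original = os.path.join(root, "mailbox_export.eml")
        with open(original, "wb") as fh:           # constructed sample evidence
            fh.write(b"From: staff@example.invalid\r\nSubject: price list\r\n\r\nattached\r\n")
        log_path = os.path.join(root, "custody.jsonl")
        record = tag_and_copy(original, os.path.join(root, "evidence"),
                              "EV-0001", "examiner-a", log_path)
        copy_ok = still_intact(record, "copy_path")
        # Simulate the original changing after acquisition; the logged hash
        # makes that detectable, which is why the copy and hash come first.
        with open(original, "ab") as fh:
            fh.write(b"\r\nedited later\r\n")
        original_ok = still_intact(record, "original_path")
        with open(log_path, encoding="utf-8") as fh:
            entries = [json.loads(line) for line in fh]
        return {
            "copy_intact": copy_ok,
            "original_intact": original_ok,
            "logged_tag": entries[0]["tag"],
            "hash_length": len(record["sha256"]),
        }
    finally:
        for dirpath, _, names in os.walk(root):    # undo read-only so cleanup works
            for name in names:
                os.chmod(os.path.join(dirpath, name), 0o644)
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The hash recorded at acquisition time is what ties the working copy back to the original; any later change to either file, deliberate or accidental, no longer matches the logged value, and the append-only log records who handled the item and when.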

If a firm adopts such an approach to computer forensics where an employee is suspected of acting illegally, then it maximises its chance of securing a conviction of the employee, and protects itself against the possibility of an unfair dismissal claim.

To make a deep inspection into employees’ files, you can use specific security software. FindProtected is an effective security solution that allows you to enforce an intelligent data security policy across the organization. With FindProtected, you can properly identify protected files and relocate them if necessary.

This blog is run by the authors of FindProtected.
