Use of Computer
Forensics in Workplace Investigations
Computer
forensics services provide an extremely valuable tool in conducting
workplace investigations into employee misconduct. Computer forensics are
used in investigations relating to sexual harassment, trade-secret
violations, intellectual property rights, violation of company policy, and
poor work performance. For example, in February of 2000, Northwest Airlines
searched flight attendant's home computers and obtained e-mails showing
that the workers had coordinated an illegal sick-out.
When
disciplining staff for misconduct, employers increasingly have to deal with
issues that involve evidence from computers, networks, and other devices
such as PDAs. In order to best handle these
issues, employers need to use forensically sound procedures for retrieval
of information and have policies in place to cope with the current
technology.
What Can A Computer Forensic Expert Find?
Employees
often believe that simply because they clicked "delete" they have
actually permanently deleted a file or e-mail. In reality, this is not the
case. If the employer is using an exchange server, the deleted information
may be recoverable on the server. Even on a personal computer, simply
clicking "delete" does not erase all information. The information
is simply moved to the recycle bin, and, after that is emptied, is stored
in the computer's memory.
Specialized
forensic software allows investigators to retrieve data that an employee
believes he or she has deleted or erased. The software allows the
investigator to make a bit- by- bit copy of the data and then analyze it.
Forensic software can narrow the search to terms that are unique to the
specific situation. For instance, an investigator can search for the word
"adult" and come up with all files with that word, including, possibly,
pornographic images downloaded from the Internet. It will also locate
drafts of documents, back-up files, and auto-saves. Graphic files can also
be identified and copied. Forensic investigators can even identify attempts
to hide files.
In
addition to recovering deleted data, forensic software also allows
investigators to obtain critical information from non-deleted intact files.
Digital evidence in intact files includes such information as the creation
date, when the file was last accessed and by whom, the number of times the
file was edited, for how long and by whom, and even the revisions that were
made.
Time
and date stamps are often critical to an investigation allowing the
employer to pinpoint when alleged misconduct took place and to verify
witness accounts. Time and date stamps can be recovered and reviewed using
forensic software. Furthermore, print spooler files, with time and date of
print jobs, can be reviewed.
Of
increasing importance is the ability of computer forensic experts to recover
web history and web cookies. Web cookies will show a history of Internet
usage and sometimes maintain permanent information. Time and date of
Internet sites accessed can be compiled.
Critical
to the success of computer forensic investigations is to gain access to the
relevant media as quickly as possible in order to preserve it. Some
evidence will remain on the computer for years while other will disappear
rapidly.
What to Look for in a Computer Forensics Expert
When
looking to hire a computer forensics service for a workplace investigation,
it is important to consider the possible course the investigation might
take, including the possibility of litigation and trial. The expert chosen
must be well versed in both the nuances of computer forensics and the
proper handling of evidence.
According
to Mike Graham, Vice -President of Advantura, LLC
(www.advantura.com), an accredited expert in computer forensics, it is
important to use a firm whose forensic investigator has been accredited as
an expert witness and has significant experience testifying in both state
and federal court. The forensic expert should conduct the investigation in
such a manner as to preserve its evidentiary value for trial.
It
is also helpful to have an expert who has received training in law
enforcement techniques and manners of preservation in the event that the
workplace investigation needs to be passed on to law enforcement as a
potential criminal manner. For instance, personnel at Advantura,
LLC have provided forensic services for criminal cases where a special
master has requested an outside expert. Advantura
personnel also use EnCase as their primary
forensic tool. EnCase is used by law enforcement
personnel to recover data from cds, hard drives,
Palm PDAs and so forth.
If
the case may head to litigation, computer forensic experts should be able
to assist counsel in assessing discovery requests and extracting
information relevant to litigation. Qualified experts with extensive
litigation experience should be able to provide support in identifying the
most practical means of producing what can be a mountain of information.
Furthermore, computer forensic experts can provide assistance in drafting
discovery requests, conducting on-site examinations of the opposing party's
computer system, evaluating the sufficiency of the opposing party's efforts
in producing responsive documents, and preparing for the deposition of the
opposing party's computer expert or internal information technology
specialist.
How Employer Policies Can Help
It
is important that employers have policies regarding the use of electronic
media. Properly drafted employer policies regarding the use of electronic
media will eliminate any assertion of privacy by the employee in the
retrieval of information.
Employers
should have policies that inform the employee that any form of electronic
communication is company property and not intended for personal use. The
policy should state that any electronic information created by an employee
using any means of electronic communication remains company property and
that the use of personal passwords does not change the ownership of the
information. The policy should state that the company will override
personal passwords if necessary for any reason. It should further state that
the company reserves the right at its discretion to monitor, access and
review electronic files, messages, communications, mail and digital
archives to make sure that there is no misuse or violation of company
policy or of any law.
Repeated
notice to employees of any electronic communication policy is preferred.
Moreover, a signed and dated acknowledgment that the employee has reviewed
the policy should be obtained.
Conclusion
With
the growing desire to use computer forensics in workplace investigations,
employers should be advised as to the benefits of such use, how to choose
an expert, and how to implement and enforce policies regarding the use of
electronic media.
|
