The background:
Mary from Accounts, having fallen under suspicion for her snack purchases, has been responsible for kicking off a major internal investigation in your company. It looks like she may have misused her company laptop and muddied the line between corporate and personal spending. So you’ve had the forensics people in, and they’ve taken a forensic image of her company PC.
The gathering:
There are a couple of ways they might have done this. In the olden days, 3 or 4 years ago, they might have come in under cover of darkness, popped the drive out of her computer and imaged it in an hour or two before carefully putting everything back in place – hoping that she hasn’t outsmarted them by leaving a strategically placed hair that will alert her to the intrusion when she finds it has been moved. Mary is a big fan of Arthur Conan Doyle’s writings.
Anyway, now that technology has moved on, those forensics people will more likely have simply reached across the corporate network and pulled out a bit-by-bit image of her hard disk drive and RAM, with no way for her to detect it. They probably even did it as she was sitting at her desk. Now the game’s afoot!
The preservation:
At this point your investigation is on solid ground. The evidence has been secured and that’s the most important part of the investigation. Without the evidence, the investigation is dead in the water. If it was gathered in a non-forensic way, you’re probably looking at the same result. The bottom line – if the integrity of the data can’t be guaranteed, it will have a big target on its back in any future litigation and could be deemed completely inadmissible.
In this case, we’ve legally secured a proper “will stand up in court” forensic image. Phew! Now you have options. You may want to simply preserve the evidence for now, pending decisions being taken elsewhere on how to proceed. If that’s the case, you should receive the original device(s) back from the forensic expert, along with forensic images of those devices and a report detailing actions taken with them such as how they were forensically imaged, how their integrity can be verified by an independent expert, and chain of custody while they were out of your possession. This might be as far as you need to go in cases where the possibility of litigation has been flagged (but not yet confirmed) and preservation of evidence is the only action required of you at the moment.
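One way an independent expert might carry out the integrity check mentioned above, as an added example that is not from the article or CommSec: it hashes the image in chunks, compares the digests with those recorded in the acquisition report, and appends the outcome to a custody log. The function names, the JSON-lines log format and the sample-image helper are assumptions; in practice the expected digests are copied from the acquisition report.

```python
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never has to fit in RAM

def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at `path`, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, expected):
    """Compare freshly computed digests with those from the acquisition report.
    `expected` is {algorithm: hex digest}; case differences in hex are ignored.
    Returns (all_match, {algorithm: matched})."""
    actual = hash_image(path, tuple(expected))
    results = {name: actual[name].lower() == expected[name].lower() for name in expected}
    return all(results.values()), results

def record_check(log_path, image_path, examiner, ok, results):
    """Append one JSON line to a custody log so the verification is itself evidenced."""
    entry = {"when": datetime.now(timezone.utc).isoformat(), "image": image_path,
             "examiner": examiner, "verified": ok, "results": results}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def make_sample_image(path, size=3 * CHUNK + 17):
    """Write a constructed stand-in image (deterministic bytes, not real evidence)."""
    with open(path, "wb") as f:
        f.write(bytes(range(256)) * (size // 256) + b"\x00" * (size % 256))
    return path

if __name__ == "__main__":
    image = make_sample_image("constructed_sample.dd")
    report_digests = hash_image(image)        # stands in for the acquisition report
    ok, detail = verify_image(image, report_digests)
    print(record_check("constructed_custody.log", image, "examiner (constructed)", ok, detail))
```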
The investigation:
So, let’s say that HR, Legal, DPO et al have decided that Mary’s actions vis-à-vis biscuits and company accounts warrant a full-on investigation. In that case you will want the forensic image you obtained earlier to be fully investigated. Your forensic expert can do this now that the forensic image has been secured. They will examine a copy of the forensic image rather than the original device. They can load that disk image into their forensic examination suite and examine files, extract web history, search for keywords, show timelines, recover deleted documents and much more. From this they will provide you with copies of all the relevant data they were able to extract, plus a comprehensive forensics report outlining their actions and detailing their findings. Their report should speak to several audiences. There should be an executive summary for those who don’t want to be overwhelmed with technical minutiae, as well as full technical detail provided in a format which can withstand independent verification. The report provided to you should be of sufficient quality to ultimately stand up in any court.
The path to best value:
The chances are that your forensic investigator is not an expert in your business. This is particularly the case where your investigator is not in-house. In a simple case it may be that you can task the investigator with checking for the existence of some particular activity. No problem, it’s either there or it’s not. But in a more complex enquiry it will be of enormous benefit to your organisation if you engage fully with the investigator. Appoint a knowledgeable single point of contact who can assist the investigator with context. Someone who knows the policies, procedures, and general practices in your organisation will be able to greatly assist the investigator in focusing on what is relevant.
The upshot:
So, from a preservation-only engagement you should see a forensic image with a report covering its provenance. From a full investigation, you should get that plus a full investigation report which is ready for board, IT, and court.
For best results, stay engaged.
Colm Gallagher is the head of CommSec’s forensics business practice.