It’s a fair question. You might think something has happened on an electronic device, and maybe it’s something really dodgy. So why not just go ahead and look at it and see if you’re right? Maybe get your IT staff to do it if you’re a bit unsure? I mean, once you confirm your suspicion that Mary in Accounts has been ordering Oreos for her elevenses using the company accounts can’t you just decide to do something about it then?
There are a few problems with the “jump right in and see what we’re dealing with” approach.
Firstly, if it does turn out to be the case that Mary has been channeling her inner crime lord, you’ve just trampled all over the crime scene and given her some “reasonable doubt” that her legal people will happily use in her defence. Just by wandering in and poking around you will have altered data, added and deleted files, updated timestamps etc. Most of the time this will be happening without you knowing it.
Secondly, you have now placed yourself front and centre in any future investigation. All your actions will need to be explained in any legal proceedings. This will be necessary to mitigate against the efforts of Mary’s defence team as they accuse you of interfering with evidence in what they will paint as your blatant attempt to set her up. You always had it in for her since she wouldn’t share her Fig Rolls with you that one time, right? You’ll find yourself making statements to investigators and possibly sitting in a witness box being cross-examined in front of a crowd. Ask anyone who has been in that situation before and you’ll quickly confirm that it’s a hard place to be. It’s difficult enough for those who really know their evidence inside out, but can be excruciating for those trying to explain actions they took based on little understanding.
Thirdly, the chances are you will miss the important stuff if you just have a nose around in the file system. Most of the interesting stuff is hidden from view, in system files and on the disk drive marked for deletion. There are places you just can’t see without using forensic tools. Unless Mary has left a smoking gun in her “My Documents” folder, you’re likely to miss the good stuff.
So, what can forensics do for you?
The answer to this one is quite broad. Anything from just securing potential evidence, right up to a securing it and analysing every last piece of data on the device (or devices). The most important part is to secure the evidence. A forensics expert can obtain a forensic image of the device(s) and at that point the evidence is secure. From there you can decide how far you need to go in investigating. The forensic image can now be used to investigate, generate activity reports, for eDiscovery, to extract data etc. Whatever you decide you need to do, you are in the right starting place. The original suspect device can be put securely away in a safe and any further action is taken with the forensic image rather than the original device.
The important thing is that you have the foundation in place for whatever action it turns out you need to take when things become clearer, as they usually do over time. You’re not putting yourself in that uncomfortable witness box, and if Mary has indeed been committing snacks crimes you have the best possible chance of stopping her in her tracks!
Next time out: I’ve asked a forensics bod to do some work for me. What should I expect back from them?
Colm Gallagher is the head of CommSec’s forensics business division.