Most investigations begin with a suspicion. Someone suspects that something has occurred on a computer and wants to determine what it is or what significance it has. Sooner or later, the computer ends up in our laboratory for examination. Whether it’s “sooner” or “later” may have a dramatic impact on the complexity and corresponding cost of the investigation.
Suppose, for example, that you suspect that an employee may be stealing company secrets – intending to work for a competitor. You make a mental list of competitors that might be interested in your intellectual property and set to work to confirm your suspicions.
You search through the internet history visible from within Internet Explorer during the evenings, after they have left work. When you don’t recognize a site, you visit to determine what it is.
You enter the names into the Windows Search box to see if anything comes up and review any document with any results in it.
You browse through folders on your network that contain your files and try and determine if the “Last Accessed” date is later than it should be. You open any document with a “Last Accessed” date later than you expect and print it.
Whether you think you’ve found it or not, you realize you should hire licensed investigators to prepare a legal case and the computer works its way to us.
You explain your suspicions, provide us with a list of competitors and relevant access dates and project names. We begin our investigation.
Almost immediately, we find a slew of relevant data. Indeed, it seems as if everything you’ve suspected is present on the computer! This computer was used to search for your project names, research your competitors, it accessed many sensitive documents on your network – we may have a suspect!
During a conference call with you to report our preliminary findings, you mention that these were all your actions. Here’s the first problem – are they all your accesses? In order to determine that, we need to know when you accessed things and what you did during those times.
You think back and try and recall what you’ve done, but you never made any notes about it – was it you who searched that term on that date?
As you can likely conclude, not only does this complicate the investigation itself, but it can be a nightmare in court. The opposition’s counsel can call into question every unfavorable result as a potential “contamination” by you – rather than unauthorized activity by the employee. With enough ambiguity, even a winning case can be lost to doubt on the jury’s part.
REMEMBER: If possible, do not access a device you intend to have investigated. If you must access it, document the start and end times (according to the computer’s clock) and exactly what actions you’ve taken.