John Colbert's Forensics Guidelines for IT Staff

The IT professional should consider these seven guidelines when requested to conduct a computer investigation or legal discovery request:
1. Ask questions: Inquire as to the nature of the request. The more you know about the investigation, the more effective your fact-finding will be. Ensure that you are fully aware of the intentions of management: What decisions will management need to make based upon your findings? What are the confidentiality concerns? What are the time concerns, and how should time constraints be balanced against the thoroughness of the investigations? How do they want you to report your findings?
2. Document thoroughly: No matter how simple the request from management, write it down, even if you're not sure if you will perform that aspect of work. Recognize that when working for legal counsel, the communications and findings to counsel are usually protected under the attorney-client privilege, which includes your notes and e-mail. However, this privilege may be lost if your chain of command or communication strays from legal counsel.
3. Operate in good faith: Generally, you should follow instructions from management in the course of an investigation. However, it is possible that some investigative actions could be illegal. For instance, reverse hacking or "hack back" tactics could be a violation of law. Seizing or copying the computer of a non-employee third party could also be illegal. It is important to raise such concerns with management should they arise.
4. Don't get in over your head: Investigations are sexy, challenging and fun, but the environment that surrounds them can quickly become unfamiliar and outside your area of expertise. If any of the following conditions are true, or become true during an ongoing investigation, the organization will need to make a crucial determination as to whether to retain a professional computer forensic investigator or contact law enforcement:
- The investigation involves a crime: fraud, theft, hacking, threats, certain types of harassment. It is acceptable, and often good practice, for an organization to be the first responder, but when the commission of a crime is readily apparent, it is advisable to contact law enforcement.
- The investigation will likely result in serious discipline or termination of an employee. It is often advisable to have an outside consultant to provide court testimony or prepare critical investigation reports to be relied upon by senior management or outside auditors.
- The investigation requires that documents are prepared for court or a government investigative body. A legal discovery request may be required for civil lawsuits or during events such as mergers and acquisitions. This also includes requests for information from the Securities Exchange Commission for public companies.
- Large-scale investigations (investigations that cross many different boundaries and people) should be conducted by experienced investigators.
- Worms, viruses and hacks. These problems are usually detected by employees and IT personnel.
- Unauthorized use of applications, software or Internet. These policy infractions are normally associated with minor discipline, though in some circumstances they can result in termination. Be sure to evaluate the discipline level before going forward.
- Unauthorized use of e-mail. These investigations normally originate from a complaint. Be sure to analyze the intent of HR and/or management regarding discipline and remember the points made above.