
    Dos and Don'ts of Forensic Computer Investigations

    Written by

    David Coursey
    Published September 15, 2004

      Investigating the contents of someone's system, files and e-mail is a serious thing, not to be taken lightly. IT professionals who are unprepared for the techniques and challenges of conducting a forensic computer investigation can easily ruin the suspect's data and make a case impossible to prosecute. They might even find themselves the subject of an investigation, followed by a lawsuit filed by the target of the original investigation.

      Earlier this week I was talking with John Colbert, president and CEO of Guidance Software, a publisher of tools and provider of professional services used in computer investigations. Colbert is an ex-cop with long experience in computer-related crime who joined Guidance five years ago. Before recently becoming president and CEO, he ran the company's professional services group.

      I learned a great deal from our conversation, and my hope is this series of two columns will keep IT staffers with no investigative experience out of trouble and perhaps inspire some to further study in this fascinating area of computer science.

      Colbert told me the story of a well-meaning IT worker who was hired to investigate a computer as part of a divorce action. Using “standard” techniques, while finding information relevant to the case, the investigator rendered the hard drive inadmissible as evidence and managed to destroy information that might have been deleted but was still recoverable, using proper tools. The IT guy ended up being sued by the person who hired him for bungling the case.

      While this was a divorce case, it might as easily have been an internal corporate investigation that unexpectedly turned up something requiring the attention of law enforcement. There is always the possibility of discovering a criminal act whenever an investigation has begun.

      If you don't know anything about how to do a proper forensic investigation of a computer system, I want to offer one strong word of advice: don't. As in don't even power the machine on or off without the advice of a qualified forensics person. The usual set of IT disk utilities are more than useless in an investigation—they'll actually destroy evidence and may make any evidence discovered inadmissible in court.

      Fortunately, avoiding problems isn't terribly difficult once you are aware they exist. Even a few hours of forensics training can teach an IT staffer how to copy information without altering the original, a necessary step in any investigation.
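      As an added illustration of that "copy without altering the original" step (example code written for this page, not Guidance Software's tooling or anything from the column): it images an evidence file through a read-only handle, hashes source and copy, refuses the image if they differ, and appends a chain-of-custody record that a later re-hash is checked against. The file paths and examiner name are assumed inputs.

```python
"""Added example (not from the column): acquire a byte-for-byte image of an
evidence file read-only, hash source and image, and record the result in a
chain-of-custody log so a later re-hash can prove the copy is unaltered."""
import hashlib
import json
import os
import time

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images do not load into RAM


def sha256_of(path):
    """Hash a file without modifying it (opened read-only, binary)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, log, examiner):
    """Copy `source` to `image`, verify the hashes match, log the event.

    Returns the verified SHA-256 of the image. Raises if the copy differs,
    so a bad acquisition is never silently accepted as evidence."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    img_hash = sha256_of(image)
    if img_hash != src_hash.hexdigest():
        os.remove(image)
        raise RuntimeError("image hash differs from source; acquisition failed")
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "examiner": examiner, "source": source, "image": image,
             "sha256": img_hash, "size": os.path.getsize(image)}
    with open(log, "a") as f:  # append-only custody record, one JSON line per event
        f.write(json.dumps(entry) + "\n")
    return img_hash


def verify(image, log):
    """Re-hash `image` and compare with the hash recorded at acquisition.
    Returns True only if the image is still byte-for-byte identical."""
    with open(log) as f:
        recorded = [json.loads(line) for line in f if line.strip()]
    expected = [e["sha256"] for e in recorded if e["image"] == image]
    return bool(expected) and sha256_of(image) == expected[-1]
```

      On a real drive the source would be a block device behind a hardware write-blocker; the same hash-and-log discipline applies.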

      Colbert and I talked about this for more than an hour. We covered so much ground that I realized my notes didn't really capture the information I wanted to present. So I asked him to create a set of bullet points that could help an IT staff stay out of trouble.

      In response, Colbert sent me a document outlining seven guidelines and seven practices for IT staffs faced with the need for an investigation. In this column, I'll present the guidelines.

      John Colbert's Forensics Guidelines for IT Staff

      The IT professional should consider these seven guidelines when requested to conduct a computer investigation or legal discovery request:

      1. Ask questions: Inquire as to the nature of the request. The more you know about the investigation, the more effective your fact-finding will be. Ensure that you are fully aware of the intentions of management: What decisions will management need to make based upon your findings? What are the confidentiality concerns? What are the time concerns, and how should time constraints be balanced against the thoroughness of the investigations? How do they want you to report your findings?

      2. Document thoroughly: No matter how simple the request from management, write it down—even if you're not sure if you will perform that aspect of the work. Recognize that when working for legal counsel, the communications and findings to counsel are usually protected under the attorney-client privilege, which includes your notes and e-mail. However, this privilege may be lost if your chain of command or communication strays from legal counsel.

      3. Operate in good faith: Generally, you should follow instructions from management in the course of an investigation. However, it is possible that some investigative actions could be illegal. For instance, reverse hacking or “hack back” tactics could be a violation of law. Seizing or copying the computer of a non-employee third party could also be illegal. It is important to raise such concerns with management should they arise.

      4. Don't get in over your head: Investigations are sexy, challenging and fun, but the environment that surrounds them can quickly become unfamiliar and outside your area of expertise. If any of the following conditions are true—or become true during an ongoing investigation—the organization will need to make a crucial determination as to whether to retain a professional computer forensic investigator or contact law enforcement:

      • The investigation involves a crime. Fraud, theft, hacking, threats, certain types of harassment. It is acceptable—and often good practice—for an organization to be the first responder, but when the commission of a crime is readily apparent, it is advisable to contact law enforcement.
      • The investigation will likely result in serious discipline or termination of an employee. It is often advisable to have an outside consultant to provide court testimony or prepare critical investigation reports to be relied upon by senior management or outside auditors.
      • The investigation requires that documents are prepared for court or a government investigative body. A legal discovery request may be required for civil lawsuits or during events such as mergers and acquisitions. This also includes requests for information from the Securities Exchange Commission for public companies.
      • Large-scale investigations—investigations that cross many different boundaries, and people—should be conducted by experienced investigators.

      5. Make the decision to investigate: Before moving any further forward, you should consider that an investigation of an employee should involve your HR department. They are experts on employee law and can be very helpful. Rest assured they would be very interested. If you are now comfortable that you can go forward in good faith, then do so. Here are a few situations that you may encounter:

      • Worms, viruses and hacks. These problems are usually detected by employees and IT personnel.
      • Unauthorized use of applications, software or Internet. These policy infractions are normally associated with minor discipline, though, in some circumstances they can result in termination. Be sure to evaluate the discipline level before going forward.
      • Unauthorized use of e-mail. These investigations normally originate from a complaint. Be sure to analyze the intent of HR and/or management regarding discipline and remember the points made above.

      6. Treat everything as confidential: Regardless of who knows—or the rumors that surface—keep all information confidential and only disclose the information to those who need to know.

      7. File it: Keep your documentation and file it. It's a good idea to have the information maintained by HR or legal, but be sure to file it in an organized manner regardless.

      Those are the seven guidelines created by Colbert to help IT managers and staffs stay out of trouble when asked to conduct an investigation. In my next column I'll share Colbert's seven best practices for novice (and not-so-novice) sleuths.

      David Coursey
      One of technology's most recognized bylines, David Coursey is Special Correspondent for eWeek.com, where he writes a daily Blog (blog.ziffdavis.com/coursey) and twice-weekly column. He is also Editor/Publisher of the Technology Insights newsletter and President of DCC, Inc., a professional services and consulting firm. Former Executive Editor of ZDNet AnchorDesk, Coursey has also been Executive Producer of a number of industry conferences, including DEMO, Showcase, and Digital Living Room. Coursey's columns have been quoted by both Bill Gates and Steve Jobs and he has appeared on ABC News Nightline, CNN, CBS News, and other broadcasts as an expert on computing and the Internet. He has also written for InfoWorld, USA Today, PC World, Computerworld, and a number of other publications. His Web site is www.coursey.com.