Investigating the contents of someone's system, files and e-mail is a serious thing, not to be taken lightly. IT professionals who are unprepared for the techniques and challenges of conducting a forensic computer investigation can easily ruin the suspect's data and make a case impossible to prosecute. They might even find themselves the subject of an investigation, followed by a lawsuit filed by the target of the original investigation.
Earlier this week I was talking with John Colbert, president and CEO of Guidance Software, a publisher of tools and provider of professional services used in computer investigations. Colbert is an ex-cop with long experience in computer-related crime who joined Guidance five years ago. Before recently becoming president and CEO, he ran the company's professional services group.
I learned a great deal from our conversation, and my hope is that this two-column series will keep IT staffers with no investigative experience out of trouble and perhaps inspire some to further study in this fascinating area of computer science.
Colbert told me the story of a well-meaning IT worker who was hired to investigate a computer as part of a divorce action. Using “standard” techniques, while finding information relevant to the case, the investigator rendered the hard drive inadmissible as evidence and managed to destroy information that might have been deleted but was still recoverable, using proper tools. The IT guy ended up being sued by the person who hired him for bungling the case.
While this was a divorce case, it might as easily have been an internal corporate investigation that unexpectedly turned up something requiring the attention of law enforcement. There is always the possibility of discovering a criminal act whenever an investigation has begun.
If you don't know anything about how to do a proper forensic investigation of a computer system, I want to offer one strong word of advice: don't. As in, don't even power the machine on or off without the advice of a qualified forensics person. The usual set of IT disk utilities is more than useless in an investigation—they'll actually destroy evidence and may make any evidence discovered inadmissible in court.
Fortunately, avoiding problems isn't terribly difficult once you are aware they exist. Even a few hours of forensics training can teach an IT staffer how to copy information without altering the original, a necessary step in any investigation.
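As an added illustration (my own code, not the column's or Guidance Software's), here is the software side of "copying without altering the original": hash the source before and after the copy, hash the image, and append a custody record so the verification is documented. The paths, examiner name and sample file are constructed placeholders; a hardware write-blocker, not this script, is what actually protects the original media.

```python
import hashlib, json, shutil, tempfile, time
from pathlib import Path

CHUNK = 1 << 20  # hash and copy in 1 MiB blocks so large images stream


def sha256_of(path: Path) -> str:
    """Hash a file without modifying it (opened read-only)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: Path, image: Path, log: Path, examiner: str) -> dict:
    """Copy `source` to `image`, prove original and copy are intact, append a
    custody record. Software discipline only; a write-blocker guards the media."""
    before = sha256_of(source)
    mtime_before = source.stat().st_mtime_ns
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    record = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,  # placeholder value in the demo
        "source": str(source),
        "image": str(image),
        "sha256_source_before": before,
        "sha256_source_after": sha256_of(source),  # original untouched?
        "sha256_image": sha256_of(image),          # copy bit-for-bit?
        "source_mtime_unchanged": source.stat().st_mtime_ns == mtime_before,
    }
    record["verified"] = (before == record["sha256_source_after"] == record["sha256_image"]
                          and record["source_mtime_unchanged"])
    with open(log, "a", encoding="utf-8") as f:  # append-only, one JSON line per event
        f.write(json.dumps(record) + "\n")
    return record


def still_matches(record: dict) -> bool:
    """Re-verify later (before analysis or testimony) that the image is unchanged."""
    return sha256_of(Path(record["image"])) == record["sha256_image"]


def demo() -> dict:
    """Constructed sample: a fake mailbox file in a temp dir, not real evidence."""
    work = Path(tempfile.mkdtemp())
    source = work / "mailbox.pst"
    source.write_bytes(b"header" + bytes(range(256)) * 64 + b"deleted-but-recoverable")
    return acquire(source, work / "mailbox.img", work / "custody.jsonl", "examiner (placeholder)")
```

Note that merely reading a file can update its access timestamp on many filesystems, which is one more reason the original is imaged behind a write-blocker rather than copied from a live, mounted disk.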
Colbert and I talked about this for more than an hour. We covered so much ground that I realized my notes didn't really capture the information I wanted to present. So I asked him to create a set of bullet points that could help an IT staff stay out of trouble.
In response, Colbert sent me a document outlining seven guidelines and seven practices for IT staffs faced with the need for an investigation. In this column, I'll present the guidelines.
John Colbert's Forensics Guidelines for IT Staff
The IT professional should consider these seven guidelines when requested to conduct a computer investigation or legal discovery request:
1. Ask questions: Inquire as to the nature of the request. The more you know about the investigation, the more effective your fact-finding will be. Ensure that you are fully aware of the intentions of management: What decisions will management need to make based upon your findings? What are the confidentiality concerns? What are the time concerns, and how should time constraints be balanced against the thoroughness of the investigations? How do they want you to report your findings?
2. Document thoroughly: No matter how simple the request from management, write it down—even if you're not sure whether you will perform that aspect of the work. Recognize that when working for legal counsel, the communications and findings to counsel are usually protected under the attorney-client privilege, which includes your notes and e-mail. However, this privilege may be lost if your chain of command or communication strays from legal counsel.
3. Operate in good faith: Generally, you should follow instructions from management in the course of an investigation. However, it is possible that some investigative actions could be illegal. For instance, reverse hacking or “hack back” tactics could be a violation of law. Seizing or copying the computer of a non-employee third party could also be illegal. It is important to raise such concerns with management should they arise.
4. Don't get in over your head: Investigations are sexy, challenging and fun, but the environment that surrounds them can quickly become unfamiliar and outside your area of expertise. If any of the following conditions are true—or become true during an ongoing investigation—the organization will need to make a crucial determination as to whether to retain a professional computer forensic investigator or contact law enforcement:
- The investigation involves a crime. Fraud, theft, hacking, threats, certain types of harassment. It is acceptable—and often good practice—for an organization to be the first responder, but when the commission of a crime is readily apparent, it is advisable to contact law enforcement.
- The investigation will likely result in serious discipline or termination of an employee. It is often advisable to have an outside consultant to provide court testimony or prepare critical investigation reports to be relied upon by senior management or outside auditors.
- The investigation requires that documents are prepared for court or a government investigative body. A legal discovery request may be required for civil lawsuits or during events such as mergers and acquisitions. This also includes requests for information from the Securities and Exchange Commission for public companies.
- Large-scale investigations—investigations that cross many different boundaries, and people—should be conducted by experienced investigators.
5. Make the decision to investigate: Before moving any further forward, you should consider that an investigation of an employee should involve your HR department. They are experts on employee law and can be very helpful. Rest assured they would be very interested. If you are now comfortable that you can go forward in good faith, then do so. Here are a few situations that you may encounter:
- Worms, viruses and hacks. These problems are usually detected by employees and IT personnel.
- Unauthorized use of applications, software or Internet. These policy infractions are normally associated with minor discipline, though, in some circumstances they can result in termination. Be sure to evaluate the discipline level before going forward.
- Unauthorized use of e-mail. These investigations normally originate from a complaint. Be sure to analyze the intent of HR and/or management regarding discipline and remember the points made above.
6. Treat everything as confidential: Regardless of who knows—or the rumors that surface—keep all information confidential and only disclose the information to those who need to know.
7. File it: Keep your documentation and file it. It's a good idea to have the information maintained by HR or legal, but be sure to file it in an organized manner regardless.
Those are the seven guidelines created by Colbert to help IT managers and staffs stay out of trouble when asked to conduct an investigation. In my next column I'll share Colbert's seven best practices for novice (and not-so-novice) sleuths.