
Your HR director has just called. Kevin in accounts has been
accused of harassment by another member of staff. "We need to do
something right away," says the HR manager. Tina who works in
operations has alleged that Kevin has been sending her
inappropriate e-mails and instant messages. "Never mind about
protocol, we need to get the dirt and get rid of him
quick."
All too often investigations are compromised by the involvement
of a "helpful" IT department, writes Matthew Parker of Ernst
& Young. The common mistake is to attempt to perform the
investigation yourself without understanding the ramifications of
doing so. Even the simple act of booting a PC affects many hundreds
of system files on the hard drive, changing their date and time
stamp forever. This could hamper the investigation and throw
accountability for a lot of the activity on the PC out of the
window.
Standard procedure
Upon receiving the call from HR, you should consult your
incident response plan to confirm the actions that you should
take.
The plan should clearly state that you are required to hold a
meeting with key internal personnel to discuss the approach
required. You should gather all relevant parties together to
discuss how best to manage this incident.
Your legal counsel acknowledges that all employees, including
Kevin, have signed the corporate policy stating that they
acknowledge their PC activities, including internet, instant
messaging and e-mail, can be monitored and reviewed if required. So
the policy is in place to allow you to perform an
investigation.
Your procedures should ensure that you follow the ACPO
(Association of Chief Police Officers) guidelines on handling
electronic evidence. This will ensure that, if required, your
evidence would stand up in court.
Your HR team and legal counsel should then decide on what to
search for. Using the details of the allegations, they can draw up
a shortlist of key words, dates, times, and the specific activities
that they wish to look for. The forensic investigation can then
take place.
For such an incident, your procedures would determine that you
cannot wait for an out-of-hours investigation, so the finance team
would be asked to leave the office for the afternoon.
While they are out, a forensic technician can take a forensically
sound copy of Kevin's hard drive, and a back-up. Ensuring finance
staff are not present avoids potential claims of harassment. The
examiner should also take a copy of Tina's PC and ask you to ensure
all server logs are retained in case any further corroborating
evidence is required.
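The acquisition step above, as an added example that is not from the article or its author: a Python script that reads the source read-only, takes a working image and a second back-up copy, and records SHA-256 hashes so each copy can later be shown to match the original. The file names, the examiner placeholder and the sample "drive" data are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images stream through

def sha256_of(path: str) -> str:
    """Hash a file in chunks; the file is only ever opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image(source: str, dest: str) -> str:
    """Bit-for-bit copy of source to dest, returning the copy's hash."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return sha256_of(dest)

def acquire(source: str, image_path: str, backup_path: str, examiner: str) -> dict:
    """Image the source twice (working copy and back-up) and write a custody record.
    The acquisition counts as verified only if every copy matches the source hash."""
    source_hash = sha256_of(source)
    hashes = {"source": source_hash,
              "image": image(source, image_path),
              "backup": image(source, backup_path)}
    record = {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashes,
        "verified": all(h == source_hash for h in hashes.values()),
    }
    with open(image_path + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record

def demo() -> dict:
    """Constructed sample: a small random stand-in for a suspect drive, not real data."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect_drive.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))  # odd size exercises the final partial chunk
    return acquire(src, os.path.join(workdir, "suspect_drive.img"),
                   os.path.join(workdir, "suspect_drive.backup.img"),
                   "examiner name (placeholder)")
```

In practice the source would be attached through a hardware write-blocker and the custody record signed or stored separately from the images; the hashes are what let the copies, rather than the original drive, be used for analysis.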
The forensic analysis is then performed to determine whether
Kevin had indeed been sending inappropriate e-mails and instant
messages to Tina and/or whether he had also been visiting websites
that were not allowed by the internet usage policy.
Kevin can then be summoned to the HR director's office and
presented with the evidence against him; he will have no option but
to accept his dismissal on the grounds of gross misconduct.
Allowing the right people to perform the analysis has saved the
company time and potential reputational damage from any
embarrassing lawsuits, and ensures that this particular individual
exits without recompense.
Of course, this is what you would have done anyway - isn't
it?
Matthew Parker, CISSP, is a computer forensic
professional and manager at Ernst & Young