Security Zone: Forensics - don’t hamper the investigation

All too often investigations are compromised by the involvement of a "helpful" IT department, writes Matthew Parker of Ernst & Young. The common mistake is to attempt to perform the investigation yourself without understanding the ramifications of doing so.

Your HR director has just called. Kevin in accounts has been accused of harassment by another member of staff. "We need to do something right away," says the HR manager. Tina who works in operations has alleged that Kevin has been sending her inappropriate e-mails and instant messages. "Never mind about protocol, we need to get the dirt and get rid of him quick."

Even the simple act of booting a PC affects many hundreds of system files on the hard drive, changing their date and time stamps forever. This could hamper the investigation and throw accountability for a lot of the activity on the PC out of the window.

Standard procedure

Upon receiving the call from HR, you should consult your incident response plan to confirm the actions that you should take.

The plan should clearly state that you are required to hold a meeting with key internal personnel to discuss the approach required. You should gather all relevant parties together to discuss how best to manage this incident.

Your legal counsel acknowledges that all employees, including Kevin, have signed the corporate policy stating that they acknowledge their PC activities, including internet, instant messaging and e-mail, can be monitored and reviewed if required. So the policy is in place to allow you to perform an investigation.

Your procedures should ensure that you follow the ACPO (Association of Chief Police Officers) guidelines on handling electronic evidence. This will ensure that, if required, your evidence would stand up in court.

Your HR team and legal counsel should then decide on what to search for. Using the details of the allegations, they can draw up a shortlist of key words, dates, times, and the specific activities that they wish to look for. The forensic investigation can then take place.

For such an incident, following procedures would mean that you cannot wait for an out-of-hours investigation, so the finance team would be asked to leave the office for the afternoon. While they are out, a forensic technician can take a forensically sound copy of Kevin's hard drive, plus a back-up copy. Ensuring finance staff are not present avoids potential claims of harassment. The examiner should also take a copy of Tina's PC and ask you to ensure all server logs are retained in case any further corroborating evidence is required.
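As an added illustration (this code is not from the article or from Ernst & Young), the checks an examiner applies so that the "forensically sound copy" above can be shown to match the original: the source is read once while being hashed, the copy and the back-up are verified against that hash, and an audit-trail record is kept with the image. The in-memory streams, the case id, the device and the examiner name are constructed placeholders; a real acquisition reads the drive through a write blocker with a dedicated imaging tool, which this example does not replace.

```python
import hashlib
import io
import time

CHUNK = 1 << 20  # read the device in 1 MiB blocks

def hash_stream(stream):
    """SHA-256 of everything remaining in a readable binary stream."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def acquire_image(source, image):
    """Copy the source device into the image, hashing the bytes as they are
    read so the original is read exactly once. Returns the source hash."""
    h = hashlib.sha256()
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        image.write(block)
    return h.hexdigest()

def verify_image(source_hash, image):
    """True only if re-hashing the copy reproduces the acquisition hash."""
    return hash_stream(image) == source_hash

def custody_record(case_id, device, examiner, source_hash, image_hash):
    """Audit-trail entry to keep alongside the image and the back-up copy."""
    return {
        "case": case_id, "device": device, "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source_sha256": source_hash, "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }

def run_demo():
    """Constructed walk-through: a 3 MiB in-memory 'drive', one sound copy
    and one copy in which a single byte was altered after acquisition."""
    drive = bytes(range(256)) * (3 * 4096)            # constructed device contents
    source, image = io.BytesIO(drive), io.BytesIO()
    src_hash = acquire_image(source, image)
    image.seek(0)
    sound = verify_image(src_hash, image)              # True: copy matches source
    altered = io.BytesIO(drive[:-1] + b"\x00")        # last byte changed
    sound_altered = verify_image(src_hash, altered)    # False: copy is not trustworthy
    image.seek(0)
    record = custody_record("CASE-ID-PLACEHOLDER", "workstation HDD (placeholder)",
                            "examiner name (placeholder)", src_hash, hash_stream(image))
    return sound, sound_altered, record
```

The same hash is computed again over the back-up copy, and both hashes go into the custody record so that anyone reviewing the evidence later can repeat the check.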

The forensic analysis is then performed to determine whether Kevin had indeed been sending inappropriate e-mails and instant messages to Tina and/or whether he had also been visiting websites that were not allowed by the internet usage policy.

Kevin can then be summoned to the HR director's office and presented with the evidence against him; he will have no option but to accept his dismissal on the grounds of gross misconduct.

Allowing the right people to perform the analysis has saved the company time and potential reputational damage from any embarrassing lawsuits, and ensures that this particular individual exits without recompense.

Of course, this is what you would have done anyway - isn't it?

Matthew Parker, CISSP, is a computer forensic professional and manager at Ernst & Young
