Can't our IT person take a look?

A number of organizations still rely on their IT staff to examine computers for misuse but don't provide their staff with any specialized tools and/or training. This is a recipe for disaster.

Disclaimer: I'm not exactly a neutral party in this discussion because I have a financial interest in getting organizations to hire me to perform their examinations. That said, I'm actually supportive of organizations keeping a forensics function in house as long as they do it the right way.

Computer forensics is a highly specialized function and the results of a computer/device examination can have serious consequences including termination and/or arrest depending on the circumstances. It's very important to carry out the examination the right way, and that requires specialized software, training and hardware. If your organization handles a lot of forensic investigations (e.g. one a month or more) it may be best to develop the capability in-house.

Back to the topic at hand: why can't your regular IT staff perform at least a preliminary investigation?

Problem #1: Preservation of Evidence

One of the most important pieces of a computer forensics investigation is preservation of evidence. A trained examiner will take a number of steps to preserve evidence for future litigation; untrained IT staff will not. One of the first steps that a forensic examiner will take is to make an "image" of the target computer using a forensic imaging program and a write blocker. This ensures that the examiner captures all of the data on the drive, including deleted files, and that the copy is a verifiable, exact copy of the original: the source and the image are hashed (e.g. with SHA-256), and matching hashes show the copy is bit-for-bit identical, both now and whenever it is re-checked later. The original is then put away and all analysis is done on the image. A computer technician may instead log directly into the computer or, if you're lucky, attach the drive to his/her own computer and start looking through files. Either way the drive is mounted read/write and the operating system starts modifying it, which can inadvertently change a number of important digital artifacts including:

  • Changing "last accessed times" on files.

  • Changing the "most recent" file lists for applications such as Windows Media Player or Office.

  • Adding images to the Windows thumbnail cache or the Mac OS X "Quick Look" thumbnail cache.

  • Adding other evidence of access to a file where none existed previously.

  • Inadvertently erasing deleted files that would have been recoverable.

  • Adding hidden system files or folders to the drive (e.g. .Trashes, .fseventsd on Mac).

In short, a careless examination can ruin timelines and spoil evidence.
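The acquisition step described above, written out as an added example (this is not code from the original post, and it is not any particular imaging product): the source is streamed into an image file while being hashed, the finished image is re-hashed and compared, and an acquisition log with examiner, exhibit ID, timestamps and hashes is written beside the image. The source path, the examiner name, the exhibit ID and the 1 MiB stand-in "drive" in the demo are all assumptions constructed for the example; a real source would be a block device such as /dev/sdb sitting behind a hardware write blocker, which is what actually keeps the acquisition machine from writing to it.

```python
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-terabyte devices


def _now():
    return datetime.now(timezone.utc).isoformat()


def hash_file(path, block_size=CHUNK):
    """SHA-256 of a file or device, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image_path, examiner, exhibit_id, block_size=CHUNK):
    """Copy `source` to `image_path` byte for byte, hashing the source as it is
    read, then re-hash the finished image and write an acquisition log.

    The source is opened read-only; the hardware write blocker, not this flag,
    is what actually prevents the acquisition machine from touching the drive.
    """
    src_hash = hashlib.sha256()
    unreadable = []
    offset = 0
    started = _now()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError as exc:
                # Unreadable block: record it, pad the image with zeros (what
                # `dd conv=noerror,sync` does) and skip past it so the rest of
                # the device is still captured rather than aborting the image.
                unreadable.append({"offset": offset, "length": block_size, "error": str(exc)})
                chunk = b"\x00" * block_size
                src.seek(offset + block_size)
            if not chunk:
                break
            src_hash.update(chunk)
            dst.write(chunk)
            offset += len(chunk)
    finished = _now()
    image_sha256 = hash_file(image_path, block_size)
    record = {
        "exhibit_id": exhibit_id,
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "started_utc": started,
        "finished_utc": finished,
        "bytes_acquired": offset,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_sha256,
        "unreadable_blocks": unreadable,
        # True only if the image hashes to exactly what was read from the source.
        "verified": image_sha256 == src_hash.hexdigest(),
    }
    with open(image_path + ".log.json", "w") as log:
        json.dump(record, log, indent=2)
    return record


def verify(image_path, expected_sha256):
    """Re-hash an image before analysis or testimony and compare with the hash
    recorded at acquisition; any change, accidental or not, shows up here."""
    return hash_file(image_path) == expected_sha256


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed stand-in for a seized drive: a 1 MiB file of known bytes.
    workdir = tempfile.mkdtemp()
    fake_drive = os.path.join(workdir, "source.bin")
    with open(fake_drive, "wb") as f:
        f.write(bytes(range(256)) * 4096)
    rec = acquire(fake_drive, os.path.join(workdir, "exhibit-001.dd"), "J. Examiner", "EX-001")
    print(json.dumps(rec, indent=2))
```

The log is the start of the chain-of-custody paperwork, not a substitute for it: the examiner still signs for the exhibit, and the recorded hash is what lets anyone, including opposing counsel's expert, confirm years later that the image analyzed is the one that was acquired.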

Problem #2: Interpretation of Evidence

I've learned that a surprising number of investigations either don't implicate the original party or don't pan out at all. To a layperson, the mere existence of contraband images (pornography at work, child pornography anywhere) is enough to establish guilt. A trained examiner, however, will work carefully to establish a timeline for the activity in question and to look for artifacts indicating that one or more users are responsible for the activity.

In one of the first cases that I worked on, the timeline established that the employee we initially suspected (his account and computer were used) was not responsible. He was several hours away when the questionable activity occurred but had not logged out of his computer the previous day. One of my employees (in my IT Director role) came to us from another school district and relayed a story with a very different result. At that district, one of the IT staff discovered that a female teacher had pornography on her computer. The teacher asserted that she knew nothing about it; they believed her and she was not disciplined. A few weeks later law enforcement visited the school because she was suspected of soliciting minors online. It turns out that she may have been using pornography to "groom" minors for sexual activity. A trained forensic examiner might have been able to establish a timeline and evidence of access to the pornographic material, which would have enabled the school to take action before law enforcement showed up.
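The timeline work described under Problem #2, as an added example that is not part of the original post: events from several artifact sources are merged into one ordered timeline, logon/logoff events are paired into sessions, and each file-access event is reported together with the session it fell in (including how long that session had been sitting open) and the last independent evidence of where the account holder physically was. The event sources, the account name "jdoe", the workstation, the badge record and the timestamps are constructed sample data, not real case artifacts; the sources you actually have (event logs, $MFT, proxy logs, badge or VPN records) determine what goes into each list.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    when: datetime   # always UTC; convert each source's clock and correct for skew first
    source: str      # which artifact this came from, e.g. "Security.evtx", "$MFT", "badge system"
    kind: str        # "logon", "logoff", "file_access", "location"
    account: str     # the account (or person) the artifact is tied to
    detail: str


def build_timeline(*sources):
    """Merge events from any number of artifact sources into one ordered list."""
    return sorted((e for src in sources for e in src), key=lambda e: e.when)


def sessions(timeline, account):
    """Pair logon/logoff events for `account` into (start, end) tuples. A session
    that was never logged out of has end=None, which is exactly the case where
    'his account was used' says nothing about who was at the keyboard."""
    out, start = [], None
    for e in timeline:
        if e.account != account:
            continue
        if e.kind == "logon":
            start = e.when
        elif e.kind == "logoff" and start is not None:
            out.append((start, e.when))
            start = None
    if start is not None:
        out.append((start, None))
    return out


def attribute(timeline, account):
    """For each file-access event under `account`, report the session it fell in,
    how long that session had been open, and the most recent location evidence for
    the account holder. It decides nothing; it lays out what the examiner must weigh."""
    sess = sessions(timeline, account)
    findings = []
    for e in timeline:
        if e.kind != "file_access" or e.account != account:
            continue
        active = [s for s in sess if s[0] <= e.when and (s[1] is None or e.when <= s[1])]
        last_loc = max((x for x in timeline
                        if x.kind == "location" and x.account == account and x.when <= e.when),
                       key=lambda x: x.when, default=None)
        findings.append({
            "file": e.detail,
            "at": e.when,
            "session_start": active[0][0] if active else None,
            "session_open_hours": (e.when - active[0][0]).total_seconds() / 3600 if active else None,
            "last_location": last_loc.detail if last_loc else None,
            "minutes_since_location": (e.when - last_loc.when).total_seconds() / 60 if last_loc else None,
        })
    return findings


def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample artifacts (not real case data): an interactive logon that was
# never followed by a logoff, a badge-in at another site the next morning, and a
# file access on the still-logged-in workstation 86 minutes after that badge-in.
SAMPLE_LOGONS = [
    Event(_utc("2014-03-10T08:02:00"), "Security.evtx", "logon", "jdoe", "interactive logon, WS-14"),
]
SAMPLE_FILES = [
    Event(_utc("2014-03-11T10:31:00"), "$MFT", "file_access", "jdoe", r"C:\Users\jdoe\Downloads\img001.jpg"),
]
SAMPLE_BADGE = [
    Event(_utc("2014-03-11T09:05:00"), "badge system", "location", "jdoe", "badge-in, remote campus"),
]

if __name__ == "__main__":
    for finding in attribute(build_timeline(SAMPLE_LOGONS, SAMPLE_FILES, SAMPLE_BADGE), "jdoe"):
        print(finding)
```

Two caveats the code can't remove for you: every source has to be normalized to one clock (a workstation whose clock is off by an hour will put events in the wrong session), and "last location" is only as good as the source that recorded it. The output is a set of facts to explain, not a verdict.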

Problem #3: Litigation

One of the most important pieces of advice that I've heard with respect to digital forensics is to always think about the worst case scenario (usually meaning a trip to court) when starting an investigation/examination. For a criminal investigation, the worst case is that a crime was committed and someone will be charged with that crime. For a misuse/HR investigation, the worst case is that an employee will be terminated and later sue the employer for wrongful termination. Thinking about this in advance enables an examiner to prepare appropriately. Not only will the examiner take care to properly preserve and interpret the evidence, he or she will also document the steps taken and maintain chain of custody for the evidence.

Suppose one of your employees is accused of misuse and that you will need to fire the employee if he or she is guilty. How sure would you want to be that the employee is guilty before making that decision? What would happen if the employee sued for wrongful termination and the judge threw out the evidence showing that the termination was justified because it was poorly preserved, the examination process was not documented, and there was an inadequate chain of custody? If you go to court, will the IT staffer or forensic examiner who examined the computer be able to successfully withstand cross examination? Litigation is risky and often expensive, even for the winner.


In the short term, it is cheaper to have your IT staff just "take a look" but it increases the long-term risk for the organization. Are you willing to risk a six or seven figure judgment a few years from now in order to save a few thousand dollars today? Are you willing to risk firing an innocent person or keeping a guilty one? Ethically and financially, I think it makes more sense to do things right the first time. But, don't take my word for it. Ask your attorneys.

#computerforensics #digitalforensics #evidence
