Computer forensics - a vital tool in workplace investigations

Workplace investigations can detect the source of lost funds, identify employee misconduct and possible culprits, as well as help recover losses.  They are usually undertaken when there is alleged employee misconduct, or a rumor of something amiss comes to the attention of the employer which requires action. Investigations must be undertaken in a fair and reasonable manner without bias.

Investigations into employee misconduct can cause significant problems.  They can also be expensive, time-consuming and disruptive to organisational morale.  Investigations which are not conducted in an ethical and transparent manner, with the utmost care and confidentiality, can lead to a number of legal issues and other unexpected complications.  Well-done workplace investigations can provide a solid defence to legal challenges raised by dismissed or disgruntled employees.

In most workplaces, serious misconduct such as fraud, harassment, violations of company policy, theft of intellectual property and the use of proprietary information for personal gain involves the use of electronic devices.

Collecting digital evidence

The collection of digital evidence is one of the most important initial steps in an investigation, and it is important for employers to understand at least the basics of securing data.  Having a reputable computer forensic investigator involved in the early stages of an investigation can avoid jeopardising the data and the outcome, and reduce problems further down the track.

As electronic data within a business is forever changing it is imperative that steps to secure the data are taken in a timely manner as soon as a situation becomes apparent.  While data is often recoverable there are no guarantees that it won't be overwritten as time goes on.

Computer forensics, which includes identifying, preserving, validating and analysing electronic data, is commonly used in these investigations.

Once the devices relevant to the investigation are identified, the data is preserved by creating a read-only forensic image, or 'clone', of the electronic media to a standard that any evidence obtained from them would be admissible in Court.  Possible devices include servers, cloud storage, computers, phones, tablets, iPads, portable hard drives, thumb drives and DVDs.

A forensic image is an exact 'bit-by-bit' copy of the entire contents of the original storage media, performed with write-blocking equipment to ensure the data is not altered in any way.  It copies the contents of all of the unused areas on the hard disk as well as the areas that currently contain data.  The unused areas often contain data that has been deleted by a user but still resides on the device, which is important to capture.

As part of a correct forensic process, a hash value, or 'digital fingerprint', of the acquired media is generated using a hash algorithm.  Both the original device and the resulting digital image are analysed to generate matching source and target hash values.  With the use of the digital fingerprints, any tampering or manipulation of the cloned data is readily detectable.

Backup copies or ghost images, as often generated by an IT person, are not a true forensic image.  While these backups are critically important to perform for the purpose of data recovery, they only contain current data that the user can 'see'.
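The difference between a forensic image and a backup, and the source/target hash check described above, shown as an added example that is not part of the original article. A constructed four-sector 'disk' held in memory stands in for real media, SHA-256 is an assumed choice of hash algorithm, write-blocking is not modelled, and all function and file names are hypothetical.

```python
import hashlib
import io

SECTOR = 512
LIVE = b"budget.xlsx: current contents"            # constructed sample data
DELETED = b"client-list.csv: deleted by the user"  # constructed sample data

def sha256_stream(stream, chunk_size=4096):
    """Hash a device or image stream in chunks, as needed for large media."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def build_disk():
    """Constructed disk: sector 1 holds a live file, sector 3 holds deleted data."""
    disk = bytearray(SECTOR * 4)
    disk[SECTOR:SECTOR + len(LIVE)] = LIVE
    disk[3 * SECTOR:3 * SECTOR + len(DELETED)] = DELETED
    allocation = {"budget.xlsx": 1}  # only files the user can still 'see'
    return bytes(disk), allocation

def forensic_image(disk):
    """Bit-by-bit copy: every sector, whether allocated or unused."""
    return bytes(disk)

def logical_backup(disk, allocation):
    """Backup-style copy: only the sectors that belong to current files."""
    return b"".join(disk[s * SECTOR:(s + 1) * SECTOR] for s in allocation.values())

def verify(source, target):
    """Compare source and target hash values; True means they match."""
    return sha256_stream(io.BytesIO(source)) == sha256_stream(io.BytesIO(target))

def run_demo():
    disk, allocation = build_disk()
    image = forensic_image(disk)
    backup = logical_backup(disk, allocation)
    altered = bytearray(image)
    altered[3 * SECTOR] ^= 0x01  # a single flipped bit in the copy
    return {
        "image_verified": verify(disk, image),
        "altered_image_verified": verify(disk, bytes(altered)),
        "deleted_data_in_image": DELETED in image,
        "deleted_data_in_backup": DELETED in backup,
        "backup_matches_source": verify(disk, backup),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
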


Email correspondence is a major tool in the workplace and is an important part of electronic evidence.  When an individual sends an email, a retrievable copy is most likely stored in more than one device or location.  These include computers/laptops (work and/or home), tablets, mobile phones, workplace servers and the emailer's hosting server such as Gmail and Hotmail.  Computer forensics can be utilised to extract existing emails and potentially to retrieve deleted emails.

Collection of data

Once data is secured a computer forensic investigator utilises software tools to analyse and extract data relevant to the investigation.  The recovery of data includes the retrieval of documents, images, emails, chat logs, social media and internet usage history, call logs, text messages and contacts.  Data can be collected about when documents were created, altered or deleted as well as any devices which have been connected to a computer/laptop.

The information that is retrieved by the use of computer forensics could make the difference between a successful and unsuccessful workplace investigation.

Beyond the financial damage and risk to a business' reputation, responding to instances of workplace misconduct draws on critical resources, particularly management, and impacts the business' culture, so it is imperative that a prompt and professional investigation is performed.

McDonald Vague can assist with workplace investigations.  If you or a client are concerned about possible employee misconduct please contact McDonald Vague.


McDonald Vague works closely with Tina Payne, Computer Forensic Investigator.  Tina authored this article.


