March 6, 2015
Digital Forensics for Private & Corporate Investigators
We’ve recently received a few inquiries from our partners in
private investigations asking about the services we offer, our capabilities
insofar as mobile forensic data extraction and other related services. It dawned on me that the potential for
private investigators to utilize a trained digital forensic examiner is huge
and mostly untapped. Further, there are
areas of corporate investigations that Human Resources and IT staff can utilize
digital forensics to help bolster their cases of company violations of acceptable
computer/mobile device usage, intellectual property theft and internal
information security breaches. So for
the benefit of colleagues working in those industries, we’ll detail some cases
in which our digital forensic expertise can help you & your clients and, in
many cases, close the door to potential civil liability.
Background
For legal reasons I won’t bore my readers with, when I left
law enforcement, I immediately became a certified Private Investigator. As such, I also belong to a statewide group
of Private Investigators who meet every other month to exchange ideas, tactics,
expertise, knowledge, etc. And while I
don’t own or operate a Private Investigations firm, the overlap of digital
forensics into Private Investigations is something that I felt should be
embraced and marketed toward. However
(and at the risk that some of my colleagues in the group will read this), I
will note that many of my contemporaries in Private Investigations are older,
retired former law enforcement. Some of
them have been retired for 20 years or more, long before the advent of main stream
digital forensics, especially in the private sector. This article is not specifically for them,
but for all private investigators who feel their cases may be lacking in real,
solid evidence to help their clients.
Another repeated theme in this blog is the noted differences
between information technology (IT) and digital forensics. As part of this article, my hope is also to
get IT and Human Resource personnel in corporate environments thinking about
how a trained, experienced digital forensic practitioner can really help them
in the unfortunate event they have an employee who violates one or more of several
policies. Frankly, calling in a digital
forensic examiner will likely be the best decision you make to help “cover your
ass” from potential litigation following an incident.
Digital Forensics for Private Investigators
There are many different types of private
investigators. To be sure, the
networking group I belong to has corporate private investigators who work for
larger law firms all the way down to the ‘lone wolf’ private investigator who conducts
hours of surveillance on cheating spouses, insurance fraud suspects and other
miscellaneous misanthropes. In the end,
their jobs all boil down to one thing: clients and/or corporations are paying
the private investigators to perform work that the police either won’t do or
can’t do because of any number of limitations.
So if the police routinely use digital forensics in their
investigations, why shouldn’t private investigators do the same?
Of course, I know the answer is cost. However, there are many things that motivate
clients. Fear, money, revenge, power and
plain ole ego are just a few. The level
of desperation and/or motivation in your client will dictate how much money
they are willing to spend to help prove (or disprove) their case. For example, if a wife suspects her husband
of cheating and she stands to gain a large sum of money through potential
divorce proceedings, there could be a ton of usable, verifiable data on her
husband’s old cell phone that could help prove the case. Text messages, pictures, email, video, web
history, voicemail – all of these are potentially recoverable artifacts If the client stands to gain thousands (or
millions) of dollars in the divorce, the cost of $1000-1500 for a digital
forensic exam on the old phone could be a proverbial drop in the bucket
compared to the potential benefit. What’s
more, when the data is extracted properly & reported, it can’t be
manipulated. It is what it is, right
there in black-and-white. That old phone
that was thrown in a desk drawer now becomes the key evidence in your divorce
case.
Decidedly less “seedy” is the potential for digital
forensics to help in other civil law cases like texting-while-driving and
distracted driving personal injury cases.
Most smart phones contain a feature (or more than one) to catalog all of
the activity on the device. When a private
investigator is hired by a law firm to investigate a personal injury case where
the accusation is the responsible party was texting while driving, the proper
extraction & analysis of the data on the phone will show all activity leading
up to and right around the time of the accident. In the totality of circumstances, this can
add value to the attorney’s case and force a cleaner settlement faster. Again, the cost for these services could be
negligible compared to the overall scope of the law suit.
I’ve seen over time that the biggest challenge for a private
digital forensic practitioners is to get potential clients, such as attorneys
and private investigators, into the mindset of simply thinking about digital
evidence and how it can help add value to their cases. These examples are just a few, but they
represent a huge contingent of private investigations.
Digital Forensics in Corporate Investigations
Perhaps even more ubiquitous in the overall scope of work in
America is the potential for employee violations of varying degree while at
work. It’s a tried and true concept
that, as a business owner, your employees will account for the majority of your
theft, data liability and loss. This is
true for the clerk at 7-11 all the way up to the Administrative Assistant to
the President of Acme Company with 25 years of service. Indeed, I’ve seen embezzlement happen within
law enforcement agencies, so no industry is immune.
But the fact remains that no company can function adequately
in 2015 without technology. Whether you’re
a small one or two-man operation or a huge multinational bank, technology makes
business easier and saves us time, but it also creates another potential area
for loss. It also gives employees
another outlet to waste company time, which is yet another form of loss. So how can digital forensics help? No company wants to fire their
employees. But there will come a time when,
as a business owner, corporate investigator and/or human resource practitioner,
you will have to discipline and/or terminate one or more employees because of
inappropriate activity or behavior. The
biggest fear when this happens is civil liability – “If I fire this person,
will they sue me civilly?”
I suggest the answer lies in your early and appropriate use of
a trained digital forensic expert. As a
brief side note, you may think your IT person has these skills & abilities,
but I can assure you most of them do not (see previous article on selecting a
Digital Forensic Examiner here: http://prodigital4n6.blogspot.com/2015/02/selecting-competent-digital-forensic.html)
For example, if you work in human resources or corporate
investigations for First National Bank and you get an internet activity report
that one of your employees in the call center has bypassed the web filters and
is looking at pornography while at work, that’s an obvious violation of acceptable
use policy. But how do you investigate
and prove that? If there is any
potential (and there is always a potential) for civil liability, a
trained digital forensic examiner can be called in to seize the evidence,
examine the evidence, report the evidence and help solidify your case for
suspension and/or termination. This
evidence is vital to helping to close the door on potential litigation and it
bears repeating – there is ALWAYS a potential for litigation for wrongful
suspension, termination, etc. It doesn’t
matter if you’re a multi-national corporation or a small LLC, you have to take
the appropriate steps to make sure you are covered when and if you get served
with civil suit papers. Conversely, if
your company has been served with a lawsuit which claims some sort of damage
related to use of electronic devices, a digital forensic examiner can be called
in to help determine if any liability exists and to what extent.
Most data security breaches also happen from the inside, not
from external hackers as we often see in the media. Whether intentional or not, the potential for
an employee to plug a malware-laden USB thumb drive into your system, thus
affecting the entire network, is real and happens quite often. Once the malware, worm or other virus-like
program spreads its way through your network, there’s no telling what type of
data loss could occur before detection.
Once these incidents are discovered, it’s important to find out where
they originated because 1) the origination date, time & location helps
determine how much loss is associated with your data breach and 2) it helps
prevent further breaches from the same source.
If the attack was intentional and perhaps caused by a disgruntled
employee, there could be legal (criminal & civil) implications as
well. In cases like this, I can’t stress
enough the importance for a digital forensic expert to be called immediately. It’s very much like first-aid for your
corporate network – the network has been “injured”, now you need to call an
ambulance (i.e., a digital forensic examiner). To be frank, IT staff may find
out about the breach and be able to tell you some things about how the breach
affected the network, but they aren’t generally equipped to handle digital
evidence, examine data and testify in official proceedings.
Wouldn’t it give you some real peace-of-mind to know the
digital evidence of these types of incidents is right there in the employee
file? If litigation should take place,
even years later, when your attorney shows the opposing party the signed acceptable
use policy and the digital evidence, backed by an experienced, trained digital
forensic examiner, your suit will virtually melt away. Again, the data doesn’t lie.
Conclusions
The examples listed here are just a few among the dozens of
areas where a digital forensic examiner can help both private investigators and
corporate representatives in companies of any size. The key is to get in the right mindset
from the start. There will almost
always be a moment where you, as the investigator, jilted spouse, human
resource professional, IT representative or corporate investigator are shocked
at what you’ve discovered. Once that
initial shock wears off, that is the time to start thinking about what to do
next. One of your first thoughts should
be to do what is necessary to secure the evidence you need to take appropriate
action and call a professional to handle that evidence. From there, it’s up to the proper selection
of the people you want and need to help in your case.
I hate clichés, but sometimes clichés are cliché for a
reason… And it’s very true that an ounce of prevention is worth a pound of
cure. Contact us to find out how we can
help you get closer to your pound of cure.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Web: www.ProDigital4n6.comTwitter: ProDigital4n6
