March 14,
2017
Digital Forensic Discussion: So You Fired An Associate
Every
company at every level has had to perform the unenviable task of forcefully
off-boarding an associate or employee.
Usually, this is initiated by management and executed by Human
Resources. Somewhere in this process,
the associate is informed of the decision, sometimes placed on suspension
pending adjudication and often terminated when the final decision is made. It is at that point when company property,
such as computers and cell phones, is often collected from the newly-former
employee and generally recycled to be used by a successor or other company
representative.
Terminations
can be executed for a variety of reasons.
Violations of non-compete clauses, intellectual property theft, gross
violation of company policy or breach of contract are just a few reasons why a
company may decide they no longer need the services of an associate. However, several crucial elements should
enter into this timeline of events, particularly surrounding the collection,
preservation and use of company electronic devices.
Timing is Crucial
When an
internal investigation is conducted, corporate and/or H.R. representatives
often don’t have the luxury of acquiring the company’s assigned digital devices
as part of the investigation prior to suspension or termination. This
makes the timing of collection of these items crucial. If you wait too long, valuable information
could be destroyed. If you collect too
soon, the subject of the inquiry could be tipped off about what is going on and
that could jeopardize the integrity of the investigation. So when should you acquire the company’s
digital assets for analysis? We suggest doing
it at the time the target of the investigation is made aware that they are
being investigated, which is generally at the time of initial suspension. Unless union or other policy dictates targets
be made aware of the investigation as soon as it is initiated, there is no
better time than notification to the target that you have compiled enough
information to act upon to seize the digital devices.
After the
devices have been collected, they should be locked away in a safe place with
limited access until a digital forensic expert -- not information technology
staff -- can be called, consulted and respond as appropriate. Cell phones should be placed in airplane mode
and disconnected from all networks immediately.
The question has been asked, why not
use IT staff, they know all about the computers, right? Suppose the person whom you have been
investigating and are potentially going to terminate works in the IT
department. You would then be putting their
friends and/or co-workers in a difficult position taking part in an
investigation against their soon-to-be-former co-worker. Beyond that, most IT staff do not have the requisite
training and experience in forensic data acquisition and analysis. It is analogous to consulting a general practice
urgent care doctor to treat your cancer.
A specialist is recommended always for best results.
What Does the
Forensicator Need to Know?
Digital
forensic investigation and analysis is not unlike standard types of investigation
in that we need to know the facts.
Helpful information such as:
- Who is the target of the investigation and were they the only ones with access to the device(s)?
- What devices are relevant and what data might we be looking for?
- Where have the devices been in use before they were re-possessed and where have they been since
- When is the time frame of any suspected/alleged malfeasance
- How did they access the data on the devices? Passcodes to mobile devices and passwords for any encrypted hard drives and/or mobile devices are very important
- Why do you think evidence exists to support the allegation?
Whenever
possible, human resources, management and IT staff should refrain from “fishing”
through devices to find evidence to support the investigation. It’s understandable that investigations like
this can sometimes be salacious and everyone is curious to find out what was
going on, but this violates the integrity of the evidence and opens the door to
claims of unfair treatment in its various forms as the case progresses.
Information
is important for a few different reasons.
First, detailed information helps us develop a strategy for the analysis
that will best serve finding the truth in the case. Second, it helps us whittle down the facts of
the case and only spend time looking for what is relevant. Finally, providing your digital forensic
consultant detailed information will save the company money and time in the
long run.
Why is All of This
Necessary?
Why do you
need to keep appropriate timing & collection of company devices always in
mind? Why do you need to call an outside
forensic consultant to conduct the analysis & forensic investigation? Because in our litigious society, when
someone is terminated from a company – be it a large, medium or small company –
it is the corporation’s responsibility to prepare
for the worst and hope for the best.
By that we mean, always approach the case as if it will go to
litigation. Litigation will require discovery,
production of documentation, depositions and yes, forensic data analysis in a
legally defensible manner. You cannot
assume the terminated associate will simply find a new job and go away. Even if they find a new job, there is no
guarantee they won’t file suit. Always
remember, anyone can sue anyone else for anything. It’s the American way. So as remaining corporate representatives, it
is your responsibility to prepare for the eventuality that you’ll have to
defend the company’s position. The data
on the corporate digital devices doesn’t lie, so what better position to be in as
a company than to have the digital forensic ace-in-the-hole when and if the
case comes to litigation?
Author:
Patrick J.
Siewert
Principal
Consultant
Professional
Digital Forensic Consulting, LLC
Virginia
DCJS #11-14869
Based in
Richmond, Virginia
Available
Globally
We Find the Truth for a
Living!
Computer Forensics -- Mobile Forensics -- Specialized
Investigation
About the Author:
Patrick Siewert is the Principal
Consultant of Pro Digital Forensic Consulting, based in Richmond,
Virginia. In 15 years of law
enforcement, he investigated hundreds of high-tech crimes, incorporating
digital forensics into the investigations, and was responsible for
investigating some of the highest jury and plea bargain child exploitation
investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the
Reid School of Interview & Interrogation and multiple online investigation
schools (among others). He continues to hone his digital forensic expertise in
the private sector while growing his consulting & investigation business
marketed toward litigators, professional investigators and corporations, while
keeping in touch with the public safety community as a Law Enforcement
Instructor.
