Your IT Service Provider Is NOT a Digital Forensics Examiner

A company can experience numerous situations which may require their company-owned digital assets to be preserved and analyzed. Examples include both internal and external forces, such as:

Internal and External Forces Examples

Internal Investigations

Internal investigations involving human resources, including harassment (both sexual and general), employee misconduct, data or property theft, embezzlement, financial fraud, discrimination, retaliation, workplace violence, and violations of company policy; and a breach of your network resulting in the theft of customer personally identifiable information (PII), protected health information (PHI), and/or proprietary data.

External Investigations

Government investigations may be criminal (targeting the company or individual employees), civil, or involve Qui Tam actions, sometimes initiated by whistleblowers. These investigations may also relate to intellectual property disputes or lawsuits. Such external investigations may require litigation holds on data held on company-owned digital devices such as servers, laptops, cellphones, and email.

These situations are not the time to rely on your in-house IT specialists or contracted third-party IT managed services providers to preserve and analyze digital evidence. Whereas an IT specialist may be well versed and experienced in network engineering, user administration, email settings, and user helpdesk support, they are typically not knowledgeable about the rules of criminal and civil procedure, evidentiary rules, or digital forensic acquisition and analysis, all of which are essential for submitting digital evidence in a court of law.

Sample Scenario

Imagine a situation where, instead of engaging the services of a trained digital forensics examiner, your IT department is tasked with obtaining evidence. For example, suppose you suspect an employee in your finance department of creating fictitious invoices to a company they own in order to embezzle funds. As part of the internal investigation, their company-owned laptop and cell phone are taken by the IT department and stored in an unlocked closet. Company counsel instructs them to review the items for evidence. The IT specialist turns on the laptop, enters the employee’s credentials and starts going through the computer, reviewing files and exporting anything relevant to an external thumb drive the IT specialist attached to the laptop. Similarly, they enter the PIN code on the cell phone and manually start reviewing text messages, apps, video, photographs, etc. The IT specialist also takes screenshots on the phone of anything relevant and sends them to their own phone or email address.

The scenario above is full of missteps. Let’s break them down:

  • No chain of custody was established: The laptop and cell phone were placed in an unlocked closet without any written documentation. There is no record identifying the devices—such as make, model, or serial number—or noting who took control of them. Because the closet was unlocked, multiple individuals could have accessed the devices. And since no identifying information was recorded, there’s no way to confirm that the devices later examined by the IT specialist were the same ones originally stored. Nor can it be definitively stated that the data remained unchanged or that the devices weren’t tampered with.
  • No training: While the IT specialist likely has training and continuing education in information technology, they probably lack formal training, education, and experience in digital forensics. Digital forensics is a specialized field within both the public and private sectors. Examiners in this field are trained to extract evidence from digital devices without altering data—or only minimally—using established forensic protocols. The procedures and processes the digital forensics examiners use enable the evidence recovered to be admissible in court.
  • Data on the laptop and cell phone destroyed: The steps taken by the IT specialist, as outlined above, resulted in the destruction of data on both the laptop and the cell phone. On the laptop, numerous forensic artifacts have been irreparably altered, including, but not limited to, the last login date/time, system shutdown date/time, file dates/times, Windows Event logs, and a host of Windows Registry files. As for the cell phone, its dynamic memory is constantly moving data and overwriting deleted data. Actions such as taking screenshots or sending texts and emails change data on the phone: they add new files (photographs, text messages and emails) which can overwrite deleted ones, and add entries to databases that may have size limits, pushing out older database entries.
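To make the chain-of-custody and integrity points above concrete, here is an added example (written for this page, not Withum's own tooling) of a custody record whose entries capture device identifiers, custodian, time and location, link each entry to the previous one by hash, and check a preserved image against its acquisition hash. The device details, timestamps and image bytes are constructed placeholders.

```python
import hashlib
import json

# Constructed sample values; a real record would hold the actual device identifiers
# and the hash of the full forensic image, not this placeholder byte string.
DEVICE = {"type": "laptop", "make": "ExampleCo", "model": "Model-X", "serial": "SN-CONSTRUCTED-0001"}
IMAGE = b"constructed placeholder standing in for a forensic disk image"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_entry(entry: dict) -> str:
    # Hash every field except the entry's own hash, using a canonical key order
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def start_log(device: dict, image: bytes, custodian: str, ts: str, location: str) -> list:
    """First entry: who took custody of which device, when, where, and the image hash."""
    entry = {"seq": 1, "action": "acquired", "device": device, "custodian": custodian,
             "timestamp": ts, "location": location, "image_sha256": sha256_hex(image),
             "prev_entry_hash": None}
    entry["entry_hash"] = hash_entry(entry)
    return [entry]

def add_entry(log: list, action: str, custodian: str, ts: str, location: str) -> list:
    """Each transfer or examination links back to the previous entry's hash."""
    prev = log[-1]
    entry = {"seq": prev["seq"] + 1, "action": action, "device": prev["device"],
             "custodian": custodian, "timestamp": ts, "location": location,
             "image_sha256": prev["image_sha256"], "prev_entry_hash": prev["entry_hash"]}
    entry["entry_hash"] = hash_entry(entry)
    log.append(entry)
    return log

def verify_log(log: list, image_now: bytes) -> list:
    """Return a list of problems; an empty list means the record and image are intact."""
    problems, prev_hash = [], None
    for i, e in enumerate(log, start=1):
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence gap")
        if e["prev_entry_hash"] != prev_hash:
            problems.append(f"entry {i}: link to previous entry broken")
        if hash_entry(e) != e["entry_hash"]:
            problems.append(f"entry {i}: record edited after it was written")
        prev_hash = e["entry_hash"]
    if log and sha256_hex(image_now) != log[0]["image_sha256"]:
        problems.append("image hash differs from the acquisition hash")
    return problems
```

A record like this answers the questions the scenario could not: which device, who held it, when, and whether the preserved data still matches what was acquired.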

Takeaways

For all the reasons above, it is highly likely that any evidence developed by the IT specialist will not be admissible in criminal or civil proceedings. Opposing counsel would have strong grounds to challenge the evidence, and a judge would likely rule in their favor. Therefore, if your company—or one you represent—needs to preserve company-owned digital devices for an internal or external investigation, do not cut corners by assigning the task to an IT specialist. Instead, have a clear plan in place for conducting internal investigations, including procedures for preserving critical evidence on company-owned digital assets. This task should be conducted by a trained digital forensic examiner, as the risk of altering or destroying data, and thereby spoliating evidence, is too great and exposes the company to possible consequences.

Contact Us

Contact Withum’s Cybersecurity Services Team to ensure your evidence is preserved properly and admissible in court.