Computer Forensics Deserve A Place In Your Human Resource Toolkit

June 2008

Library Sections:

• Expert Testimony
• Damages Analysis
• Investigations and Forensic Accounting
• Computer Forensics / Electronic Discovery
• Sarbanes-Oxley and Nonprofit Whistleblower Solutions
• Valuations and Appraisals
• Financial Reporting
• Tax Advice and News
• Other Current Events and Economic Commentary
• Interactive Tools and Personal Financial Advice

Computers contain evidence useful in many human resource circumstances. Allegations of discrimination, sexual harassment, and unfair discharge are serious threats that are better understood by knowing what an employee did. Since computers are such a pervasive part of most employees’ work lives, analysis of data stored on these computers helps address these issues. Human resource and/or legal department investigations are incomplete without computerized information.

Benefits of using computerized data

Computers record massive amounts of information about user activities that are useful, if not determinative, in employee investigations. Both applications and the operating system record relevant information, sometimes in more than one location. Because of this, computer forensics can trace the steps used by a misbehaving or dishonest employee to provide you the evidence needed for fair and resolute decisions. Typically, the issues involve:

1. Whether a departing employee has honored his obligations to keep confidential and proprietary information from his next employer (e.g., theft of trade secrets). In most cases, the stolen information is stored on computers, with computers used to initiate the theft.
2. Whether an employee suspected of not performing his work, or performing other conduct not allowed under company policies, is guilty of your suspicions.

Much of this evidence is difficult to eliminate. A computer user that wishes to cover his tracks can clear some of this information, but some subjects are careless, unsophisticated, and/or surprised by your investigation. However, even crafty and sophisticated people will have trouble eliminating everything. Even the act of eliminating information will leave tracks.

What you can find on your employee’s computer hard disk

When dealing with those crafty and determined people that think they can cover their tracks, the “magic” of computer forensics is well worth its cost. A forensic image of a disk is a “bit level” copy. It includes all information on the disc regardless of whether the computer operating system recognizes the data as an existing file. In most investigations, here is the type of information you will receive:

1. Deleted files (or portions thereof) that remain on the disk because subsequent activity has not yet overwritten them.
2. A listing of deleted file names, even if the files themselves cannot be recovered. This is useful in showing use of unauthorized programs, or files with suspicious names.
3. Internet sites visited, regardless of the browser settings or deletion of the browser history. This information is stored in hidden system files, parts of the Windows registry, and as remnants of web addresses that remain in “unoccupied” file space.
4. Information and graphics from internet sites visited (we often find images that are clearly against almost every company’s policies).
5. The existence of suspicious applications, or the fact that they were used. Examples of troubling applications are those used to transmit files, communicate with unauthorized remote computers, prevent data recovery, crack passwords, encrypt files, or perform computer hacking.
6. Information remaining in swap files, page files and other temporary Windows files. These files generally show what the user was working on recently, even if not otherwise saved.
7. Information contained in hidden and password protected files from just about any well-known file type.

Although perhaps obvious, an investigator can sort and search computerized text and numeric data. This allows the investigator to find information rapidly, using key word searches.

Balancing employee morale with the need for employee monitoring

Employee monitoring requires striking a balance between identifying inappropriate employee conduct, and not going overboard to the point where employee morale of productive employees is hurt. For example, there are a number of spyware programs that an employer can install on each employee’s computer, and which will automatically send reports to a central source/supervisor. These programs can record all details of computer use, including:

1. Website activity, including specific websites visited, and when
2. Emails sent & received
3. Instant messenger conversations
4. Application usage, including the amount of time for each
5. Print jobs executed
6. Recording all keystrokes, including passwords

Employers have good reason for such monitoring. Most studies of employee conduct show that more than a fifth of available work time is spent on personal shopping & correspondence, social networking, and reviewing internet sites that is contrary to company policy.

As a general rule, employers may review their employees’ e-mail messages and other communications, provided that the employer provides sufficient notice that there is no expectation of privacy in using the company’s systems. Before any routine monitoring occurs, ensure that your personnel policies (i) communicate expectations regarding the lack of employee privacy when using company computers and electronic systems, and (ii) warn that the employer can monitor activities that use company-owned equipment. Your policies should also include a statement regarding a code of conduct or acceptable use policy with respect to the company’s systems. Employees should confirm their knowledge of these policies, preferably in writing. Most companies already do this as part of their overall HR practices.

However, just because continual monitoring is legal does not mean that it is a good idea. Depending upon the software used and how tech-savvy any employee is, spyware may be detected by employees. Employers will generally have an uncomfortable time explaining to a larger employee group why widespread monitoring is occurring.

Spyware is rarely a cultural fit with any employer that encourages trust, empowerment, independence, or creativity. For this reason, it is generally a better idea to limit monitoring to circumstances where concerns already exist regarding productivity, security, or safety. Where a specific concern exists, investigations of individual employees will likely cause fewer problems.

Best practices for employee investigations and data preservation

Because of the morale issues caused by routine use of spyware, computer forensics provides a more targeted and less offensive solution. Employers should obtain an image of computer disks and other storage media in the following situations:

1. To investigate a potential termination for an underperforming employee as part of your proactive HR decisions - Evidence found through the computerized information can confirm suspicions or provide explanations that explain the need for disciplinary action.
2. To document conduct of an employee departing because of claimed discrimination, constructive discharge, or claimed employer misconduct.
3. To memorialize for future investigation the activities of any key employee or sales person leaving to work for a competitor.

When associated with a departing employee, the disk image should be created before the computer is given to another employee. Through routine ongoing use by the next employee, the integrity of the evidence from the former employee will be compromised. Alternatively, the disk from the departing employee’s computer can be removed, and a replacement disk placed in the computer for the next employee.

Do not confront the suspect until you have considered covert options. Once an employee is aware of your suspicions, significant electronic information can be deleted or altered by the suspect. Although “deleted” information may be recoverable, do not take that chance. By acting before the suspect makes attempted erasures, covert investigation provides a greater opportunity to collect irrefutable evidence, at an overall lower cost.

Electronic evidence must be handled properly to be usable

Finding the “smoking gun” will be of little value if you fail to establish that the data was not tampered with or otherwise corrupted. Electronic evidence is fragile, and can be easily altered or erased without proper handling. Specialized computer forensic software and hardware addresses these issues by ensuring that the subject’s computer is not altered in any way during the evidence acquisition process.

The process of data collection should address:

1. Even when data may be easy to retrieve (e.g., files that remain intact, recycle bins, browser history and temporary files), you still need to be able to prove that the subject is the one responsible for the evidence. All files opened before evidence is cataloged show an access date/time that proves someone other than the subject employee had access to the files. Without use of the right tools and procedures, it is difficult to establish that the suspect employee was responsible for whatever you find.
2. The mere act of turning on a computer, looking at directories and opening files will cause the operating system to write information on the hard drive, thus overwriting information that might otherwise be useful. For example, merely booting the subject computer in a Windows environment will alter critical date stamps, erase temporary data, and cause hundreds of writes to the drive.
3. Deleted (but not yet overwritten), disguised, or hidden information is easily overlooked. Some of this information is stored in normally inaccessible areas of the hard drive.

To prove that no data has been altered, a hash signature or “digital fingerprint” is used. The fingerprint is created using an algorithm which calculates a value based on the exact contents of the drive that was imaged. If any data on the image changes, even something as little as the addition of a single keystroke or changing the case of a single character, the electronic signature changes. Although not the only algorithm, the most common is called MD5 (Message-Digest algorithm 5). The signature from an MD5 algorithm is a 128-bit hash value. There are so many possible combinations that there is no practical chance of having a duplicate or “collision” when all 32 digits are used. This provides irrefutable evidence that the data is not altered.

What Will This Cost and What Reports Will I Receive?

The cost of properly collecting and analyzing this evidence is miniscule compared to what your company is already paying for such incidents. When done properly, computer forensics generates significant savings.

When our work is performed in Fulcrum’s offices, the labor charges for creating a forensic image and performing an initial battery of recovery and processing tasks currently costs around $1,000 per disk (varies slightly based on the type and size of disk). The image includes evidence documentation, preservation, and related storage. For this fixed cost, we generate a report that identifies:

1. Websites visited(Including the date of the most recent visit)
2. Web cookies
3. Website Favorites
4. Files downloaded
5. List of most recently accessed files
6. Instant Messaging friends list
7. Instant Messaging chat histories if available
8. Installed Software (This allows identification of suspicious software that is not normally part of what the employer provides to its employees
9. A list of graphic files that remain on the computer (e.g., porn-related files)

For additional cost, we can tailor our search and analysis to meet your specific needs. If you want to do inspections of certain information yourself, we will send you the relevant files.

Disk imaging is most cost effectively performed in our forensic lab. This requires that the subject hard drive be unplugged from the computer and sent to us, or that the entire computer be delivered to our office. If a disk image is to be gathered after-work hours at your location as part of a covert investigation, then the cost will be substantially greater. The additional cost is for travel time and waiting time while the entire disk is captured. Imaging time depends on the size and speed of the disk we are imaging. Generally, a 250GB disk will take several hours to image. Larger drives are proportionately more time consuming.

Fulcrum Inquiry performs computer forensics, electronic discovery, and forensic accounting. We are regularly involved in trade secret theft cases.