Computer Forensics / Electronic Discovery

Care And Expertise Are Needed When Evaluating Electronic Evidence

January 2007
Library Sections:

Computer forensics can be used to determine whether an employee violated company policies. In making these determinations, one must be careful to understand and interpret alternative explanations of what has occurred. Failure to do so can result in false accusations and related claims of wrongful termination.

For example, during a recent examination, we recovered approximately 50 low-resolution pornographic images from an employee’s hard drive. At first glance, it appeared that the employee violated our client’s computer usage policy. Further analysis, however, led us to conclude otherwise.

In order to determine whether an employee has intentionally visited pornographic websites, it is important to establish patterns of use. A person who frequents such sites would usually have remnants of hundreds, if not thousands, of images on their hard drive. In contrast, a small number of offending images can occur as follows:

  1. Web pop-ups can redirect a person to a site without the user realizing the nature of the destination. An accidental browse could place a small number of undesired images or other remnants on a computer. Consequently, a few inappropriate images are not sufficient to establish intent or patterns of use.

  2. Viruses called hijackers can redirect traffic to adult websites. These viruses might also change a user’s homepage to an adult site or cause periodic pop-up ads. The existence of relevant virus protection software can help evaluate whether such culprits are involved.

To determine intent, a complete examination should include information other than the pictures themselves. The examination should also include:

  1.  The computer’s registry. The registry stores URLs and search terms even if the user cleared the internet history. In the example cited above, there was no evidence that the employee typed in either inappropriate search terms or an adult-oriented URL. His internet history was intact from before the time the images were downloaded, indicating there was no effort to cover his tracks. His browsing history included only one site that appeared to be adult-oriented. The most likely culprit was an accidental redirect from another page.

  2. The size (resolution) of the images.  Most websites show low-resolution (aka thumbnail) images for faster downloading. The presence of both a high-resolution picture and the related thumbnail likely indicates that the user clicked on a thumbnail to see a larger picture, thus establishing intent.

  3. The location of the files. Inappropriate files found outside the normal internet history folders likely demonstrate intentional activity.

  4. The date of the files. Many companies do not completely wipe information from a computer before reassigning it to a new employee. If this happens, inappropriate content may have been present when the employee acquired the computer.

  5. Whether more than one person has access to a particular computer. Care must be taken when trying to identify the individual who downloaded the inappropriate content. Forensic analysis can help determine which users performed which actions on a computer, although pattern of use determinations become more difficult.

Computer forensics requires special hardware and software. Once an image of a disk is made, additional experience and expertise continues to be required to ensure that findings are interpreted thoughtfully.

 

Fulcrum Inquiry performs electronic discovery assistance and computer forensic examinations.