Computer Forensics in Internal Company Investigations

For all businesses, big and small, a time will come when there will be a need for computer forensics, electronic discovery, or data recovery. All businesses should assess their needs, and if necessary should consult, ahead of time, with professionals who specialize in these area. Some of the areas of concern for a business in matters relating to computer forensics in the business environment include:

•  Using computer forensics in the business work environment
  
• Employee privacy concerns, that is, how much privacy should your employees expect in the daily use of a business' computing assets?
  
• Does your company have a fair use policy of company computing assets such as Internet access and personal e-mail correspondence?
  
• Are warning banners displayed on your business' computers when they are logged on to by your employees? And, do you have written policies establishing that employees have no expectation of privacy in the work place computing environment?
  

If you have answered no to any of these basic questions, you should consider establishing clear concise computing use practices, policies and procedures for your organization. Include a clear statement of the privacy expectations of the employees in the use of company owned/leased computing assets. By establishing these practices you can better protect your business from serious problems.

To begin with, what might constitute an investigation and who should conduct investigations in a business?

Ideally, a company has an employee or employees who have been assigned and trained to conduct investigations. In a small company, this may not be their only duty, but they should none-the-less have some training on handling these types of matters.

The application of computer or digital forensics examinations for collecting evidence for internal company investigations can range from internal theft, employee conflicts to industrial espionage. As technology available in the workplace increases and evolves, computers and networks are becoming the common places where information is stored. A company investigator should always consider the possibility that valuable evidence supporting an investigation might be stored somewhere such as in e-mail, network backup servers, local external drives or other data storage media. Company investigators should have available to them the services of a trained computer forensics specialist to collect potential evidence. For small organizations that typically have limited resources, investigations should be at least coordinated between management, human resource department, and the legal staff. As part of any investigation employee training records should be reviewed to verify if employees had received appropriate security briefings and training prior to any interviews.

Types of investigations that might involve computer forensics for data evidence collection are:

• Employee termination, both good and not so good.
  

• Hostile workplace situations.

• Policy conformance audits, for example Sarbanes-Oxley (SOX), International Traffic in Arms Regulations (ITAR), and Export Administration Regulations (EAR).

• Industrial espionage and trade secret loses.

This list is not exclusive; it is designed to provide guidance on what types of situations may warrant the services of a computer forensics examiner.

The computer forensic examination, sometimes called an audit, should be considered for a terminating employee, even if the termination is the employee's decision and he or she is leaving on good terms. The reason for this is to help identify what exactly the employee has been working on that might be company sensitive or trade secret information. Information gained from such an audit can be used as part of the exit interview of the employee. For the not so good terminations, an audit too can provide additional insight as to why there was a problem.

Because of the technology improvements in the work environment more commonly now hostile workplace situations are instigated through the use of e-mail and instant messages. To appropriately collect and preserve this evidence a computer forensics specialist should be employed.

Presently there are many government regulations that many businesses must comply with in their daily operations such as SOX, ITAR, and EAR. SOX obviously for publicly traded companies and ITAR (International Traffic of Arms Regulations) and EAR (Export Compliance Regulation) for companies with export sales and services, but don't assume that ITAR and EAR don't apply to your company. Read the labels and warnings that came with the purchase of your company's computers and the software installed on your company's computers.

Because of these regulations businesses must be aware of what is going on inside their company. By using computer forensics and electronic discovery processes audit trails can be used to quickly identify if errors in failing to comply with these regulations are made. The faster these errors are identified for a business the lesser the challenge will be to correct it with the government.

In today's competitive market industrial espionage is a fact of life. A company's trade secrets are its most valuable assets and must be protected or else the business could suffer significant competitive business losses. By applying audit reviews or security procedures and computer forensics audits a company will know better where all there trade secret data is located. Knowing where and who has access to your data better protects you from theft of trade secrets.

If your are considering running your own computer forensics operation within your company or contracting services there are several things to consider. The first thing to identify is, what is your business, what do you sell or service? That is, what you sell or service is your primary business, computer forensics is not your primary business. Computer forensics is a function that is suppose to promote your business continuity, integrity, and minimize liabilities.

When considering the use of computer or digital forensics for your business you will need to consider some of the following questions:

• Should you have your own staff perform digital forensics? What amount of investigation support is anticipated? 

• Should you contract it from a reliable vendor? Should a computer forensics firm be put on retained? Should a computer forensics firm be used ad hoc?

If you are considering creating your own internal computer forensics capability your first consideration should be the cost and the expected need for this service. That is, the occurrences of incidents that would dictate the need for computer forensics. Do you expect weekly, monthly or semi-annual incidents needing investigations?

If your computer forensics workload is less then two or three incidents/investigations per month your internal costs to maintain the necessary staff and skills, might be higher than contracting the service. The expense of running your own computer forensics operation can easily escalate into significant costs. Costs beyond the salary of an employee assigned to perform computer forensics can easily run in excess of $10,000 a year. This cost would include several days of specialized training annually, dedicated hardware and software and periodic relicensing of software tools, secure facilities, and potentially unique supplies. Additionally unless the employee is performing at least a couple of examinations a month, his or her hands on skills may not be well maintained, even if they attend appropriate training regularly. For small to medium size businesses contracting service might be a more cost effective choice.

If you have decided you need to retain a computer forensic examiner either a full-time employee or an external firm to perform your internal investigations, you should look to the experience of the examiner(s) in internal company investigations.

• Considerations in Retaining a Computer Forensics Examiner
• Importance of Computer Forensics to Criminal Defense
• Computer Forensics in Internal Company Investigations

In today's competitive market industrial espionage is a fact of life. A company's trade secrets are its most valuable assets and must be protected or else the business could suffer significant competitive business losses.
By applying audit reviews or security procedures and computer forensics audits a company will know better where all there trade secret data is located. Knowing where and who has access to your data better protects you from theft of trade secrets.