written 6.8 years ago by | modified 6.6 years ago by |
Subject: Digital Forensics
Topic: Preserving and Recovering Digital Evidence
Difficulty: Medium
written 6.6 years ago by |
Private-sector organizations include businesses and government agencies that aren’t involved in law enforcement.
ISPs can investigate computer abuse committed by their employees, but not by customers.
ISPs and other communication companies now can investigate customers’ activities that are deemed to create an emergency situation.
An emergency situation under the Patriot Act is the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail message.
In the private sector, the incident scene is often a workplace, such as a contained office or manufacturing area, where a policy violation is being investigated.
Everything from the computers used to violate a company policy to the surrounding facility is under a controlled authority—that is, company management.
Businesses have inventory databases of computer hardware and software.
Having access to this database and knowing what applications are on suspected computers help identify the computer forensics tools needed to analyze a policy violation and the best way to conduct the analysis.
To investigate employees suspected of improper use of company computing assets, a corporate policy statement about misuse of computing assets allows corporate investigators to conduct covert surveillance with little or no cause and access company computer systems without a warrant, which is an advantage for corporate investigators.
A well-defined corporate policy should state that an employer has the right to examine, inspect, or access any company-owned computing assets.
As a standard practice, companies should use both warning banners and policy statements. With a policy statement, an employer can freely initiate any inquiry necessary to protect the company or organization.
If a corporate investigator finds that an employee is committing or has committed a crime, the employer can file a criminal complaint with the police.
If you discover evidence of a crime during a company policy investigation, first determine whether the incident meets the elements of criminal law.
You might have to consult with your corporate attorney to determine whether the situation is a potential crime.
Next, inform management of the incident; they might have other concerns, such as protecting confidential business data that might be included with the criminal evidence.
In this case, coordinate with management and the corporate attorney to determine the best way to protect commingled data.
After you submit evidence containing sensitive information to the police, it becomes public record.
Public record laws do include exceptions for protecting sensitive corporate information; ultimately, however, a judge decides what to protect.
After you discover illegal activity and document and report the crime, stop your investigation to make sure you don’t violate Fourth Amendment restrictions on obtaining evidence.
If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
Your next step is to work with the corporate attorney to write an affidavit confirming your findings.
The attorney should indicate in the affidavit that the evidence is commingled with company secrets and releasing the information will be detrimental to the company’s financial health.
When the affidavit is completed, you sign it before a notary, and then deliver the affidavit and the recovered evidence with log files to the police, where you make a criminal complaint.
At the same time, the corporate attorney goes to court and requests that all evidence recovered from the hard disk that’s not related to the complaint and is a company trade secret be protected from public viewing. You and the corporate attorney have reported the crime and taken steps to protect the sensitive data.
In the evidence you’ve turned over to the police, the detective notices that the suspect is collecting most of his contraband from e-mail attachments.
The prosecutor instructed the detective to ask you to collect more evidence to determine whether the suspect is transmitting contraband pictures to other potential suspects.
In this case, you should immediately inform the detective that collecting more evidence might make you an agent of law enforcement and violate the employee’s Fourth Amendment rights.