The key role of computer forensics is the protection, adducing and presentation of evidence, in that order. In all abuse cases, protection of the evidence is both critical and central to the organisations ability to investigate and take action against the abuser.
Once abuse is suspected it is important to assess the likely route of action. One of the first decisions to make is to determine the nature of the abuse and whether the investigation will result in criminal, civil or internal disciplinary action.
If the nature of the abuse warrants either of the first two options, protection of all evidence is of utmost importance as, frequently, the defences best case is based on the admissibility of computer based evidence. Even when internal disciplinary action is being taken, it may pay to protect the evidence to the same degree as in a criminal or civil cases as an industrial tribunal may consider the employers case more favourably if proper evidential practices have been observed.
What exactly does "protecting the evidence" mean?
Let us assume that an employee is suspected of downloading illegal pornography (the definition of what is "legal" pornography would take more space to discuss than this article has!) from the internet. Perhaps not surprisingly, this is far from uncommon and can leave an organisation legally culpable courtesy of the fact that a company and its officers hold a vicarious responsibility for the deeds and actions of its employees.
Most organisations would take one of two possible actions. Either a member of the security team would be tasked with making a backup of the users hard disk which would then be restored onto a blank drive. Or the users computer would be taken away by the support department where one of the technicians would be asked to search the disk for image files and print them off.
Unfortunately, both these actions will harm the organisations ability to
a) defend itself against potential legal action and
b) invalidate the submission of any evidence against the user which may have been present on the users computer.
Whilst the above actions would appear on the surface to be adequate methods of determining the presence of incriminating evidence, they are both fatally flawed in their execution.
Elizabeth Sheldon is a director of Evidence Talks, One of the most highly regarded computer forensics consultancies in the UK, Evidence Talks lead the way with unique solutions to some of the problems faced by industry today. More information visit- http://www.evidencetalks.com/