Your company’s employees use the Internet for all sorts of super-cool, productivity-enhancing things, like... well... doing their jobs, mostly. With a little bit of socializing and entertainment mixed in for good measure, of course.
But every so often one will wander over to the dark side of the Internet and do something that puts your company or other people at risk. Something like malicious hacking, stalking, viewing illegal pornography, manipulating stock prices, and threatening or extorting other people. Remove the shackles of polite society with a little bit of Internet anonymity and some people turn to the dark side faster than you can say “Emperor Palpatine.”
Now, sometimes you won’t have to do anything in these matters. Some very polite and well-dressed folks from the FBI will arrive at your office one day and demonstrate the finer points of data forensic techniques, such as computer disk image acquisition.
Your liability in these matters will vary greatly, depending on what your employee did. You’re not really responsible if your employee was threatening the President via Facebook on company time or belongs to a terrorist organization such as the DMV. But if your employee was stalking someone or stealing sensitive information from your customers or other employees, you may have a real mess on your hands. Consequences include, but are not limited to, brand damage through bad publicity, financial penalties levied by governing bodies, and third-party lawsuits from your employee’s victims.
Even if law enforcement shows up to inform you of your employee’s alleged evil ways, you’ll want to conduct an investigation of your own to better understand what happened. This will no doubt involve a forensic analysis of the subject’s computer hard drive.
For most companies, the need to conduct a forensic analysis of one of its own computer hard drives is a rare occurrence. Over time, however, it is a likely occurrence, more of a “when” it will happen as opposed to an “if” it will.
The responsibility for conducting the internal investigation will vary as much as the reasons why it must be done. But one thing is for certain: If you haven’t done it before, you’re likely to make a few common mistakes.
You’ll want to think the process through end to end, involving all the players. Consider multiple common scenarios, such as: law enforcement knocks on the door, IT reports an incident involving an employee that may have legal repercussions, a news van pulls up in the parking lot.
Any given case will involve a lot of different people in your company, such as HR, legal, PR, audit, compliance, executive, and of course, IT. You should know in advance which parts of an investigation will be handled internally, which will be outsourced and to whom, and about how much it will cost. Depending on the size of your company and the maturity of your internal security program, you might also consider conducting a practice exercise in which a hypothetical incident is handled end to end.
The problem with doing or even managing something complicated but infrequent, such as an internal investigation, is that each time you attempt it, it can be like starting over, like doing it for the first time again. By practicing it you’ll not only uncover potential “gotchas” but also make handling the actual incident a lot easier when it happens.
You should also review your company’s policies regarding acceptable computer use. I have recently observed a trend of employees utilizing anti-forensic tools such as “Evidence Eliminator” in an effort to frustrate any future analysis of the system. This, of course, is done in the name of privacy. However, it goes well beyond what is required for personal privacy by destroying data artifacts useful in retracing a user’s steps in an investigation. Use of such utilities or techniques should be prohibited by policy and should be, I think, cause for dismissal if used to wipe a company machine prior to or during an investigation.
There are plenty of ways to ensure personal privacy without wiping company property -- taking care of your personal business on your own time, for instance.
Employers should also not rely solely on the computer hard drive to reconstruct a user’s activity. Network-based detective controls such as proxies and centralized log servers should be used to help keep a record of users’ actions on the Internet while at work. As an employer, you could be held liable or suffer the consequences of what your employees do on the Internet while at work, so it’s a worthwhile effort to understand and manage it.
— Gideon J. Lenkey, co-founder of Ra Security Systems