CYFOR Blog

Workplace investigations undertaken by HR departments and senior management can be a lengthy and time-consuming process. This can be alleviated with digital forensics expertise.

Workplace investigations are typically undertaken when there are reports of suspicious behaviour or allegations of employee misconduct. Conducted correctly, they can evidence malicious activities and substantiate internal misconduct allegations.

Examples of internal misconduct

• Intellectual property data theft
• Fraud
• The use of proprietary information for personal gain
• Harassment
• Exfiltration of company data
• Company policy violations
• Social media misconduct
• Downloading and transfer of inappropriate media

Workplace investigations can be time-consuming, expensive, and organisationally disruptive. If conducted correctly they can provide a legitimate defence to any legal challenges raised by disgruntled former employees. However, a workplace investigation that is not conducted in a confidential and ethical manner can lead to significant complications and legal issues. In most cases, serious workplace misconduct involves the use of electronic devices, such as smartphones, computers, and USBs. This is where a digital forensics expert can help identify the digital evidence at the heart of the matter, improving the efficiency of the investigation.

Retrieval of digital evidence

During a workplace investigation, the retrieval of digital evidence is one of the most critical initial steps. Without following the correct forensic steps pivotal evidence could be missed or overlooked. With technology and digital communications being a critical part of business operations, it is almost a necessity that a reputable digital forensic expert is involved from the start of an HR investigation that involves digital media.

Depending on the circumstances, the primary source of evidence can take many different forms. As a primary tool in the workplace, emails are a main contender during HR investigations. When an employee sends an email, a retrievable copy is most likely stored in one or more devices or locations. Digital forensics can be utilised to extract existing emails as well as potentially retrieve deleted emails. Other forms consist of computer and mobile phone data, as well as the authentication and analysis of documents.

When an investigator is briefed on the background of a case, they must identify relevant evidence in the context of the investigation. They can compile a list of relevant data sources, and review devices for file activity during a specific date range. As evidence resides in many locations within digital media, a forensics expert will use specialised tools and techniques to identify evidence and ascertain the activities of the perpetrator, examples of which are:

• If CCleaner software was run on a company laptop, or it was factory reset.
• If a personal cloud storage platform was used to upload company intellectual property.
• Was a flash drive/USB connected to a computer to exfiltrate confidential business data?
• Investigate employee data theft to determine if proprietary intellectual data has been exfiltrated when an employee exited their job, and how this was accomplished.
• Identify and potentially recover deleted data.

At a base level, employers must understand the basics of securing evidence on digital devices. Although electronic data is recoverable in most instances, it is important to ensure the integrity of that evidence by refraining from searching themselves. This will help ensure any evidence is not overwritten or altered.

A word of warning

Digital forensics is a very specialised field, and an IT technician is not a Digital Forensics Investigator. Years of training and ongoing development are standard, forensic imaging devices, analysing the data recovered using specialist forensic software and examining metadata is a complex process. To have any electronic device involved in a case should be viewed as an absolute asset, as the quantity, variety, and potential value of data stored on the hard drive can be invaluable. However, if best practice guidelines are not followed, and forensic experts are not deployed, evidence can be lost forever, or it becomes inadmissible in court or at tribunals.

Backup copies or ghost images that an in-house IT person often generates are not true forensic images. Although these backups are critically important for the purpose of data recovery, they only contain current data that the user can ‘see’. Instructing a digital forensic specialist at the early stages of an investigation will ensure the integrity of the data, and its admissibility in court should the matter escalate.

What is metadata?

Metadata interrogation can be a vital instrument for ascertaining the authenticity of digital evidence. When an electronic document is created and stored on a digital device, ‘hidden’ intrinsic data is created. This is referred to as metadata and details information such as:

• Creation date
• When it was last edited
• Last saved timestamps
• File author

Metadata is a blanket term. There are many types of metadata; for example, EXIF (Exchangeable Image File) data is a type of metadata found within image files and is very useful for digital forensic analysis. When accessing documents as a normal user it is not possible to alter or ‘tamper’ with metadata. However, there are specialist tools readily available that can make this possible in the hands of someone with sufficient knowledge. When files are out of a ‘native’ environment, metadata can only be taken at face value; there is no way of determining any metadata manipulation.

Applying digital forensic expertise

Digital forensics at its core is the identification, preservation, collection, and analysis of electronic data taken from devices such as computers, laptops, tablets, mobile phones, servers, cloud storage, portable hard drives, and USB flash drives.

Utilising specialist tools, a forensics expert can extract data relevant to workplace investigations in the form of emails, documents, images, chat logs, social media and internet usage history, call logs, text messages and contacts. Data can be collected and can tell when documents were created, altered, or deleted as well as any devices which have been connected to a computer/laptop.

Devices identified as relevant to an investigation have their data preserved by creating a forensic image. This is a forensically sound method to create an exact ‘bit-by-bit’ copy or ‘clone’ of the entire contents of the original storage media and is created to such a standard that the evidence obtained from them is admissible in court.

The forensic image is performed using write-blocking equipment, which ensures that the data is not altered in any way and copies the contents of all the unused areas on the hard disk as well as the areas that currently contain data. The unused data often contain data that has been deleted by a user but still resides on the device and is important to capture. With the correct digital forensic processes in place, any tampering or manipulation of the cloned data is readily detectable.

The digital evidence that is retrieved using digital forensics expertise could make the difference between a successful and unsuccessful outcome of a workplace investigation.

Why CYFOR Forensics?

CYFOR Forensics have been instructed on thousands of digital forensic cases, including workplace investigations. Our dedicated Corporate Forensics division is equipped with the knowledge and expertise to scope any workplace investigation and assist clients every step of the way. If you or a client are concerned about possible employee misconduct, please get in touch with our consultants.