Online Security, a global provider of computer forensics and information technology risk mitigation since 1997

  Protecting Employers through Proactive Computer Forensics
Posted: Oct 16 2003
Glen Hastings, Director of Business Development, OnlineSecurity

How often has this happened to you or your client? Six months after an individual leaves a company, a lawsuit arises regarding that individual. It may be a wrongful termination suit brought by an employee who was let go, or it could be a theft of intellectual property matter brought against an employee who is now at a key competitor. Regardless of the matter, internal documentation needs to be assembled and reviewed, but there is a problem. The individual’s computer is either missing or is now being used by someone else, and the evidence that was on the computer is no longer readily accessible. Depending on what evidence was on the computer, this turn of events could imperil the company’s chances of prevailing in the litigation, or at the least could significantly raise their litigation costs. As is often the case in situations such as this, an ounce of prevention, i.e. proactive evidence preservation, is worth a pound of cure, i.e. reactive evidence recovery.

So why does this happen in the first place? Generally speaking, while human resources and the legal department are concerned with the legal implications of employees leaving, it is uncommon for the IT department to consider potential legal complications. When terminating an employee, human resources will construct a detailed dossier demonstrating that the individual was terminated for cause. When a key technical or executive leader departs, legal will generally consider structuring a non-compete agreement (if one is not already in place) for that individual. The IT department, on the other hand, will typically take the individual's computer and repurpose it. This could include selling or giving it away (if it is an older computer), returning the computer to the lessor (if it was leased), providing it to another employee, or placing it in excess inventory. Often, unless the computer is going to a designated successor to the individual, the IT department will clean up the computer, delete user files, and return the hard drive to its default corporate image.

Repurposing of computer systems creates significant challenges for counsel if there had been any evidence on the system. The first challenge is finding the computer, which can be impossible if the company no longer possesses it and quite hard if it is a large company with thousands of computers. The second challenge is recovering the evidence from the system, which raises the unique nature of electronic, as compared to physical, evidence. Electronic evidence is simultaneously indelible and fragile; it is quite difficult to completely eliminate, but can be easily altered or damaged. On a repurposed system, evidence will rarely be intact and accessible (user files having been deleted and possibly overwritten), and the recovery of the evidence will require extensive and oftentimes expensive computer forensics. Nevertheless, given enough time, money and forensic expertise, evidence may be recovered and events reconstructed. The third challenge will be presenting the evidence in court, which will require the expert witness testimony of your computer forensics investigator as to the integrity of the evidence.

These challenges could be minimized if, at the time the employee left the company, the information on his or her computer was preserved. Unless the individual took purposeful steps to destroy any evidence, which in and of itself would be highly suspicious, any evidence on the computer would be intact and readily accessible. There would be no need for the deep and expensive forensic recovery required on repurposed systems. Computer forensics would be limited to authenticating and examining the evidence present on the system, and there would be fewer challenges in court to the integrity of the evidence.

It should be noted that the majority of the time, by repurposing computers, the IT department is acting quite prudently. It is only when litigation ensues that repurposing can create potentially significant problems for the corporation. Therefore, any proactive approach to evidence preservation should not necessarily prevent the IT department from efficiently repurposing the computers; thus, preserving the whole system (by not repurposing it) or removing the hard drive are not ideal solutions. Generally speaking, there are two alternatives to preserving the evidence without impeding the prudent repurposing of the system by the IT department: ghosting and forensic preservation.

Ghosting is the process of copying all the information on one hard drive to a new hard drive. It is very useful for backup and restore operations, and if used correctly, it can be useful in proactively preserving evidence. With ghosting, proper process and procedures become essential for the preservation of evidence, as the technique itself does not protect the evidence from being altered. It is simply a working copy of the information on the hard drive, and in order for the evidence to be useful in court, the processes and procedures used to obtain, store, and analyze the evidence must demonstrate that the evidence remained unaltered. This can be difficult even for experienced computer forensics professionals, which is why the majority use forensic software to preserve evidence.

Forensic preservation is similar to ghosting in that it copies all the information from one hard drive to a new hard drive, but it also minimizes many of the process and procedure issues related to ghosting. Forensic preservation utilizes computer forensics software which locks the image of the original hard drive on the new disk, and preserves the hash values, both for files and for the disk image itself. A forensic copy allows evidence to be examined, probed, and recovered from unallocated space without altering any of the data or meta-data in the image – this cannot be said for a ghosted image. Forensic software has also been recognized by the courts as an accepted and proven means of collecting, authenticating, preserving, examining, and recovering evidence from computer systems.

Process and procedures are still important with forensic preservation, but they are not the sole guarantors of evidential integrity as they are with ghosting. Nevertheless, without proper process and procedures, it is possible to taint the evidence collected through forensics. Thus, in any contentious litigation, the opposing counsel will typically grill one's computer forensics expert to look for flaws in their technique that may allow evidence to be thrown out. For this reason, it is generally best to use an experienced computer forensics firm as opposed to the internal IT staff (who are not trained as expert witnesses) for forensic preservation. An additional benefit of using an external firm is that they are considered a neutral party, which reduces the opportunity for opposing counsel to claim a bias in the collection and preservation of the evidence.
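As an added illustration that is not part of the original article, the Python below shows what the article means by preserving hash values both for files and for the image itself: a manifest taken at collection time lets anyone later prove that the image and every file in it are unaltered, and it catches the kind of silent change a plain ghosted working copy would never reveal. It assumes a tar archive standing in for a real forensic image format, SHA-256 as the hash, and constructed sample files.

```python
import hashlib, tarfile, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    # Stream the file so a multi-gigabyte image need not fit in RAM
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve(source_dir, image_path):
    """Collect every file under source_dir into one image file (a tar archive
    stands in for a forensic image), lock it read-only, and return the manifest."""
    source_dir, image_path = Path(source_dir), Path(image_path)
    files = {}
    with tarfile.open(image_path, "w") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                files[rel] = sha256_file(p)  # per-file hash, taken from the source
                tar.add(p, arcname=rel)
    image_path.chmod(0o444)  # "lock" the image against casual modification
    return {"image_sha256": sha256_file(image_path), "files": files}

def verify(image_path, manifest):
    """Re-hash the image and each file inside it; return names that no longer match."""
    mismatched = []
    if sha256_file(image_path) != manifest["image_sha256"]:
        mismatched.append("<image>")
    with tarfile.open(image_path, "r") as tar:
        for rel, digest in manifest["files"].items():
            member = tar.extractfile(rel)
            if member is None or hashlib.sha256(member.read()).hexdigest() != digest:
                mismatched.append(rel)
    return mismatched

def demo():
    """Constructed sample: preserve a departing user's profile, then alter the image."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp, "profile", "Outlook")
        profile.mkdir(parents=True)
        (profile / "archive.pst").write_bytes(b"constructed mailbox data")
        (profile.parent / "memo.txt").write_text("constructed draft memo")
        image = Path(tmp, "workstation.img")
        manifest = preserve(profile.parent, image)
        clean = verify(image, manifest)          # expect []
        image.chmod(0o644)                       # unlock, then alter the copy ...
        image.write_bytes(image.read_bytes() + b"x")
        return clean, verify(image, manifest)    # expect ([], ["<image>"])
```

The per-file hashes still match after the alteration, so the image-level hash is what exposes the change; a ghosted copy carries neither.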

Using an external computer forensics firm for the proactive preservation of evidence from systems raises the obvious question of how much this "ounce of preservation" costs. Forensic collection and preservation is relatively inexpensive, usually less than one quarter of the cost of the typical or simple forensic analysis of evidence which would be required in most matters where evidence will be presented from a computer system. This ratio shifts dramatically if we compare the collection and preservation cost against a complex and difficult forensic analysis such as is required to recover evidence from a repurposed system. Oftentimes, the complex and deep forensics required on such a system will cost ten or fifteen times as much as the original collection and preservation would have cost.

A good rule of thumb is that if there is a 20% chance that an individual system may have critical evidence for a future litigation, the system should be forensically collected. Generally speaking, this would include the computers for key business and technical leaders (by virtue of their value to competitors) or for employees being terminated for cause. In the latter situation, human resources is likely to have a good idea of who may or may not be a problem; typically if HR suspects that an individual may seek legal action post termination, they will be extra diligent in documenting their case. Proactive evidence preservation is simply another aspect of that due diligence.

To conclude, I offer the example (based on a real situation) of two companies both of which are facing similar circumstances.

  • Six months ago three key technical leaders left the company and three months ago all three joined a smaller but important competitor.

  • Two months after these three individuals joined the competitor, the competitor launched a new product that is almost identical to a product that the original company had just launched. All three of these individuals had previously worked on this project at the original company.

  • The company sues the three individuals and the competitor for intellectual property theft and patent infringement.


At company A, they do not have a program to proactively preserve evidence.


  • After filing the lawsuit, the general counsel of company A approaches the IT department to find the computers for the three individuals. No one is exactly sure where they are.

  • Three months later, three of the workstations and two of the three laptops for the individuals have been located. All five computers have been repurposed to some degree.

  • A discovery request is filed to obtain information from the competitor, but the request gets delayed as the opposing counsel labels the request as a “fishing expedition” as there is no information to tie the competitor to the individuals.

  • A computer forensics firm is hired, and they start the time intensive process of trying to recover information from the repurposed computers. The third laptop has still not been located.

  • After many weeks of intensive and expensive examination, the forensics firm is able to find portions of what appear to be emails between the three individuals and the competitor. None of the emails are complete, but it appears that the individuals may have uploaded files to an FTP site. There is no direct evidence of files being moved.

  • The information provides enough evidence to proceed but not necessarily to prevail in court, and after a long and costly litigation, a settlement is reached without any admission of guilt by the competitor.


At company B, they do have a program to proactively preserve evidence.


  • After filing the lawsuit, the general counsel of company B approaches the external forensics company, and the next day the forensic images of all six computers are analyzed.

  • The analysis reveals that the three individuals all deleted Outlook PST files within 48 hours of turning in their resignation, but as this information was not overwritten, the PST files are extant.

  • Analyzing the PST files reveals that all three individuals had been uploading engineering files to an FTP site for the 8 weeks prior to their departure.

  • As the registry has not been overwritten and reformatted, the forensics engineer is able to document which files were uploaded and which were not.

  • On one of the laptops, forensics analysis reveals a memo between the three individuals and the competitor detailing the terms of their industrial espionage. This document had been deleted, but versions were found in the temp file space.

  • Confronted with the weight of evidence collected from the preserved systems, the competitor, to avoid criminal sanction, agrees to settle, pay damages, and fire the three employees. All three individuals also plead guilty to industrial espionage and intellectual property theft.


