Within the workplace, there is a certain amount of trust between employers and employees; part of this trust is that employees will use the provided work resources for work purposes. When an employee is suspected of using work resources for personal purposes, such as running their own business, it is important to properly gather evidence to substantiate the claim. Without hard evidence, an employee who challenged any disciplinary action, such as being suspended or fired, would likely succeed. As such, it is imperative that evidence be collected correctly and in a legal way (Kasper & Laurits, 2016).
There are a variety of sources of digital information that can be collected electronically and used as evidence. These include computer documents, emails, transactions, text/instant messages, internet history and images. Digital evidence should only be collected by individuals who have had specific training in collecting this type of evidence. In the case of collecting evidence against the employee, the main sources that will be used are those pertaining to the workplace, such as their work computer, any sites accessed on that computer and/or their work cellphone (Ballou, 2010). To prevent contamination of the evidence, the first step is to create a copy of the original storage device, which is then stored on another form of media, such as a clean CD or external hard drive. This ensures the integrity of the original (Hart, Ashcroft, & Daniels, 2004).
Then the analyst will install write-blocking software, which ensures that data can only be viewed, not altered in any capacity. Next, the analyst will use extraction software to sort through and extract the key components to be used as evidence. The type of software depends on the evidence to be extracted and on the type of data being searched (Forensic Science Simplified, 2014). Examples of program types include file analysis tools, internet analysis tools, email analysis tools, network forensics tools and database forensics tools (Carrier, 2002). Analysts will also search for and retrieve obscured files, which may have had their file location recently changed.
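The copy step described above can be made checkable by hashing the source while it is read and comparing that hash with the finished copy. The following is an added example, not taken from the cited guides; the function names and the constructed sample file are illustrative assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large devices need not fit in memory


def sha256_of(path):
    """Return the SHA-256 hex digest of a file or device node, opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, dest):
    """Copy source to dest and hash the bytes as they are read from the source."""
    digest = hashlib.sha256()
    # "rb" never writes to the source (this does not replace a write blocker);
    # "xb" refuses to overwrite an image that already exists.
    with open(source, "rb") as src, open(dest, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    source_hash = digest.hexdigest()
    image_hash = sha256_of(dest)  # re-read the copy from the destination media
    return {"source_sha256": source_hash, "image_sha256": image_hash,
            "size": os.path.getsize(dest), "verified": source_hash == image_hash}


def still_intact(image, recorded_sha256):
    """Re-check a stored image against the hash recorded at acquisition time."""
    return sha256_of(image) == recorded_sha256


if __name__ == "__main__":
    # Constructed stand-in for a storage device; a real run would name the device.
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")
    with open(source, "wb") as handle:
        handle.write(b"constructed sample sector data " * 1000)
    record = acquire_image(source, os.path.join(workdir, "image.dd"))
    print(record)
```

Recording the returned hash alongside the image lets anyone later confirm, with `still_intact`, that the working copy has not changed since acquisition.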
In addition, analysts will search for hidden and/or inaccessible files and folders. These types of files may have been hidden by the employee to conceal their activities. They will also search for and try to recover destroyed evidence and deleted files which may have been moved to the recycle bin. Even if a deleted file has been removed from the recycle bin, it may still be possible to retrieve this information using commercial data recovery tools. As well, using a technique known as data carving, evidence can still be retrieved even if the hard drive or the storage device (external hard drive or USB) was recently formatted. In data carving, a sequential examination of the complete content of the hard drive is conducted and artifacts of previous files. Unlike data recovery, which uses a signature-search algorithm, carving looks for incomplete signatures and patterns to identify areas of the disk which may contain data of interest (Gubanov, 2014).
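A minimal sketch of data carving as described above: the raw bytes are scanned from start to end with no reference to a file table, and a header without a matching footer is reported as an incomplete artifact. This is an added example, not code from the cited sources; it uses the well-known JPEG and PNG magic bytes, and the sample "drive" is constructed.

```python
# Header/footer signatures for two common formats (well-known magic bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(raw, max_size=10 * 1024 * 1024):
    """Scan raw bytes sequentially, ignoring any file system structures.

    Returns (kind, offset, data, complete) tuples sorted by offset. A header
    with no footer inside max_size is reported as incomplete, which is what a
    partly overwritten file looks like after a format.
    """
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                hits.append((kind, pos, raw[pos:pos + max_size], False))
                pos = raw.find(header, pos + len(header))
            else:
                stop = end + len(footer)
                hits.append((kind, pos, raw[pos:stop], True))
                pos = raw.find(header, stop)
    return sorted(hits, key=lambda hit: hit[1])


def build_sample():
    """Constructed stand-in for a formatted drive: no file table, just bytes."""
    jpg = b"\xff\xd8\xff\xe0" + b"constructed jpeg body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed png body" + b"IEND\xae\x42\x60\x82"
    cut = b"\xff\xd8\xff\xe0" + b"overwritten before the footer"
    return b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 200 + cut + b"\x00" * 64


if __name__ == "__main__":
    for kind, offset, data, complete in carve(build_sample()):
        state = "complete" if complete else "incomplete"
        print(f"{kind} at offset {offset}: {len(data)} bytes, {state}")
```

Real image files can contain the footer bytes inside their body (for example in an embedded thumbnail), so carved output should be validated by opening it with a format-aware tool.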
There are many common mistakes that are often made when collecting digital evidence. Three common mistakes are using the company's own IT department to collect evidence, following the collection process for civil rather than criminal proceedings, and waiting instead of collecting evidence right away. As mentioned earlier, it is important that digital evidence be collected by properly trained individuals; therefore it should not be collected by the IT department of the company unless these individuals are properly trained. Even if employees are trained, there is a risk of potential bias, so an outside company/individual should be contracted to collect the evidence. If the evidence is not collected properly, it could be inadmissible, which would result in the employer being found culpable of wrongful dismissal of the employee (Forensic Science Simplified, 2014). The second mistake that is often made is not following the collection procedures for criminal investigations. Often, companies may assume that only a civil case will be launched. However, following the more stringent guidelines required for criminal proceedings ensures that if a criminal case is necessary, the evidence is already collected and not contaminated (Kasper & Laurits, 2016). The third common mistake is waiting to collect digital evidence. In terms of cost, it is always more cost efficient to begin collecting evidence immediately after suspicious behavior has been identified. As well, over time it can become more and more difficult to retrieve the evidence, which means increased cost for the employer. Furthermore, while most information can be retrieved, it is possible that over time some evidence may be lost, so the case may not be as strong as if the evidence had been collected immediately.
Overall, when it comes to collecting digital evidence, it is important that proper procedures be followed and that all evidence be collected by a trained and certified analyst. Furthermore, analysis should be conducted immediately in order to have the best chance of recovering sufficient evidence. Conducting the analysis in a timely fashion will also reduce the risk of the employee becoming suspicious and attempting to obscure the data. In addition, it will reduce the cost of the analysis. In conclusion, because of the severity of the allegations against the employee and the lack of other proof, it is important that sufficient digital evidence be collected so that any action taken will be corroborated by good quality hard evidence.
- Ballou, S. (2010). Electronic crime scene investigation: A guide for first responders: Diane Publishing.
- Carrier, B. (2002). Open source digital forensics tools: The legal argument: stake.
- Forensic Science Simplified. (2014). A simplified Guide to Digital Evidence. from http://www.forensicsciencesimplified.org/digital/DigitalEvidence.pdf
- Gubanov, Y. (2014). Retrieving Digital Evidence: Methods, Techniques and Issues. Retrieved on July.
- Hart, S. V., Ashcroft, J., & Daniels, D. J. (2004). Forensic examination of digital evidence: a guide for law enforcement. National Institute of Justice NIJ-US, Washington DC, USA, Tech. Rep. NCJ, 199408.
- Kasper, A., & Laurits, E. (2016). Challenges in Collecting Digital Evidence: A Legal Perspective The Future of Law and eTechnologies (pp. 195-233): Springer.