IT personnel are still too often ignorant of the need for preserving electronic evidence of wrongdoing, says specialist forensic investigator Chris Budge.
Addressing a management breakfast of the New Zealand Computer Society's Wellington branch last week, Budge, who heads eCrime (nz) Ltd., a private investigative company he founded in August 2000 after retiring from the NZ Defence Force, said many organisations also have shortcomings in the proactive deterrence of offences.
In between half and two-thirds of the investigated cases that have come to Budge's attention, the evidence has been contaminated to some degree. This has been due to clumsy in-house investigation, a lack of proper controls and poor record keeping of the investigative steps taken, he says.
Any resulting doubts about the evidence are likely to be seized on in any legal defence and may result in a guilty offender being acquitted.
A need for training is evident and the IT department should consider providing their staff with appropriate software and hardware tools to assist any investigations, if need be requesting from management extra budget to do so.
Investigations and preventative steps in the IT department may not only be needed in matters of "e-crime" in the narrow sense, Budge says. Since the passing this month of the Health and Safety Act, an employer may be legally liable for employee misdemeanours, such as sending abusive or harassing e-mails to workmates, unless a policy forbidding this has been clearly stated.
Budge says the first lesson is not to expose a data store that could contain evidence to any possibility of writing. Merely rebooting a computer could write to as many as 640 system files, some of which may contain crucial data relating to what was done in the course of a suspected crime.
Write-protect all involved removable media and dump activity logs and other pertinent evidence to a CD, which is afterwards read only in a drive that cannot write to the disc, he counsels. Specialist computer forensics companies supply devices that can take dumps from hard drives dependably and securely against future tampering, such as the Fastbloc device from California-based Guidance Software.
Staff faced with a possible electronically mediated crime should "buy a clean notebook and write down everything that is done (in the cause of preserving evidence)", Budge says. Such a notebook may be produced as part of the evidence in court.
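One way to keep the contemporaneous record Budge describes in a tamper-evident form, as an added illustration and not anything presented in the talk: each acquisition step (write-protecting a medium, copying a log to CD) is logged with the SHA-256 of the item handled, and each entry commits to the hash of the previous one, so an altered or dropped step is detectable when the chain is verified. The examiner id, timestamps and sample log content are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    # Fixed key order and separators so an entry always serialises identically
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLog:
    """Append-only record of acquisition steps. Each entry commits to the hash
    of the previous one, so editing or dropping an earlier step breaks the chain."""

    def __init__(self, examiner: str):
        self.examiner = examiner  # constructed id of the person keeping the record
        self.entries = []

    def record(self, action: str, item: str, content: bytes, when: str = None) -> dict:
        entry = {
            "seq": len(self.entries),
            "time_utc": when or datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,  # e.g. "write-protect", "copy-to-cd"
            "item": item,  # the medium or file handled
            "sha256": sha256_hex(content),  # hash of the item as acquired
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        self.entries.append(entry)
        return entry


def verify_chain(entries: list) -> bool:
    """True only if every entry hash and every prev_hash link is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e.get("seq") != i or body.get("prev_hash") != prev:
            return False
        if sha256_hex(_canonical(body)) != e.get("entry_hash"):
            return False
        prev = e["entry_hash"]
    return True
```

Re-hashing the CD copy later and comparing it with the logged `sha256` field shows the copy is the one that was acquired; a failed `verify_chain` shows the record itself was altered after the fact.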
"If you don't know what you're doing, don't do it," he says. Call in a specialist.
Theft of intellectual property is a burgeoning area in e-crime, Budge says; "I've had four or five cases since the beginning of this year." The company that suspects its IP may have been dishonestly disseminated will have to be able to document any instances when relevant data could have moved offsite, and be able to provide evidentially clean copies of relevant files and logs.
When it comes to proactive deterrence, it is important not only for the company to have a clear "acceptable use" policy, but to ensure employees are regularly reminded of it, bearing in mind potential employer liability. Many organisations have policies set out, he says, "but they're on the Z: drive", where few employees will look after their first week in the job.
He recommends that a digest of the AUP be put in a pop-up that appears every time the employee restarts the PC. Employees should be required to click an OK button to close the pop-up before commencing work. Then there is no excuse for saying "I didn't know", which would cause legal health and safety problems for management, he says.
Another aspect that organisations often overlook is having appropriate filters on, and running regular audits of, laptops that employees may take home and use outside the guidelines.
Any undesirable material found on such a machine and any e-mails sent from it under the company address can end up getting the company into hot water.
No good employer should try to be "Big Brother". Employees' insistence on privacy at work "is eroding", but companies should still extend some latitude in that respect, he says.