COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES/EMPLOYMENT PROCEEDINGS

Computer forensics analysis is becoming increasingly useful to businesses. Computers can contain
evidence in many types of human resources proceedings, including sexual harassment suits, allegations
of discrimination, and wrongful termination claims. Evidence can be found in electronic mail systems, on
network servers, and on individual employee’s computers. However, due to the ease with which
computer data can be manipulated, if the search and analysis is not performed by a trained computer
forensics specialist, it could likely be thrown out of court.

Employer Safeguard Program

As computers become more prevalent in businesses, employers must safeguard critical business
information. An unfortunate concern today is the possibility that data could be damaged, destroyed, or
misappropriated by a discontented individual. Before an individual is informed of their termination, a
computer forensic specialist should come on-site and create an exact duplicate of the data on the
individual’s computer. In this way, should the employee choose to do anything to that data before
leaving, the employer is protected. Damaged or deleted data can be re-placed, and evidence can be
recovered to show what occurred. This method can also be used to bolster an employer’s case by
showing the removal of proprietary in-formation or to protect the employer from false charges made by
the employee. Whether you are looking for evidence in a criminal prosecution or civil suit or determining
exactly what an employee has been up to, you should be equipped to find and interpret the clues that
have been left behind. This includes situations where files have been deleted, disks have been
reformatted, or other steps have been taken to conceal or destroy the evidence. For example, did you
know

 What Web sites have been visited

 What files have been downloaded

 When files were last accessed

 Of attempts to conceal or destroy evidence

 Of attempts to fabricate evidence

 That the electronic copy of a document can contain text that was removed from the final printed
version

 That some fax machines can contain exact duplicates of the last several hundred pages received

 That faxes sent or received via computer may remain on the computer indefinitely That email is rapidly
becoming the communications medium of choice for businesses

 That people tend to write things in email that they would never consider writing in a memorandum or
letter

 That email has been used successfully in criminal cases as well as in civil litigation that email is often
backed up on tapes that are generally kept for months or years that many people keep their financial
records, including investments, on computers.
COMPUTER FORENSICS SERVICES

No matter how careful they are, when people attempt to steal electronic information (everything from
customer databases to blueprints), they leave behind traces of their activities. Likewise, when people try
to destroy incriminating evidence contained on a computer (from harassing memos to stolen
technology), they leave behind vital clues. In both cases, those traces can prove to be the smoking gun
that successfully wins a court case. Thus, computer data evidence is quickly becoming a reliable and
essential form of evidence that should not be overlooked. A computer forensics professional does more
than turn on a computer, make a directory listing, and search through files. Your forensics professionals
should be able to successfully perform complex evidence recovery procedures with the skill and
expertise that lends credibility to your case. For example, they should be able to perform the following
services:

 Data seizure

 Data duplication and preservation

 Data recovery

 Document searches

 Media conversion

 Expert witness services

 Computer evidence service options

 Other miscellaneous services

Data Seizure

Federal rules of civil procedure let a party or their representative inspect and copy designated
documents or data compilations that may contain evidence. Your computer forensics experts, following
federal guidelines, should act as this representative, using their knowledge of data storage technologies
to track down evidence. Your experts should also be able to assist officials during the equipment seizure
process. “

Data Duplication and Preservation

When one party must seize data from another, two concerns must be addressed: the data must not be
altered in any way, and the seizure must not put an undue burden on the responding party. Your
computer forensics experts should acknowledge both of these concerns by making an exact duplicate of
the needed data. Because duplication is fast, the responding party can quickly resume its normal
business functions, and, because your experts work on the duplicated data, the integrity of the original
data is maintained.

Data Recovery
 Using proprietary tools, your computer forensics experts should be able to safely recover and analyze
otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert’s
advanced understanding of storage technologies. For example, when a user deletes an email, traces of
that message may still exist on the storage device. Although the message is inaccessible to the user, your
experts should be able to recover it and locate relevant evidence.

Document Searches

Your computer forensics experts should also be able to search over 200,000 electronic documents in
seconds rather than hours. The speed and efficiency of these searches make the discovery process less
complicated and less intrusive to all parties involved.

Media Conversion

Some clients need to obtain and investigate computer data stored on old and un-readable devices. Your
computer forensics experts should extract the relevant data from these devices, convert it into readable
formats, and place it onto new storage media for analysis.

Expert Witness Services

Computer forensics experts should be able to explain complex technical processes in an easy-to-
understand fashion. This should help judges and juries comprehend how computer evidence is found,
what it consists of, and how it is relevant to a specific situation (see sidebar, “Provide Expert Consultation
and Expert Witness Services”).

Computer Evidence Service

Options Your computer forensics experts should offer various levels of service, each de-signed to suit
your individual investigative needs. For example, they should be able to offer the following services:

o Standard service

o On-site service

o Emergency service

o Priority service

o Weekend service

Standard Service

Your computer forensics experts should be able to work on your case during nor-mal business hours
until your critical electronic evidence is found. They must be able to provide clean rooms and ensure that
all warranties on your equipment will still be valid following their services.
On-Site Service

Your computer forensics experts should be able to travel to your location to per-form complete
computer evidence services. While on-site, the experts should quickly be able to produce exact
duplicates of the data storage media in question. Their services should then be performed on the
duplicate, minimizing the disrup-tion to business and the computer system. Your experts should also be
able to help federal marshals seize computer data and be very familiar with the Federal Guide-lines for
Searching and Seizing Computers.

Emergency Service

After receiving the computer storage media, your computer forensics experts should be able to give your
case the highest priority in their laboratories. They should be able to work on it without interruption
until your evidence objectives are met.

Priority Service

Dedicated computer forensics experts should be able to work on your case during normal business
hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is found. Priority service
typically cuts your turnaround time in half.

Weekend Service

Computer forensics experts should be able to work from 8:00 A.M. to 5:00 P.M., Saturday and Sunday, to
locate the needed electronic evidence and will continue working on your case until your evidence
objectives are met. Weekend service depends on the availability of computer forensics experts.

Other Miscellaneous Services

Computer forensics experts should also be able to provide extended services. These services include

 Analysis of computers and data in criminal investigations

 On-site seizure of computer data in criminal investigations

 Analysis of computers and data in civil litigation.

 On-site seizure of computer data in civil litigation

 Analysis of company computers to determine employee activity

 Assistance in preparing electronic discovery requests

 Reporting in a comprehensive and readily understandable manner

 Court-recognized computer expert witness testimony

 Computer forensics on both PC and Mac platforms

 Fast turnaround time

The computer forensics specialist should take several careful steps to identify and attempt to retrieve
possible evidence that may exist on a subject’s computer system. For example, the following steps
should be taken:

1. Protect the subject computer system during the forensic examination from any possible
alteration, damage, data corruption, or virus introduction

2. Discover all files on the subject system. This includes existing normal files, deleted yet
remaining files, hidden files, password-protected files, and encrypted files

3. Recover all (or as much as possible) of discovered deleted files

4. Reveal (to the greatest extent possible) the contents of hidden files as well as temporary or
swap files used by both the application programs and the operating system

5. Access (if possible and legally appropriate) the contents of protected or encrypted files

6. Analyze all possibly relevant data found in special (and typically inaccessible) areas of a
disk. This includes but is not limited to what is called unallocated space on a disk (currently
unused, but possibly the repository of previous data that is relevant evidence), as well as
slack space in a file (the remnant area at the end of a file in the last assigned disk cluster, that
is unused by current file data, but once again, may be a possible site for previously created
and relevant evidence).

7. Print out an overall analysis of the subject computer system, as well as a listing of all
possibly relevant files and discovered file data.

8. Provide an opinion of the system layout; the file structures discovered; any discovered data
and authorship information; any attempts to hide, delete, protect, and encrypt information;
and anything else that has been discovered and appears to be relevant to the overall computer
system examination

9. Provide expert consultation and/or testimony, as required [v]