Do's and Don'ts of Forensic Computer Investigations

John Colbert's Forensics Guidelines for IT Staff
The IT professional should consider these seven guidelines when requested to conduct a computer investigation or legal discovery request:
1. Ask questions: Inquire as to the nature of the request. The more you know about the investigation, the more effective your fact-finding will be. Ensure that you are fully aware of the intentions of management: What decisions will management need to make based upon your findings? What are the confidentiality concerns? What are the time concerns, and how should time constraints be balanced against the thoroughness of the investigations? How do they want you to report your findings?
2. Document thoroughly: No matter how simple the request from management, write it down—even if you're not sure if you will perform that aspect of work. Recognize that when working for legal counsel, the communications and findings to counsel are usually protected under the attorney-client privilege, which includes your notes and e-mail. However, this privilege may be lost if your chain of command or communication strays from legal counsel.
Click here for a list of links to information on U.S. law-enforcement technology.
3. Operate in good faith: Generally, you should follow instructions from management in the course of an investigation. However, it is possible that some investigative actions could be illegal. For instance, reverse hacking or "hack back" tactics could be a violation of law. Seizing or copying the computer of a non-employee third party could also be illegal. It is important to raise such concerns with management should they arise.
4. Don't get in over your head: Investigations are sexy, challenging and fun, but the environment that surrounds them can quickly become unfamiliar and outside your area of expertise. If any of the following conditions are true—or become true during an ongoing investigation—the organization will need to make a crucial determination as to whether to retain a professional computer forensic investigator or contact law enforcement:
The investigation involves a crime. Fraud, theft, hacking, threats, certain types of harassment. It is acceptable—and often good practice—for an organization to be the first responder, but when the commission of a crime is readily apparent, it is advisable to contact law enforcement. The investigation will likely result in serious discipline or termination of an employee. It is often advisable to have an outside consultant to provide court testimony or prepare critical investigation reports to be relied upon by senior management or outside auditors. The investigation requires that documents are prepared for court or a government investigative body. A legal discovery request may be required for civil lawsuits or during events such as mergers and acquisitions. This also includes requests for information from the Securities Exchange Commission for public companies. Large-scale investigations—investigations that cross many different boundaries, and people—should be conducted by experienced investigators.5. Make the decision to investigate: Before moving any further forward, you should consider that an investigation of an employee should involve your HR department. They are experts on employee law and can be very helpful. Rest assured they would be very interested. If you are now comfortable that you can go forward in good faith, then do so. Here are a few situations that you may encounter:
Worms, viruses and hacks. These problems are usually detected by employees and IT personnel. Unauthorized use of applications, software or Internet. These policy infractions are normally associated with minor discipline, though, in some circumstances they can result in termination. Be sure to evaluate the discipline level before going forward. Unauthorized use of e-mail. These investigations normally originate from a complaint. Be sure to analyze the intent of HR and/or management regarding discipline and remember the points made above.6. Treat everything as confidential: Regardless of who knows—or the rumors that surface—keep all information confidential and only disclose the information to those who need to know.
7. File it: Keep your documentation and file it. It's a good idea to have the information maintained by HR or legal, but be sure to file it in an organized manner regardless.
Those are the seven guidelines created by Colbert to help IT managers and staffs stay out of trouble when asked to conduct in investigation.