Monday, February 4, 2013

Why is it crucial to perform IT or computer forensics in a forensically sound manner?

One does not need to be a CSI fan to know that before a search can be performed, law enforcement requires a warrant to enter the premises. At a crime scene, it is crucial for law enforcement to handle the evidence properly to avoid tampering or contamination. The same principles apply to IT/computer forensics. This story will show you why.

The story begins like this: an information security chap was invited to an emergency meeting to discuss the potential dismissal of an employee who was suspected of breaching the company's policy. The meeting was called by a senior manager who was the department head of the suspected employee.

Mr. Senior Manager: Ladies and gentlemen, thank you for coming to this meeting. I'm sorry for the short notice, but let me assure you that this can no longer wait. Let me bring you up to speed. Two weeks ago, we suspected that Mr. White was involved in a fraud. Upon our investigation, we managed to find evidence that linked him to the fraud. I would like to thank our Miss System Admin here. Great job! Now we shall discuss how we can proceed to dismiss this employee as soon as possible.

Information Security chap: Thank you for letting me know now. Before we proceed, may I ask Miss System Admin, how did you perform the investigation and how did you gather that evidence?

Miss System Admin: I was approached by Mr. Senior Manager here a couple of weeks ago. He asked if I could connect to Mr. White's PC, access his files remotely, copy out all the files and perform analysis. Of course I can do that. I'm the system admin, right? I have admin rights that allow me to connect to everywhere. So, I did exactly what was asked. I copied all his files and emails to my laptop, then I went through them on my laptop.

Information Security chap: I see. And I assume that you got all the approvals to do so...

Miss System Admin: I think so. It was Mr. Senior Manager who asked me to do it, since he is the boss of the suspect. Therefore, there is no problem, right?

Mr. Senior Manager: Yes, I asked her to do it.

Information Security chap: (*starting to worry...*) Mr. Senior Manager, you did check with HR, legal, data protection, etc. before you proceeded, right?

Mr. Senior Manager: Nope. Should I? I'm his boss, I think I have the right to do so.

Information Security chap: Hmm... now things just got very complicated. We may not be able to dismiss that employee. Not before fighting a tricky legal battle. I'm not a legal expert, but should Mr. White decide to take this to court, I'm pretty sure we would lose the lawsuit on technical grounds. Not only that, you and Miss System Admin here might be incriminated as well.

Mr. Senior Manager: What are you saying exactly?