Monday, February 4, 2013

Why is it crucial to perform IT or computer forensics in a forensically sound manner?

One does not need to be a CSI fan to know that before a search can be performed, law enforcement needs a warrant to enter premises. At a crime scene, it is crucial for law enforcement to handle the evidence properly to avoid tampering or contamination. The same principles apply to IT/computer forensics. This story shows why.

The story begins like this: an information security chap was invited to an emergency meeting to discuss the potential dismissal of an employee suspected of breaching company policy. The meeting was called by a senior manager, the department head of the suspected employee.

Mr. Senior Manager: Ladies and gentlemen, thank you for coming to this meeting. I'm sorry for the short notice, but let me assure you that this can no longer wait. Let me bring you up to speed. Two weeks ago, we suspected that Mr. White was involved in a fraud. Upon our investigation, we managed to find evidence that linked him to the fraud. I would like to thank our Miss System Admin here. Great job! Now we shall discuss how we can proceed to dismiss this employee as soon as possible.

Information Security chap: Thank you for letting me know now. Before we proceed, may I ask Miss System Admin how she performed the investigation and how she gathered that evidence?

Miss System Admin: I was approached by Mr. Senior Manager here a couple of weeks ago. He asked if I could connect to Mr. White's PC, access his files remotely, copy out all the files and perform analysis. Of course I can do that. I'm the system admin, right? I have admin rights that allow me to connect to everything. So, I did exactly what was asked. I copied all his files and emails to my laptop, then I went through them on my laptop.

Information Security chap: I see. And I assume that you got all the approvals to do so...

Miss System Admin: I think so. It was Mr. Senior Manager who asked me to do it, since he is the boss of the suspect. Therefore, there is no problem right?

Mr. Senior Manager: Yes, I asked her to do it.

Information Security chap: <*starting to worry...*> Mr. Senior Manager, you did check with HR, legal, data protection etc. before you proceeded, right?

Mr. Senior Manager: Nope. Should I? I'm his boss, I think I have the right to do so.

Information Security chap: Hmm... now things just got very complex. We may not be able to dismiss that employee. Not before fighting a tricky legal battle. I'm not a legal expert, but should Mr. White decide to take this to court, I'm pretty sure we would lose the lawsuit on technical grounds. Not only that, you and Miss System Admin here might be incriminated as well.

Mr. Senior Manager: What are you saying exactly?

Information Security chap: First mistake, which could lead to legal issues: from a data protection perspective, the local law is pretty tough on this. One cannot access another person's personal data without first obtaining consent from that person. In this case, it is obvious that consent was not obtained. So, both of you might have committed a legal offence. Not only that, you might have issues with the workers' council as well, as an investigation of an employee may require their approval.

Second mistake: the evidence was not acquired in a forensically sound manner. For one, it was acquired without a proper method ensuring there was no tampering during the acquisition. A write blocker was not used. In layman's terms, it is just like not wearing gloves when you autopsy a body. Any defense lawyer worth his salt will frantically ride on this point to stop the admission of the evidence.

Miss System Admin: <*starting to sweat like hell*> Wow... WAIT. Please don't scare me. I've done nothing wrong. I just followed orders...

Information Security chap: My advice for you now would be to engage our legal department immediately. You may be able to get away with the legal offence, but the evidence you captured would certainly not stand. You should have contacted the information security team immediately so that we could do this right from the beginning. We have people who can perform IT and digital forensics in a forensically sound manner. We also have the right tools.

Moral of the story?
1. Make sure you have proper clearance before you perform digital forensics. Most importantly, seek legal approval. It is for your own protection as the investigator.
2. Ensure that the acquisition process is done in a forensically sound manner. The last thing you want is for your hard work to be deemed useless and inadmissible.
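What "forensically sound acquisition" looks like in practice, as an added example that is not part of the original post: the source is hashed before copying, the image is hashed after copying, both hashes are written into an acquisition record that travels with the evidence, and every later examination re-hashes the working copy against that record. The sample "evidence" bytes, case id and examiner name below are constructed for the example, and the in-memory copy stands in for a forensic imager behind a hardware write blocker; the integrity check is what a real imaging workflow records.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample evidence source (stands in for a disk or a user's file
# share). Not taken from the original post.
SOURCE = b"Quarterly report draft v3 -- internal -- do not distribute\n" * 100


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; the value recorded in the chain-of-custody file."""
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, case_id: str, examiner: str) -> dict:
    """Produce a bit-for-bit image of `source` together with an acquisition record.

    The record holds the hash of the source taken *before* copying and the hash
    of the image taken *after* copying. Equal values demonstrate that the copy is
    complete and unmodified; the record (not the examiner's memory) is what is
    later shown to prove that. In a real acquisition the copy step is a forensic
    imager reading through a write blocker; here it is an in-memory copy.
    """
    source_hash = sha256_hex(source)
    image = bytes(source)  # bit-for-bit copy of the source
    image_hash = sha256_hex(image)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "size_bytes": len(image),
        "verified": source_hash == image_hash,
    }
    return {"image": image, "record": record}


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash an image (before analysis, or when challenged) against its record.

    Returns False on any change: a flipped byte, a truncated copy, or an image
    that was simply never hashed at acquisition time.
    """
    return (
        len(image) == record["size_bytes"]
        and sha256_hex(image) == record["image_sha256"]
    )


def open_working_copy(acquisition: dict) -> bytes:
    """Hand the analyst a copy to work on, refusing if the image no longer verifies.

    Analysis happens on this copy; the original image and its record stay
    untouched so the analyst's work can be reproduced from them later.
    """
    if not verify_image(acquisition["image"], acquisition["record"]):
        raise ValueError("image failed integrity verification; do not analyse")
    return bytes(acquisition["image"])


if __name__ == "__main__":
    acq = acquire(SOURCE, "CASE-0001", "examiner-a")
    print("acquisition record:", acq["record"])

    working = open_working_copy(acq)
    print("working copy verifies:", verify_image(working, acq["record"]))

    # The scenario from the post: files copied to a laptop and browsed with no
    # hash taken. Any single-byte change is indistinguishable from the original
    # unless a record like the one above exists; with it, the change is caught.
    tampered = bytearray(acq["image"])
    tampered[0] ^= 0xFF
    print("tampered copy verifies:", verify_image(bytes(tampered), acq["record"]))
```

The hashes prove that the copy the examiner worked on is the copy that was acquired; they say nothing about whether the examiner was entitled to acquire it, which is why the first moral (clearance and legal approval) comes before the second.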

Ain't security fun? ;) 
