March 6, 2015
Digital Forensics for Private & Corporate Investigators
We’ve recently received a few inquiries from our partners in private investigations asking about the services we offer and our capabilities in mobile forensic data extraction and other related services. It dawned on me that the potential for private investigators to utilize a trained digital forensic examiner is huge and mostly untapped. Further, there are areas of corporate investigations in which Human Resources and IT staff can utilize digital forensics to help bolster their cases involving violations of company acceptable computer/mobile device usage policies, intellectual property theft and internal information security breaches. So for the benefit of colleagues working in those industries, we’ll detail some cases in which our digital forensic expertise can help you & your clients and, in many cases, close the door to potential civil liability.
For legal reasons I won’t bore my readers with, when I left law enforcement, I immediately became a certified Private Investigator. As such, I also belong to a statewide group of Private Investigators who meet every other month to exchange ideas, tactics, expertise, knowledge, etc. And while I don’t own or operate a Private Investigations firm, the overlap of digital forensics into Private Investigations is something that I felt should be embraced and marketed toward. However (and at the risk that some of my colleagues in the group will read this), I will note that many of my contemporaries in Private Investigations are older, retired former law enforcement. Some of them have been retired for 20 years or more, long before the advent of mainstream digital forensics, especially in the private sector. This article is not specifically for them, but for all private investigators who feel their cases may be lacking in real, solid evidence to help their clients.
Another repeated theme in this blog is the noted differences between information technology (IT) and digital forensics. As part of this article, my hope is also to get IT and Human Resource personnel in corporate environments thinking about how a trained, experienced digital forensic practitioner can really help them in the unfortunate event they have an employee who violates one or more of several policies. Frankly, calling in a digital forensic examiner will likely be the best decision you make to help “cover your ass” from potential litigation following an incident.
Digital Forensics for Private Investigators
There are many different types of private investigators. To be sure, the networking group I belong to has corporate private investigators who work for larger law firms all the way down to the ‘lone wolf’ private investigator who conducts hours of surveillance on cheating spouses, insurance fraud suspects and other miscellaneous misanthropes. In the end, their jobs all boil down to one thing: clients and/or corporations are paying the private investigators to perform work that the police either won’t do or can’t do because of any number of limitations. So if the police routinely use digital forensics in their investigations, why shouldn’t private investigators do the same?
Of course, I know the answer is cost. However, there are many things that motivate clients. Fear, money, revenge, power and plain ole ego are just a few. The level of desperation and/or motivation in your client will dictate how much money they are willing to spend to help prove (or disprove) their case. For example, if a wife suspects her husband of cheating and she stands to gain a large sum of money through potential divorce proceedings, there could be a ton of usable, verifiable data on her husband’s old cell phone that could help prove the case. Text messages, pictures, email, video, web history, voicemail – all of these are potentially recoverable artifacts. If the client stands to gain thousands (or millions) of dollars in the divorce, the cost of $1000-1500 for a digital forensic exam on the old phone could be a proverbial drop in the bucket compared to the potential benefit. What’s more, when the data is extracted properly & reported, it can’t be manipulated. It is what it is, right there in black-and-white. That old phone that was thrown in a desk drawer now becomes the key evidence in your divorce case.
Decidedly less “seedy” is the potential for digital forensics to help in other civil law cases like texting-while-driving and distracted driving personal injury cases. Most smartphones contain a feature (or more than one) to catalog all of the activity on the device. When a private investigator is hired by a law firm to investigate a personal injury case where the accusation is that the responsible party was texting while driving, the proper extraction & analysis of the data on the phone will show all activity leading up to and right around the time of the accident. In the totality of circumstances, this can add value to the attorney’s case and force a cleaner settlement faster. Again, the cost for these services could be negligible compared to the overall scope of the lawsuit.
I’ve seen over time that the biggest challenge for private digital forensic practitioners is to get potential clients, such as attorneys and private investigators, into the mindset of simply thinking about digital evidence and how it can help add value to their cases. These examples are just a few, but they represent a huge contingent of private investigations.
Digital Forensics in Corporate Investigations
Perhaps even more ubiquitous in the overall scope of work in America is the potential for employee violations of varying degree while at work. It’s a tried and true concept that, as a business owner, your employees will account for the majority of your theft, data liability and loss. This is true for the clerk at 7-11 all the way up to the Administrative Assistant to the President of Acme Company with 25 years of service. Indeed, I’ve seen embezzlement happen within law enforcement agencies, so no industry is immune.
But the fact remains that no company can function adequately in 2015 without technology. Whether you’re a small one- or two-man operation or a huge multinational bank, technology makes business easier and saves us time, but it also creates another potential area for loss. It also gives employees another outlet to waste company time, which is yet another form of loss. So how can digital forensics help? No company wants to fire their employees. But there will come a time when, as a business owner, corporate investigator and/or human resource practitioner, you will have to discipline and/or terminate one or more employees because of inappropriate activity or behavior. The biggest fear when this happens is civil liability – “If I fire this person, will they sue me civilly?”
For example, if you work in human resources or corporate investigations for First National Bank and you get an internet activity report that one of your employees in the call center has bypassed the web filters and is looking at pornography while at work, that’s an obvious violation of acceptable use policy. But how do you investigate and prove that? If there is any potential (and there is always a potential) for civil liability, a trained digital forensic examiner can be called in to seize the evidence, examine the evidence, report the evidence and help solidify your case for suspension and/or termination. This evidence is vital to helping to close the door on potential litigation and it bears repeating – there is ALWAYS a potential for litigation for wrongful suspension, termination, etc. It doesn’t matter if you’re a multi-national corporation or a small LLC, you have to take the appropriate steps to make sure you are covered when and if you get served with civil suit papers. Conversely, if your company has been served with a lawsuit which claims some sort of damage related to use of electronic devices, a digital forensic examiner can be called in to help determine if any liability exists and to what extent.
Most data security breaches also happen from the inside, not from external hackers as we often see in the media. Whether intentional or not, the potential for an employee to plug a malware-laden USB thumb drive into your system, thus affecting the entire network, is real and happens quite often. Once the malware, worm or other virus-like program spreads its way through your network, there’s no telling what type of data loss could occur before detection. Once these incidents are discovered, it’s important to find out where they originated because 1) the origination date, time & location helps determine how much loss is associated with your data breach and 2) it helps prevent further breaches from the same source. If the attack was intentional and perhaps caused by a disgruntled employee, there could be legal (criminal & civil) implications as well. In cases like this, I can’t stress enough the importance of calling a digital forensic expert immediately. It’s very much like first-aid for your corporate network – the network has been “injured”, now you need to call an ambulance (i.e., a digital forensic examiner). To be frank, IT staff may find out about the breach and be able to tell you some things about how the breach affected the network, but they aren’t generally equipped to handle digital evidence, examine data and testify in official proceedings.
Wouldn’t it give you some real peace-of-mind to know the digital evidence of these types of incidents is right there in the employee file? If litigation should take place, even years later, when your attorney shows the opposing party the signed acceptable use policy and the digital evidence, backed by an experienced, trained digital forensic examiner, your suit will virtually melt away. Again, the data doesn’t lie.
The examples listed here are just a few among the dozens of areas where a digital forensic examiner can help both private investigators and corporate representatives in companies of any size. The key is to get in the right mindset from the start. There will almost always be a moment where you, as the investigator, jilted spouse, human resource professional, IT representative or corporate investigator are shocked at what you’ve discovered. Once that initial shock wears off, that is the time to start thinking about what to do next. One of your first thoughts should be to do what is necessary to secure the evidence you need to take appropriate action and call a professional to handle that evidence. From there, it’s up to the proper selection of the people you want and need to help in your case.
I hate clichés, but sometimes clichés are cliché for a reason… And it’s very true that an ounce of prevention is worth a pound of cure. Contact us to find out how we can help you get closer to your pound of cure.
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia