Investigating Computer System Abuse
Help for Human Resources

Dan Michaluk and Kathryn Bird
HRPA 2011
February 2, 2011

Upload: dan-michaluk

Post on 28-Jan-2015

Outline

• Investigation basics

• Sources of digital evidence

• Why digital evidence is different

• Preservation best practices

• Interview tips

• Managing the investigation record

Investigation Basics

• Your objectives

• To gather relevant evidence

• To weigh the reliability of the evidence

• To draw one or more reliable conclusions of fact

• To appear neutral throughout

Investigation Basics

• Process flow

• Receive complaint or identify problem

• Define questions of fact

• Investigate covertly (identify, gather and preserve)

• Interview respondent employee

• Investigate response as necessary

• Draw conclusions

Investigation Basics

• Employer access to employer systems

• Generally okay with a “no expectation of privacy” policy, but personal use is changing expectations

• But a policy that sets out an audit right and an investigation right is good practice

• Identify how investigations are authorized

• Treat information gathered with a view to scrutiny

Sources of Digital Evidence

• Your pre-confrontation sources

• Your servers

• E-mail

• Voice mail

• Mobile messaging

Sources of Digital Evidence

• Your pre-confrontation sources

• Your network “clients”

• Stored information

• Specially captured information*

*Beware: highly intrusive

Sources of Digital Evidence

• Your post-confrontation sources

• Thumb drives, cameras and other peripherals

• Media cards on mobile devices

• Peer to peer mobile communications

• Messaging applications

• Transfers through other applications

• Home computers

Sources of Digital Evidence

• Third-party sources

• Internet service providers

• Telecommunications carriers

Why Digital Evidence is Different

• Proving authenticity can be very difficult

• Can be readily altered

• Alterations may not be testable

Why Digital Evidence is Different

• People think it’s private

• Conversations are now stored

• E-mail is bad, chat is worse

• Chat is becoming more prevalent

• E-mail and chat are producible

Preservation of Digital Evidence

• Preservation through collection

• Decide who will collect

• Is it a forensics case?

• What’s at stake?

• Is your IT staff qualified?

• Will the person collecting be available?

• Will the person collecting be a good witness?

• Preserve a copy before you review!

Preservation of Digital Evidence

• Record the chain of custody

• Identify where the copy came from

• Identify the physical object by description

• Record the time and date

• Sign it

• Secure it
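One way to make "preserve a copy before you review" and the chain-of-custody items above checkable later, as an added example that is not part of the original slides. Hashing with SHA-256 is an addition the slides do not mention; the file names, collector name and asset tag are constructed placeholders.

```python
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large mailbox exports do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve_copy(source, dest_dir, collector, source_description):
    """Copy `source` into `dest_dir` before anyone reviews it; return a custody record."""
    before = sha256_of(source)
    dest = os.path.join(dest_dir, os.path.basename(source))
    shutil.copy2(source, dest)                     # copy2 keeps the file timestamps
    after = sha256_of(dest)
    if before != after:
        raise OSError("copy does not match source; do not rely on it")
    os.chmod(dest, stat.S_IREAD)                   # secure it: preserved copy is read-only
    return {
        "source_location": os.path.abspath(source),    # where the copy came from
        "source_description": source_description,      # the physical object, by description
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_by": collector,                     # the person who signs the record
        "preserved_copy": os.path.abspath(dest),
        "sha256": after,
    }

def verify_copy(record):
    """True if the preserved copy still matches the hash written at collection time."""
    return sha256_of(record["preserved_copy"]) == record["sha256"]

def demo():
    """Constructed sample: preserve a fake mailbox export, then simulate an alteration."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "mailbox_export.txt")
    with open(src, "w") as f:
        f.write("From: a@example.com\nSubject: constructed sample\n")
    vault = os.path.join(work, "vault")
    os.mkdir(vault)
    record = preserve_copy(src, vault, "J. Collector", "Laptop, asset tag PLACEHOLDER-001")
    intact = verify_copy(record)
    os.chmod(record["preserved_copy"], stat.S_IWRITE | stat.S_IREAD)
    with open(record["preserved_copy"], "a") as f:
        f.write("altered")                         # any later change breaks the hash
    return record, intact, verify_copy(record)

if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print(json.dumps(rec, indent=2), ok_before, ok_after)
```

Print the record, have the collector sign and date it, and review only further copies made from the preserved one.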

Preservation of Digital Evidence

• Preserving web pages

• Difficult to do a true forensic capture

• There are services and software tools, but they need to be applied with care

• If it is about words on the screen, periodically printing and signing or taking a screen capture may suffice

• But otherwise, get help

Preservation of Digital Evidence

• Exit procedures are important

• Computers should be held for a cooling off period

• Mobile devices can be remotely wiped

• Routine preservation may often be warranted

Interview Tips

• Basic tips

• Build rapport and stress neutrality

• Sit face to face, not behind a desk

• Take notes, don’t tape

• Save the interrogation for interview #2

Interview Tips

• Show the witness the records

Interview Tips

• How to handle, “Someone must have accessed my computer!”

• Who knew your password?

• Who had access to your office?

• Where were you? Were you with someone else?

• Consider circumstantial evidence (e.g. content of communication, timing of e-mails)

• Go through every event

Interview Tips

• Turn logs into usable evidence

• Probe at…

• …time period

• …frequency

• …volume

• …and other contextual facts shown by logs

Interview Tips

• Turn logs into usable evidence

• This shows sixty downloads in the month of May. Does that accurately represent your activity over that period?

• You mostly downloaded from a site called “BT Junkie”, correct?
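An added example, not from the original slides, of reducing a raw log to the time period, frequency, volume and contextual facts that the two "Turn logs into usable evidence" slides say to probe. The log format (ISO timestamp, user, host, bytes), the user names and the host names are assumptions, and the sample lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample lines in an assumed format: ISO timestamp, user, host, bytes.
SAMPLE_LOG = """\
2010-05-03T09:14:02 jdoe tracker.example.net 734003200
2010-05-03T09:40:51 jdoe tracker.example.net 1468006400
2010-05-04T12:05:10 asmith news.example.org 48211
2010-05-11T22:31:45 jdoe tracker.example.net 367001600
2010-05-19T13:02:09 jdoe files.example.com 5242880
malformed line that the parser must skip
2010-06-01T08:59:30 jdoe tracker.example.net 104857600
"""

def summarize(log_text, user, year, month):
    """Summarize one user's activity in one month as facts an interviewer can put."""
    rows, skipped = [], 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            who, host, size = parts[1], parts[2], int(parts[3])
        except (IndexError, ValueError):
            skipped += 1          # report unparsed lines rather than hiding them
            continue
        if who == user and (ts.year, ts.month) == (year, month):
            rows.append((ts, host, size))
    if not rows:
        return {"events": 0, "skipped_lines": skipped}
    hosts = Counter(host for _, host, _ in rows)
    top_host, top_count = hosts.most_common(1)[0]
    return {
        "first_event": min(r[0] for r in rows).isoformat(),    # time period
        "last_event": max(r[0] for r in rows).isoformat(),
        "events": len(rows),                                    # frequency
        "active_days": len({r[0].date() for r in rows}),
        "total_bytes": sum(r[2] for r in rows),                 # volume
        "top_host": top_host,                                   # contextual facts
        "top_host_share": round(top_count / len(rows), 2),
        "outside_9_to_5": sum(1 for r in rows if not 9 <= r[0].hour < 17),
        "skipped_lines": skipped,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "jdoe", 2010, 5).items():
        print(f"{key}: {value}")
```

Each figure maps to one interview question, and the skipped-line count belongs in the record so the summary cannot be challenged as silently incomplete.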

Managing the Investigation Record

• Records produced in the course of an investigation will not be privileged except in the most extraordinary circumstances

• So everything you create may be producible

Managing the Investigation Record

• Tips for keeping a “tight” record

• Don’t conclude before you conclude

• Interview notes have factual observations only

• Don’t think over e-mail

• Don’t send draft reports by e-mail

Managing the Investigation Record

• The logic of the written report

• Conclusions and recommendations

• Facts

• Evidence

• What’s relevant

• What’s reliable

• What’s compelling
