Departing Employees and
Workplace Investigations
COMPUTER FORENSICS AND LEGAL IMPLICATIONS
Companies frequently have to deal with departing em-ployees
who try to take confidential information to a
competitor and/or use the company’s confidential in-formation
to poach its clients and customers. Electronic
evidence – emails, USB file-transfers and cloud storage – often
forms the most important and compelling evidence available in in-vestigating
and preventing these situations.
There are five important steps companies can and should take to
preserve electronic evidence and protect their interests.
1. IDENTIFY SOURCES OF DATA
Many employees will have access to multiple devices and loca-tions,
each of which can hold important evidence. These typically
include hard drives, email and document servers, cloud storage
services and mobile devices. Where owned or paid for by the com-pany,
these can usually be accessed and reviewed.
2. MOVE QUICKLY TO QUARANTINE DEVICES
For both legal and technical reasons, it is essential to immediate-ly
quarantine and prevent any access to the devices at issue. From
a technical standpoint, continued access to and use of a computer
significantly increases the chances that key evidence will be inad-vertently
deleted or over-written, especially if it is assigned to a
new user. The kind of electronic evidence forensic searches can re-veal
is regularly over-written by the operating system and, in the
case of mobile devices, is typically wiped entirely when the device
is reset. Legally speaking, the company must be able to demon-strate
that the evidence was immediately quarantined and that
there was minimal risk of contamination. Failing to move quick-ly
can also prejudice the company’s ability to seek relief in court if
that is ultimately necessary.
3. FORENSICALLY IMAGE DEVICES
A forensic image is an exact duplicate of a computer at a given
point in time. It cannot be altered in any way. Server data and mo-bile
devices can also be forensically collected. A forensic image
is essential both to conducting an investigation and to protect-ing
the company if legal proceedings become necessary. It assures
the court that an independent expert has carefully preserved the
evidence and undermines any argument that the company has
tampered with the files. It also avoids the common problem that
important evidence is inadvertently deleted or written over in the
course of the investigation. Creating a forensically sound copy is
usually not expensive, but it does require specific expertise.
4. FORENSIC SEARCHES
Using the forensic image, several forensic searches can be done
(in addition to the email or document review the company might
otherwise undertake). First, an expert can search the device’s “un-allocated
space” to recover files that the employee deleted – this
By Aniko Kiss and Matthew Law
legal words
bestfoto77 / Shutterstock.com
HRPROFESSIONALNOW.CA ❚ FEBRUARY 2018 ❚ 13
/HRPROFESSIONALNOW.CA