Preserving Digital Evidence Before Your Digital Forensics Professional Arrives

In the world of digital forensics and e-discovery, the timely collection of potentially responsive information is of utmost concern to companies looking to protect their interests, especially when future litigation is a possibility.   

In this post, we will discuss some methods that IT departments can use to collect employee data even before a digital forensics professional is brought in. (Please keep in mind that you should always use a computer forensics professional anytime you know you will need to preserve evidence for potential litigation!)

In Cases of Employee Separation

Whenever a company experiences employee turnover, it is common practice for IT departments to repurpose an employee’s computer by installing a fresh disk image on the computer, providing a clean operating system along with typically-used applications.

In effect, this action overwrites, and for practical purposes destroys, the previous employee's data. Obviously, you don't want to bring in a digital forensics examiner when there is no reason to suspect bad behavior on the part of a departing employee, but that doesn't mean that you should routinely destroy employees' digital workspaces.

The advice that we have is simple: preserve your employees' data for a set period of time, say 12 months (or longer if a litigation hold or your retention policy requires it). You can do this very easily by removing the employee's workstation hard drive and installing a replacement. Label the removed drive with the employee's name, the date, and who removed it, then isolate it (an anti-static bag in a locked cabinet is enough) and store it, untouched, for the designated period. Do not boot from it or browse it in the meantime; every write changes the evidence.

In a world of cheap storage, the cost of this insurance might be about $100. By keeping the hard drive safely in storage, you are preserving potentially discoverable information that could aid you down the line.  

Should you need to initiate or respond to litigation, you’ll be glad that you preserved this data set. At any point, you can call in a digital forensics expert to retrieve the stored drive and create a forensically-sound copy that is suitable for e-discovery activities.

Investigating a Current Employee

What about investigating potentially malicious behavior in a current employee? 

There may be instances that you need to investigate a bad actor in your workforce without tipping them off to your activities. We can recommend two potential approaches that don’t require an onsite forensics visit: 

The Cloning Approach 

Let's suppose you want to inspect the hard drive of an employee you suspect of bad behavior. Using the cloning approach, you can ask your IT department to create a remote clone of the employee's hard drive. This can be accomplished with cloning software (like Norton Ghost) that many IT departments already use to create default installation images. Once your clone is created and copied to a replacement drive, you can remove the original drive and install the replacement.

Keep in mind that a clone made this way only appears to be identical to the original drive. By default, cloning tools copy the files and partitions the operating system can see, not every sector on the disk, so the clone will not contain deleted files, file slack, or anything else in unallocated space. This is known as a "logical" copy, as opposed to a sector-by-sector "physical" copy. That is why the clone goes back into the workstation and the original drive becomes the evidence, never the other way around. If done right, the employee should never notice anything has changed, and you can perform the entire switch during a lunch break.

Now that you have the original physical drive in your possession, you have time to bring in a digital forensics expert to create a forensic copy for preservation purposes. Until then, treat the original like the stored drives above: label it, record who removed it and when, and keep it powered off. The examiner will image it through a write blocker so that nothing on it is altered during duplication.

The Remote Preservation Approach

Another, more direct method you can use is a "remote forensic capture". In this method, your digital forensics experts ship you an encrypted USB drive that comes preloaded with forensic imaging software. Once you receive the drive, you call your forensics pro, who guides you through connecting the drive to the workstation. They take it from there and complete the duplication. The result is an encrypted, forensically sound, sector-by-sector image of the hard drive, with a hash computed during acquisition and verified against the stored image so that the copy can later be shown to be exact. When finished, disconnect the drive and ship it back to the forensic examiner.
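The difference between the "logical" clone from the cloning approach and the sector-by-sector image from the remote capture is easiest to see on a tiny disk. The following is an added example written for this post, not code from Data Narro or from any imaging product. It builds a constructed in-memory toy disk (a hypothetical layout used only here, not a real filesystem), writes two files, deletes one, and then takes both a file-level clone and a sector-level image with an acquisition hash and a verification hash. The deleted file's contents survive only in the sector-level image. The `FlakySource` class and the choice to zero-fill an unreadable sector are assumptions standing in for how imaging tools handle a bad sector on a physical drive.

```python
"""Logical clone vs. sector-level forensic image of a constructed toy disk."""
import hashlib
import io

SECTOR = 512


class ToyDisk:
    """Constructed in-memory disk (hypothetical layout, not a real filesystem).
    A directory maps file names to the sectors holding their data. Deleting a
    file only frees its sectors; the bytes stay on disk, which is exactly what
    makes unallocated space worth preserving."""

    def __init__(self, sectors):
        self.raw = bytearray(sectors * SECTOR)
        self.files = {}                      # name -> list of sector numbers
        self.free = list(range(sectors))     # unallocated sectors, in order

    def write_file(self, name, data):
        count = -(-len(data) // SECTOR)      # ceiling division
        secs = [self.free.pop(0) for _ in range(count)]
        for i, s in enumerate(secs):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.files[name] = secs

    def delete_file(self, name):
        # Free the sectors but leave their contents in place.
        self.free.extend(self.files.pop(name))


def logical_clone(disk):
    """Copy only allocated sectors, as a default clone job does. Unallocated
    sectors in the result (including freshly deleted data) come out empty."""
    out = bytearray(len(disk.raw))
    for secs in disk.files.values():
        for s in secs:
            out[s * SECTOR:(s + 1) * SECTOR] = disk.raw[s * SECTOR:(s + 1) * SECTOR]
    return bytes(out)


class FlakySource(io.BytesIO):
    """Constructed read source that fails on one sector, standing in for an
    unreadable sector on a physical drive (assumption for this example)."""

    def __init__(self, data, bad_sector):
        super().__init__(data)
        self.bad_sector = bad_sector

    def read(self, size=-1):
        if self.tell() // SECTOR == self.bad_sector:
            self.seek(self.tell() + size)    # move past the bad sector, then fail
            raise OSError("unreadable sector")
        return super().read(size)


def forensic_image(source, total_bytes):
    """Sector-by-sector acquisition. The acquisition hash is computed over the
    data as it is read; the verification hash is computed independently over
    the stored image. Unreadable sectors are zero-filled and recorded rather
    than dropped, so sector offsets in the image stay correct."""
    acquisition = hashlib.sha256()
    image = bytearray()
    bad_sectors = []
    for sector in range(total_bytes // SECTOR):
        try:
            chunk = source.read(SECTOR)
        except OSError:
            chunk = b"\x00" * SECTOR
            bad_sectors.append(sector)
        acquisition.update(chunk)
        image.extend(chunk)
    stored = bytes(image)
    return {
        "image": stored,
        "acquisition_hash": acquisition.hexdigest(),
        "verification_hash": hashlib.sha256(stored).hexdigest(),
        "bad_sectors": bad_sectors,
    }


def demo():
    """Constructed scenario: a file is written, then deleted, then the disk is
    both cloned and imaged. Returns what each copy preserved."""
    disk = ToyDisk(sectors=16)
    disk.write_file("budget.txt", b"Q3 budget: nothing unusual here.")
    secret = b"CONFIDENTIAL: copy of customer list sent to competitor"
    disk.write_file("notes.txt", secret)
    disk.delete_file("notes.txt")            # the employee 'cleans up'

    clone = logical_clone(disk)
    img = forensic_image(FlakySource(bytes(disk.raw), bad_sector=15), len(disk.raw))
    return {
        "secret_in_clone": secret in clone,
        "secret_in_image": secret in img["image"],
        "hashes_match": img["acquisition_hash"] == img["verification_hash"],
        "bad_sectors": img["bad_sectors"],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the deleted text absent from the logical clone but present in the sector-level image, the two hashes equal, and sector 15 recorded as unreadable. On a real drive the same three things are what an examiner's acquisition log documents: what was read, what could not be, and proof that the stored image matches what was read.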

In Conclusion 

In this post, we have shown you a few ways that you can preserve digital evidence even if you can’t bring a digital forensics professional in immediately. Of course, there are many more methods that can be used to preserve and protect data even before you become aware that you may need it. Give Data Narro a call to discuss proactive practices that IT departments can use to aid in e-discovery and information governance strategies! 

(RELATED ARTICLE: In a previous article, we discussed 7 do's and don'ts of preserving evidence for civil litigation. Check it out!)

Cover Photo Illustration by Data Narro. Photo by Quenani Leal from Pexels.