Thoughts and ideas on Digital Forensics and Data Security.
The other day, I received a call from a new client telling me that he needed our services. This was an attorney that we had met at a presentation on digital forensics. He seemed anxious as he discussed with me the matter. Here is the synopsis:
An employee of his client quit and went to work for a competitor. Not only that, this happened a few months ago and it now looks like another employee of the client is helping the ex-employee… possibly getting ready to leave. (NOTE: This is standard MO. When 1 employee leaves, almost always another will follow a few months later.)
At this point in time, I asked the attorney 3 questions:
1. How quickly can we make forensic images of the computers used by the ex-employee and existing employee?
2. How quickly can we make a forensic collection of the company email store and network drive?
3. Can we have a copy of the client’s corporate Employee Acceptable Use policy sent to us?
The attorney, sounding upset, continued his story. He told me that the company doesn’t have a strict email policy and that many employees use gmail or hotmail accounts instead of the company email. He also went on to say that the computer the ex-employee used was “recycled” to another employee. Fortunately, though, the IT department used Norton Ghost to image his machine before they reformatted his hard drive and gave it to someone else. (NOTE: This is a VERY typical, and unfortunate, scenario.)
The attorney was calling us because he remembered the presentation and that we could restore deleted data and review emails and he had an image… so he thought.
I explained to the attorney that we would do what we could; however, there were going to be some significant hurdles. The biggest hurdle was that the Norton Ghost image was not a forensic image; it was a copy of selected live data made with non-forensic tools by an individual who is inherently biased, as he worked directly for the client. I explained to the attorney that we could take a forensic image of the existing employee’s computer and work with that. I also explained that using webmail accounts can create additional issues for both email reconstruction and identifying account ownership. After discussing these issues with the attorney, he asked me what we could do with the evidence that was left. These are the steps I gave him:
1) Forensically image the computer used by the existing employee
2) Review the data from Norton Ghost
3) Forensically image the recycled computer (not likely to obtain results, but protect from any further damage)
4) Review network storage for any activity
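Steps 1 and 3 both call for a forensic image, and the Ghost image was rejected above precisely because it was not one. The following shell script is an added example, not code from the original post, showing what separates a forensic image from a file copy: a bit-for-bit copy with dd, SHA-256 hashes of the source taken before and after imaging and of the image itself, and a custody record written alongside. The 64 KiB sample "drive" is a constructed file standing in for a write-blocked device; the EXAMINER variable and the log layout are assumptions, not any tool's format.

```shell
#!/bin/sh
# Added example (not from the original post): bit-for-bit imaging of a
# constructed sample "drive" with SHA-256 verification and a custody log.
# Assumes POSIX sh, dd, head, and sha256sum or shasum. In practice the
# source is a block device behind a hardware write blocker, e.g. a
# hypothetical /dev/sdb, not a file.

hash_file() {
    # SHA-256 of a file; falls back to shasum where sha256sum is absent
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_sample_drive() {
    # Constructed 64 KiB stand-in for a drive (16 blocks of 4096 bytes)
    yes "constructed sample sector data" | head -c 65536 > "$1"
}

verify_image() {
    # Succeeds only when source and image are byte-identical by hash
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    [ "$src_hash" = "$img_hash" ]
}

forensic_image() {
    src="$1"; img="$2"; log="$3"
    pre_hash=$(hash_file "$src")          # hash the source before imaging
    # Bit-for-bit copy. noerror: continue past read errors; sync: pad the
    # failed block with zeros so every later offset still lines up.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(hash_file "$img")
    post_hash=$(hash_file "$src")         # source must be unchanged by imaging
    if [ "$pre_hash" = "$img_hash" ] && [ "$pre_hash" = "$post_hash" ]; then
        status=VERIFIED
    else
        status=MISMATCH
    fi
    # Minimal custody record: who, when, what, and the three hashes
    {
        echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "examiner=${EXAMINER:-unset}"     # assumed env var, set by the examiner
        echo "source=$src"
        echo "image=$img"
        echo "source_sha256_before=$pre_hash"
        echo "image_sha256=$img_hash"
        echo "source_sha256_after=$post_hash"
        echo "status=$status"
    } >> "$log"
    [ "$status" = VERIFIED ]
}

# Stand-alone demonstration
work=$(mktemp -d)
make_sample_drive "$work/drive.raw"
forensic_image "$work/drive.raw" "$work/drive.dd" "$work/custody.log" \
    && echo "full image: verified"
# A copy of "selected data" (the Norton Ghost situation) is not a bit-for-bit
# image; the hash check is what exposes that before anyone relies on it.
head -c 32768 "$work/drive.raw" > "$work/partial.dd"
if verify_image "$work/drive.raw" "$work/partial.dd"; then
    echo "partial copy: verified"
else
    echo "partial copy: does not match source"
fi
cat "$work/custody.log"
rm -rf "$work"
```

The three hashes are the point: the before/after source hashes show the evidence was not altered by the acquisition, and the matching image hash is what lets a later examiner, or opposing counsel, confirm they are working from the same bits. A logical copy of chosen files, however carefully made, can never produce that record.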
The BIGGEST thing to remember is that to be preserved, data needs to be forensically imaged. It is critical that when employees leave, data be properly preserved – even if the client doesn’t suspect a lawsuit will arise. Some of the lawsuits we have seen arise AFTER an employee has left involve:
· Breach of Contract
· IP Theft
· Sexual Harassment
· Discrimination
· Financial Mismanagement
Forensic preservation of electronic data is important for both eDiscovery and MEDiscovery.