What if an employee visits the Human Resources Department with allegations that a colleague sent them offensive emails? What if the suspected employee deleted certain files from their computer? What would you do?
Digital forensics can retrieve deleted files and allow HR professionals to make decisions based on facts. The above scenario is just one example of an incident that HR professionals might encounter within their organisation.
Suspected employee misconduct is sometimes not fully investigated to confirm or deny any allegations, it is important for HR professionals to understand the nature of IT evidence. Simply browsing an employee’s computer or asking the IT staff to supply email files for HR review will sometimes not be sufficient to uncover the real facts in a case.
Whenever IT is involved, an employee investigation should follow the chain of custody procedures where the original evidence should never be analyzed or tampered with but secured in a forensics manner, in most cases a forensic copy of the original evidence must be used in an investigation.
Following the chain of custody procedures is not an option but a rule which every organization must be compliant with in order to ensure admissibility of evidence in a court of law.
The following are just a few selected examples of HR incidents that might require digital forensics analysis:
• Fraudulent activities
• Unfair dismissal
• Breach of contract
• Intellectual property theft
• Offensive communication
• Viewing inappropriate material
Even the most careful and articulate employee will leave traces showing their actions and intentions. The key is to collect and preserve this information and then identify the suspect’s IT related activities that will establish facts and a timeline related to the allegations.
There are a variety of different potential sources that might contain relevant digital evidence. Examples of corporate IT equipment used by employees include computers, mobile phones, servers, tablets such as iPads. Examination of company owned devices can show and explain the – who, what, when, why and where.
It is important to develop a set of standard operating procedures for HR investigations so that untrained individuals know what to do during these situations. HR Professionals should work with the IT department to ensure that IT evidence is retrieved in a forensically sound manner. This must be done by trained staff or external consultants.
It is important that the individual covering this takes down detailed notes from the beginning to ensure all actions taken are fully documented – preferably in a notepad with numbered pages, in addition the time and date should also be recording for each action/step. This will help ensure that if this information is admissible in court.
Once you have identified a potential risk it is important to get advice from a forensic expert to ensure the situation is dealt with correctly. It is important to minimize access to the IT evidence to avoid the risk of losing potential evidence.
HR Professionals should be aware of the role of digital forensics and how it can help confirm or deny employee allegations of misconduct. Adhering to digital forensic procedures that are based on the chain of custody rule will also protect the organization in case of legal or noncompliance proceedings.