Private Sector Investigations Flashcards

1
Q

Understanding Private-Sector Investigations

A

-Private-sector investigations involve private companies and lawyers who address company policy violations and litigation disputes
+Example: wrongful termination
-Businesses strive to minimize or eliminate litigation
-Private-sector crimes can involve:
+E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
-Businesses can reduce the risk of litigation by publishing and maintaining policies that employees find easy to read and follow
-Most important policies define rules for using the company’s computers and networks
+Known as an “Acceptable use policy”
-Line of authority - who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
-Businesses can reduce the risk of litigation by displaying a warning banner on computer screens at logon
+Informs end users that the organization reserves the right to inspect computer systems and network traffic at will, so they have no reasonable expectation of privacy on company systems

2
Q

Understanding Private-Sector Investigations Continued

A

-Businesses are advised to specify an authorized requester who has the power to initiate investigations. Should be incorporated into the Incident Response Plan.
-Examples of groups with authority
+Corporate security investigations
+Corporate ethics office
+Corporate equal employment opportunity office
+Internal auditing
+The general counsel or legal department
-During private investigations, you search for evidence to support allegations of violations of a company’s rules or an attack on its assets
-Three types of situations are common:
+Abuse or misuse of computing assets
+E-mail abuse
+Internet abuse
-A private-sector investigator’s job is to minimize risk to the company
-The distinction between personal and company computer property can be difficult with cell phones, smartphones, personal notebooks, and tablet computers
-Bring your own device (BYOD) environment
+Some companies state that if you connect a personal device to the business network, it falls under the same rules as company property
+Weigh your personal privacy before agreeing

3
Q

Maintaining Professional Conduct

A

-Professional conduct - includes ethics, morals, and standards of behavior
-An investigator must exhibit the highest level of professional behavior at all times
+Maintain objectivity
+Maintain credibility by maintaining confidentiality
-Investigators should also attend training to stay current with the latest technical changes in computer hardware and software, networking, and forensic tools

4
Q

Preparing a Digital Forensics Investigation

A

-The role of the digital forensics professional is to gather evidence that shows whether a suspect committed a crime or violated a company policy
-Collect evidence that can be offered in court or at a corporate inquiry
+Investigate the suspect’s computer
+Preserve the original evidence and perform the analysis on a copy, using a separate forensic workstation
-Chain of custody
+The route the evidence takes, and who handled it, from the time you find it until the case is closed or goes to court

5
Q

Overview of Company Policy Violation

A

-Employees misusing resources can cost companies millions of dollars
-Misuse includes:
+Surfing the Internet
+Sending personal e-mails
+Using company computers for personal tasks

6
Q

Private-Sector High-Tech Investigations

A

-As an investigator, you need to develop formal procedures and informal checklists
+To cover all issues important to high-tech investigations
+Ensures that correct techniques are used in an investigation

7
Q

Employee Termination Cases

A

-The majority of investigative work for termination cases involves employee abuse of corporate assets
-Incidents that create a hostile work environment are the predominant types of cases investigated
+Viewing pornography in the workplace
+Sending inappropriate e-mails
-Organizations must have appropriate policies in place

8
Q

Internet Abuse Investigations

A

-Recommended steps
+Use standard forensic analysis techniques and procedures
+Use appropriate tools to extract all Web page URL information
+Contact the network firewall administrator and request a proxy server log
+Compare the data recovered from forensic analysis to the proxy server log
+Continue analyzing the computer’s disk drive data
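The comparison step above, worked through as an added example (not from the original flashcards): URLs recovered from the suspect's drive are matched against proxy server log lines by URL and time, and each one is classified as corroborated, seen from a different client, or absent from the log. The log uses Squid's native access.log layout; the history records, log lines, the suspect's IP address and the clock-skew window are constructed assumptions.

```python
"""Compare URLs recovered from a suspect's disk with the proxy server log.

Added example, not part of the original flashcards. The proxy log follows
Squid's default native access.log layout; the history records, log lines,
the suspect's IP address and the clock-skew window are constructed
assumptions for illustration.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed: URLs carved from browser history on the suspect's drive (UTC).
RECOVERED_HISTORY = [
    ("2024-03-04T09:15:02Z", "http://example-gambling.test/slots?id=7"),
    ("2024-03-04T09:16:40Z", "http://example-gambling.test/cashier"),
    ("2024-03-04T11:02:11Z", "https://intranet.corp.test/timesheet"),
    ("2024-03-04T13:45:00Z", "http://files.example.test/movie.torrent"),
]

# Constructed: Squid native access.log lines
# (epoch.ms elapsed client status/code bytes method url user hierarchy type)
PROXY_LOG = """\
1709543702.113    245 10.20.30.41 TCP_MISS/200 15234 GET http://example-gambling.test/slots?id=7 - HIER_DIRECT/203.0.113.9 text/html
1709543800.551    120 10.20.30.41 TCP_MISS/200 8841 GET http://example-gambling.test/cashier - HIER_DIRECT/203.0.113.9 text/html
1709550131.009     88 10.20.30.41 TCP_TUNNEL/200 2210 CONNECT intranet.corp.test:443 - HIER_DIRECT/10.0.0.5 -
1709559900.404     61 10.20.30.99 TCP_MISS/200 5120 GET http://files.example.test/movie.torrent - HIER_DIRECT/198.51.100.7 application/x-bittorrent
"""

SUSPECT_IP = "10.20.30.41"  # assumed: DHCP lease held by the suspect's workstation
WINDOW_SECONDS = 300        # assumed tolerance for clock skew between disk and proxy


def parse_squid_line(line):
    """Parse one native-format Squid line into the fields we correlate on."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": float(fields[0]), "client": fields[2],
            "method": fields[5], "url": fields[6]}


def parse_proxy_log(text):
    return [r for r in map(parse_squid_line, text.splitlines()) if r]


def iso_to_epoch(stamp):
    dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def entry_matches(entry, url):
    """HTTPS is tunnelled with CONNECT host:port, so the proxy only sees the
    host; plain HTTP requests carry the full URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0] == urlsplit(url).hostname
    return entry["url"] == url


def corroborate(history, entries, suspect_ip, window=WINDOW_SECONDS):
    """For each recovered URL return (url, verdict, matching log entry).

    Verdicts: 'corroborated' (the proxy saw the suspect's IP fetch it near
    that time), 'other_client' (seen, but from a different IP, so the disk
    artefact alone does not tie it to the suspect's session), or
    'no_proxy_record' (no log line at all: cached, direct, or outside the log).
    """
    results = []
    for stamp, url in history:
        t = iso_to_epoch(stamp)
        verdict, match = "no_proxy_record", None
        for e in entries:
            if abs(e["ts"] - t) > window or not entry_matches(e, url):
                continue
            if e["client"] == suspect_ip:
                verdict, match = "corroborated", e
                break
            verdict, match = "other_client", e
        results.append((url, verdict, match))
    return results


if __name__ == "__main__":
    for url, verdict, entry in corroborate(RECOVERED_HISTORY,
                                           parse_proxy_log(PROXY_LOG), SUSPECT_IP):
        who = f"  (proxy client {entry['client']})" if entry else ""
        print(f"{verdict:16} {url}{who}")
```

The last history entry is the caveat worth noting: the torrent download appears in the proxy log, but from a different client address, so the disk artefact and the log disagree and the investigator has to resolve that (DHCP lease records, a second machine, a forged history entry) before attributing it.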

9
Q

Email Abuse Investigations

A

-To conduct an investigation you need:
+An electronic copy of the offending e-mail that contains message header data
+If available, e-mail server log records
+For e-mail systems that store users’ messages on a central server, access to the server
+Access to the computer so that you can perform a forensic analysis on it
+Your preferred computer forensics analysis tool
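How the first three items on this card fit together, as an added example that is not part of the original flashcards: the offending message's Received headers are walked to find the originating host, its Message-ID is looked up in the mail server log to find the queue ID, and the client address and authenticated user recorded by the server are compared with the header chain. The message and the log lines are constructed samples; the log mimics Postfix syslog output, and every host name, ID and user name is an assumption.

```python
"""Pull the header data and server-log records needed for an e-mail abuse case.

Added example, not part of the original flashcards. The message below and
the mail-server log lines are constructed samples; the log mimics Postfix
syslog output and the host names, IDs and user names are assumptions.
"""
import email
import re
from email import policy

# Constructed: the offending message as exported from the recipient's mailbox,
# with its full header block (the top Received line is the last hop).
SAMPLE_EMAIL = b"""\
Received: from mail.corp.test (mail.corp.test [10.0.0.25])
\tby mx.corp.test (Postfix) with ESMTP id 4A1B2C3D4E
\tfor <victim@corp.test>; Mon, 04 Mar 2024 09:20:11 +0000
Received: from WS-ACCT-17 (ws-acct-17.corp.test [10.20.30.41])
\tby mail.corp.test (Postfix) with ESMTPSA id 7F8E9D0C1B
\tfor <victim@corp.test>; Mon, 04 Mar 2024 09:20:09 +0000
Message-ID: <20240304092009.7F8E9D0C1B@mail.corp.test>
From: "A friend" <anon@example.test>
To: victim@corp.test
Subject: You know what you did
Date: Mon, 04 Mar 2024 09:20:08 +0000

Stop ignoring me.
"""

# Constructed: Postfix-style syslog lines from the submission server.
SAMPLE_SERVER_LOG = """\
Mar  4 09:20:09 mail postfix/smtpd[2231]: 7F8E9D0C1B: client=ws-acct-17.corp.test[10.20.30.41], sasl_method=PLAIN, sasl_username=jdoe
Mar  4 09:20:09 mail postfix/cleanup[2240]: 7F8E9D0C1B: message-id=<20240304092009.7F8E9D0C1B@mail.corp.test>
Mar  4 09:20:10 mail postfix/qmgr[1102]: 7F8E9D0C1B: from=<anon@example.test>, size=512, nrcpt=1 (queue active)
Mar  4 09:20:11 mail postfix/smtp[2250]: 7F8E9D0C1B: to=<victim@corp.test>, relay=mx.corp.test[10.0.0.30]:25, status=sent (250 2.0.0 Ok: queued as 4A1B2C3D4E)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s*)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")
QUEUE_RE = re.compile(r"\]: (?P<qid>[0-9A-F]+): ")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[\s,]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")


def parse_message(raw_bytes):
    return email.message_from_bytes(raw_bytes, policy=policy.default)


def received_chain(msg):
    """Hops oldest-first. Each MTA prepends its own Received header, so the
    bottom header is the first hop and the one closest to the sender."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())   # unfold and normalise whitespace
        m = RECEIVED_RE.search(flat)
        hops.append({k: (m.group(k) if m else None) for k in ("helo", "rdns", "ip", "by")})
    return hops


def originating_ip(msg):
    chain = received_chain(msg)
    return chain[0]["ip"] if chain else None


def server_log_evidence(msg, log_text):
    """Find the queue ID that carried this Message-ID, then gather every log
    line for that queue ID plus the client IP and authenticated user."""
    msg_id = str(msg.get("Message-ID", "")).strip()
    lines = log_text.splitlines()
    queue_id = next((QUEUE_RE.search(l).group("qid") for l in lines
                     if msg_id and f"message-id={msg_id}" in l and QUEUE_RE.search(l)), None)
    if queue_id is None:
        return None
    related = [l for l in lines if f": {queue_id}: " in l]
    client = next((CLIENT_RE.search(l) for l in related if CLIENT_RE.search(l)), None)
    sasl = next((SASL_RE.search(l) for l in related if SASL_RE.search(l)), None)
    return {"queue_id": queue_id,
            "client_ip": client.group("ip") if client else None,
            "sasl_username": sasl.group("user") if sasl else None,
            "lines": related}


def headers_agree_with_log(msg, log_text):
    """The originating IP in the header chain should match what the server
    logged; a mismatch points to forged headers or an unmapped relay."""
    ev = server_log_evidence(msg, log_text)
    return ev is not None and ev["client_ip"] == originating_ip(msg)


if __name__ == "__main__":
    msg = parse_message(SAMPLE_EMAIL)
    for hop in received_chain(msg):
        print(hop)
    print(server_log_evidence(msg, SAMPLE_SERVER_LOG))
    print("headers agree with log:", headers_agree_with_log(msg, SAMPLE_SERVER_LOG))
```

The reason for going to the server log rather than trusting the header alone is that anything below the first Received line written by a server you control can be forged by the sender; the server's own record of the client address and SASL user is the part the suspect could not edit.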

10
Q

Industrial Espionage Investigations

A

-All suspected industrial espionage cases should be treated as criminal investigations
-Staff needed
+Computing investigator who is responsible for disk forensic examinations
+Technology specialist who is knowledgeable of the suspected compromised technical data
+Network specialist who can perform log analysis and set up network sniffers
+Threat assessment specialist (typically an attorney)
-Guidelines when initiating an investigation
+Determine whether this investigation involves a possible industrial espionage incident
+Consult with corporate attorneys and upper management
+Determine what information is needed to substantiate the allegation
+Generate a list of keywords for disk forensics and sniffer monitoring
+List and collect resources for the investigation

11
Q

Interviews and Interrogations in High-Tech Investigations

A

-Becoming a skilled interviewer and interrogator can take many years of experience
-Interview
+Usually conducted to collect information from a witness or suspect
*About specific facts related to an investigation
-Interrogation
+Process of trying to get a suspect to confess
-Role as a computing investigator
+To instruct the investigator conducting the interview on what questions to ask
*And what technically plausible answers should look like, so evasive or impossible answers are recognized
-Ingredients for a successful interview or interrogation
+Being patient throughout the session
+Repeating or rephrasing questions to zero in on specific facts from a reluctant witness or suspect
+Being tenacious

12
Q

Understanding Data Recovery Workstations and Software

A

-Investigations are conducted in a computer forensics lab (or data-recovery lab)
+In data recovery, the customer or your company just wants the data back
-Computer forensics workstation
+A specially configured PC
+Loaded with additional bays and forensics software
-To avoid altering the evidence use:
+Write-blocker devices
*Block every write to the evidence drive at the hardware or driver level, so you can attach it to a workstation (or boot to Windows with it connected) without changing its contents; verify by hashing the drive before and after the examination

13
Q

Conducting an Investigation

A

-Gather resources identified in investigation plan
-Items needed
+Original storage media
+Evidence custody form
+Evidence container for the storage media
+Bit-stream imaging tool
+Forensic workstation to copy and examine your evidence
+Securable evidence locker, cabinet, or safe

14
Q

Gathering the Evidence

A

-Avoid damaging the evidence
-Steps
+Meet with the IT manager and interview them
+Fill out the evidence form, have the IT manager sign
+Place the evidence in a secure container
+Carry the evidence to the computer forensics lab
+Complete the evidence custody form
+Secure evidence by locking the container

15
Q

Understanding Bit-Stream Copies

A

-Bit-stream copy
+Bit-by-bit copy of the original storage medium
+Exact copy of the original disk
+Different from a simple backup copy
*Backup software copies only the files the file system knows about
*Backup software cannot copy deleted files or e-mail messages, or recover file fragments from unallocated and slack space
-Bit-stream image
+File containing the bit-stream copy of all data on a disk or partition
+Also known as “image” or “image file”
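An added example, not from the original flashcards, that makes the difference on this card concrete and also covers the keyword-list step from the industrial espionage card and the hash check from the write-blocker card: a small constructed "drive" is held in memory with one allocated file and the remnant of a deleted file. A file-level backup sees only the allocated file; the bit-stream copy reproduces every sector, hashes identically to the original, and a keyword search over the raw image finds the deleted content. The sector layout, the allocation table and the keyword list are all constructed assumptions.

```python
"""Bit-stream copy versus file-level backup, with hash verification.

Added example, not part of the original flashcards. A fixed-size byte
buffer stands in for the evidence drive: one allocated file, one deleted
file whose bytes remain in unallocated space, and empty sectors. The
allocation table is a plain dict standing in for file-system metadata,
and the keyword list is a constructed example.
"""
import hashlib

SECTOR = 512          # assumed sector size
DISK_SECTORS = 16     # assumed drive size (8 KiB)


def build_sample_disk():
    """Construct the evidence 'drive': an allocated file plus a deleted file's remnant."""
    disk = bytearray(SECTOR * DISK_SECTORS)
    alloc = {}  # filename -> (first sector, length); what a backup tool would consult
    report = b"Q1 sales summary: nothing unusual.\n"
    disk[SECTOR * 2:SECTOR * 2 + len(report)] = report
    alloc["report.txt"] = (2, len(report))
    # Deleted file: its directory entry is gone, but the data still sits on disk.
    secret = b"CONFIDENTIAL: Project Falcon source tarball sent to rival@competitor.test\n"
    disk[SECTOR * 7:SECTOR * 7 + len(secret)] = secret
    return bytes(disk), alloc


def backup_copy(disk, alloc):
    """What a file-level backup captures: only files the file system lists."""
    return {name: disk[SECTOR * s:SECTOR * s + n] for name, (s, n) in alloc.items()}


def bitstream_copy(disk):
    """Bit-by-bit copy of every sector, allocated or not (what dd does on a device)."""
    image = bytearray()
    for off in range(0, len(disk), SECTOR):
        image += disk[off:off + SECTOR]
    return bytes(image)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(original, image):
    """Acquisition check: the image hash must equal the hash of the original media.
    Running the same comparison on the original before and after an examination
    confirms the write-blocker kept the evidence drive unchanged."""
    return sha256(original) == sha256(image)


def keyword_search(data, keywords):
    """Case-insensitive search over the raw image (not just files): {keyword: [offsets]}."""
    low = data.lower()
    hits = {}
    for kw in keywords:
        needle = kw.lower().encode()
        offsets, i = [], low.find(needle)
        while i != -1:
            offsets.append(i)
            i = low.find(needle, i + 1)
        hits[kw] = offsets
    return hits


def backup_contains(backup, keyword):
    """Whether a file-level backup would have preserved the keyword at all."""
    needle = keyword.lower().encode()
    return any(needle in content.lower() for content in backup.values())


if __name__ == "__main__":
    disk, alloc = build_sample_disk()
    image = bitstream_copy(disk)
    print("image verified:", verify_image(disk, image), sha256(image))
    keywords = ["Project Falcon", "competitor.test", "sales summary"]  # constructed keyword list
    print("image hits :", keyword_search(image, keywords))
    print("backup hits:", {k: backup_contains(backup_copy(disk, alloc), k) for k in keywords})
```

Hit offsets come back as byte positions in the image, which is what you record in the report: sector 7 here, well outside any allocated file, is exactly the kind of location a backup could never have produced and a bit-stream image preserves.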

16
Q

Completing the Case

A

-You need to produce a final report
+State what you did and what you found
-Repeatable findings
+Repeat the steps and produce the same result
-If required, use a report template
-Report should show conclusive evidence
+Suspect did or did not commit a crime or violate a company policy
-Keep a written journal of everything you do
+Your notes can be used in court
-Answer the six Ws:
+Who, what, when, where, why, and how
-You must also explain computer and network processes

17
Q

Peer Review

A

-Peer review is an independent validation of the findings and reports
+Based on available best practices, documentation, training and experience
-Subject your forensic examination report and its findings to a peer review before they are released