
Inappropriate E-mail

• Before performing any investigation on e-mail, you need to ensure that corporate policy allows it. New electronic privacy laws protect the privacy of electronic communications.
• If corporate policy specifically states that all computers and data stored on them belong to the corporation, then you are probably on safe ground.
• Be sure that there is such a policy and that the employee under investigation has read the policy before proceeding. Although this is one of the easiest investigations, it should be done strictly by the book.
• If the corporate policy does not contain the rights to the employee's e-mail, then you and your corporation could be subject to a lawsuit for invading the privacy of an employee.
• If the reason for an investigation is that there was inappropriate use of e-mail, either through the act of sending offensive material or for personal and non-work-related use, there is yet another set of questions that should be asked.
• These questions will help determine if there was inappropriate utilization of the company's e-mail systems and if further investigative action is required.
1. What was sent?
2. Can you obtain a copy from the complainant or recipient?
3. Is a copy available from the automated e-mail archive system?
4. Was someone offended? (This could be a harassment issue and require HR involvement.)
5. Who, if anyone else, received the material?
6. Was the individual under investigation the originator of the e-mail, or was it someone else?
7. How were you able to (or can you) validate this?
8. Could someone else have sent the e-mail using the ID of the individual under investigation?
9. Are screen-saver passwords used?
10. Could someone else use the PC of the individual under investigation?
11. Was the time that the e-mail was sent within the time the individual under investigation had access to e-mail?
12. Is auto-forwarding of e-mail used? Available? Activated?
13. Was a group list used?
14. Are there patterns or history to the e-mail usage?
15. Have there been previous warnings to the individual under investigation about the e-mail usage?
16. If so, are these warnings documented?
17. What was the intent of the e-mail?

Non-Work-Related Usage of Company Resources

If the reason for the investigation is about non-work-related use of company resources (i.e., PC, e-mail, or access to the Internet), the above questions apply, but there are additional questions that should be asked, including:

1. What exactly occurred? (Was the individual under investigation using his or her PC to engage in "moonlighting" work, e-mail for personal use, etc.?)
2. When did the incident occur?
3. How was it documented?
4. How often or how much does this happen?
5. Is the individual under investigation the only person engaged in this activity, or are there others?
6. How can you determine this?
7. Is the action a widely accepted company practice, albeit a violation of company policy?
8. Did the individual under investigation take the action for personal financial gain?
9. Was the non-work-related usage for personal use?
10. Is there a liability to the company due to the unauthorized use of company property?

Theft of Information
The theft of information raises the intensity and seriousness of an investigation to levels that may
exceed those established in previously discussed scenarios. The intensity of an investigation into the
theft of information will vary, depending on what type of information was stolen, its significance to the
company's ability to remain competitive, the nature and sensitivity of the information stolen, and what
was done with the stolen information. Some of the previously mentioned questions can be applied to
this type of investigation. However, there are additional questions that relate specifically to the theft of
information, including:
1. What type of information was stolen?
2. How has this been (or can this be) verified?
3. How much information was stolen?
4. How was the information stolen?
5. What is the impact or cost of the loss?
6. How can this loss be quantified?
7. How can this be substantiated?
8. Is the cost of the loss tangible or intangible (competitive information can be intangible)?
9. Has the goodwill of the company been damaged as a result of the theft?
10. Has the company lost a competitive edge due to the theft?
11. Was the information totally lost (e.g., copied and then erased or destroyed), or was it copied?
12. Was another company's information, beyond your own, compromised?
13. What was the level of security surrounding the information lost?
14. Who had access to the stolen information?
15. Can this be verified?
16. Are access logs available?
17. Are they free from potential, external tampering?
18. Were there procedures in place for the safe handling/accessing of the lost information?
19. Was the information proprietary, confidential, or restricted?
20. How was this classification determined and communicated?
Non-Liturgical Forensic Examination

When you have obtained the go-ahead from management to begin an investigation, you will find the steps and procedures for many types of investigations in this chapter. The most common type of investigation, and the main one this chapter discusses, is the non-liturgical examination. It covers:

• Isolation of equipment
• Isolation of files
• Tracking of Web sites visited
• Tracking of log-on duration and times
• Tracking of illicit software installation and use, and
• How to correlate the evidence found.

Isolation of Equipment

Should you need to isolate or quarantine equipment as a part of your investigation, you need to take a few steps to:

• Ensure the protection of the equipment
• Isolate and protect data from tampering
• Secure the investigation scene

First, you need to ensure that you have the authority to take the equipment. If you are taking any
equipment, you should first get authorization from management. If you take working equipment, they
will need to make arrangements to replace it while you conduct your investigation.

Chain of Evidence

The log must be kept under safe custody.
Who has access to the equipment?
Who retains control over the log?
Where is the log stored?
One of the first things you should do with the PC is "ghost it." This means that you should back
up everything on the PC. This way, you can ensure that you will not lose the data when you
conduct your investigation. This also preserves the original data that might be disturbed during
the investigation.
It is very important for the backup of any data under investigation that the programs used to
perform this backup be independent and have integrity. That is, the programs should not be
under the influence or control of any person or other program or system that is outside the
investigation team.
The integrity of the data and equipment needs to be ensured by the use of programs that will
not alter the original data in any way, either intentionally or accidentally.
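The "ghost it" step and the chain-of-evidence requirements above can be combined in one procedure: hash the original before and after the copy, hash the copy, refuse to proceed if the three do not agree, and append a custody record of who made the image and when. The following is an added example, not code from the original chapter; the evidence file, handler name and file names are constructed, and a real case would image a read-only mounted device rather than a temporary file.

```python
"""Verified evidence copy with a chain-of-custody log entry (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB pieces so a large image never has to fit in RAM


def sha256_of(path):
    """Hash a file without modifying it (opened read-only, binary)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source, image, log, handler):
    """Copy source to image, prove both match, and append a custody record.
    Returns the record as a dict; raises if the copy does not verify."""
    before = sha256_of(source)            # hash the original first
    shutil.copyfile(source, image)        # byte-for-byte copy
    os.chmod(image, 0o444)                # working copy is read-only as well
    after_source = sha256_of(source)      # original must be unchanged by the copy
    image_hash = sha256_of(image)
    if not (before == after_source == image_hash):
        raise RuntimeError("verification failed: source altered or image differs")
    record = {
        "when_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "handler": handler,               # who made the copy (assumed name)
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "sha256": image_hash,
        "size_bytes": os.path.getsize(image),
    }
    with open(log, "a", encoding="utf-8") as f:   # append-only custody log
        f.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed sample: a small 'evidence' file in a fresh temp directory."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence.bin")
    with open(src, "wb") as f:
        f.write(b"constructed sample data " * 1000)
    return image_and_verify(src, os.path.join(work, "evidence.img"),
                            os.path.join(work, "custody.log"), "investigator-1")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any later examination of the image can be checked against the logged hash with `sha256_of`, which is how the log proves the data was not disturbed during the investigation.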

Isolation of Files
Not all the data needed for an investigation will reside on a user's PC. Therefore, you need to
gain access to the same files and directories that the user has access to. The first thing to do is
to disable the user's ID. First, ensure that the administrator verifies what action (or actions) will
occur to the user's profile and accounts if the user's ID were to be disabled. Only after verifying
that no data will be lost, altered, or destroyed by disabling the ID, should the administrator
proceed to disable the user's ID.
Tracking of Web Sites Visited

If your investigation requires that you track what Web sites have been visited by an employee, you need to begin by reviewing the following items:

• Cookies
• Bookmarks
• History buffer
• Cache
• Temporary Internet files

Cookies

• Cookies are messages given to a Web browser by a Web server. The browser stores the message in a text file called cookie.txt. The message is then sent back to the server each time the browser requests a page from the server.

Bookmarks

• A bookmark is a marker or address that identifies a document or a specific place in a document.
• Bookmarks are Internet shortcuts that users can save on the Web browser. Thus, users do not have to remember or write down the URL or location of Web sites they might like to revisit in the future.
• Nearly all Web browsers support a bookmarking feature that lets users save the address (URL) of a Web page so that they can easily revisit the page at a later time.

History Buffer

• A buffer is a temporary storage area, usually in RAM. The purpose of most buffers is to act as a holding area, enabling the CPU to manipulate data before transferring it to a device (e.g., a printer, external device, etc.).

Cache

• Cache can be either a reserved section of main memory or an independent high-speed storage device.
• Two types of caching are commonly used in personal computers:
  • Memory caching
  • Disk caching
• A memory cache, sometimes called a cache store or RAM cache, is a portion of memory made of high-speed static RAM (SRAM) instead of the slower and cheaper dynamic RAM (DRAM) used for main memory.
• Memory caching is effective because most programs access the same data or instructions over and over. By keeping as much of this information as possible in SRAM, the computer avoids accessing the slower DRAM.
• Disk caching works under the same principle as memory caching; but instead of using high-speed SRAM, a disk cache uses conventional main memory.

Temporary Internet Files

Temporary Internet Files are those files that are "image captures" of each screen/site that you visit when you access the Internet or an intranet.

Tracking of Logon Duration and Times

If you need to review logon duration and times for a given user, you should contact the organization's network operations group (or similarly named/empowered department). This group can provide reports on any given IP address, user ID, and the times that the IP address and ID were logged into the network.

Recent Documents List
The recent documents list can show you the latest documents that a user has accessed. There
are two ways to see this list of documents, but only one shows you when the items on the list
were accessed. First, you can see the documents from the Start menu, under the Documents
"tab"/selection.
Tracking of Illicit Software Installation and Use

If you are investigating a user who may be loading illegal, illicit, or non-work-related software on his or her PC, there are a number of places to check within the PC in question to prove or disprove these unauthorized (and maybe even illegal) actions. Some of these key places include the System Registry, System Information, and simply viewing the hard drive's contents.

The System Review
The system review can be conducted using some automated methods. One of these methods is
to use the System Registry files. There are several System Registries. We discuss the two
primary Microsoft registry files. One is a list of all software loaded on the PC; the other is a more
comprehensive list of what is loaded, when it was loaded and how it is configured. Both can be
used to verify that illegal or non−work−related software or hardware was loaded onto a given
PC.
The Manual Review
One of the reasons for conducting the Manual Review as well as the System Review is to
ensure you have covered all of the bases. What the Manual Review will tell you, that the System
Review will not, is what actual applications reside on the PC.
Hidden Files
A hidden file is a file with a special hidden attribute turned on so that the file is not normally
visible to users. For example, hidden files are not listed when you execute the DOS DIR
command. However, most file management utilities allow you to view hidden files.
How to Correlate the Evidence
In other words, you need to ensure that the employee under investigation actually had access to
the equipment on the dates and times listed in the evidence.
For example, if the employee had a desktop PC and did not come to work on the date that
illegal software was downloaded on his PC, then you might need to look for other supporting
evidence (e.g., access logs indicating potential access from an external/remote location).
Be advised that the investigator must obtain solid evidence that the employee under
investigation actually had an opportunity and was actually using the PC at the time that the
unauthorized action took place. Failing to link the employee to the PC and to corroborate and
substantiate the evidence, in an irrefutable manner, will result in an inability to hold the
employee accountable for his or her actions and further to prosecute the employee via the
existing legal system.

Also, you need to ensure that you can adequately explain how the employee under review was
able to commit the offense, illegal act, unauthorized action, etc., and also be able to present
evidence/proof of how it was done. This proof should be simple to follow so that there is no
doubt that the offense was committed.
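The correlation described above can be made mechanical: take the logon report from network operations (see "Tracking of Logon Duration and Times") and, for each finding from the PC review, ask whether the employee under investigation had a session covering that moment, and if not, who did. The following is an added example, not code from the original chapter; the report lines, user names, host names and timestamps are all constructed, and the third finding shows the remote-access case the text mentions.

```python
"""Correlate PC-review findings with a logon report (added example)."""
from datetime import datetime

# Constructed network-operations logon report: user, host, logon, logoff.
LOGON_REPORT = """\
jdoe,WS-0142,2004-03-08 08:02,2004-03-08 17:15
jdoe,WS-0142,2004-03-09 07:58,2004-03-09 16:40
msmith,WS-0142,2004-03-10 09:05,2004-03-10 12:30
jdoe,VPN-GW1,2004-03-10 21:10,2004-03-10 23:05
"""

# Constructed findings from the PC review: what was found and when.
FINDINGS = [
    ("unauthorized_install", "2004-03-08 13:22"),  # during jdoe's desk session
    ("unauthorized_install", "2004-03-10 10:11"),  # jdoe absent, msmith logged on
    ("unauthorized_install", "2004-03-10 22:47"),  # jdoe connected remotely
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_report(text):
    """Turn the report into (user, host, start, end) tuples."""
    sessions = []
    for line in text.strip().splitlines():
        user, host, start, end = line.split(",")
        sessions.append((user, host, _t(start), _t(end)))
    return sessions


def correlate(findings, sessions, suspect):
    """For each finding, record whether the suspect had a session covering it
    and who else was logged on; an uncovered finding needs other evidence."""
    results = []
    for what, when in findings:
        t = _t(when)
        present = [(u, h) for u, h, s, e in sessions if s <= t <= e]
        suspect_hosts = [h for u, h in present if u == suspect]
        results.append({
            "finding": what, "time": when,
            "suspect_logged_on": bool(suspect_hosts),
            "suspect_hosts": suspect_hosts,
            "others_logged_on": [u for u, h in present if u != suspect],
        })
    return results


if __name__ == "__main__":
    for r in correlate(FINDINGS, parse_report(LOGON_REPORT), "jdoe"):
        print(r)
```

A finding with `suspect_logged_on` false and another user present (the second one here) is exactly the case where the evidence does not yet link the employee to the PC, so it must be corroborated from other sources or it cannot be held against the employee.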
