A digital forensics investigation can expose employees’ misuse of technology.

By Tamara Lytle Jan 1, 2012
December Cover

If an employee slipped out of your company with enough confidential paperwork to fill 16,000 inch-thick books, surely someone would notice.

But an employee carrying a 16-gigabyte thumb drive holding that amount of information could walk out unnoticed with the 2-inch device in his pocket. And a company's trade secrets, client lists, pricing information or other sensitive data could walk out with that employee.

"More and more, a company's value is not contained in physical things, it's in intellectual property," says Rich Plansky, senior managing director of business and intelligence investigations for Kroll, a risk consulting company.

Advances in technology that make work easier also make it simpler to steal information, harass co-workers, spend the workday looking at pornography or engage in other misdeeds.

Brett Barson, SPHR, human resources director of Wadman Corp., a construction management company in Ogden, Utah, says his employer has experienced data breaches as a result of these technology advances. "Data was leaking out of our company like a sieve," he says. The breaches prompted stiffer rules on personal use of work computers and on taking information out of the office.

New technology is also being deployed by Barson and other HR leaders to investigate employees who engage in illegal, unethical or inappropriate conduct.

"The forensic evidence is often so compelling that the accused doesn't really stand a chance in court," says Glenn Dardick, director of the Association of Digital Forensics Security and Law. Dardick also conducts investigations and is an associate professor of information systems at Longwood University in Virginia.

A growing field called digital forensics is offering employers an enticing menu of options to investigate problems with employees. Not long ago, the field was known as computer forensics. But with smart phones, networks and other devices besides computers holding so much information these days, it's now called digital forensics.

In the early 1990s, there were no college programs to train students in digital forensics. Now there are dozens, says Mark Pollitt, retired FBI chief of the Computer Analysis Response Team. Today, he's an associate professor teaching digital forensics and security at Daytona State College in Florida.

Pollitt says companies collect and store more information electronically than they ever did on paper. He points out, for example, that instead of one final report, multiple drafts are now stored electronically.

The demand for digital investigations has grown because of the surge in the amount of information, as well as federal court civil procedures that now require electronic data to be included in the discovery process at the beginning of lawsuits.

Specialists in digital forensics can help with a range of issues, but one of the most important is when confidential information is involved.

Typical Cases

Dardick once investigated a financial services manager who left for a competitor, taking company data with him. The investigation found that the manager was e-mailing client information and company forms to the competitor from his personal account before he quit. Dardick showed that the manager had taken his old employer's forms and changed the logo to that of the new company. The case was quickly settled out of court.

Employers can get to the bottom of fraud problems with computer investigations. Pollitt says there's a wealth of information available for cases such as travel voucher fraud and procurement scams.

Plansky's investigators even found one employee with a tidy Excel spreadsheet of his kickbacks on his work computer. "It made for a very interesting interview," Plansky says. In another case, a female employee was suspected of having an inappropriate relationship with a vendor. Investigators helped prove she lived with the vendor by showing she had created her resume on his home computer, Plansky says.

A digital investigation helped Barson when an employee came back from vacation and soon found the gossip mill churning with private information about her. Barson asked the co-worker who had covered for her during the vacation—and who had had access to her e-mail—whether she was still reading the employee's e-mails.

The denial only lasted until Barson showed her that someone was reading the absent employee's e-mails while she was out of the office and on lunch breaks.

"We pretty much caught her red-handed," Barson says. Key to the investigation was his ability as HR manager to present evidence.

Harassment cases can also lend themselves to digital digging. Rachel Womack, vice president of Stroz, Freidberg law firm in Dallas, says her team investigated an employee who denied stalking a colleague. But his Internet history log showed he had searched for the woman's home address, which helped the employer resolve the case quickly.

Forensics experts can see far more than what pops up on the screen for an average user. Even deleted files often aren't truly gone. Each computer has unallocated space; when something is deleted, it lives on in that area. When the unallocated space runs out, something else will write over it, so managers must quickly investigate.

Investigators have access to metadata about electronic information, which shows when a file was created, how long a person worked on it and when it was deleted. Sleuths look for spikes in deletions that could indicate a worker trying to cover his tracks.

Plansky says the economic downturn has created more motivation for employees to commit fraud and theft, so HR executives need to be prepared.

HR's Role

Digital investigations often start with a tip to the HR department. But even before that, HR leaders have a crucial role: They need to make sure their companies have policies on how employees use their electronic devices and on what sort of privacy, or lack thereof, workers can expect when using them.

"Set the expectations upfront," says Alec Yasinsac, dean of computer and information systems at the University of South Alabama.

Digital investigators say that managers in many organizations warn workers that any information on their work-owned computers or phones can be accessed, for any reason, by the company. That includes texts sent on a work phone and personal e-mail sent through a company network.

Spikes in deletions could indicate a worker trying to cover his tracks.

Dardick says HR professionals need to put technology use policies in writing and make employees sign forms acknowledging that everything done on work equipment belongs to the company.

Roy A. Ginsburg of Dorsey & Whitney law firm in Minneapolis adds that HR professionals should train managers not to undermine policies by giving employees a different message about what's allowed.

Steps and Tools

When trouble brews and a digital investigation can help get to the bottom of the case, where do you start? Here's a step-by-step guide to launching a digital forensics investigation:

  • Gather a preformed incident team that includes lawyers, information technology staff and HR professionals.
  • Check for what company rules the employee may have broken and what sort of privacy the worker can assume to have on his or her electronic devices.
  • Scope out what information is relevant. HR professionals have an important role here since they know the organizational chart, the details of workers' jobs and probably even who interacts on a social level at work. In a sea of bits and bytes, that intelligence can help investigators narrow what they are looking for.
  • Investigators often look for e-mails to competitors. Some employees think that by using personal accounts, the transmission of confidential documents cannot be detected. But when those e-mails are sent via the company's network or on company-owned computers, screen shots of a worker's inbox and even some e-mails can be captured deep in the electronic memory.
  • Make a forensic mirror-image copy of the worker's computer, called a bit-stream image. This is crucial in preserving evidence so it can be presented in court, if necessary. It requires specific hardware and software so that the evidence shows exactly how the computer looked the last time the employee used it. Often, this is done at night without the employee even knowing it. Womack says it's tempting for officials to start "poking around" in the worker's computer but that's a bad idea until a forensic copy is made. Even just opening a file to look at it can spoil evidence.
  • Search for what information might have left the company. Better yet, set up systems to block crucial secrets from being transmitted, using e-mail audits and other tools. IT departments can set up programs that flag suspect behavior such as when large amounts of data are sent or any time a particular type of document, such as a client list, is sent or transferred.
  • Barson has blocked his office staff from transferring information to portable devices. That helps when clients ask how he protects sensitive information about buildings being constructed for them. "We consider data a valuable asset, and we are going to protect that," he says.
  • Use tools that can look at stored data to find information and look at the flow of data between computers. Separate tools can analyze phones, which carry increasingly more data as they get "smarter."
  • Contact a law enforcement agency if there's evidence of criminal behavior, such as child pornography.

Hire Outside Experts?

Whether to do an investigation with in-house IT staff or hire outsiders depends on many factors. Is your company big enough to need forensic experts on staff because of frequent problems or because of the value of the information being protected? Is the case likely to end up in court and thus benefit from the impartial testimony of outside experts? Are company officials comfortable with a contractor having access to confidential information? Is the IT department already overbooked?

Cost represents a major reason to use in-house workers. Making a forensic image of a single computer can cost from several hundred dollars to $2,000, Womack says. The overall cost of an investigation depends on the complexity and type of information involved.

Key reasons to opt for outside experts: They have the tools and experience to make sure all possible data are found and aren't accidentally corrupted along the way.

Outside investigators also prepare reports at the end of investigations. If the case ends up in court, the company needs a report that sums up the bad behavior in a way that judges and juries—who may not be computer-savvy—can understand, Yasinsac says.


Pitfalls of digital investigations include the cost, the impact on employee morale if cases aren't handled correctly and possible violations of employee privacy.

Barson got complaints when he barred gambling, pornography and social media from company computers. But within seven months, people were accustomed to the rules.

Plansky, at Kroll, says HR professionals are key in smoothing over any morale problems that crop up during investigations.

"There is definitely a human management side," Plansky says. "An investigation can't be so disruptive you can't do business."

The clash of company rights vs. employee privacy is being sorted out in state and federal courts. The U.S. Supreme Court, in City of Ontario v. Quon, said it was loath to make too broad a ruling on the topic because of the "rapid pace of technological change. … It is uncertain how workplace norms, and the law's treatment of them, will evolve."

That case involved a California city SWAT team officer who used his work pager to text lewd messages to his wife and his paramour, a fellow officer. He claimed his privacy was violated when the police department went through everyone's text messages. The justices sided with the employer.

But the biggest pitfall for HR professionals is to not conduct digital forensic investigations at all, Pollitt says.

"Don't think of digital forensics as someone else's problem," he says. "You can either plan for it or have it hit you over the head" when something goes bad.

The author is a freelance writer in the Washington, D.C., area.


Job Finder

Find an HR Job Near You
Post a Job


CA Resources at Your Fingertips

View all Resources Now


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect