It’s not uncommon for us to conduct a forensic investigation only to discover that the requesting organisation has inadvertently destroyed or altered the very evidence it was hoping to rely on. Well-intentioned actions by staff inexperienced in handling evidence can leave very little relevant data to analyse. While each case is unique, we’ve produced the lists below advising on general best practice which, if followed, will help us to help you.
Top 10 IT forensic dos
- Secure the device so that no unauthorised person has access to it
- If the device is off, leave it off
- If the device is on, leave it on
- If the device is on, unplug any network cable and turn off Wi-Fi and/or Bluetooth connections
- If this is not possible, pull the plug (shut down if a server) or remove the battery
- Do not inform anyone other than necessary that an investigation is underway
- Make notes of the people involved, the allegations, the evidence, dates and times, etc.
- Gather any item to which you have legal access that may contain evidence, e.g. USB drives, CDs, paperwork, laptops, cameras, etc.
- If possible, do not tell the subject that they are under investigation
- Seek the advice of a computer forensic company on the further steps for analysing the data
Top 10 IT forensic don’ts
- Don’t be tempted to ‘have a look’ and operate the device at all
- Don’t use your IT department unless they are familiar with electronic evidence handling
- Don’t use your IT department unless they are familiar with legal admissibility standards
- Don’t delay; the sooner you respond the better the chance of preserving evidence
- Don’t arouse suspicion; don’t tell anyone about the investigation unless necessary
- Don’t ignore your HR department in this process; they can advise on legal matters
- Don’t guess about best actions; if in doubt call a computer forensic company
- Don’t hesitate in contacting the police if you think a crime may have been committed
- Don’t be tempted to destroy any data; this can usually be traced and has serious legal consequences
- Do not run anything on the computer or do anything which may modify it in any way
Top 10 IT forensic readiness tips
- Ensure that every user has an individual user profile; do not use generic accounts, e.g. ‘admin’
- Every user profile should be protected by a password that is not shared
- All network devices should have sufficient logging/auditing switched on
- Event logs should be backed up to a secure location
- Does your back-up procedure do what you think it does? Verify it. Can the backup actually be restored?
- Ensure that all users have signed up to your computer/internet acceptable use policy
- Keep to hand the phone number of a reliable computer forensic company
- Ensure staff are familiar with the correct procedures; start with the top 10 forensic dos and don’ts
- Make sure all devices on your network are using the correct (and same) time and date
- Consider installing an intrusion detection system
The above lists are generic advice and may not necessarily be appropriate in your situation.
For tailored advice call 020 7193 3324