Follow the data-paved road
You wake up in the morning and hit the stop button on your mobile that you use as an alarm clock. While eating breakfast you turn on Foxtel and watch the news. You then leave the house and set the alarm with your code and this is relayed to the monitoring station.
It is now only 9am and you have left at least 23 electronic records of your movements. As this scenario suggests, many of us carry a built-in tracking device. It's also possible to profile people based on the types of websites they visit. What you touch remembers you.
And in an economic downturn, this is the time when people may resort to misadventure or sometimes outright fraud, or maybe just a little white lie to cover a mistake, which then becomes a major incident that causes more economic harm than has already been inflicted.
Misadventure these days will often involve technology: someone changing a bank record, manipulating a Word document, sending an email or text message or - worse still - downloading valuable intellectual property for their own use.
As in the scenario above, people's actions are being tracked, and all these electronic records can be forensically extracted to provide valuable evidence of any misdeed - be it a fraud, intellectual property theft or other action - that results in litigation and calls for supporting evidence.
The legal profession will often be the first to encounter such a situation when a client calls with a problem and requires advice, or worse, the problem exists within the firm. It is important to understand the need to provide the correct advice. The e.forensic tools that now exist allow for the capture of information in a manner that is consistent with the laws of evidence. These tools can extract current and deleted information and often provide the valuable and missing evidence needed in support of a case.
If someone is to be suspended because some misadventure has occurred or someone resigns unexpectedly then it is vital to remember three actions: isolate, seize and preserve.
Isolate the person from the network, so they can't copy, modify or delete data. Seize any items they may have that could already hold evidence, then preserve all of these for e.forensic processing by an e.forensic expert. DON'T call the IT department.
Merely starting up a computer can alter hundreds of files, causing contamination to the data, thereby providing an opportunity for the other party to offer a defence or suggest deliberate interference with the evidence. The quality of electronic evidence does diminish with further use, so preservation is critical.
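One way to make that contamination visible, as an added example that is not part of the original article: the Python sketch below records a SHA-256 hash, size and modification time for every file in a preserved working copy, then reports anything that later differs. The function names and sample files are constructed for illustration, and it assumes the baseline is taken over a write-protected copy rather than the original device.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks; the file is opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Record (sha256, size, mtime in ns) for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            info = os.stat(full)
            rel = os.path.relpath(full, root)
            manifest[rel] = (sha256_file(full), info.st_size, info.st_mtime_ns)
    return manifest

def compare(baseline, current):
    """Return {relative path: finding} for every file that differs."""
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings[rel] = "added"
        elif new is None:
            findings[rel] = "missing"
        elif old[0] != new[0]:
            findings[rel] = "content changed"
        elif old[2] != new[2]:
            findings[rel] = "timestamp changed"
    return findings

def demo():
    """Constructed sample: three files, each disturbed after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("report.doc", "mail.pst", "notes.txt")}
        for path in paths.values():
            with open(path, "wb") as handle:
                handle.write(b"draft 1")
        baseline = build_manifest(root)
        with open(paths["report.doc"], "wb") as handle:
            handle.write(b"draft 2")  # same size, different content
        os.utime(paths["mail.pst"], ns=(10**18, 10**18))  # timestamp only
        os.remove(paths["notes.txt"])
        return compare(baseline, build_manifest(root))
```
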
Consider that it may be too late and the culprit may have already taken the data via a USB device or VPN access (the weakest link) and copied it down the network over the last few months. VPN and remote email access should be deactivated immediately and, if the person is an IT staff member, the network should be assessed for backdoors that may have been left open for subsequent access.
The sources of much of the data in need of referral may not be freely available and hence may require a Search Warrant, Anton Piller Order or other Order of the Court to render the items available for acquisition.
Once the evidence has been encapsulated forensically, an expert can extract relevant data or prove user activity and provide expert testimony in support.
It is important to consider the hidden evidence and remember that "Big Brother" is out there.
Allan Watt is head of e-forensics at eLaw