Organisations run internal investigations for a variety of reasons, from untangling damage inflicted by a disgruntled employee to uncovering the facts following a whistleblowing incident. Whatever the reason, running an investigation requires sensitivity and rigour. In this new, two-part series, we set out two key elements of the investigative process. In this first article, Katarina Zotovic delves into the importance that digital evidence plays in today’s technical workplace. In the second piece, we will share the non-technical aspects of the investigation, including conducting interviews and email reviews.
It has become widely accepted that internal investigations today typically involve evidence extracted from digital sources. Mobile phones, computers, and online accounts facilitate a large proportion of the working day for most employees, creating numerous avenues for gathering data that may prove useful when investigating an issue. Frequently, however, we find that digital forensics experts are called in too late – evidentiary logs have been overwritten, devices have been wiped, or data access issues persist. Here are three key questions for business leaders responsible for setting up and running an internal investigation.
1. What are the sources of evidence I should consider obtaining?
This depends on the nature of your investigation, but phones, computers and email accounts are the most common types of digital sources we encounter in internal investigations, with an increasing focus on data stored in the cloud.
Today, more and more businesses are migrating from on-premises servers to the cloud, meaning emails and files are handled via the organisation’s cloud platform of choice (e.g., Microsoft 365, Google Cloud, Dropbox). Corporate email accounts (and often instant-messaging platforms like Microsoft Teams or Skype) are typically managed by the organisation in their cloud environment, and access is often provisioned for the forensic experts by the IT team. These evidence sources can provide insight into the user’s login history, geolocation information, files and folders that they have accessed, deleted, or downloaded, and other user activity which aids in timelining a series of events for your investigation.
Additionally, organisations may issue company-managed devices such as laptops or phones to their employees. These devices may contain valuable communications data (e.g., SMS, WhatsApp, iMessage or Telegram), web browsing history, or other user data such as calendars, call logs, and geolocation information, all of which can be valuable evidence in identifying parties involved, relevant timeframes, or related content for the investigation.
Once the sources of evidence have been identified, digital forensics practices can be applied to each source to not only analyse the data which exists, but to also identify methods an individual may have used to attempt to hide or destroy evidence of misconduct. This often looks like working to recover deleted data such as files, web browsing history, emails, and instant messaging communications. Therefore, perhaps paradoxically, a key source of enquiry you may want consider in your investigation is (attempted) destruction or concealment of digital evidence.
When evidence sources are identified, they need to be preserved in a manner which is forensically sound and allows for the data and their respective findings to be admissible in legal proceedings. Because of this, we recommend that digital forensics experts are called upon alongside the investigation team to ensure that data handling (such as preservation and storage) maintain their integrity and legal admissibility, and can withstand scrutiny during any disciplinary, tribunal, or court proceedings.
Key takeaway
At the start of an investigation, create a list of any and all potentially relevant sources of digital data used by the target individual(s). Consult digital forensics experts, as you never know where messages, files, or logs may exist which can be helpful to your investigation. And remember, evidence destruction is still evidence.
2. How do I make sure I can get access to the evidence I need?
The first point outlines the evidence ideally available for an investigation, but ultimately the availability of evidence is greatly dependent on the policies and infrastructure in place in the organisation prior to the investigation starting. Consider if your organisation has implemented clear policies which enable you to access the devices and accounts necessary for your investigation. If yes, do you have established relationships with trusted digital forensics experts to conduct the evidence preservation and analysis?
As more time passes, the risk increases of a user deleting or tampering with evidence to deliberately obstruct an investigation. Additionally, default data retention policies can often be very limited; for example, logs can be retained for as little as 24 hours or seven days, and are therefore often unavailable by the time an investigation kicks off. Increasing log retention policies to a period of six months or more will increase the likelihood of crucial logs being available during an investigation. Consequently, irrespective of the log retention policy, every day spent navigating evidence access obstacles, or planning the investigation, equates to a day of visibility that may be lost from your investigation.
Finally, implementing management software on corporate-issued laptops and mobile phones can be crucial in ensuring access to evidence. Management software provides a level of control that, when data stored on a mobile or laptop device is required, policies are in place which permit the locking down of a user’s access to prevent the deletion or tampering of data. We recommend that organisations encourage collaboration between their various departments (e.g., HR, legal, and IT) to enact proper policies for data retention, device access, and account privileges so that when you need to get your hands on a particular set of data, you are able to do so.
Key takeaway
Timeliness of an internal investigation is critical to mitigate against the loss or destruction of evidence. Data policies and management software will dictate how much control and access you have over a device or account necessary for your investigation.
3. This case is particularly sensitive and I need to keep it as concealed as possible – is there a way I can do that?
This is a common question which we are asked a lot. Consider when an investigation involves a senior member of the organisation - perhaps the CEO or Head of IT is under investigation. How does an organisation navigate this effectively, while ensuring that individual(s) only become aware of the investigation at the appropriate time?
As previously mentioned, gaining access to the digital evidence necessary for an investigation can have its challenges, and increasing layers of concealment can pose new ones to your investigation. Internal investigations typically require that several teams work together; however, we encounter internal matters that, due to their sensitive nature, often require that the parties “in the know” be minimal. In other words, the trusted circle of individuals involved in the investigation should be small and on a need-to-know basis as the risk of evidence tampering or destruction increases if individuals become aware they may be subject to an investigation.
We recommend that organisations consider their readiness for sensitive and, at times, covert investigations. One key example from a digital evidence perspective is ensuring that there is redundancy across access to the organisation’s infrastructure. We often encounter cases where access to the necessary evidence is held by senior members of IT or the C-suite, who may end up being subject to investigation. A key factor in ensuring that you are able to conduct an investigation when critical parties are involved is provisioning access to multiple, trusted people throughout an organisation to mitigate a ‘single point of failure’. While this is generally best security practice, it is particularly integral when running sensitive investigations.
Key takeaway
Keeping a circle small during a particularly sensitive investigation is important and retains the integrity and availability of evidence. Obtaining the digital evidence to facilitate the investigation without notifying those involved need not be a limiting factor if the correct measures are in place.
Digital evidence is all around us, and it is often a cornerstone of internal investigations. If you would like to improve your readiness for internal investigations, to understand the potential sources of evidence and ensure you have the requisite technical measures and policies in place to facilitate preservation and analysis of the data, please reach out to our Digital Forensics team for a consultation.
