Forensic Analysis: A Guide for Employers
Forensic analysis can yield valuable evidence in cases of suspected wrongdoing involving the use of electronic devices. This brief overview is intended to provide employers with guidance on the types of information that can be recovered. However, such recovery, and its subsequent use as potential evidence, depends on an organization’s preparation. First, an organization’s privacy policy can be critical in weighing the rights of the suspected wrongdoer against those of the organization. Such a policy helps employers and employees define a reasonable expectation of privacy. Second, when potential wrongdoing is suspected, all relevant electronic devices (e.g., employee work laptops or work cell phones) should be immediately isolated and quarantined. Any use of these devices following the suspected wrongdoing can degrade the quality of the data that can be recovered through forensic analysis.
The Forensic Image
A forensic analyst first takes a forensic image of the electronic device. This forensic image is essentially a snapshot of the files, folders, and unallocated space on the device’s storage at that moment in time. It is this image, not the original device, that is used for the forensic analysis. This ensures that the integrity of the original system is preserved, and that critical date stamps and other useful information are not changed by the forensic analysis itself.
Forensic Information Sources
For Windows-based systems, there are certain files and techniques that are especially useful in a forensic analysis. (Apple systems have analogous files and techniques.)
- The Master File Table (MFT) contains information about every file and directory on the device. It is essentially a table of contents for the device. Forensic programs can recover the data contained in the MFT, yielding information such as several date/time stamps, size, name, and directory path for every file or directory on the system (and, under certain circumstances, information about every file or directory that was ever on the system);
- LNK files are shortcut files that Windows saves when a file is opened; they carry their own time stamps and can be used to show which files or drives an employee accessed and when they were accessed;
- Unallocated space on the drive (space not currently assigned to any file) can be combed by forensic programs to recover files or portions of files that have been deleted but not yet overwritten; and
- Servers and even work laptops often have logging systems that can yield useful information about the date and time of system use by an employee.
Potentially Recoverable Information (Forensic analysis can put this information together in helpful ways.)
- If there is information in the MFT about a file, but the software can no longer detect that file on the device, the file has been deleted;
- LNK files may be able to show that an external storage device was connected at the same time suspect files were being accessed, providing at least some circumstantial evidence of potential file copying;
- Logging files together with LNK files may show that an organization’s server was being accessed at the same time an external storage device was connected to the employee’s laptop.
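The kind of time-line correlation described in the last two points, as an added Python example that is not part of the original guide: it takes constructed LNK access times, external-device connection windows and server log lines (all hypothetical, for a made-up user "jdoe") and lists what the device’s records show happening while an external drive was attached.

```python
from datetime import datetime

# Constructed sample artifacts (hypothetical user "jdoe", not from any real case).
# All timestamps are assumed to be normalized to UTC before correlation.
LNK_RECORDS = [  # (access time recorded in the shortcut, target path)
    ("2024-03-04T09:12:00", r"E:\customer_list.xlsx"),
    ("2024-03-04T09:13:30", r"C:\Users\jdoe\Documents\notes.docx"),
    ("2024-03-05T15:40:00", r"E:\pricing_model.xlsx"),
]
USB_SESSIONS = [  # (connected, disconnected, drive letter assigned to the device)
    ("2024-03-04T09:10:00", "2024-03-04T09:20:00", "E:"),
]
SERVER_LOG = [  # constructed file-server access lines: "<time> <user> <event> <share>"
    r"2024-03-04T09:11:45 jdoe CONNECT \\fileserver\finance",
    r"2024-03-05T08:00:00 jdoe CONNECT \\fileserver\finance",
]


def parse_ts(text):
    return datetime.fromisoformat(text)


def correlate(lnk_records, usb_sessions, server_log):
    """For each external-device session, collect the LNK-recorded file accesses
    and server log entries whose timestamps fall inside the session window.
    The result is circumstantial: it shows what happened at the same time, not
    that any file was copied."""
    findings = []
    for start, end, drive in usb_sessions:
        s, e = parse_ts(start), parse_ts(end)
        files = [path for ts, path in lnk_records if s <= parse_ts(ts) <= e]
        # Accesses whose path is on the removable drive itself are the strongest hint.
        on_drive = [p for p in files if p.upper().startswith(drive.upper())]
        server = [line for line in server_log if s <= parse_ts(line.split()[0]) <= e]
        findings.append({"drive": drive, "window": (start, end), "files": files,
                         "on_drive": on_drive, "server": server})
    return findings


if __name__ == "__main__":
    for f in correlate(LNK_RECORDS, USB_SESSIONS, SERVER_LOG):
        print(f"Device {f['drive']} connected {f['window'][0]} to {f['window'][1]}")
        print("  files accessed in window: ", f["files"])
        print("  of which on the device:   ", f["on_drive"])
        print("  server activity in window:", f["server"])
```

In a real matter the timestamps come from the forensic image’s MFT, LNK files and server logs, and clock differences between the laptop and the server must be reconciled before the windows are compared.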
There are limitations to what forensic analysis can show. As noted, such analysis relies upon the information being present on the device. Data that was never recorded, or data that has been overwritten, is unlikely to play a role in a forensic investigation. Copying of files is also difficult to detect through forensic analysis because the computer system generally does not need to retain information about copying for its own functioning.
Forensic analysis can yield important information about the electronic activity of a suspected wrongdoer. There are multiple levels or depths of forensic analysis that can be performed, depending on an organization’s needs in a particular case. The sooner a suspect device is locked down and isolated after suspected wrongdoing, the better the chances of forensically capturing important information regarding the use of that device.