Be Very Careful When Doing An Investigation

Dan Morrill Expert Author Article Date: 2008-06-19

It is heart rendering to find something illegal, horrifically illegal on a person's computer when doing an investigation.

The investigator will run the whole gamut of emotions from disgust to moral outrage, but in a cautionary tale over at dark reading, it is vitally important that the investigator does not make wild accusations, and that what they are saying is the absolute cold fact, not an interpretation of the facts, or embellished at all.

Cases like Fiola's -- where an infected machine leads to an assumption of the user's guilt -- are becoming all too common, experts say. Much of this has to do with the technical knowledge gap in the mainstream, they say. It's not the same as when someone gets arrested for possession of drugs in their vehicle: "I've seen this before," says Alex Eckelberry, CTO of Sunbelt Software. "A completely innocent guy gets caught up with this mentality... a forensic investigator who didn't know what he was doing, or had a lack of the technical concepts." Source:Dark Reading
Of course the flip side of that issue is "malware made me do it" is common in many investigations, but the credibility of the investigator in doing the due diligence in finding out exactly what the issue was is equally as important as proving innocence or guilt in an investigation.

Many companies just simply do not have the ability to do a police level forensic investigation of a computer. Many police departments do not have the same ability to do the same thing. The key to keeping the company safe from liability when making accusations is to have forensically trained personnel available, either through in house due diligence training, working with local law enforcement, or working with an outsource company that has credentialed investigators.

Companies can open themselves up to a serious lawsuit if they get the investigation wrong, and an innocent person goes down. The lawsuit from those wronged will take a look at company procedures, training, investigation methods, and the conduct of the investigator just to name a few immediately obvious things.

Investigators must be above reproach, have the right trained skills, and have the time and ability to truly run down the cause of why something is on a computer, either through user action or through improper systems management, or any number of reasons why something is on a computer. The Dark Reading tale is well worth reading at all levels of the organization, from the CEO on down.

Comments

About the Author:
Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.


Be Very Careful When Doing an Investigation