The source of computer forensic enquiries range from the mundane to the ridiculous, with a particularly memorable enquiry coming from a client after part of a large cargo ship sunk in international waters. The client called for computer forensics experts to recover and analyse the computer log files associated with the ship’s loading processes. Analysis of the metadata – specifically the “created” and “modified” dates – associated with the log files revealed that the log files were altered after the ship sunk and one month before the computers were to be turned over for inspection.
However, by far the most common source of enquiries for assistance with computer forensic expertise comes from employment matters. Whether the instruction comes from a HR director suspecting an employee of accessing inappropriate material from a work computer, or an employment solicitor attempting to take out an injunction to stop his client’s ex-employee from using company IP to help them at a new company, the scope for detecting and investigating malfeasance in employment scenarios is almost unlimited.
The key reason we are instructed in employment disputes is to provide third party independence. It is nearly always inappropriate for the employer to commence disciplinary proceedings against an employee and also to produce the evidence to prove their case.
We had a case recently where the HR department at a multinational bank headquartered in the City of London were so keen to remain impartial and show that there was no scope for evidence tampering that they invited us to the very first meeting with the employee. We waited outside the meeting room whilst the employee was interviewed and the allegation of data theft was raised with him. We then commenced a chain of custody procedure on the employee’s work laptop and mobile device having taken them directly from the employee, so the bank’s bias or any potential interference could never be called into question.
We brought the devices back to our offices and conducted an initial investigation to get some immediate results that the bank and legal advisors could use. Within a few days of that initial meeting we had an email from the HR contact at our client’s organisation saying “as a result of our investigation the custodian was determined to be guilty and has since paid all legal and investigation costs to the bank.”
The above is a good example of how a sound forensic process and a proactive approach instructing external investigators can lead to a sound investigation and an early admission of guilt.
It is more regular for us to encounter the scenario where an employee is dismissed on only an inference of guilt and the evidence of wrongdoing is not produced until tribunal proceedings are already well advanced, by which time a lot of potentially unnecessary time and costs have been expended. Or in a worst-case-scenario, we have many cases where we hear the dreaded phrase “I’ve had a quick look myself and I’m pretty sure they did it”. The act of conducting an amateur investigation changes a number of system times/dates and opens the employer up to allegations that the employee was framed.
Of course, companies will be aware of the fact that they too will at times be in the firing line. In a discrimination case, employees can rely on electronic evidence to support claims. We should not forget the famed case of Lara Zubulake who relied on email evidence to substantiate her claims. In that employment discrimination suit, the court concluded that one of Europe’s largest banks had wilfully deleted relevant emails despite contrary court orders. The court sanctioned the bank in the form of an adverse inference instruction, which ordered the jury to assume that emails discarded by the bank would have negatively impacted the bank’s case. After three years of litigation, the trial culminated with the jury finding that the bank had discriminated against Zubulake, and awarding more than US$29 million in total damages.
In our experience, a computer forensic investigation can be invaluable in assessing the validity or otherwise of the claims being made against an employer. In one case, an employee claimed his computer had crashed making it impossible to produce notes made in a diary about alleged discrimination. A computer forensic investigation determined that the diary feature was not available on the email system during the time the employee claimed to have created the notes, making the employee’s claim void.
We therefore always advise that an organisation has the necessary clauses in their employment contracts to ensure that devices such as laptops and work phones can be removed from an employee and investigated. It is also essential to have appointed staff with some knowledge of forensic first response procedures to ensure that evidence bearing devices are handled correctly and all potential evidence is preserved. Lastly, we do recommend that they engage with a third party expert at the earliest stage for some initial advice.