
Digital Investigation (2005) 2, 239–243

www.elsevier.com/locate/diin

The unique challenges of collecting corporate evidence

Jim Kent*, Byrne Ghavalas

“If your organisation was asked to produce reliable evidence of what has happened within its computers, perhaps after a suspected crime or attack, or to resolve a legal dispute – how well would it respond?” This is the question asked in a white paper titled “Directors and Corporate Advisors’ Guide to Digital Investigations and Evidence” prepared by Peter Sommer for the Information Assurance Advisory Council.¹

The paper points out that “Nearly all organisations underestimate how often they may be called on to produce reliable evidence of what has happened in and around their information and communication technology (ICT) systems. They also underestimate the demands that the legal system makes in terms of ensuring the admissibility and reliability of digital evidence. Both of these can have a profound impact on business welfare.”²

This article discusses issues surrounding corporate evidence collection. The views and opinions are based on our experience and findings from our work in the field.

The corporate world is slowly realising the importance and implications of computer based or digitally based evidence, but many organisations believe that the challenges surrounding the collection and production of corporate evidence are unique to them, differing from those of other organisations and law enforcement. We feel that while there are certainly situations that can create additional complexities, the issues are not necessarily unique; we believe that the processes surrounding evidence collection and production within a corporate environment have many common traits and characteristics with those utilised by law enforcement. Perhaps the biggest problem, and therefore challenge, is the lack of forensic readiness within organisations today.

* Corresponding author. Tel.: +44 870 600 1667; fax: +44 870 600 1668.

E-mail addresses: [email protected] (J. Kent), [email protected] (B. Ghavalas).

¹ http://www.iaac.org.uk.

² Directors and Corporate Advisors’ Guide to Digital Investigations and Evidence; September 2005, Sommer, Peter, IAAC.

1742-2876/$ - see front matter © 2005 Published by Elsevier Ltd. doi:10.1016/j.diin.2005.10.003

It is probably fair to say that the approaches to evidence collection and production adopted by law enforcement are different to those of the majority of organisations. These differences stem from the fact that law enforcement has had a head start in the field of computer forensics and over the past few years has established very high standards regarding the preservation and presentation of evidence found on digital media. In our experience, a large number of organisations do not have any processes or procedures in place for handling events that result in the requirement to produce reliable evidence. When compared to the corporate world, law enforcement is generally, but not exclusively, task orientated and the need to be proactive in the same sense as the corporate world does not exist.

There are strict procedures and guidelines governing law enforcement and computer forensics covering aspects such as evidence continuity, best practice and procedures. Many of these procedures and practices should be adopted by the private sector as they provide an excellent foundation for corporate organisations. Adoption of a common set of policies, procedures and practices would help ensure continuity and smoother transfers of evidence from the corporate environment across to the law enforcement environment, in the event law enforcement involvement is required.

In our experience, a large number of organisations have not considered the issues surrounding incidents that require the production of evidence and have no plans or procedures for handling the evidential requirements that result from them. When such an incident does occur, these organisations tend to end up following a fire-fighting approach. When fire-fighting, there are often requirements to make snap decisions with little information or other difficult decisions based on the circumstances of the case. It is very easy, and often the case, that fundamental mistakes are made when attempting to do the ‘right thing’ while handling the event, and in the worst case scenario this can have serious detrimental effects on the collected evidence and, perhaps worse, on the running and functioning of the organisation.

Adopting a more proactive approach naturally results in improved handling of incidents. Being proactive may mean that an organisation elects to train certain members of staff in the area of computer forensics so that they are able to handle the incidents in the correct manner. Some drawbacks to this option are the training and equipment costs and the potential issue of a lack of impartiality resulting from staff being investigated by their peers or the investigation being tainted because the investigator is friendly with the suspect. An alternate option that organisations may consider is to employ an external forensic firm or investigator. A good firm or investigator will bring experience, training and independence to the table, but these attributes can carry a high price tag. Whatever the approach, all organisations should also ensure that they adopt practices that help them become forensically ready; failure to do so could result in missed, lost or contaminated evidence or the mishandling of suspects, any of which could in turn potentially result in a large financial loss for the business.

The idea of being proactive in this field is not new but one which is taking time to filter through to organisations and is only really being acted upon after an incident has raised these issues. Along with many of the suggestions covered in the IAAC paper prepared by Peter Sommer, some organisations are also considering the idea of obtaining forensically sound ‘snapshots’ of random computers within the organisation. These snapshots are then analysed in terms of the organisation’s acceptable usage policies (naturally, private data and emails are not examined). This approach can be compared to the random drugs tests that are conducted in the professional sporting arena, with the same obvious benefits. Further, when a member of staff leaves the organisation, it makes sound sense to take an image of the drive before wiping, reinstalling and handing the system over to the new member of staff. Clearly, before this process can be implemented, the organisation will have to ensure that the necessary policies and procedures are updated to reflect that this approach is followed, and further that members of staff should be made aware that from time to time there will be ‘dip’ sampling of the computer systems. This way it is fair to both the users and the organisation, leaving no one in doubt and being mindful of human rights and data protection issues.

The lack of forensic readiness is a common problem. Let us consider a hypothetical (but fairly common) scenario. This scenario is based on some of our experiences but should by no means be considered a detrimental view of any organisation or any individuals; it is an opportunity to highlight the need for sound planning and forensic readiness. In our scenario we will consider inappropriate material, but there are numerous reasons as to why digital evidence needs to be secured, ranging from fraud or industrial espionage to harassment, blackmail or network compromises, to name a few. The advancement of technology has been a fantastic leap but it has also introduced the ability to carry out old style crimes in a new way.

We receive a telephone call from an organisation; during the call they explain that they think one of their members of staff is accessing inappropriate material. What should they do next?

The first point to take into consideration is who has made the call and why. Once this has been established and contact with the correct individual has been made, maintaining this single point of contact is crucial for the integrity of the investigation.

After a few questions, it becomes clear that before the call was made, several mistakes had already been made. The laptop was given to the IT Department so that they could examine it to locate more evidence. Once it was clear to the IT Department that there were a large number of folders containing inappropriate material, the HR department was approached by the manager of the staff member and discussions were held as to how to handle the case. It was decided that disciplinary action should be taken; it was also decided that an external company should be contacted for assistance ‘just in case’.

The above process is not uncommon but several problems have been introduced. It is possible that evidence has been destroyed, compromised or missed; for example, neither the PDA nor the mobile telephone was obtained. It is also highly likely that someone in the IT Department has stamped their digital footprints all over the data that are to be secured, for example, the various date and time stamps associated with the files and folders containing the inappropriate material. While this is not insurmountable, it causes unnecessary complications to the investigation.

The call has also highlighted how many people in the organisation are now aware of the issue; the organisation has not really given much thought as to how well these people know the offending user or the potential issues that may result if details of the investigations are leaked to this user (such as the removal of evidence from network servers or home computers if they are involved). This naturally brings the potential legal requirements of the evidence and the admissibility of the evidence into the equation, should it go to a civil or criminal extent.

Before we can advise the client, we first have to establish what current policies and procedures they have in place as well as the impact on the organisation, such as loss of productivity, data loss, possible compromise of records and the overall impact to the reputation of the company, amongst others. It is clear that they do not have policies and procedures to deal with this incident, but we need to understand their other policies and procedures so that we can ensure we meet any legal obligations that result from them.

There are of course other points that need to be established as part of the initial investigation process and reviewed as the investigation proceeds, such as the recipient of the initial reports, the implications of any findings for the organisation and the next step in the investigation, especially if the investigation has to be handed over to law enforcement. It is then necessary to identify what steps are required to identify and secure the relevant digital evidence; information about the physical location, for example a laptop, desktop or network storage, and information about the geographical location must be established, for example the user may be located in the UK but the user’s data are stored on a server in the USA. This information is important and can have real implications for any investigation as it can have a bearing on which way the investigation progresses. Understanding management’s objectives throughout the investigations is also important as it is often the case that during the investigation their objectives may change as the investigation evolves.

A crucial part of any investigation is ensuring proper evidence collection and a proper chain of custody of the suspect computer systems, hard drives, PDAs or mobile telephones. The investigators need to be sure that they can identify who seized the evidence, what the evidence is, the time and date it was seized and from where it was seized. If evidence changes hands multiple times, then this must be documented and signed, as best practice dictates the necessity to keep track of all items.
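As an added illustration of the custody record described above (this is not code from the article or its authors): a small Python model in which the receiver re-hashes the image at every handover and a checker reports breaks in continuity, out-of-order timestamps and hash mismatches. All names, exhibit references, timestamps and the image bytes are constructed.

```python
# Added example, not from the article: a minimal chain-of-custody record for an
# acquired disk image. Every name, reference, timestamp and image below is constructed.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Hash of the acquired image; recomputed by the receiver at every handover."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: datetime      # time and date of the action (UTC)
    action: str         # "seized" or "transferred"
    released_by: str    # who handed the item over (empty for the seizure)
    received_by: str    # who now holds the item
    location: str       # where the action took place
    image_hash: str     # hash the receiver computed over the image at this step


@dataclass
class EvidenceItem:
    item_id: str            # exhibit reference (constructed, e.g. "EX-001")
    description: str        # what the evidence is
    acquisition_hash: str   # hash recorded when the image was first taken
    events: list = field(default_factory=list)

    def seize(self, who, where, when, image):
        self.events.append(CustodyEvent(when, "seized", "", who, where, sha256_of(image)))

    def transfer(self, frm, to, where, when, image):
        # The receiver hashes the copy they were actually given, so alteration
        # in transit is recorded rather than assumed away.
        self.events.append(CustodyEvent(when, "transferred", frm, to, where, sha256_of(image)))


def verify_chain(item: EvidenceItem) -> list:
    """Return the problems found; an empty list means the chain is intact."""
    if not item.events or item.events[0].action != "seized":
        return ["no seizure record"]
    problems, prev = [], None
    for i, ev in enumerate(item.events):
        if ev.image_hash != item.acquisition_hash:
            problems.append(f"event {i}: hash mismatch ({ev.received_by} at {ev.location})")
        if prev is not None:
            if ev.when < prev.when:
                problems.append(f"event {i}: timestamp earlier than previous event")
            if ev.released_by != prev.received_by:
                problems.append(f"event {i}: released by {ev.released_by!r} "
                                f"but last holder was {prev.received_by!r}")
        prev = ev
    return problems


# Constructed walk-through: the laptop image is seized on site, handed to the
# lab intact, then a modified copy is passed on to a reviewer.
IMAGE = b"constructed-disk-image-bytes"
T0 = datetime(2005, 9, 12, 9, 30, tzinfo=timezone.utc)


def demo() -> EvidenceItem:
    item = EvidenceItem("EX-001", "laptop hard drive image", sha256_of(IMAGE))
    item.seize("A. Investigator", "client site, room 4", T0, IMAGE)
    item.transfer("A. Investigator", "B. Analyst", "lab", T0.replace(hour=14), IMAGE)
    item.transfer("B. Analyst", "C. Reviewer", "lab", T0.replace(hour=16), IMAGE + b"x")
    return item
```

Running `verify_chain(demo())` reports only the third event, where the reviewer's copy no longer hashes to the acquisition value.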

When a third party is involved in an investigation, as with this scenario, the investigators will usually require an area in which they can complete their procedures for acquiring the evidence and possibly for conducting interviews. This often presents problems as not all areas are necessarily appropriate. We have found ourselves in the building basement and we have also found ourselves in the middle of an open office in a glass meeting room where all eyes are on the investigators. Ideally, the area should be sterile and secure from other members of staff. It may also be necessary or appropriate on occasions to have a back-up story to explain the presence of the investigators, for example, explaining that they are assisting with a generic upgrade to the software or hardware; this may at least deflect the majority of the questions from the ever-inquisitive staff.

The acquisition of evidence may involve a number of decisions, and it is perhaps some of these decisions that corporate organisations feel are unique when compared to those taken by law enforcement. It is commonly believed that law enforcement has to take systems away for imaging or that they will take images of all systems even if it is financially detrimental to an organisation, such as an eCommerce server running 24 × 7. While this may have been the case in the past, law enforcement is very much aware of the implications of their actions and will certainly review alternate possibilities for obtaining best evidence.

While corporate organisations may have some complex issues, such as large RAID arrays or 24 × 7 × 365 services that require additional consideration, the majority of items containing digital evidence are not unique to them. There are a number of options that can be considered when looking to acquire evidence from within an organisation; the appropriate option will depend upon the organisation’s requirements. For example, can the organisation continue to operate without the offending machine or must it remain in operation? Can the offending machine be reviewed during office hours, or is there a requirement for this to take place (covertly) after hours? It is possible, when dealing with systems that must remain in operation, to conduct a live analysis and obtain evidence in compliance with accepted guidelines (such as the ACPO guidelines: Good Practice Guide for Computer based Electronic Evidence; http://www.nhtcu.org/media/documents/publications/). In the majority of cases, including our scenario, it is usually possible to image the suspect workstation, but servers that contain data can only be accessed out of working hours or using a live analysis technique.

There are many ways to create a forensically sound image of the digital media using tried and tested software. We do not wish to discuss the various software products that can be utilised for this purpose, but rest assured that there are a number of products that are all used regularly all over the world and are acceptable in courts of law, should the investigation go that far.

While the corporate environment may offer a few additional complexities associated with the gathering of digital evidence from some devices, it also offers a number of resources that may contain useful information that can greatly assist an investigation. For example, most organisations deploy centralised resources, such as email servers, authentication servers and file servers. In addition to these resources, organisations often deploy perimeter security devices such as firewalls and proxy servers. Many of these devices provide some form of logging. These log files can prove to be invaluable in an investigation. They can often be used to corroborate or clarify findings.

In our scenario we were able to obtain a number of log files that help demonstrate that the suspect had repeatedly retrieved inappropriate material. The log file entries could be matched up with the times and dates of the items on the workstation. The logs also showed that the user was utilising the system at the time these items were actually retrieved. We did, however, experience issues with the log files that affected the time required to complete the investigation as well as the overall complexity of the investigation. The organisation did not synchronise the time for the various resources in use in the organisation. The proxy server, firewall and authentication servers all had differing time configurations; indeed, one of the devices was configured for an incorrect time zone!

The investigation turned out to be fairly straightforward in our scenario, but not all cases turn out that way. Sometimes, during analysis, certain events may unfold or new issues may be raised. For example, the investigator may discover illegal content, such as paedophilia, in which case the evidence must be handed over to law enforcement. We have seen cases in which a number of staff are implicated, such as in the case of fraud, rapidly changing the face and complexity of the investigation. We have also seen cases that started as simple disciplinary hearings turn into civil or criminal cases. It is essential that all processes prior to this point are forensically sound and comply with the accepted guidelines and principles (such as the ACPO guidelines) so that the investigation is not compromised.

Although there were some minor issues surrounding the evidence in our case, such as the fact that the IT Department had tramped around the digital scene and the lack of time synchronisation amongst network resources, it was still possible to demonstrate that the member of staff had contravened the acceptable usage policies. As all work was conducted in a forensically sound manner, the case would stand up in a court of law. The organisation was able to complete the disciplinary action without incident.

Our hypothetical (but fairly typical) organisation learned some valuable lessons from the experience. They have since implemented a number of policies and procedures that map to the best practice forensic guidelines. They are now ready for the next incident: they have become forensically ready.

The future is in planning. The white paper recently released by the Information Assurance Advisory Council, titled “Directors and Corporate Advisors’ Guide to Digital Investigations and Evidence”, prepared by Peter Sommer, aims “to help directors, senior managers and their legal advisers to understand the key strategic and management issues. It is designed to anticipate the need for provision of digital evidence and investigations by setting up management procedures, acquiring appropriate resources and identifying third-party sources of emergency assistance.” This guide is well worth reading and serves as an excellent starting point.

The field of computer forensics, along with data transfer speeds and storage sizes, appears to grow daily, and it is almost impossible to predict what the future holds; however, negligence is not an option, as it is only a matter of time before your organisation could be thrown into the grip of securing digital evidence and be held accountable for it. It is time to become forensically ready!


Jim Kent (CRFP Assessor, Expert Witness Approved, CSTP, CFIA) is a forensic practitioner for 7Safe, an independent Information Security practice (ISO 27001 certified) delivering an innovative portfolio of services including: Forensic Investigation, ISO 27001 Consulting, Penetration Testing and Information Security Training.

Byrne Ghavalas (CSTP, CFIA, GCFA) is a forensic practitioner for 7Safe, an independent Information Security practice (ISO 27001 certified) delivering an innovative portfolio of services including: Forensic Investigation, ISO 27001 Consulting, Penetration Testing and Information Security Training.