
Collecting Digital Evidence in a Workplace Investigation


Delays and carelessness can jeopardize both the data and the outcome of a case


The collection of digital evidence can be one of the most important initial steps in an investigation. Mistakes made during this phase can sink an entire case. And because digital evidence, especially email, is now part of almost every internal investigation, it’s important for investigators to understand at least the basics of collection and the importance of having an expert in digital forensics involved in the process.


Aside from the obvious sources of digital information, such as laptop computers, desktop computers, smart phones and cell phones, digital evidence can also be found in the cloud, on email services, on tablet computers, and even on home computers if employees log in from home. “All these places can be repositories for email,” says Andrew Neal, a Texas-based expert in digital forensics and information security. “Additionally, as a corporate email requirement, backups are made on a regular basis so those may store email for a longer term.”

Planning to Collect Digital Evidence


The key to success in any investigation is the initial scoping, says Neal. In this phase, the investigator identifies:

  • the company’s IT resources
  • time frame for the investigation
  • possible sources of information
  • typical dwell time for data (for example, the company may have a 90-day purge cycle on its email server)

“The initial scoping call, where we sit down and discuss the environment, holes and time frames, clues us in as to where we need to look,” says Neal. Usually this takes the form of a story, during which the client outlines the situation, who they suspect was involved, what they think the person did and the timing of the incident.

“Usually during the story of the case we can start to develop a timeline for the incident in question, and that focuses on what’s going on. It also clues us in to what kind of information we’re looking for and how to track that down,” says Neal.

Social Media Evidence

Whether or not a search for digital evidence should include social media accounts is normally driven by the needs of the case.

“For an insurance case or maybe even an intellectual property case, if somebody is a blogger, or they have a very active LinkedIn page or Facebook page that’s public, we may look at that,” says Neal. “Unless the custodian will allow us their credentials, and it’s formally agreed, we can only get what’s publicly available. That being said, if they have accessed their Facebook account from a work computer, they may have left some traces behind on a resource that’s actually owned by the company.”

In these cases, as long as the company has a policy in place that says that data on company resources belongs to the company, an investigator may be able to access social media information that would otherwise be considered private. This depends on the agreements that are in place between the employer and the employee.

Sooner is Better

When it comes to digital evidence, acting quickly increases the chances that the forensic investigators will be able to recover useful data.

“The sooner the process starts, the sooner we can stop the degradation of the data and start the collection,” says Neal. “When we get the story a piece at a time, the scope may start creeping, or we may find that an incident happened 18 months ago. Those situations make it difficult to have a successful outcome.”

Acting quickly to preserve and collect digital evidence before it can be damaged, degraded or destroyed can make the forensic investigator’s job easier and cheaper and increase the chance of a successful outcome to a case.
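The scoping questions above (which IT resources exist, what the time frame is, and how long each source keeps data before it is purged) and the point that delay lets evidence age out can be turned into a small planning aid. The following is an added example written for this page, not code from the article, from Andrew Neal, or from any product the page describes; the inventory of sources and their retention periods are constructed for illustration, and the 90-day email purge cycle is taken from the article's own example. Given an incident start date and today's date, it reports for each source whether data from the incident window should still exist, how many days remain before it ages out, and which sources need a preservation request first.

```python
"""Scoping aid for digital evidence collection (added example, not the article's code).

Models the dwell-time question from the scoping phase: for each candidate
source, is data from the incident window still likely to exist, and how
long before a scheduled purge removes it?
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Source:
    name: str
    retention_days: Optional[int]  # None: no known automatic purge cycle


# Constructed inventory for a fictional company. Only the 90-day email
# purge cycle comes from the article; the other periods are assumptions.
INVENTORY: List[Source] = [
    Source("email server", 90),           # 90-day purge cycle (article's example)
    Source("email backups", 730),         # assumed: backups retained two years
    Source("cloud file storage", 365),    # assumed: deleted-item history kept one year
    Source("issued laptop", None),        # no scheduled purge; survives until reimaged
]


def days_remaining(source: Source, incident_start: date, today: date) -> Optional[int]:
    """Days until the OLDEST data in the incident window ages out of `source`.

    Returns None when the source has no automatic purge cycle. A negative
    value means the data has probably already been purged.
    """
    if source.retention_days is None:
        return None
    expiry = incident_start + timedelta(days=source.retention_days)
    return (expiry - today).days


def classify(remaining: Optional[int], warn_days: int = 14) -> str:
    """Map a days-remaining figure to a scoping status."""
    if remaining is None:
        return "no_scheduled_purge"   # still collect promptly, but no purge clock
    if remaining < 0:
        return "likely_purged"        # incident-window data has aged out
    if remaining <= warn_days:
        return "urgent"               # send a preservation request now
    return "in_window"


def scope_plan(inventory: List[Source], incident_start: date, today: date,
               warn_days: int = 14) -> Dict[str, Tuple[str, Optional[int]]]:
    """Status and days-remaining for every source in the inventory."""
    plan = {}
    for src in inventory:
        rem = days_remaining(src, incident_start, today)
        plan[src.name] = (classify(rem, warn_days), rem)
    return plan


def collection_order(plan: Dict[str, Tuple[str, Optional[int]]]) -> List[str]:
    """Sources that can still yield data, soonest-to-expire first.

    Sources with no purge clock go last; likely-purged sources are dropped
    (they may still be worth a backup search, but they are not on the clock).
    """
    live = [(name, rem) for name, (status, rem) in plan.items()
            if status != "likely_purged"]
    # None sorts after any finite number of days remaining
    live.sort(key=lambda item: (item[1] is None, item[1] if item[1] is not None else 0))
    return [name for name, _ in live]


if __name__ == "__main__":
    today = date(2024, 4, 1)                       # constructed "today"
    for label, start in [("incident 60 days ago", date(2024, 2, 1)),
                         ("incident 18 months ago", date(2022, 10, 1))]:
        plan = scope_plan(INVENTORY, start, today)
        print(f"\n{label} (from {start}):")
        for name, (status, rem) in plan.items():
            print(f"  {name:20s} {status:20s} days remaining: {rem}")
        print("  collect in this order:", collection_order(plan))
```

Running the script with the two constructed scenarios shows the article's point directly: for an incident two months old every source is still in its window and the email server is the first stop, while for an incident 18 months old the email server and cloud storage have already cycled out and only the backups and the laptop remain.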