The cardinal rule of a computer forensic investigator is that an investigation is never performed on the original evidence, i.e. the computer, according to SSC's Amit Gavish.

In the past, corporations have failed to take most computer misconduct cases seriously, unwilling to spend the time, money or effort to do a thorough investigation. As allegations of corporate theft and internal data breaches continue to increase, corporations are paying a high price by ignoring the problem. Fraud and other corporate crimes cost U.S organizations more than $400 billon annually. The average organization loses approximately 6 percent of its total annual revenue to fraud and abuse committed by its employee.

Unfortunately, when computer misconduct occurs, management’s first reaction is to peruse the computer for evidence – a critical error. Next, management will go to the people within the organization who know the most on the subject: The chief security officer or the chief information officer or the IT department. While an internal department may be able to conduct a preliminary investigation, IT professionals are often limited in the tools they have at their disposal and their knowledge in detecting wrongdoing.

While a security or IT professional may be able to recover certain items like documents, e-mail and Internet history from a computer, that person may unintentionally overwrite or even accidentally erase incriminating evidence. This can occur simply by starting the computer. For example, if a document file were opened, viewed and closed without editing, certain file attributes will be changed, such as the last access date. Thus, the data has been changed.


Forensics investigators take a different approach. The cardinal rule of a computer forensic investigator is that an investigation is never performed on the original evidence, i.e. the computer. Instead, an image of a computer hard drive is made using specialized software that prevents changes to files contained on the hard drive, even operating system files. This image is then examined using computer forensic software. This procedure leaves the original computer in the same state as when it was last shutdown.

Security and IT departments may fail to recover incriminating data if an employee has tried to cover his or her tracks by changing file names, file extensions or by intentionally deleting data and would likely be stymied when password-protected files are encountered.


Forensic investigators have the necessary tools to swiftly recover data. The two most popular brands of forensic software, The Forensic Toolkit by Access Data and Encase by Guidance Software, are commonly used by investigators to root out data concealed through a number of means. Further, using this specialized software, the forensic investigator can expedite the process by harnessing the power of multiple computers to perform recovery functions.

These tools, costing $3,000-$4,000 for one seat license, are typically not used by IT departments because of the cost factor. Without these tools, it would be almost impossible to find data hidden or destroyed by a user with knowledge of these techniques. Another consideration would be that the time required to become proficient in such software programs would take the IT department away from its day-to-day duties.

When dealing with computer-assisted employee malfeasance, management should take the view that litigation is a potential end result. The overriding issue of utilizing the IT department is this: IT professionals are not trained in computer forensic investigation or it is a collateral duty at best.

Just as important, the rules of evidence pertaining to the chain of evidence, security of evidence and thorough documentation of the results of the examination may be completely ignored. Further, should a case of computer misconduct end up in litigation, an IT specialist will likely not have the credentials to be certified by the court as an expert in data recovery greatly diminishing his or her credibility in the eyes of the judge or jury.

When all things are considered, it doesn’t seem worth the risk for IT departments to try to handle computer investigations.

About the Source

Amit Gavish joined SSC, Inc. as a senior corporate advisor for international security issues in 2007 and was recently promoted to managing director, corporate intelligence and investigations. Before joining SSC, he served as a senior counter terrorism consultant for the Boston-based security company where he provided counterterrorism services, risk assessments or vulnerability assessments to Logan International Airport, Boston University Medical Center, Yankee Gas and Foxwoods Casino, among other organizations.