In this scenario, the employee suspected of accessing and creating pornographic material was on company property at the time of the incident and used company equipment to do so. Because the employee used computers and printers connected to the company network, the information and evidence of this infraction should be straightforward to both collect and prove.
For this scenario, we must track the employee’s movement to and from the building (if possible), which computers he/she used and where and when, what credentials he/she used, the full extent of the actions he/she committed, and finally the amount of pornographic material he/she created. Next, the IT department will make sure nothing malicious got into the network or computer during the incident and will perform an extensive audit of his/her network and company actions, as well as those of his/her department. Finally, his/her computer and office would have to be extensively searched, and the computer confiscated.
This extensive evidence-gathering phase must be adequately controlled, and an excellent method of doing so is following the chain of custody; this accounts for everyone who obtained the evidence, when and where it was collected, who had possession or control of it, and where it was stored. As a first step, recording each item collected as evidence is crucial. Next, recording who gathered it, with the time and date, helps reduce the risk of lost evidence or a break in the chain of custody. A written description of the evidence obtained should be developed, covering the computer and its contents, the surrounding scene, the pornographic material he/she created, and the items on his/her desk. Recording the message digest (hash) values in all documentation strengthens the digital chain of custody and makes it verifiable. All obtained evidence must be securely transported to and from protected facilities, and all movement must be documented and signed for.
For this scenario, the most crucial first step is to immediately revoke the network user privileges and building access of the employee in question. Next, the computers and printers he/she used must be thoroughly checked, documented, and secured. There could be a virus or further pornographic material, so an audit of his/her actions on these devices must be performed. An interrogation of the accused employee must be held quickly to preserve the memories of those involved and limit the possibility of outside influence on their recollections. Witnesses of the event, members of the IT department, and the accused employee’s friends and supervisor should be interrogated as well. By reviewing the computer’s keystroke records, internet history, and other logs, enough evidence can be collected to easily prove he/she is guilty. The company’s policies should also be reviewed; it must be clear what laws or rules were broken, if any. These steps must be carried out at the proper time, with the proper personnel, and at the proper locations, per the company’s policies already in place. Once the computer and network are deemed safe, the area is cleared, and the evidence has been transported to a safe location, the investigation will begin. After the data and evidence are examined, a decision will be made based on the results of the investigation.
If there is any failure in the chain of custody, any information gained could be deemed worthless. For example, if an unauthorized person had access to the accused employee’s portable hard drive at any time after the accused employee used it, a case could be made that it could have been tampered with. No matter how strong the evidence is against someone, one little mistake like this can bring the entire investigation to a halt. By following these steps, the employee’s total involvement in this incident will be found, as well as the extent of any financial/emotional damage he/she caused. If the employee committed the crime, proving he/she is guilty will be a simple process if the case was handled with care and the proper chain of custody was maintained.
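As an added illustration (not part of the original essay) of the custody steps described earlier and of the tampering case in this paragraph, the following Python sketch keeps a custody log with a SHA-256 digest per entry and flags either a movement nobody signed for or a change in the evidence contents. The names, locations and the drive image bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class CustodyEntry:
    action: str      # "collected", "transferred" or "stored"
    handler: str     # person who signed for possession or control
    location: str    # where the item was collected, moved to or stored
    timestamp: str   # ISO-8601, UTC
    digest: str      # SHA-256 of the evidence contents at this point

@dataclass
class EvidenceItem:
    item_id: str
    description: str   # written description of what was seized
    log: list = field(default_factory=list)

def record(item: EvidenceItem, action: str, handler: str,
           location: str, data: bytes) -> None:
    """Append one custody entry; the digest is recomputed from the bytes."""
    item.log.append(CustodyEntry(action, handler, location,
                                 datetime.now(timezone.utc).isoformat(),
                                 hashlib.sha256(data).hexdigest()))

def verify_chain(item: EvidenceItem) -> list:
    """Return problems found; an empty list means the chain is unbroken."""
    if not item.log:
        return ["no custody entries recorded"]
    problems, baseline = [], item.log[0].digest
    for i, e in enumerate(item.log):
        if not e.handler:   # movement that nobody signed for
            problems.append(f"entry {i} ({e.action}) was not signed for")
        if e.digest != baseline:   # contents differ from the collected copy
            problems.append(f"entry {i}: contents changed while held by "
                            f"{e.handler or 'unknown'}")
    return problems

# Constructed sample input standing in for an image of the seized drive.
DRIVE_IMAGE = b"constructed drive image: documents, print spool, browser history"

def demo() -> tuple:
    """Intact chain beside a chain with an unsigned, altered transfer."""
    ok = EvidenceItem("E-001", "portable hard drive from employee desk")
    record(ok, "collected", "A. Investigator", "office 214", DRIVE_IMAGE)
    record(ok, "stored", "B. Evidence clerk", "evidence locker", DRIVE_IMAGE)
    broken = EvidenceItem("E-002", "same drive, left unattended in transit")
    record(broken, "collected", "A. Investigator", "office 214", DRIVE_IMAGE)
    record(broken, "transferred", "", "loading dock", DRIVE_IMAGE + b"?")
    return verify_chain(ok), verify_chain(broken)
```

Calling demo() returns an empty problem list for the intact chain and two findings for the second item, which is exactly the kind of gap that lets a defence argue the drive could have been tampered with.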