In this scenario, I am going to assume that the inappropriate content was pornography. To collect the information we require, we must track the employee’s movement to and from the building (if possible), which computers she used and where/when, what credentials she used, what was the full extent of the actions she committed, and finally the number of pornographic materials she created. Next, the IT department will make sure nothing malicious got into the network or computer during the incident, and an extensive audit of her network and company actions as well as her departments’. Finally, her computer and office would have to be extensively searched, as well as confiscated.
This extensive evidence-gathering phase must be adequately controlled, and an excellent method of doing so is by following the chain of custody; this will account for all of the people who obtained the evidence, when and where it was collected, who was in possession or control of it, and where it was stored. For the first step, recording each item collected as evidence is crucial. Next, recording who gathered this information with the time and date will help reduce the risk of lost evidence or a break in the chain of custody. A written description of the evidence obtained, such as the computer and its contents, the surrounding scene, the pornographic material she created, and her items on her desk should be developed. By recording the message digest (hash) values in all documentation, the digital chain of custody can be strengthened and made viewable. All obtained evidence must be securely transported to and from protected facilities, and all movement must be documented and signed for.
For this scenario, the most crucial aspect would be to immediately put an end to the employee in questions’ network user privileges and building access. Next, the computers and printers she used must be thoroughly checked, documented, and secured. There could be a virus or further pornographic material, so an audit of her actions on these devices must be performed. An interrogation of the accused employee must be quickly held to preserve the memories of those involved and limit the possibility of outside interference on her beliefs. Witnesses of the event, members of the IT department, and the accused employee’s friends and supervisor should be interrogated as well. By viewing the computer’s keystrokes, internet history, and other forms of logs, enough evidence will be able to be collected to easily prove she is guilty. A review of the company’s policies should also be consulted; it must be clear what laws or rules were broken, if any. These steps must be done at the proper time, with the appropriate personnel, and at the correct locations per the company’s policies that are already set in place. Once the computer and network are deemed safe, the area is cleared, and the evidence is transported to a secure location, the investigation will begin. After the data and evidence are looked at, a decision will be made based on the results of the investigation.
If there is any failure in the chain of custody, any information gained could be deemed worthless. For example, if an unauthorized person had access to the accused employee’s portable hard drive at any time after the accused employee used it, a case could be made that it could have been tampered with. No matter how strong the evidence is against someone, one little mistake like this can bring the entire investigation to a halt. By following these steps, the employee’s total involvement in this incident will be found, as well as the extent of any financial/emotional damage she caused. If the employee committed the crime, proving she is guilty will be a simple process if the case was handled with care and the proper chain of custody was maintained.
Scalet, S. (2005, December 01). How to Keep a Digital Chain of Custody. Retrieved June 04, 2020, from http://www.csoonline.com/article/2118807/investigations-forensics/how-to-keep-a-digital-chain-of-custody.html.
Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to Computer Forensics and Investigations. Boston, MA: Cengage Learning.