Investigating an Internal Policy Violation: Email

Scenario: You’re investigating an internal policy violation when you find an e-mail about a serious assault for which a police report needs to be filed. What should you do? Who in your company do you need to talk to first and what evidence must be turned over to the police?

Investigating and controlling computer incident scenes in private-sector environments is significantly easier than working crime scenes. In the private sector, the incident scene is usually a workplace, such as a controlled office or manufacturing area, where a policy violation is being investigated. Everything from the computers used to violate a company policy to the surrounding facility is under a controlling authority, namely company management. More often than not, businesses keep inventory databases of computer hardware and software. Having access to these databases, and knowing which applications are installed on the suspected computers, helps identify the forensics tools needed to analyze a policy violation and the most straightforward way to conduct the analysis. Private-sector investigators are therefore concerned mainly with protecting company assets, such as intellectual property. Finding evidence of a criminal act during an investigation turns it from an internal civil matter into an external criminal matter, as in this case.

Step 1: Case Description

The investigator must gather all the evidence regarding the email, along with any other incriminating evidence that turns up. Evidence includes an electronic copy of the offending email that contains the message header data, email server log records, and/or access to a central server. After this, the investigator contacts the company attorney and relays all the information about the evidence obtained from the suspect's computer. Next, determine whether the case meets the criteria for involving law enforcement in a criminal investigation. It appears that this person has assaulted or intends to assault someone, so the case is now a public criminal case. Next, inform the company's management about this employee's activity, and then obtain details about the location of the computer from which the email was sent. After gathering all the needed evidence and data, the investigator files a report.

Step 2: Permission of Investigation and Gathering the Evidence

The company attorney will be contacted about the investigation, and the investigator will ask him or her for permission to investigate more thoroughly by examining the employee's file and the network logs. The investigator will then obtain the IP address of the computer in order to identify the computer and the location from which the email was sent. Other evidence alongside the IP address is needed to make the case solid. From the email, the investigator can see the name of the person who created the account and the email ID of the suspect. Next, compile a list of employees who have come in contact with, and are thus associated with, the email ID, so that the investigator can narrow the field by process of elimination. When contacting law enforcement, bring a printed copy of the email, details of the email ID and the list, and all associated evidence.
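Steps 1 and 2 both rest on the header data of the preserved message: the electronic copy is what counsel and law enforcement receive, and the Received chain inside it is where the sending computer's IP address comes from. The following is an added example, not code from the original post or from the textbook it draws on. It assumes the offending email was saved as a raw .eml file; the message, hostnames and addresses are constructed for the example (documentation IP ranges), not data from any real case. It hashes the raw file before anything else reads it, so the copy handed over can later be shown to be unaltered, and walks the Received headers from the originating hop outward.

```python
"""Pull the fields an investigator records from a preserved e-mail (.eml).

Added example: hashes the raw file, parses the message headers, and walks
the Received chain to the host and IP where the message entered the mail
system. The sample message below is constructed, not real evidence.
"""
import email
import hashlib
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message; hosts and addresses use documentation ranges
# and are not taken from any real investigation.
SAMPLE_EML = (
    b"Received: from mail.example-corp.test (mail.example-corp.test [203.0.113.10])\r\n"
    b"\tby mx.example-corp.test with ESMTP id abc123\r\n"
    b"\tfor <victim@example-corp.test>; Mon, 06 Mar 2023 14:02:11 -0500\r\n"
    b"Received: from WORKSTATION-42 (unknown [192.0.2.77])\r\n"
    b"\tby mail.example-corp.test with ESMTPSA id xyz789;\r\n"
    b"\tMon, 06 Mar 2023 14:02:09 -0500\r\n"
    b"Message-ID: <20230306190209.1234@example-corp.test>\r\n"
    b"From: \"J. Doe\" <jdoe@example-corp.test>\r\n"
    b"To: victim@example-corp.test\r\n"
    b"Date: Mon, 06 Mar 2023 14:02:08 -0500\r\n"
    b"Subject: after work\r\n"
    b"\r\n"
    b"Constructed body text for the example.\r\n"
)

_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the sending host announced (HELO/EHLO)
    r"(?:\s+\((?P<comment>[^)]*)\))?"  # reverse DNS and IP recorded by the receiver
    r"\s+by\s+(?P<by>\S+)",            # the server that wrote this Received line
    re.IGNORECASE,
)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def evidence_hash(raw: bytes) -> str:
    """SHA-256 of the raw file, recorded before any analysis touches it."""
    return hashlib.sha256(raw).hexdigest()


def parse_received(value: str) -> dict:
    """Split one Received header into sending host, recorded IP, receiving host and time."""
    flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m = _RECEIVED_RE.search(flat)
    ip = _IP_RE.search(m.group("comment") or "") if m else None
    # The timestamp is whatever follows the last ';' in a Received header.
    stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return {
        "helo": m.group("helo") if m else None,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by") if m else None,
        "time": parsedate_to_datetime(stamp).isoformat() if stamp else None,
    }


def extract_evidence(raw: bytes) -> dict:
    """Return the header facts that go into the case report."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each relay prepends its own Received line, so the file lists them
    # newest first; reversing gives the path the message actually took.
    hops = [parse_received(str(h)) for h in reversed(msg.get_all("Received", []))]
    return {
        "sha256": evidence_hash(raw),
        "message_id": str(msg["Message-ID"]).strip(),
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "hops": hops,
        # The first hop's recorded IP is where the message entered the mail
        # system: the workstation to look up in the asset inventory and logs.
        "originating_ip": hops[0]["ip"] if hops else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_evidence(SAMPLE_EML), indent=2))
```

The recorded IP in each hop comes from the receiving server, not from the sender, which is why the example reads it from the bracketed comment rather than from the HELO name; only the hops written by the company's own servers should be trusted, and the IP they record is what gets matched against the inventory database and the mail server logs gathered in Step 1.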

Step 3: Report the Evidence

The investigator writes a report and sends it to law enforcement, submitting the email address, the incriminating assault email, and all the information gathered during the corporate investigation. If law enforcement concludes that the evidence is strong enough, they will obtain a search warrant for the email ID. The search warrant is then served on the suspect's ISP (internet service provider) to obtain details about the location where the email account was opened and activated. With these steps completed, there is enough evidence against the suspect for an arrest and trial.
