Web based evidence on social media
Social media and web based communication has become part of our daily lives, both personally and professionally and the speed at which dialogue is exchanged and the range of content shared means that social media use tends to be more informal and uninhibited.
However, many people forget that their social media activity may be seen by unintended recipients and the work/private life boundaries become blurred. According to law firm Speechly Bircham, 25% of workers aged 18-29 spend 3+ hours a week on social networking websites during working hours.
This article addresses the intellectual property threats that employers face from web based communications, the challenges that forensic investigators face when investigating wrongdoing and how employers can mitigate risk in their organisations.
Whilst reduced staff productivity is a risk that employers face when allowing access to web based applications, far riskier is the ability to easily leak or steal confidential information using these tools. The primary function of applications such as Webmail, Facebook, Linkedin and Twitter is to share information in real time and while this provides many companies with new communication and networking opportunities, these same environments are being used for wrongdoing. It is no surprise that evidence will naturally be found wherever people communicate and given this, wrongdoers such as employees looking to set up in competition or a disgruntled sales rep seeking to trade away their current employer's secrets are increasingly using these less traditional methods of communication to hide their actions.
Until recently, the Internet history on a user's hard drive provided a plethora of juicy information easy for forensic experts to extract. Early days of Facebook chat, for example, could provide log in profile ID's, message content, time values from Facebook servers and 'to' and 'from' user names. Popular webmail applications would indicate whether an email had been read, provide sender and, potentially multiple, receiver email addresses, subject lines, message content, attachments and time stamps. Due to advances in technology, such as cloud based applications and hardware formatting, this information has become harder to obtain as less data is landing on the physical hard drives making the search for this critical information more challenging.
Organisations, which find themselves needing to investigate misconduct face many challenges when analysing web based evidence and it is important for firms to understand what can be expected from a computer forensic investigation.
For the most reliable investigation any forensic investigator will advise that they need to analyse digital evidence as close to the original source/environment as possible and this is no different when dealing with web based data. The web host servers where the data was created and resides will be where we 'should' start the process; however, obtaining that data quickly is often not a realistic option. Given the urgency at which evidence often needs to be isolated and contained, there is little time to obtain the necessary court orders which organisations like Hotmail, Yahoo or Facebook require before they will consider providing any information. This is not to mention the jurisdictional, logistical and data protection headaches one may encounter when actually trying to collect the data from these organisations.
From a computer forensic perspective those who allow access to social media sites should firstly consider the devices they provide their staff - the suspect's laptop, PC, mobile device or tablet where information may reside in the internet cache, on the hard drives or memory of the device. Forensic software can search hard drives, live RAM, or files for internet related evidence and in many IP theft cases they provide a useful place for an investigator to search. Social networking communications, messenger chat histories and popular webmail applications can leave behind evidence of an individual's contact base, location, activities, future plans and communications. This evidence alone could be enough to persuade the court to authorise a wider search on other historical systems such as back-up tapes, servers etc for evidence relating to the matter.
Despite the diversity of information sources, it is still perfectly possible for forensics experts to capture data used across social media and multiple hardware platforms. The key is to ensure that organisations maintain an accurate map of all devices used by staff and communicate a clear policy on how these devices can be used in the workplace - particularly for accessing social media sites.
As part of this policy, employers need to make individuals aware that when they use company property to communicate and coordinate their personal activity they run the risk of leaving behind evidence of their actions. Finding existing or deleted data from web based sources is an increasingly complex process, but the experts who are dedicated to keeping up with the latest technologies will always ensure that there is nowhere to hide.
Graham Jackson (pictured), business development consultant at Kroll Ontrack