Once you’ve identified what potential evidence you have after an incident, here’s what to do next:
1. Secure the evidence immediately
Remove the computer, drive, or device from service and place it in a secure location, a locked office or closet with limited, documented key access is usually sufficient.
2. Document the chain of custody
Start a chain of custody document right away. (If you’d like, we have a free form you can use, let us know.)
This should include:
- Manufacturer, model, and serial number of the device(s)
- The name of the user the device was assigned to
- The date and time it was secured
This document must stay with the evidence and be updated every time the evidence is accessed or its possession changes.
Why does this matter?
If your case ends up in court, whether it’s about data theft, insider theft, intellectual property disputes, or something similar, you’ll be dealing with judges, juries, and opposing counsel. Without a clear record of who touched what and when, you risk having the investigation portrayed as sloppy, or worse, leaving the door open to claims that evidence was planted or altered.
3. When should you bring in outside investigative help?
An outside investigator should typically be involved as soon as you suspect something is wrong, especially before interviews start.
Why? Because:
- An outside investigator is an unbiased third party.
- They bring experience and training in proper investigative interviews, not a scripted set of HR questions, but tailored, probing approaches that get to the truth.
- They keep personal familiarity, office politics, and emotions out of it, which is tough for in-house staff like HR or even internal counsel.
At a minimum, consult with a qualified digital forensic investigator right away. In many cases, an interview might not even be the right first step. You may need more fact-finding before you start asking questions that could tip off a suspect.
Up next
In our next post, we’ll talk about what happens to the evidence after it’s been secured, and how the investigation process continues. #DigitalEvidence
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.
If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.