Digital Evidence gathering and when should outside investigative assistance be called #DigitalEvidence

Once you've determined what potential evidence you have from an incident, the evidence should be removed from service and put in a secure location (a locked office or closet with limited, documented key access should suffice). Once the computer/drive/device is secured, a chain of custody document should be used (a link to our free form is here). On it, document the particulars of the device(s): manufacturer, model and serial number, as well as the user to whom it was issued. Once this chain of custody document is created, it should remain with the evidence and should be updated any time the evidence is accessed or its possession changes.

Why? First of all, when beginning any sort of investigation, we must consider where it may end up. In the case of data theft, insider theft, intellectual property theft, or anything of this nature, at the end of the road we may end up in court, dealing with a judge, jury and opposing counsel for the accused party. In the absence of knowing who touched what and when (i.e. no chain of custody form), opposing counsel will likely paint a story of either incompetence in the investigation or the possible creation of evidence, in order to exonerate their client.
In terms of when to involve outside parties, an outside investigator should typically be called in at the outset of suspicion or when interviewing is involved. You need an experienced investigator who is a disinterested third party. It's oftentimes hard for a company employee (HR or even in-house counsel) to be objective. Remove familiarity with the subject and emotion from the scenario. The outside investigator will do this. Additionally, they have training and experience in interviewing, rather than a formulaic series of questions that one might use for an exit interview or a traditional corporate investigation, which might be generalized. At the very least, consultation with an experienced forensic investigator should be considered, as an interview may not even be appropriate without fact finding first. It's that simple.

The following post will cover the next steps in the process of the investigation, including what happens to the evidence. #DigitalEvidence
