As a special feature of our blog –special guest postings by experts, clients, and other professionals –please enjoy the second part of a three part blog series by digital forensics expert Jim Vaughn, a Managing Director of Intelligent Discovery Solutions.
By Jim Vaughn
This post is designed to build on Part 1 of this three part series on digital forensics. Part 1 addressed the subject of BYODs ("Bring Your Own Devices) in the workplace.
Staying on the subject of BYODs, what are the company policies and rules for these hybrid-devices? Does your company have well written policies, such as whether the employer can remotely “wipe” the entire device (business and personal data) if the device is lost, or if the employee and the company part ways? Have you considered how to deal with that issue before it happens?
IT departments originally focused on managing infrastructure, (tier 1 support), but this causes new challenges as employees use a greater variety of devices to access data in both the employer’s network (or cloud) and from their own personal sources.
From a digital forensic perspective, this may have implications that counsel should address. If a company does not ban BYOD outright, they should try to manage the risk of security breaches, prepare for the worst, and manage employee expectations.
In addition to implementing and reinforcing a culture of security, and reserving the ability to "wipe" devices if they are lost or stolen; companies should also consider ongoing training, annual acknowledgements, and otherwise set and manage employee expectations about the privacy they will have to surrender in exchange for the convenience of using their personal devices for work.
Privacy? Aren’t employees already mixing personal and business information? Yes, they are. But in a non-BYOD environment, this is typically an employee putting personal information on a portable work device. This does not trouble privacy experts and judges as much as an employee putting work information on a portable personal device.
Should the need to examine portable devices arise, what are some of the artifacts one could look for to ensure confidential company data has not been taken, or no longer resides on a departed employee’s device? In my Part 1 post I mentioned backup jobs created by portable computing devices, such as Blackerry’s, iPhones/iPads or Android devices.
Let’s assume you have reason to inspect a portable computing device (e.g. your forensic examiner found applicable backup jobs on the departed employee’s work computer).
Examples of artifacts to look for may include; attachments that have been broken apart from an email and saved to the device, installed software that allows a direct connection to a company computer that may bypass a particular security protocol, names of file attachments that may exist within personal email accounts on the device, pictures that may have been taken of a trade secret document in lieu of the actual file being taken, Internet history and/or text messages, just to name a few. The data on the actual device may differ from the last backup, especially if the device is used more frequently and more recently than the last backup.
Similar to an official BYOD policy – what about the usage of personal or home computers for work? It is not uncommon for employers to allow employees to utilize home computers for work, whether they realize they are allowing it or not. Some of the ways this occurs is by enabling web access to company email; allowing a personal computer to connect to a company network through a virtual private network connection (aka VPN connection); by allowing access to personal email accounts while at work; by allowing access to personal cloud storage areas while at work; or by allowing un-controlled portable devices to be used on work computers with no controls in place.
Many of these access rights can be monitored, limited or excluded, according to your needs and situation. For example, USB ports can be configured as read-only, essentially preventing the exportation of data.
What if the user is actually someone who is granted certain administrative rights within the company because it is part of their job responsibility, but they have then allegedly abused those rights post-employment or prior to departure?
In a recent case, an employee is actually accused of setting up Dropbox™ on the company server before leaving the company and having the software automatically backup (export) the company data on a near-real-time basis.
In my experience as a forensic expert (I am not an attorney), there has always been a delicate balance of interest by courts regarding the importance of preserving potentially relevant data from home computers while maintaining individual privacy concerns. Sometimes referred to as proportionality, sometimes referred to as the balance between relevancy and prejudice.