Today’s organizations rely heavily on the use of electronic data to run their day-to-day operations. Employees frequently access and use computers, email accounts, file shares, customer databases, various cloud accounts, and other sources of electronically stored information (ESI). These sources of ESI often contain confidential and proprietary data that are core to an organization’s competitive strategy. When dealing with legal and compliance issues, these sources of ESI also contain evidence that relates to a multitude of internal matters, such as Foreign Corrupt Practices Act compliance, financial and compliance audits, harassment, trade secret theft, and breach of fiduciary duty. Often, these matters are handled internally, even though there may be future regulatory and/or legal proceedings.

Organizations typically employ IT personnel to set up and manage corporate systems. Internal IT usually helps with items like system administration, securing and maintaining IT assets, and troubleshooting user issues. However, they are often not equipped with the right knowledge base or tools to handle ESI that contains evidence. Digital forensics experts have a different area of expertise and are able to capture information in a manner that can be used in legal proceedings.

Photo by Marvin Meyer on Unsplash

Computer forensics is the “use of specialized techniques for recovery, authentication and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, and authentication of data by technical analysis or explanation of technical features of data and computer usage.” Digital forensics experts focus on preserving and analyzing data from a wide array of sources and are typically called upon to write affidavits and provide expert testimony about their findings. It is important for organizations to understand how ESI is stored and how the use of digital forensics can play a role in their investigation.

During any investigation, there is a fact-finding process that involves collecting information and evidence from relevant parties and systems. Forensic investigators can assist with this process by collaborating with other members of the investigative team to develop strategies and collect and analyze data related to the facts of the case. This process allows companies to save time, money, and effort by creating efficiencies throughout the investigation. To give examples of how digital forensics can be used to assist with investigations, this article will use examples from a fact pattern that examines what happens when an employee departs for a competitor and may have taken confidential corporate information with them.

First, Review the Rules of the Road

In the modern workplace, there are a wide array of laws, regulations, policies, and procedures that govern the organization’s practice. This includes how data should be collected, stored, and used as well as the responsibilities of individuals who use organizational assets. In some instances, employers are limited by law in how they can collect and use certain types of electronic data. For example, the Illinois Right to Privacy in the Workplace Act contains a section governing a line of prohibited inquiries that employers can make regarding the online accounts of current and prospective employees. Before beginning any investigation, it is important to ensure all applicable laws, regulations, and policies are followed to maintain the integrity of any evidence collected during the course of the investigation.

Photo by Headway on Unsplash

Consider and Integrate Digital Forensics

At the beginning of any investigation, there is usually an internal team that works together to uncover facts related to the case. This team often involves individuals from human resources, management, IT, compliance, and legal departments. These team members have different areas of expertise and work together to identify relevant facts related to an employee’s departure, such as the version(s) of onboarding and policy documents acknowledged by the employee, the employee’s date of resignation, the systems the employee used to perform their job functions, the individual’s new employer, and any data-loss-prevention system (DLP) logs that may exist relating to the departing employee’s activities.

The internal team has a wide institutional knowledge base that can be used to assist with the investigation. All this information is used to develop a fact pattern and create a road map to guide the investigation. Many organizations also seek advice from outside counsel regarding potential legal avenues to pursue as well as firms who specialize in investigations or digital forensics. Adding a digital forensics expert to the team early in the process can help bring a fresh perspective and develop additional lines of inquiry.

As investigations progress, new facts are uncovered, which leads to new questions. These new unanswered questions require further analysis. Digital forensics professionals will help guide the members of the team through the process of identifying, collecting, and analyzing relevant ESI related to the investigation. Having routine collaboration and status update calls can help the digital forensics team members understand the ever-changing fact pattern of the matter at hand. It is important to continue the transfer of information from the internal team to the digital forensics expert so they can continue to consult on the matter and collect, review, and identify potentially relevant ESI.

Move Quickly to Manage the Departure Process

When employees resign, their accounts are typically disabled, modified, or deleted as part of the off-boarding process. Similarly, computers and phones are usually repurposed and reassigned to other employees throughout the organization. However, these accounts and devices often contain ESI and artifacts relevant to the investigation, such as information regarding account logins, file activity/deletions, and the use of external storage devices/accounts. Although the routine collection of data for departed employees may seem cumbersome, the value of this data may not be realized until long after the employee departs the company.

Former employees often need to remain compliant with all of the agreements they signed when they were an employee for a limited-term after departure, such as confidentiality and noncompete agreements. Many organizations choose to have a forensic collection completed and hold on to a preservation copy when certain members of the organization leave, such as executives or high-ranking sales personnel, even if there is not a current investigation. This allows the company to return to the relevant data at a later date to conduct an investigation.

As organizations grow and make changes to their IT infrastructure, company policies and procedures should be routinely updated to reflect changes in technology. It is important to ensure that something similar to a litigation hold is placed on their devices and accounts to protect the ESI when an employee leaves to work for a competitor. Many systems (such as Office 365 or G Suite) have a litigation hold or compliance feature that allows IT administrators to preserve emails, documents, logs, and other important information. If these functions are available, it is a step that can be taken to help preserve this data. Ultimately, the goal is to protect and preserve the data contained on devices and accounts until they can be forensically preserved.

Capture ESI Quickly in a Forensically Sound Manner

While your investigation may currently be an internal matter, it is pertinent to consider computers, phones, file shares, servers, user applications, and other electronic systems as sources of electronic evidence. When an employee leaves there is often an urge to investigate what they were doing before they departed. In a quest to help, many individuals within the organization, often IT personnel or management, want to “take a quick look at” the departed employee’s laptop and email account to investigate the matter. However, accessing any accounts or devices can alter important system artifacts and file metadata. These types of activities can ultimately alter evidence and potentially open up the organization to claims of spoliation.

It is crucial to ensure these accounts and devices are preserved as soon as possible. Many accounts and devices have data retention policies that affect the timeliness for the collection of data. Some examples of data points that may be affected by time include account logins and other events present in Office 365 audit logs and text messages sent on a company-issued phone that are set to delete after 30 days. Similarly, as individuals in the organization are interviewed or learn about the investigation, there is the possibility that relevant data may be modified or deleted. Moving swiftly to preserve data can help prevent potential data loss.

Any electronic evidence should be collected by digital forensics professionals who use industry-standard tools and best practices. The process of forensically collecting ESI captures additional information that may not be available using standard IT tools. The methods for collecting this data will vary by data source, but options are often available to collect data on-site or remotely. Using a digital forensics expert to preserve ESI helps maintain the chain of custody and provides the organization with an expert who can authenticate the collection and preservation of the data in legal proceedings if necessary.

Forensic Analysis Complements Traditional Investigations

Once the data is securely preserved, a forensic examiner will conduct analysis based upon the scope of work and the facts of the case. There are millions of artifacts on computers. The investigator needs to have the experience necessary to develop a game plan for how to review potentially relevant sources of data. To reduce the number of artifacts to analyze, the examiner will use strategies such as date filtering, keyword searching, pivoting off of key events, and creating a timeline based on recent user activity.

While digital forensics can help answer many questions about ESI, it does not solely determine the relevance of the data to the matter at hand. For example, an investigator may be tasked with determining what files were accessed or modified prior to the employee’s departure. If a date filter was used, they can retrieve important information such as where the file was stored, the name of the author who created the document, and the date and time it was last accessed. However, that information is likely not relevant if the PDF file contains the user guide for the vacuum that the recently departed employee purchased for their home. Similarly, a forensic exam can identify methods through which data may have been exfiltrated, provide some insight into internet history, locate communications, and help answer many investigative questions.

Photo by Markus Spiske on Unsplash

Determining the relevance of activities takes collaboration between the investigative team. For example, if there is an appointment for a hotel check-in on the departed employee’s calendar, the forensic examiner typically focuses on the electronic evidence during their examination such as the email containing the reservation and the text message containing plans to meet someone. Internal investigators often have access to documents that are not readily available to a forensic examiner such as time cards, credit card statements, and other items that can help determine if a hotel check-in was for official business. When the institutional knowledge is combined with forensic artifacts, it helps the investigative team determine the relevance of the calendar event.

In the case of a departed employee, a forensic investigator will typically focus on a few key types of activity such as file and network access, internet history, communications, data exfiltration, and data deletions. When combined with the facts of the case, these artifacts often provide information regarding whether or not the individual:

  • Had dual employment,
  • Took confidential and/or trade secret information when they departed,
  • Communicated and/or coordinated with the competing firm using corporate assets,
  • Exceeded their authority to access systems, or
  • Deleted work product prior to returning their devices or accounts.

Once the examiner has completed their initial analysis, they will often prepare preliminary findings. The preliminary findings are made available to members of the team as requested. These findings can be integrated with other information gathered by investigators to see if there are any gaps remaining in the investigation. Once the investigation is complete, relevant findings can be distilled into a concise written report. This written document can be tailored to meet the organization’s needs, whether it is a findings report used to brief executives on the investigation or an affidavit used to support the organization’s request for a temporary restraining order.

Finding The Right Fit

There is no one-size-fits-all approach to digital forensics. Every organization has a unique combination of technology, workflows, and user habits. To find the right fit, it is important totalk to multiple vendors. Talk to your outside counsel, industry colleagues, insurance carriers, and others to get word-of-mouth referrals. Most forensic firms have a standard vendor or retainer agreement that will lock in pricing and terms for an agreed-upon amount of time.

When looking for a digital forensic firm to partner with, it is important to find one that will check a few boxes:

Familiarity with Relevant Technology

There are numerous hardware and software solutions in today’s technological landscape. Go through a checklist of hardware and software solutions with the vendor and ask about their experience working with the main components of the environment.

Quick Response Time

Often, firms that end up being difficult to work with will be slow to respond to the organization’s needs. Some key questions to ask when vetting a vendor include what their availability for phone calls is and their turnaround time to conduct on-site visits.


Investigations require forensic examiners to adapt to the circumstances of the matter at hand.

Employs Testifying Experts

Many firms will provide some forensic services, such as forensic collections and basic analysis. It is important to ensure the firm has testifying experts on staff with experience relevant to the IT systems at your organization to prevent the need to hire a second firm with relevant experience later in the process.

Digital evidence is crucial for many of your internal matters, and finding the right vendor is the key to success. Compliance professionals who learn to leverage digital evidence will have a more robust toolbox to investigate issues. It will help the organization expedite the investigation of a myriad of compliance and legal matters. Whatever you do, make sure to start the vetting process now to ensure you find the right digital forensics expert before an incident occurs.


  • Modern investigations will almost always contain relevant electronically stored information, and it needs to be quickly preserved in a defensible manner.
  • In-house IT support is not enough. Forensic investigators have the expertise and specialized tools to collect and investigate electronic data.
  • Forensic investigators are an invaluable asset to an investigative team by collaborating on strategy and identifying, preserving, and analyzing electronic data.
  • Information sharing is key. Integrating forensic professionals into the investigative team helps them find the relevant information for the investigation.
  • Forensic findings are often a key piece of internal investigations. Finding the right firm before an incident occurs saves time and money during the investigation.

This article was written by Melody Haase and originally appeared in CEP Magazine.