Wednesday, 23 November 2016
A senior employee left your company six months ago. Now there’s suspicion that she misused IP. But someone else in the company is now using the computer she’d had.

This is a common scenario. Many investigations happen long after the event.

A computer may be a silent witness to a crime. Everything done on it leaves a trail. Timely preservation is the key. The moment someone else uses the computer, things change: dates and times are updated and files are overwritten.

Digital evidence is volatile and subject to deliberate or accidental destruction. But deliberate deletion of files and emptying of the recycle bin do not, in fact, destroy the files. Timely action can recover them. The longer the delay and the more the computer is being used, the more likely it is that the deleted data will be overwritten.

Simple steps can preserve digital evidence. If a departing employee has had a key role or access to critical IP and is going to a competitor, you can either:

- Set aside the computer and do not let anyone use it; or
- Keep an exact copy of it, before it is re-used.

Sometimes setting aside a computer is too costly. This is where taking an exact copy, or “image”, of a computer comes into play.

A forensic image is an exact copy of a hard-drive reinforced with forensic verification that all data is preserved, including deleted data and vital dates and times. The image can be stored indefinitely.

Putting aside or preserving a computer device are easy steps. They can provide peace of mind that if suspicion emerges later, the evidence is there to be used.