Documentation for internal reviews
For anyone who does digital forensics as part of an internal security team (i.e. only investigate your own employees) - what kind of documentation do you keep when the request comes in to cover your own back if it was ever challenged? I.e. requesting director/manager, allegations, search criteria etc. These are only ever internal disciplinary investigations and not criminal, and only internal including our own staff. But I am struggling to identify what such documents would be called to look for some templates, so any input would be most useful.
Most of the investigations I conduct are "internal" but most are on behalf of a customer.
The first thing I would say is that although the case may be internal, treat all cases as though they are potentially criminal cases (you never know, it may turn into one). If you use the same thoroughness as a criminal case, you won't get caught out.
Before conducting an internal investigation I require a completed and authorised forensic request form. The forms are fairly basic, giving the outline of the requirements, and a follow-up call is usually required, but the important thing is that it is signed off by the agreed authorisers. These include HR and data privacy officers. If I have all the correct signatures, I'm happy to proceed with an investigation.
Aside from the basics, i.e. chain of custody, device-related information for what you have collected, etc., I would suggest taking extensive notes. Regardless of the fact that the device may stay within your walls (so to speak), you still need to prove that the device has been under your care and control since it was signed over to you and that no-one had the opportunity to tamper with it.
Totally agree with pmurton - the most fatal mistake anyone could ever make in these types of investigations is to assume that an employment matter will never find its way into civil litigation; this commonly happens.
Accepted User Policy