Looking for the best evidence

(@f4k3f4c3)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Hi all, newbie here.

I would like to ask anyone here, especially private investigators.

I want to know what the best evidence is that an investigator will look for at the pre-investigation stage (the stage before an official investigation that will involve law enforcement).

For example: a company is missing an important file and believes that someone among the employees sold it to another company. What will the investigator do on the suspect's computer to make sure that the suspect is the culprit?


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

Very little. You won't find any direct evidence that indicates a file was sold to someone.

You may find secondary evidence, for example email between the employee and the third party.

Don't read too much into the upcoming replies about USB sticks, timelines, link files etc - this stuff is so much like normal behavior as to be of little significance.

What you need to determine is the employee's motive, communication, behavior etc. For example, start with how the allegation of an employee selling data was received; interview the reporting party. Is it a "I think he is selling stuff" or is it "he was bragging about making a quick buck".


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

Ya, I wouldn't read much into information which could help answer the poster's question either. Stuff like USB sticks, timelines, link files. None of those would help at all (sarcasm off).

If you have a general idea of the date, week, or time this could have happened, then all of the above-mentioned items would help.

Time is everything, but as for out-of-the-ordinary things: a USB stick plugged in at any time when it's generally not needed in a company would be a red flag. Scans of the drive for @ addresses and times associated with those, or, if you know the company it was sold to, a search of @ with that company.

If the company is small, a search of employee names, or an index.dat or SQL search of websites visited. Possibly the item wasn't emailed; lots of people nowadays are copying the file and meeting in person, thinking they leave no trail like that.

Even searching the drive for visits to the person's banking site; even though it's SSL, sometimes you get gems from that.

Hope that helps.
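
The "search of @ with that company" mentioned in the post above, sketched as an added example that is not part of the original thread: it streams a raw image in chunks, finds e-mail addresses stored as ASCII or UTF-16LE, and reports the byte offsets of those at one domain so the surrounding data can be examined. The function name `scan`, the sample bytes and all addresses are constructed for illustration; the overlap must exceed the longest address expected.

```python
import io
import re

# Constructed stand-in for a raw disk image; all addresses and domains are made up.
SAMPLE_IMAGE = (
    b"\x00" * 37
    + b"To: buyer@rival-corp.example\r\nSubject: files"
    + b"\xff\xfe" * 20
    + "j.doe@rival-corp.example".encode("utf-16-le")  # Windows-style wide string
    + b"\x00" * 11
    + b"From: hr@own-company.example"
)

ASCII_RE = re.compile(rb"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Same pattern with a NUL after every character, i.e. UTF-16LE text.
UTF16_RE = re.compile(
    rb"(?:[A-Za-z0-9._%+-]\x00){1,64}@\x00(?:[A-Za-z0-9-]\x00)+"
    rb"(?:\.\x00(?:[A-Za-z0-9-]\x00)+)+"
)


def scan(stream, domain, chunk_size=1 << 20, overlap=1024):
    """Return sorted (byte_offset, encoding, address) hits for addresses at `domain`."""
    want = "@" + domain.lower()  # exact domain only; subdomains are not matched
    hits, base, tail = set(), 0, b""
    block = stream.read(chunk_size)
    while block:
        nxt = stream.read(chunk_size)  # look ahead so the final chunk is known
        buf, start = tail + block, base - len(tail)
        for enc, rx in (("ascii", ASCII_RE), ("utf-16-le", UTF16_RE)):
            for m in rx.finditer(buf):
                # A match touching a buffer edge may be cut off; the overlap
                # means the whole address also appears in an adjacent buffer.
                if (start > 0 and m.start() < 2) or (nxt and m.end() >= len(buf) - 1):
                    continue
                addr = m.group().decode(enc).lower()
                if addr.endswith(want):
                    hits.add((start + m.start(), enc, addr))
        tail, base, block = buf[-overlap:], base + len(block), nxt
    return sorted(hits)


if __name__ == "__main__":
    for offset, enc, addr in scan(io.BytesIO(SAMPLE_IMAGE), "rival-corp.example"):
        print(f"0x{offset:08x}  {enc:<9}  {addr}")
```

Run against a working copy of the image opened in binary mode, never the original media.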

(@f4k3f4c3)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

So, we can say that in the pre-investigation, the investigator commonly will not search directly for the digital evidence but will look more for the motive of the case, so that from then on it can be traced back over time?


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

Armresl's response is what I was hoping to provoke.

We are forensic analysts, not investigators (if you are both then good on ya); we produce specialized data/evidence from electronic sources. We are essentially a tool used by investigators, whether they be detectives or HR/Ethics officers.

If that investigator has already come to you and said we have an allegation against an employee which we believe is credible, "what can you do for us?", at that point you don't need to triage anything, you just go right ahead and start your analysis.

And Armresl, while your points are valid from an analysis perspective, I read the OP's request as one of triage (he referred to it as pre-investigation); my point being that in employee investigations there is no triage. Either a case is open or not, and the investigator then comes to us for assistance.


   