Sometimes it's necessary to investigate the actions taken by a user to determine if a breach of policy (or a crime) was committed.  Done fairly, an investigation is worth the time, but done in the wrong way and the report is entirely worthless.

Forensic investigations can be fascinating and one of the biggest temptations is to go off reservation and start investigating out of scope.  As part of the investigation the analyst will be given access to a lot of data, some of which is almost certainly out of scope.  For example, during an investigation I conducted for the Information Commissioner's Office I was given access to an individual's mailbox across various points in time.  A time period was set of a few months and my task was to determine the location of emails (inbox, deleted items, sent items etc.) on a certain subject during that time period.

With the mailbox laid bare I could have reviewed any emails I wanted.  Given the individual's role within the organisation there would have been emails from customers, some potentially quite personal.  There could also have been emails about upcoming events and policies that I wasn't entitled to know about.  Crucially, I didn't go looking.  I stuck to my brief based on time period and subject and prepared my report.  Interestingly, there could have been an incriminating email outside of the date range, but being out of range it was out of scope.  Finding such a piece of evidence would have been an interesting dilemma.

Investigating honourably

In England the law states everyone is innocent until proven guilty and I feel it's important to approach an investigation the same way.  When needing to involve others for the aforementioned investigation (I couldn't restore mailboxes myself) it was crucial to protect the identity of the accused.  To that end I requested five mailboxes, across different parts of the organisation, be restored and provided to me.  By hiding the target of the investigation among other data I could avoid drawing attention to a single individual, protecting them from rumour.

It's fair to say an investigation can give rise to lots of gossip, or attract attention from those looking for gossip.  Keeping conversations about the investigation out of the main office space helps limit possible leaks.  This does mean you have to not gossip yourself of course.  Limiting access to the report is also necessary to protect its confidentiality.

Reporting accurately

Blame isn't apportioned by the forensic analyst conducting the investigation, their job is simply to review the materials and report accurately what was found.  Being accurate means explaining what was found without applying bias in your reporting, and that's sometimes easier said than done.  During the process of the investigation it's easy to form an opinion on whether the subject is guilty, but try to keep that out of your report.

There will always be limitations, from corrupted data to time constraints to simply not knowing something.  Acknowledge these in your report so as to be as fair as possible to all parties.  For example, when reviewing the aforementioned mailbox across multiple points in time I noted that an email I expected to see in all snapshots was missing in one of them.  Not just in a different place, missing entirely.  My report featured a comment like this:

It has been observed that an email dated 23rd February 2018 is present in mailbox restores from 25th February 2018 and 15th March 2018 but is missing in the restore dated 6th Match 2018. This indicates an anomaly in the restore process.

While this inconsistency is concerning, I do not believe the restore has "created" emails when they shouldn't be present. Similarly I do not believe the restore has moved emails within the mailbox (i.e. if the email shows it's in the "inbox" then it was).

Key caveats

In digital forensics we're working in the digital realm, so we can't 100% state "Fred did this" unless there's a camera pointing at the screen, keyboard and mouse that shows Fred really was present, performing that action.  There's no DNA for us to tie a person to a place.  Such limitations should be mentioned in your report so this is clear to the reader:

It should be noted there is a difference between a user account and a real world individual. While this report will be able to show which account performed an action, it is not possible to tie that account to the individual that was using it at a precise moment in time (the account could have been used by someone else).

The reader should consider other factors (door entry logs, CCTV, witness statements) in determining if the account was being used by the named individual at the time of the event.

Automated, and background processes, should be considered too.  When reviewing a web browsing report it's quite likely there'll be references to domains a person never chose to browse to.  Facebook, advertising agencies and content delivery networks will make an appearance in the logs where they've been referred to by the site the person actually visited - their presence doesn't mean they've been browsing where they shouldn't.

Bear in mind also that some sites actively refresh in the background in order to show updated news feeds and messages (Facebook et al).  Having such a site open in a browser tab will cause regular traffic to come from that site, artificially inflating the amount of time an individual has actually spent using it.

Ensuring the investigation is authorised

Witch hunts reached their peak in England in the 1600s.  These were the practice of, as the name suggests, hunting witches but the methods were questionable at best.  Flawed "science" ensured the victim often died (submerging them in water after attaching weights: if they floated they were using magic, if they didn't, and died, they were innocent (but still dead!)).  

The term "witch hunt" has remained today and tends to reference looking for evidence of some wrongdoing, even though there may not be any.  An unauthorised (or inappropriately authorised) investigation can be an example of such a hunt.  Also sometimes called a "fishing expedition".

Make sure the person requesting an investigation is actually authorised to do so.  The policy used at my current employer requires a director sign off from the client as well as approval from ICT's management.  This double approval prevents a manager with a gripe against an employee simply arranging a witch hunt to support questionable disciplinary action.

Protecting the integrity of evidence and the report

It's probably obvious, but if someone else can edit your report, or tamper with the evidence, they can change the outcome of an investigation.  Your report will be used by someone else, potentially even the court, so it's important to protect its integrity.

Returning to my earlier example, where my report was used in court.  My boss of the time had read only access to my report (in case he needed to answer questions / something happened to me) but he could not edit it.  I'm fairly certain he never read it either (the "need to know" never arose).  I also protected my evidence store with audit logging to ensure any changes were logged.  Access to the evidence was also coupled with a chain of custody log, so I could clearly show who had had access.

Protecting the integrity of data is a key tenet of security.  In doing so, you also help to protect your own integrity.

Conclusion

An investigation is about finding the truth, not for lending credibility to trumped up charges.  As an investigator, you have a duty to find that truth and be honest about what you found.  Your report should guide the reader to understand the facts, without applying bias or spin.

Ultimately, "innocent until proven guilty" is the only fair system.  Be courteous to the accused, they may not be the perpetrator!


Banner image a word cloud based on some words that sprang to mind.