A little knowledge can be a dangerous thing…


Security Center of Excellence

October 12, 2020 · 3 minutes read

In today’s world, everything moves so fast. Everyone wants something yesterday. Everyone demands and expects more from less. Every action we take leaves a data footprint and every product we buy asks for a review.

So why are today’s forensicators not taking the time to properly review data on cases? Can we really afford to take shortcuts when people’s jobs, careers, marriages, livelihoods – even their lives – are on the line? 

We have all heard of – or experienced – situations when work colleagues overstep the mark. Office pranks, off-the-cuff comments on email, even hiding office chairs or moving cars when colleagues aren’t looking because it’s “funny”. 

But what happens when those pranks go wrong, or when there is malice in those pranks? When someone sends a malicious email with intent and it gets someone fired? Or when someone steals IP or PII using another colleague’s workstation to hide their own malfeasance? What happens when they do this to bring about their own agenda?

Using just a high-level forensic tool to collect only live files and easily accessible evidence could result in not seeing the real story behind the “facts”. This information may be used to discipline – or even prosecute – an individual. Could you sleep at night knowing you’d got someone fired, or arrested, or worse as a result of incomplete or inaccurate information? 

How would you feel if someone later demonstrated that there was no way Employee A could have committed the action that lost them their job – or their marriage – or their family? Were the time and effort saved by using an artifact-led approach worth the investment? Did you get a good ROI? 

Let’s take another example where an employee is fired after inappropriate images are found on his computer. You investigate, prove the images were there and they get sacked. End of, right?

But what if an investigation with a deep-dive forensic tool could have surfaced deleted files containing child sexual abuse material (“CSAM”)? That evidence could lead to a conviction and help protect other children. If something had happened after the fact, could you stand by your decision to use an artifact-led approach to your investigation?

How comfortable would you be taking your findings to court if you know you only have half the information available? And worse – you don’t really know which half. All it takes is a canny defense attorney with access to a deep-dive tool that has surfaced, say, 50,000 more files to call the prosecutor’s evidence into question.

How can you stand by your evidence if you don’t have all the information? The evidence presented by a forensic examiner has the potential to exonerate or convict an individual. It has the power to save or to ruin lives.  

So, ask yourself: “Do you know enough?” If the answer is no, it doesn’t matter how easy your tool of choice is to use.

See how OpenText can help. 

Authored by Iain Nash, Account Executive, OpenText, and James Allen Kritselis, Lead Solutions Consultant, OpenText
