Question

If the investigator finds that an employee has been misusing a company computer, or using it to conduct illegal activities, What is the best way to protect the evidence?

1) Immediately shut down the computer and disconnect it from the network
2) Take a backup of the computer's hard drive
3) Notify the company's IT department
4) Leave the computer as it is and inform the employee about the investigation

Answer 1

When an employee is suspected of misusing a company computer, the best way to preserve evidence is to take a forensic backup of the hard drive and notify the company's IT department. The computer should be left as is to prevent data tampering.

Step-by-step explanation:

If an investigator finds that an employee has been misusing a company computer or conducting illegal activities, the best way to protect the evidence is by taking certain informed actions. It is not advisable to immediately shut down the computer or disconnect it from the network, as this could result in the loss of volatile data or alerting the employee to the investigation which might lead to further complications.

Best Practices for Preserving Digital Evidence

Take a backup of the computer's hard drive to ensure all data is preserved in its current state. An exact image of the disk should be created using forensic tools.

1. Notify the company's IT department so they can assist with the forensic process and ensure a proper chain of custody is maintained for the evidence.
2. Leave the computer as it is, without informing the employee, to avoid any potential tampering with the evidence until the proper legal and investigative steps can be taken.

In handling such sensitive situations, it's crucial to follow a structured approach adhering to the organization's policies and legal requirements to appropriately manage the incident.