The realities of real forensic investigations in IT….Dec on Risky Business

March 27th, 2008 Drazen Drazic Posted in Dumb Security, Forensics, cyber crime

This is a topic that is going to be covered again tomorrow in a post by BG. What can IT Security specialists actually do when investigating an “incident”? Too many kid themselves that they can provide the client with the full service. As good as I think Securus Global is, I would never claim that we can do this properly ourselves without specialist guidance and advice from legal and police-type people. Too many heroes out there think they can, and that is dangerous. There’s a difference between an investigation and an “investigation” that would be used for a legal case.

Risky Business talks to Declan Ingram from Securus Global on this topic:
http://www.itradio.com.au/security/?p=64

4 Responses to “The realities of real forensic investigations in IT….Dec on Risky Business”

  1. Big Galoot Says:

    DD said, “There’s a difference between an investigation and an “investigation” that would be used for a legal case.”

    My question is, why is there a difference? Is there a potentially very large trap here?

    How can the ‘investigators’ be so sure that their investigation results will not end up in Court one day?

    After all, it might not be their company initiating the legal process. It might be a fired employee, a competitor or a Government agency. (This is a relatively free country, right?)

    There’s a plethora of examples of what I’m talking about, but here’s one for the sake of what I’m getting at:

    As a result of your high-level ‘investigation’ into the theft of IP, an employee’s email records are accessed by the company’s IT people, at the request of management, to see what’s going on.

    The employee has been discovered sending IP to a competitor via the company email servers.

    The employee is dismissed. At the time, the company takes the view that no legal action will be initiated against the employee (to keep it quiet - they don’t want it publicised), however they decide to sack them anyway. The email “investigation” was not conducted in a forensically sound manner.

    The sacked employee then initiates action against the former employer, citing unfair dismissal. They are also claiming costs for damage to their reputation, since it’s unlikely that they will be re-employed. The records of the investigation are subpoenaed by the former employee, and produced at Court.

    Do you think the employee might have a good case against their employer? My bloody oath they might! And the case is likely to be publicised anyway, which is exactly what the employer was trying to avoid.

    My apologies for playing devil’s advocate. I’m simply pointing out the potential traps of allowing the company’s IT guys to play office detective.
    :-)

  2. Big Galoot,

    I totally agree with you. It is not good enough to say “We don’t need forensically sound evidence”. Really? Then what is the purpose of the investigation? What are you going to do when you find whatever it is you find?

    And if you are doing an investigation, what are you going to be looking into, and how? Will you be potentially looking at what employees have or have not done? Have you thought about the Workplace Surveillance Act (if in NSW) and all your legal requirements there? Are your methods of collection of evidence legal?

    Good practice cannot be retrospectively fitted later should you find anything, just to reduce the upfront cost and complexity of an investigation. Otherwise you would probably be best saving your cash and employing BG’s Ostrich Risk Management Framework.

  3. Declan Ingram Says:

    @BG - Absolutely, I completely agree. There are many situations where, no matter what, a full legal forensic investigation is required.

    However, the vast majority of security incidents on the internet are more like this: A system is compromised by an attacker who came from a country far, far away. Their logs are only stored locally. There is no IDS, no decent Firewall logs and nothing on the system that can be trusted.

    The company wants to know what happened, and how to fix it. Even if they provided the AFP with the address, name and phone number of the person who hacked into their system - nothing could be done - they are far away in a country that does not care.

    As I said however, I agree. I would like to see people doing things properly all the time, but if that was the case - we wouldn’t be in there doing an investigation, would we?

    This was not a case where I was saying I think this is a good idea, just that this is what is happening, and why. In the cases you mention - employees, IP theft etc. - sure, there is no point at all in doing anything if you aren’t going to be able to back it up in court.

    On the flip side, there are cases where the AFP have been given full forensically sound evidence, the name, address and phone number of an Australian citizen, living in Australia, who has been repeatedly hacking into different places, and have done absolutely nothing. Zip, zilch, nada.

    In the case of system compromise, it is very, very hard to justify the cost of a full investigation to a business when the chance of success - even in the best cases - is so slim. Companies are far more concerned with finding the extent of the compromise and how to get their business running again.

  4. Big Galoot Says:

    Fair enough.

    I should have probably differentiated between an ‘investigation’ - from a civil or criminal perspective, and all other types of ‘investigations’.

    My wife occasionally asks me to go and ‘investigate’ the boisterous brush-tailed possums who’ve decided to make their home in our roof, keeping us awake at ungodly hours of the night.

    By implication (and tone of voice), she wants me to fix the problem. She doesn’t want to know how I’ve fixed it, or where I’ve re-released the captured possums, or need a signed statement for production to a Court.

    I’d imagine that ‘investigating’ some internet-related security incidents takes on a similar methodology. In other words, the company wants the problem investigated. And they’re not interested in how you fixed the problem. They simply want to get on with the business of making money - as quickly as possible. Fair enough, too.

    Irrespective of the regularity of the internet ‘incident’, not all company computer-related ‘incidents’ fall into this category.

    Given that shareholders and others have a stake in the profits and losses of large companies, there are sometimes regulatory requirements at play that require that a legally sound investigative process take place (as opposed to the possum methodology).

    :-)

    BG.
