Cyber Investigations: Managing Risk

In a fraud investigation, classic practice teaches the investigator to collect evidence first, then interview the subject second.  But that practice may be backwards when the evidence is on computers, on mobile devices or out in cloud computing (social media and mobile apps).

In the classic scenario, evidence was physical.  It was paper, or it was fingerprints on a file cabinet.  The evidence could be destroyed or tampered with.

Digital Evidence Changes Dynamics of Investigation

Fraud has changed.  More commonly the evidence is now digital.

This change has two implications:

1.  The evidence is much harder to eradicate than people think.

People naively think they can delete digital records.  But deleted records can be recovered from hard drives and mobile devices like tablets and smart phones.  Also, very commonly, the records are copied to lots of places due to backups, synchronization, sharing in social media and so on.

Moreover – and this is a subtle point – the number of relevant records today is far larger than was true in the past.  Our mobile phones and computer networks are collecting records of biblical proportions . . . records about whom we talked to, what we said, when it happened, which applications we accessed, what cologne we were wearing and precisely where we were at any given moment (plus more and more and more!).

2.  The collection of digital evidence can raise dicey privacy and related issues.

Our society is in shock about the quantities and details of information that technology is now collecting, storing and spreading about us.  In reaction we see a confused privacy push-back.

First example:  In the past twelve months, several states have enacted (non-uniform) legislation preventing employers from demanding social media log-on credentials from employees.

Second example:  Some networks like Facebook publish little-understood terms of service that severely limit the ability of an investigator to collect information about a network user – even so-called “public” information.

Third example:  Under broadly-worded Connecticut legislation, if an investigator collects private information, the investigator must “safeguard” it.  Connecticut gives no clue what safeguarding requires. (Encryption? Lock and key?  Final, absolute, confirmed destruction of all copies of the information?)

Privacy Issues Connote Risk

Privacy issues create risk for the investigator.  For example, when management of a restaurant read the contents of an invitation-only Myspace forum set up by employees, it infringed the privacy of the employees.  As a consequence of the privacy violation, a jury held that the restaurant owed employees back wages and punitive damages.

Similarly, the administration at Harvard University angered the faculty when it surreptitiously conducted a limited search of the emails of 22 deans (related to an investigation of a data leak).

Response to Risk: Soft Investigative Steps

This change in evidence from physical to digital gives an investigator incentive to work differently.  The investigator is often wise to take “soft” investigative steps before aggressively grabbing evidence off of a social network or a mobile device.

These soft steps include:

A.  Give the target of the investigation a preservation letter.  The letter would warn the target not to destroy evidence and would educate the target that any effort to destroy evidence can probably be detected and punished.

B.  Interview the target and transcribe the interview.  Present to the target the allegations that have arisen.  Explain to the target that lying will dig the target’s hole deeper.  Lying can ultimately be uncovered through the many sources of evidence (emails, texts, photos, videos, metadata), brought forward through appropriate procedures such as a subpoena or eDiscovery in a civil lawsuit.

Results of Soft Investigative Steps

If the target of the investigation is guilty and wise, s/he will confess.

If the target is innocent, s/he may voluntarily turn over a lot of convincing evidence to refute the allegations.

In any case, taking the soft steps first helps the investigator reduce the risk of violating a privacy or stalking law.

–Benjamin Wright