Internal investigations: The basics

Internal investigations must uncover the truth about misconduct or fraud without damaging innocent employees. Here are the basics of how to plan and conduct a successful internal investigation.


Acme (rapidshare. | megaupload. | sharebee. | mediafire. | slil. | sendspace. | turboupload. | speedshare. | depositfiles. | | |

In some cases, electronic evidence may include communication from an anonymous person on the internet. Gregg also identifies a set of tools that can help determine such a person's identity, where necessary and appropriate.

A wise investigator will ensure that any of the tools mentioned in this section are used in accordance with policies already communicated to employees regarding privacy and employee conduct.

Network-based fact-finding or surveillance is simple. But if I need to confiscate the subject's computer, won't that tip them off that they are under investigation?

This should all be established protocol BEFORE an investigation becomes necessary.

Most commonly the suspect's computer will be taken at night by a team of at least two well-prepared investigators. One anonymous CSO described his company's protocol like this:

"We work in teams of two now. One person serves as the scribe and keeper of the checklist that helps ensure all important steps are taken. The other person disassembles the PCs, pulls the hard drives and restores the workstation to the previously unaltered state. We alert the building security people, partly as a professional courtesy and mostly to minimize the risk of being confronted by the targets of our investigations. During one nocturnal investigation, I was at the workstation of an employee when she suddenly appeared! Like the Grinch nimbly providing an excuse to little Cindy Lou Who, I came up with a reason for having her PC apart. 'This PC appears to be infected by a virus that's attempting to propagate across our network,' I said. 'I need to take it over to our lab to remove the virus. I should have it back in a few hours.' And off I went.

"Today, the building security people disallow access for the 'people of interest' that we're investigating by disabling their ID badges. We also take along radios that operate on the channel that the building security folks use. The radios allow the two areas to share information about the movement of people, the location of offices and anything else that might come up.

"Our burglar tools also have grown in sophistication. Computer forensics software available today automatically searches, sorts and analyzes files. We also know enough to bring hand tools, Mylar antistatic bags, a digital camera and self-adhesive labels for tagging evidence."

The CSO's further experiences and thoughts are provided in "How to be a better burglar".

These are good practical steps to take in the event the suspect does not know he is under investigation. If there are relevant devices (BlackBerrys/iPhones, laptops) that the suspect does not leave in the office, you will either have to come up with a premise for keeping the device (such as 'routine maintenance'), which may still cause him some suspicion, or confiscate the device immediately upon notifying him of the investigation.

Can employees or outsiders successfully evade computer forensic tools?

Just as forensic software and hardware advance, so does a class of software tools called 'antiforensics'. Efforts to evade detection or erase all record of certain actions might include use of these tools.

No forensic tool or technique is perfect, but they remain effective in many instances. It takes a relatively sophisticated computer user to cover all tracks if he is engaged in significant wrongdoing.

How do I interview a suspect?

Proper interview techniques can help separate the guilty from the innocent. Here are practical interviewing steps and tools from Nate Gordon, director and founder of The Academy for Scientific Investigative Training in Philadelphia:

Icebreakers. An interview usually starts with some icebreaking chitchat unrelated to the investigation. This allows the interviewer to get a sense of the subject's style: things like verbal tics, amount of eye contact and physical mannerisms.

Non-verbal cues. When discussing the case, the interviewer looks for non-verbal behaviors. A deceptive person will often put a hand to his eyes or mouth to obscure what he's saying. A truthful person usually exhibits mannerisms that clarify what he's saying, like touching a hand to his chest and making eye contact when stating his innocence.

Set up two chairs. Gordon recommends placing two chairs facing each other so that the interviewer can see the subject's entire body and there's no object behind which a subject may hide.

For more about reading cues, see "How to spot a liar: Identifying deceptive behavior".

Consistent questions. With multiple subjects, the interviewer should avoid accusatory questions and ask each one the same set of questions, and should use a consistent reading and writing style. The questions should either be all read off paper or all memorized. Every response by the subject should be written down. (Selective recording invites a subject to analyze the interviewer's behavior.) It may help to have one person record while the other manages the interview.

Anyone else in the room must be silent. If a manager or an HR representative is present, that person should sit behind the subject and stay quiet.

A critical point: Internal investigations frequently involve interviews with employees who are NOT suspects. This is a standard evidence-gathering technique. As noted earlier, attorney John Thompson says that you may (or may not) choose to let an interviewee know that she is not a suspect; this may earn you more candid answers.

Is it reasonable to include hidden cameras in my surveillance effort?

If you have a clear written policy and have communicated it to employees on a consistent periodic basis, and if the cameras are kept in clearly public spaces, you may be able to use a hidden camera as part of an investigation.

Otherwise, hidden cameras create some legal risks. There may be many more instances of prudent and appropriate application, but cases of inappropriate use do grab headlines.

A more detailed examination of the issue can be found in the article "The hidden camera", including some examples of the consequences of improper use.

As with all legal questions, involvement of counsel is strongly advised in any circumstances.

What investigation tactics and common mistakes clearly should be avoided?

Intimidation. Any attempt to coerce information out of an interviewee is likely to backfire.

"Pretexting", or posing as someone you aren't, is more complicated. It isn't strictly illegal but can create difficult challenges. This was strongly illustrated by the corporate investigation case at HP in 2006 involving board-level information leaks. This type of technique should only be used in lockstep with counsel.

Hearsay obviously has no place in legal proceedings. Accusations must be documented, investigated with the appropriate rigor, and either confirmed through evidence or dismissed. Actions taken (such as an employee termination) without a strong case create not only legal liability but also morale problems, the impression of favoritism, and other issues.

Failure to control information. It bears repeating: Employees' reputations and relationship to the organization are on the line in an investigation. Careless disclosure of information causes rumors, damages productivity, and creates liability for the company and the investigator.

This introduction to internal investigations was compiled from articles on Contributors include Malcolm Wheatley, Brandon Gregg, Daintry Duffy, Sarah Scalet, and John Thompson.

Copyright © 2010 IDG Communications, Inc.
