Some years back, the place I worked went through significant changes that caused great upheaval and stress throughout the workforce. Most people accepted the changes and dealt with them professionally. A few people didn’t have the necessary coping skills, and they acted out. One way of acting out came in the form of anonymous letters sent to the board of directors, executive management and a few senior people in some of our sales offices. The letters were not complimentary of the corporate leadership, and a disruptive buzz began around the company.

Management wanted to locate the source and choke it off, and that was where I came in. I was asked to do some sleuthing and figure out who was behind the letters.

Because the letters were apparently typed on a computer and then laser printed, it seemed logical to look for trace evidence on people’s PCs. With hundreds of PCs as potential crime scenes, we tried to narrow the field by assembling a list of possibly disgruntled employees. The list included about two dozen people who all worked on the top floor of the building. I did some initial reconnaissance and figured out where all the offices were. Because this event occurred before the days of sophisticated forensics tools, I also prepared some diskettes with homegrown search routines.

To avoid tipping my hand and generating a lot of commotion in the work area, I planned to come into work at night after people had left for the day. Armed with a floor plan marked with the suspect device locations and my programmatic burglary tools, I rode the elevator to the top floor and began my search. With so many devices to search, I had to move quickly and methodically. I found a workstation, booted it up, write-locked it and started running my tools. I had four tool diskettes so that I could simultaneously search four devices.

The work areas were vacant. The cleaning people had come and gone, and the lights were off.
I felt every bit the Watergate burglar as I quietly went from desk to desk, office to office in my search. I was surprised that my padding about the workplace at night invited not one visit from the building’s security guards. (Those were the days, too, before 9/11 and increased physical security.) I felt sneaky and creepy as I violated the sanctity of each personal work space. Although the offices were company property and nobody had a legal expectation of privacy, it still felt wrong to be poking around other people’s stuff. As I moved aside knickknacks, family pictures and other personal items, I used as much care and respect as I could.

After hours of scanning for certain keywords that appeared in the anonymous hate mail and more hours analyzing the logs my programs had generated, I ultimately came up empty. If the letters were typed on a computer and printed on a laser printer, it wasn’t on one of the machines I searched.

In the end, it wasn’t my high-tech snooping that solved the case. The case was solved through handwriting comparisons done on the envelopes. Sure enough, the culprit was one of the two dozen “persons of interest” on the list.

That Was Then

Since that time, our computer forensics activities have grown much more sophisticated. We work in teams of two now. One person serves as the scribe and keeper of the checklist that helps ensure all important steps are taken. The other person disassembles the PCs, pulls the hard drives and restores the workstation to the previously unaltered state. We alert the building security people, partly as a professional courtesy and mostly to minimize the risk of being confronted by the targets of our investigations. During one nocturnal investigation, I was at the workstation of an employee when she suddenly appeared! Like the Grinch nimbly providing an excuse to little Cindy Lou Who, I came up with a reason for having her PC apart.
“This PC appears to be infected by a virus that’s attempting to propagate across our network,” I said. “I need to take it over to our lab to remove the virus. I should have it back in a few hours.” And off I went.

Today, the building security people disallow access for the “people of interest” that we’re investigating by disabling their ID badges. We also take along radios that operate on the channel that the building security folks use. The radios allow the two areas to share information about the movement of people, the location of offices and anything else that might come up.

Our burglar tools also have grown in sophistication. Computer forensics software available today automatically searches, sorts and analyzes files. We also know enough to bring hand tools, Mylar antistatic bags, a digital camera and self-adhesive labels for tagging evidence.

In the interest of speeding evidence acquisition, our investigators practice disassembling PCs in the lab. Different PC cases are screwed and latched together in different ways. When the clock is ticking, there’s no time to fumble around looking for unlatching mechanisms. It’s better to rehearse so that, come show time, they don’t lose precious minutes.

When investigators are seeking evidence from the devices of people who are still employed by the company, they use guile and stealth to keep the investigation secret. Innocent people must be shielded from unwarranted suspicions, and of course the investigators don’t want to tip their hands to those who may actually be guilty. Investigators usually perform searches after hours when people aren’t around. If the device involved is a laptop that the user takes home at night, they may use deception to obtain the device during regular work hours. On one occasion the investigators caused a message to appear on an employee’s PC indicating that a virus had been detected.
The message instructed the employee to call and report the problem, which he dutifully did. The investigator answered the call and offered to send someone right away to collect and repair the PC. The caller was pleased with the excellent service, and the investigators got the evidence they were seeking.

The best investigators I’ve worked with are not only careful and methodical but also creative. During one investigation many years ago, we needed to figure out who was inappropriately using a particular PC. There weren’t any surveillance cameras in the work area back then, so the investigators had to improvise. They removed some of the guts of an older PC and installed a Web camera in the void that was created. The camera peered out through the diskette drive slot, and the “floppy cam” was born. The investigators captured the nefarious activity in irrefutable detail.

The Paper Trail

Since the nervous early days of using simple hexadecimal editors as computer forensics tools, skulking around in offices at night and figuring things out for ourselves, our investigations have settled into a careful, deliberate rhythm. Today we assume that every investigation might lead to litigation. It’s one thing to capture evidence for your own purposes, and another when the courts get involved. We expect attorneys to challenge our evidence-gathering procedures, so we take extra care to ensure those procedures are sound. We use the same software as most law enforcement agencies and follow industry-accepted procedures. We use digital cameras to photograph the work areas we target and use checklists to document every step. Our goal is to provide solid evidence to our lawyers so that their cases hold up in court.

Documenting your work is the least exciting part of most investigations, but it may be the most important part. When it comes time to go to court, an investigator’s best friend may be her case log book and associated documentation.
Without carefully gathered evidence, most cases will fall apart under attack by knowledgeable attorneys. Furthermore, a poorly run investigation may not even serve the purposes of the internal organization. Management should err on the side of ensuring that the reputations of innocent people aren’t tarnished by bungling investigators.

There should be checks and balances in place to ensure that rogue investigators aren’t poking into people’s business without proper cause. Requests for investigatory activities should be made in writing. Not only does this level of formality help guard against inappropriate snooping but it also helps protect the investigators from accusations of the same. Similar to law enforcement investigators who must apply for a warrant before conducting searches, corporate security personnel should loop in legal or HR representatives to corroborate the need for the investigation. Companies have few restrictions placed on them when it comes to searching the systems they own. Although employees may not have a reasonable expectation of privacy, they should be treated with respect.

Investigative work can be intriguing, but it’s also serious business. People’s lives can be significantly affected by the outcome of investigations. I always keep that thought in mind as we plan and conduct our investigations, and try above all else to treat others the way I too would want to be treated.