Internal investigations: The basics

Internal investigations are a vital part of a security program. It’s a serious matter when an employee is alleged to be violating company rules. So-called ‘insider threats’ can cause as much damage as thieves outside. These threats come in many different forms, including:

• Accounting fraud
• Outright theft of physical assets
• Unauthorized access, to manipulate data or to sell it
• Threats, sexual harrassment or other inappropriate forms of behavior or communication

Internal investigations aim to uncover the truth about alleged misconduct within the organization. But a good internal investigation must do so without compromising the relationship with innocent employees or unnecessarily damaging anyone’s reputation. That calls for good planning, consistent execution, analytical skill, sensitivity and a solid grasp of the legalities involved.

Typical elements of an investigation include collection and examination of written or recorded evidence, interviews with suspects and witnesses, and computer and network forensics. It may also require consultation with managers, human resources and legal personnel, and potentially also law enforcement. The exact players and actions will be ONLY those dictated as necessary by the particular case at hand.

Here is a primer covering the basics of internal investigations, compiled from expert advice in CSO Online articles. You will find links throughout pointing to more detailed information.

[Last updated 7/6/2012]

What planning steps should be undertaken at the outset of an internal investigation?

Have clear policies. A policy is helpful in several regards. It should dictate the appropriate personnel and procedures for internal investigations at your organization. A clearly written policy will help your arrive at a successful and correct outcome, avoid common blunders, ensure that proper documentation is kept (see next point), and keep your company out of legal hot water.

Document your work. This includes documenting your compliance with your own policies. In the event that, for example, the subject of the investigation files a lawsuit against your company, you will need to demonstrate to a judge’s satisfaction that you behaved responsibly and legally throughout.

Another key document is a confirmatory memorandum. You may determine this is necessary, frequently the case when a verbal complaint or accusation is made. A confirmatory memorandum clarifies the scope of the investigation for all parties involved, including the complainant.

Minimize witness intimidation. “Certain witnesses to the investigation might feel intimidated by the alleged wrongdoer, even by the simple fact that the alleged wrongdoer is in the workplace. Even worse, the alleged wrongdoer (and even the complainant) might intimidate, harass, or retaliate against witnesses in an attempt to influence the outcome of the investigation,” Thompson writes in “How to plan an investigation“. Keeping the investigation confidential is one step. Extreme circumstances might require removing the suspect from the workplace via paid suspension.

Form an interview team and divide duties. Interviewing suspects one-on-one, unless recorded, can create an opportunity for a plaintiff to challenge the interviewer’s notes or recollection. In a team interview, one person may ask questions while the other takes notes and records observations.

Establish the time frame for the investigation. Quick and appropriate action can help head off future legal challenges and also minimize negative impact on morale.

Collect documents and evidence. Thompson’s list of things to consider obtaining includes: personnel files, telephone records, expense account records, computerized personnel information, appointment calendars, time cards, building entrance/exit records, computer/word processing disks and hard drive, e-mail records and voice mail records.

Consider the need for special investigative techniques. These are almost always investigative techniques that have a high legal risk and never should be discussed or implemented without legal counsel. In fact, many of these techniques should require high-level approval before they may be utilized, including the following: internal audit, physical investigation (fingerprint, handwriting, voice analysis), physical surveillance, polygraphs, searches of organization or private property, and electronic monitoring or surveillance.

For each interview, you should prepare opening and closing remarks and a set of questions. This does not preclude asking followup questions during the interview. However, it will increase the precision of your communication to the interviewee and improve the quality of information you are able to obtain. These question lists should be retained with your case documentation after the interviews are completed, along with the notes or recordings of the interviews themselves.

Written statements. “Written statements minimize the opportunity for interviewees to dispute the investigators recollection of the interview or change their story. Statements also are a highly persuasive form of evidence,” writes Thompson.

Who should be kept informed about an investigation at each stage?

The general rule is: As few people as necessary. Human resources is a likely candidate and should have a great understanding of the level of confidentiality required. After that, judgement calls are in order. Factors include the severity of the incident(s) under investigation, the place within the organization of any suspects, and the tasks that will be required in gathering evidence.

You may need to interview other employees in the course of the investigation. Depending on the nature of the incident, that does not necessarily require that you divulge to those interviewees which individuals are under investigation. However, you may choose to let them know if they are NOT under investigation as that may help them relax and provide more information.

All documentation needs to be locked up tight with strict protocol governing acccess. And if you are using case management software, ensure that access to that data is controlled as strictly as it is for paper documentation.

What departments or skills sets are likely to be required?

The answer depends on the nature of the suspected misconduct. Necessary skills include the ability to conduct

• face-to-face interviews
• forensic accounting
• e-mail discovery and review
• computer and network forensics
• cell phone records
• video surveillance analytics
• access-card logs
• inventory audits

or all that and more.

This means the investigation team may include representatives from:

• physical security
• IT or information security
• finance
• audit
• facilities
• human resources
• legal
• suspects’ departmental management
• outside investigation or forensics firms

Details of each individual case must dictate the selections. Each investigation should include the necessary personnel and no others. See Security investigations: Merge ahead for more on this question.

What about detecting and investigating financial fraud specifically?

Clearly, suspected financial crimes will require the involvement of someone with expertise in fraud.

Software can help detect fraud. Packages with that specific intent typically run more than 100 test per transaction, looking for common issues such as a vendor address that is the same as an employee address, duplicate invoice numbers, and multiple changes in a vendor identity field. Such scans can be run on a daily basis or in-line during transaction processing in order to prevent fraudulent transactions, or on historical data to help in a fraud investigation.

Employee training to recognize fraud is equally important.

See more expert advice about fraud detection from a security professional and also in this Q&A with the former head of the Association of Certified Fraud Examiners.

Also see this list for certifications relevant to fraud, investigations and forensics.

Is it typically worthwhile to set up an employee hotline, allowing anonymous accusations?

A 2006 study of employee hotline calls found that 65 percent of the calls yielded information that warranted investigation, and that roughly half (46 percent) of the ensuing investigations resulted in corrective action of some kind.

What tools can help with the computer aspect of evidence-gathering?

There are a number of different types of software that can be helpful.

Digital forensics tools are intended to help security staff, law enforcement and legal investigators identify, collect, preserve and examine data on computer hard drives related to inappropriate and illegal activity, such as cybercrime, e-mail and Internet abuse, fraud, financial mismanagement, unauthorized disclosure of corporate information, intellectual property theft, and so on. Increasingly, these tools are also being applied to e-discovery efforts related to civil litigation and regulatory compliance.

Off-the-shelf enterprise forensics software packages include:

• Guidance Software’s EnCase
• AccessData’s Forensics Toolkit
• Paraben Corp. P2
• Technology Pathways’ ProDiscover Technology

Others include New Technologies’ suite of tools, X-Ways Software Technology’s WinHex utility, StepaNet Communications’ DataLifte and ASR Data’s Smart utility. On the open-source side are Sleuth Kit and E-fense’s Helix.

These forensic tools cover a range of capabilities (and cost).

In addition to forensics tools geared toward hard-drive contents, two other types of tools are often used in conjunction with forensics (or e-discovery) work, according to Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference. For instance, there are “survey tools” that report on exceptions to preconfigured thresholds, including intrusion detection tools, e-mail and log analyzers, Web proxy reporters and network traffic analyzers, he says. In addition, “sliding-window” systems observe the behavior of a system over time, including network monitoring tools such as those from NetWitness, Niksun, and Sandstorm Enterprises.

Other tools can come in handy specifically when someone within the company is believed to be leaking proprietary information to the outside.

So-called data loss prevention (DLP) software can attempt to block or record such data leaks. Over the past several years most DLP providers have been acquired by larger security suite vendors: Symantec bought Vontu. CA bought Orchestria. WebSense bought Port Authority. EMC bought Tablus. And so on. Verdasys and Code Green Networks remain examples of independent DLP companies—as of this writing, of course. (Find advice on how to choose and use DLP software here.)

Depending on the particular case in question, there are other tools and techniques which may supplement or replace these off-the-shelf packages. Corporate Investigations Manager Brandon Gregg recommends several free methods for identifying the source of information leaks, which may be intentional or accidental:

Monitter.com allows you to customize Twitter searches by keyword and location and save your searches as RSS feeds to have the data emailed or texted to you instantly. Start off slow with searches for your company name or a new product and monitor twitter for threats, disgruntle employees and internal leaks.

Limewire is a popular peer-2-peer file sharing programs; unfortunately, during a quick install of the program, most users overlook the details and approve the program to share the entire contents of their My Documents folder. Install this program on your computer —make sure to disable all file sharing—and routinely search for your company’s name. Documents with “Acme” in the metadata or title will flag and you can actually see the user’s IP address and download the file.

Addictomatic.com provides a quick and easy way to search for your company or keywords across a wide selection of sites including news, blogs, YouTube, and even popular photosharing site flickr. Countless unapproved videos and photos by employees can quickly be discovered.

Google‘s proprietary collection of websites and vast arsenal of tools give it the fourth and fifth place on the list. Using a recipe of basic and advanced search features can greatly narrow the number of results returned and give you better data. Instead of searching for Acme Company, use “Acme Company” in quotations or narrow your results with more details like “Acme Company” “Confidential Handling” to find any leaked company documents with “confidential handling” in the metadata or headers. Check out Google advanced search or search for “Google Hack Lists” for more tricks like finding your company’s IP CCTV cameras and password lists.

Google Alerts. Once you have narrowed your search and tested it out, use Google Alerts (www.google.com/alerts) to make Google work for you. In this example I have set up two searches in Google Alerts.

The first is a simple search to specifically search Myspace users postings about ACME:

“Acme Company” site:profile.myspace.com

and a second more complex search looking for any Acme file on free file sharing websites:

Acme (rapidshare. | megaupload. | sharebee. | mediafire. | slil. | sendspace. | turboupload. | speedshare. | depositfiles. | massmirror.com | ftp2share.com | zshare.net)

In some cases, electronic evidence may include communication from an anonymous person on the internet. Gregg also identifies a set of tools that can help determine such a person’s identity, where necessary and appropriate.

A wise investigator will ensure that any of the tools mentioned in this section are used in accordance with policies already communicated to employees regarding privacy and employee conduct.

Network-based fact-finding or surveillance is simple. But if I need to confiscate the subject’s computer, won’t that tip them off that they are under investigation?

This should all be established protocol BEFORE an investigation becomes necessary.

Most commonly the suspect’s computer will be taken at night by a team of at least two well-prepared investigators. One anonymous CSO described his company’s protocol like this:

“We work in teams of two now. One person serves as the scribe and keeper of the checklist that helps ensure all important steps are taken. The other person disassembles the PCs, pulls the hard drives and restores the workstation to the previously unaltered state. We alert the building security people, partly as a professional courtesy and mostly to minimize the risk of being confronted by the targets of our investigations. During one nocturnal investigation, I was at the workstation of an employee when she suddenly appeared! Like the Grinch nimbly providing an excuse to little Cindy Lou Who, I came up with a reason for having her PC apart. ‘This PC appears to be infected by a virus thats attempting to propagate across our network,’ I said. ‘I need to take it over to our lab to remove the virus. I should have it back in a few hours.’ And off I went.

“Today, the building security people disallow access for the ‘people of interest’ that were investigating by disabling their ID badges. We also take along radios that operate on the channel that the building security folks use. The radios allow the two areas to share information about the movement of people, the location of offices and anything else that might come up.

“Our burglar tools also have grown in sophistication. Computer forensics software available today automatically searches, sorts and analyzes files. We also know enough to bring hand tools, Mylar antistatic bags, a digital camera and self-adhesive labels for tagging evidence.”

The CSO’s further experiences and thoughts are provided in “How to be a better burglar“.

These are good practical steps to take in the event the suspect does not know he is under investigation. If there are relevant devices (BlackBerrys/iPhones, laptops) that the suspect does not leave in the office, you will either have to come up with a premise for keeping the device (such as ‘routine maintenance’), which may still cause him some suspicion, or confiscate the device immediately upon notifying him of the investigation.

Can employees or outsiders successfully evade computer forensic tools?

Just as forensic software and hardware advances, there is a class of software tools called ‘antiforensics’. Efforts to evade detection or erase all record of certain actions might include use of these tools.

No forensic tool or technique is perfect, but they remain effective in many instances. It takes a relatively sophisticated computer user to cover all tracks if he is engaged in significant wrongdoing.

How do I interview a suspect?

Proper interview techniques can help separate the guilty from the innocent. Here are practical interviewing steps and tools from Nate Gordon, director and founder of The Academy for Scientific Investigative Training in Philadelphia:

Icebreakers. An interview usually starts with some icebreaking chitchat unrelated to the investigation. This allows the interviewer to get a sense of the subject’s style: things like verbal tics, amount of eye contact and physical mannerisms.

Non-verbal cues. When discussing the case, the interviewer looks for non-verbal behaviors. A deceptive person will often put a hand to his eyes or mouth to obscure what he’s saying. A truthful person usually exhibits mannerisms that clarify what he’s saying, like touching a hand to his chest and making eye contact when stating his innocence.

Set up two chairs. Gordon recommends placing two chairs facing each other so that the interviewer can see the subject’s entire body and there’s no object behind which a subject may hide.

For more about reading cues, see “How to spot a liar: Identifying deceptive behavior“.

Consistent questions. With multiple subjects, the interviewer should avoid accusatory questions and ask each one the same set of questions, and should use a consistent reading and writing style. The questions should either be all read off paper or all memorized. Every response by the subject should be written down. (Selective recording invites a subject to analyze the interviewer’s behavior.) It may help to have one person record while the other manages the interview.

Anyone else in the room must be silent. If a manager or an HR representative is present, that person should sit behind the subject and stay quiet.

A critical point: Frequently internal investigations involve interviews with employees who are NOT suspects. This is standard evidence-gathering technique. As noted earlier, Attorney John Thompson says that you may (or may not) choose to let an interviewee know that she is not a suspect—this may earn you more candid answers.

Is it reasonable to include hidden cameras in my surveillance effort?

If you have a clear written policy and have communicated it to employees on a consistent periodic basis, and if the cameras are kept in clearly public spaces, you may be able to use a hidden camera as part of an investigation.

Otherwise, hidden cameras create some legal risks. There may be many more instances of prudent and appropriate application, but cases of inappropriate use do grab headlines.

offers A more detailed examination of the issue can be found in the article The hidden camera, including some examples of the consequences of improper use.

As with all legal questions, involvement of counsel is strongly advised in any circumstances.

What investigation tactics and common mistakes clearly should be avoided?

Intimidation. Any attempt to coerce information out of an interviewee is likely to backfire.

“Pretexting”, or posing as someone you aren’t, is more complicated. It isn’t strictly illegal but can create difficult challenges. This was strongly illustrated by the corporate investigation case at HP in 2006 involving board-level information leaks. This type of technique should only be used in lockstep with counsel.

Heresay obviously has no place in legal proceedings. Accusations must be documented, investigated with the appropriate rigor, and either confirmed through evidence or dismissed. Actions taken (such as an employee termination) without a strong case create not only legal liability but also morale problems, the impression of favoritism, and other issues.

Failure to control information. It bears repeating: Employees’ reputations and relationship to the organization are on the line in an investigation. Careless disclosure of information causes rumors, damages productivity, and creates liability for the company and the investigator. ##

This introduction to internal investigations was compiled from articles on CSOonline.com. Contributors include Malcolm Wheatley, Brandon Gregg, Daintry Duffy, Sarah Scalet, and John Thompson.