
Employee Privacy, Digital Evidence, and the CFE
Kenneth C. Citarella, M.B.A., J.D., CFE
Managing Director, Investigations
Guidepost Solutions LLC
June 2011

The Good Old Days


CFE’s Aerial View
1. What Information Is Needed?
   Documentary
   Personal
2. Where Is It?
   Container
   Person
3. How To Get It?
   Data review
   Interview
4. Access, Review and Report

Scope
1. Quick Overview of Digital Forensics
2. Employee Privacy in Digital Communications
3. How Digital Forensics Impacts Employee Privacy
4. Current State of the Law of Employee Privacy in Digital Communications
5. How Employers Compound the Problem
6. What the CFE Can Do

Digital Data Questions
1. Where it is stored
2. How much is stored
3. How to get it
4. How to be sure it is reliable and admissible

Where It Is Stored
1. Desktop
2. Laptop
3. Notepad
4. Smartphone
5. USB Drive
6. Servers
   Local
   Corporate
   Cloud

CFE’s Data Trinity
1. Integrity
2. Chain of Custody
3. Know How to Explain

Cloud
1. Which Cloud?
2. Where?
3. Access Controls?
4. Audit Trails?
You will need Cloud personnel to establish the authenticity of your data.

CFE Tip #1
Know the policies and procedures of your Cloud(s) before it is too late for the data to be useful to you.

Easy Way or…
Request the data from a reliable source.
Or … use Digital Forensics.

“CSI” Version of Digital Forensics

E-V-I-D-E-N-C-E


Digital Forensics
Applies to your media within your physical control.
Forensics on Cloud-hosted data must be performed by, or with, the cloud provider.

Digital Forensics: 7-Step Discipline of Investigation
1. Identification
2. Collection
3. Preservation
4. Recovery
5. Verification
6. Analysis of data
7. Report the findings

Forensic Workstation


Identification
1. Not just the obvious containers
2. Also: digital cameras, handheld PDAs, wireless e-mail devices, fax machines, cell phones, USB drives, etc.
3. Any device that can store digital information

Collection
• Must follow standard rules for collection of evidence
• Chain of custody: same “old” rules

Preservation
Protect the media from extreme temperature changes, moisture, magnetic fields and physical damage.
Write-protect the original HDD (a hardware write blocker) before anything reads it.
Avoid the well-intentioned, but untrained…

Recovery Software
Automated process
Able to analyze numerous operating systems
Training, support, accepted in the community
Accepted by courts

Verification
• Verification is done by a mathematical formula: a cryptographic hash (MD5, SHA-1 or SHA-256) is computed over the original media at acquisition and compared with the hash of the forensic image
• A change of even one “bit” anywhere in the image would be detected
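As an added illustration of the verification step (not from the original presentation or its author), the Python below hashes a constructed in-memory “image” the way an imaging tool hashes a disk acquisition, reading in chunks so the image never has to fit in RAM, then flips a single bit and shows that the recorded hashes no longer match. The image bytes, the chunk size and the function names are assumptions made for the example.

```python
"""Added example: verifying a forensic image by cryptographic hash.

Not part of the original presentation. The 'image' is a constructed
in-memory byte string standing in for a dd/E01 acquisition; a real tool
records the hashes at acquisition time and the examiner recomputes them
before analysis and again before testimony.
"""
import hashlib
import io

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-TB images never load into RAM


def hash_stream(fobj, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} over the whole stream, reading in chunks.

    Two algorithms are computed in one pass (dual hashing), as imaging tools
    commonly report, so an MD5 collision alone could not mask a change.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(data: bytes):
    """Convenience wrapper for an image already held in memory."""
    return hash_stream(io.BytesIO(data))


def verify_image(data: bytes, acquisition_hashes: dict):
    """Recompute every algorithm recorded at acquisition; each must match."""
    now = hash_image(data)
    return {name: now[name] == digest for name, digest in acquisition_hashes.items()}


def flip_bit(data: bytes, byte_offset: int, bit: int) -> bytes:
    """Flip exactly one bit: a single-bit media error or a single-bit tamper."""
    buf = bytearray(data)
    buf[byte_offset] ^= 1 << bit
    return bytes(buf)


# Constructed sample image: 4 KiB of 512-byte 'sectors' with a recognisable payload.
SAMPLE_IMAGE = (b"Subject: personal\r\n" + b"\x00" * 493) * 8

if __name__ == "__main__":
    acquired = hash_image(SAMPLE_IMAGE)  # the values written on the chain-of-custody form
    print("acquisition:", acquired)
    print("untouched  :", verify_image(SAMPLE_IMAGE, acquired))
    tampered = flip_bit(SAMPLE_IMAGE, 2048, 0)
    print("one bit off:", verify_image(tampered, acquired))
```

The point for the examiner is that the comparison is all-or-nothing: a mismatch says only that the image differs from what was acquired, not where or why, which is why the original media stays write-blocked and the acquisition hashes are recorded before any analysis starts.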

Analysis
1. Human function
2. Browse through
   Folder
   File
   Cluster
   Deleted files
   Slack space

Analysis
“Deleted” Files:
1. The data is still there
2. The OS cannot see it (the directory entry is removed and the space marked free)
3. Forensic software can
4. The HDD space is available for re-use
5. How long the data remains recoverable depends on the size of the HDD and how heavily the computer is used

Analysis
Slack space:
1. Data is written in blocks of preset length
2. The last block of a file might have empty space (like this line of text)
3. The contents of a deleted file in that empty space at the end of the block are not overwritten
4. The old contents remain
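As an added example covering both the “deleted files” and “slack space” slides (not from the original presentation or its author), the Python below simulates a disk divided into 512-byte clusters with a toy directory. A file is written, “deleted” the way an operating system deletes (the directory entry goes, the clusters do not), and a shorter file is written over the same first cluster. The OS view then shows only the new file, while reading the raw media recovers the old file from the free clusters and from the slack at the end of the new file’s last cluster. The cluster size, the directory layout and the sample file contents are assumptions made for the example.

```python
"""Added example: deleted-file residue and file slack on a simulated disk.

Not part of the original presentation. The 'disk' is a constructed bytearray
divided into fixed-size clusters with a toy directory; the behaviour it shows
(delete = unlink metadata, slack = untouched tail of the last cluster) is what
real file systems exhibit, the layout here is invented.
"""
CLUSTER = 512


class ToyDisk:
    def __init__(self, clusters=16):
        self.media = bytearray(CLUSTER * clusters)   # what forensic software reads
        self.free = list(range(clusters))            # free-cluster list (bitmap, simplified)
        self.directory = {}                          # name -> (cluster list, size in bytes)

    # --- what the operating system does ---
    def write(self, name, data: bytes):
        n = -(-len(data) // CLUSTER)                 # ceil(len / CLUSTER)
        if n > len(self.free):
            raise OSError("disk full")
        clusters, self.free = self.free[:n], self.free[n:]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the bytes the file actually has are written; the rest of the
            # last cluster keeps whatever was there before (this is file slack).
            self.media[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = (clusters, len(data))

    def delete(self, name):
        # The OS drops the directory entry and marks the clusters free.
        # It does not wipe them, so the content survives until re-used.
        clusters, _ = self.directory.pop(name)
        self.free = sorted(self.free + clusters)

    def read(self, name) -> bytes:
        clusters, size = self.directory[name]
        raw = b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return raw[:size]                            # the OS stops at the logical size

    # --- what the examiner's tools see ---
    def slack(self, name) -> bytes:
        """Bytes between the logical end of a file and the end of its last cluster."""
        clusters, size = self.directory[name]
        if not clusters:
            return b""
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        return bytes(self.media[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])

    def carve_free(self) -> bytes:
        """Raw content of every cluster the OS considers unallocated."""
        return b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)


def keyword_search(disk: ToyDisk, needle: bytes):
    """Search the raw media, ignoring the directory, as a forensic keyword search does.

    Returns (cluster, offset-in-cluster) for every hit, allocated or not.
    """
    hits, start = [], 0
    while (i := disk.media.find(needle, start)) != -1:
        hits.append((i // CLUSTER, i % CLUSTER))
        start = i + 1
    return hits


# Constructed sample data: a 1100-byte 'personal e-mail' draft that spans three
# clusters, and a 37-byte memo that will re-use only the first of them.
PERSONAL_EMAIL = (b"From: employee@example.com\n"
                  b"To: lawyer@example.com\n"
                  b"I plan to sue the company for harassment.\n").ljust(1100, b".")
MEMO = b"Q3 budget memo: nothing to see here.\n"


def demo() -> ToyDisk:
    disk = ToyDisk()
    disk.write("draft.txt", PERSONAL_EMAIL)
    disk.delete("draft.txt")           # the OS now reports it gone
    disk.write("memo.txt", MEMO)       # lands in cluster 0, overwriting only 37 bytes
    return disk


if __name__ == "__main__":
    d = demo()
    print("OS sees:      ", list(d.directory))
    print("memo slack:   ", d.slack("memo.txt")[:80])
    print("free clusters:", d.carve_free()[:40])
    print("keyword hits: ", keyword_search(d, b"sue the company"))
```

The slack read shows the tail of the To: line and the whole “I plan to sue …” sentence sitting just past the memo’s 37 bytes, and the keyword search finds it without consulting the directory at all; this is exactly why the Stengart policy problem discussed later matters, since a user who deleted such a message has not removed it from the drive.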

Report Findings
1. “Just the facts”
2. No opinion
3. Only the probative materials, the “bookmarked” files, are admitted, not the whole report
4. The report gets turned over as part of discovery

Forensics Issues
1. Poor forensics will fail to find evidence
2. It is impossible to find evidence that is not there
3. The argument is over what the evidence means, not whether it is there
4. Search for malware (an alternative explanation for what is on the machine)
5. Date and time stamps

Forensics Issues
1. Protecting original media
2. Documentation of process
3. Clock verification
4. Software used
   How widely
   How well accepted

CFE Tip #2
Discuss your objectives and concerns with forensic examiners before they begin work.

Employee Privacy
Issue:
Forensic examination of employee’s work-issued digital device
General Rule:
No privacy issue in contents of device or records of Internet use

Employee Privacy
BUT
What about personal communications via an employer’s device?

Employee Privacy
Caution:
No definitive answer

Employee Privacy
Scenario:
Forensic examination of employee’s work-issued digital device
Personal communication acquired
Personal communication relevant to inquiry

Employee Privacy
Is it a privacy violation to read an employee’s personal e-mails?
Any consequences to the investigation?

Employee Privacy
Courts seem to focus on the scope of the privacy policy.
Detailed examination of corporate policy regarding Internet and e-mail.

Digital Forensics Reminder
If an employee deletes his personal communications, they might still be there in
   deleted files
   slack space

U.S. v. Simmons
Internet policy said the employer will “audit, inspect and/or monitor” Internet use “as deemed appropriate”
NO expectation of privacy

Smyth v. Pillsbury
1. Employee e-mails with supervisor in employer’s system
2. Policy says all e-mail privileged and confidential and would not be grounds for termination
3. Court found NO expectation of privacy

McLaren v. Microsoft
1. Employee e-mails sent over employer’s system
2. Stored on employee’s computer under password in folder marked “Personal”
3. Court found NO expectation of privacy because e-mail first transmitted over employer’s system
4. Not like an employee’s locker

Employee Privacy
Two recent decisions:
1. Stengart v. Loving Care Agency (NJ Supreme Court)
2. City of Ontario v. Quon (U.S. Supreme Court)

Stengart v. Loving Care Agency
Issue:
Stengart was using a personal, password-controlled e-mail account from an employer-issued computer
Communicating with her personal attorney
Planning to sue LCA for workplace harassment

Stengart v. Loving Care Agency
Stengart resigns and LCA performs a forensic examination of her computer
LCA finds e-mails with her attorney
Ethics issues for LCA’s counsel arise from the failure to disclose that the attorney-client e-mails had been retrieved

Stengart v. Loving Care Agency
Court’s Approach:
1. Examine LCA electronic communications policies.

Stengart v. Loving Care Agency
2. “The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice.”

Stengart v. Loving Care Agency
3. “E-mail and voice mail messages, internet use and communication and computer files are considered part of the company's business and client records. Such communications are not to be considered private or personal to any individual employee.”

Stengart v. Loving Care Agency
4. “The principal purpose of electronic mail (e-mail) is for company business communications. Occasional personal use is permitted…”

Stengart v. Loving Care Agency
5. “It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered.”

Stengart v. Loving Care Agency
6. Terms are undefined.
7. “E-mail system” seems to refer to corporate e-mail.
8. Policy does not address personal accounts.

Stengart v. Loving Care Agency
9. “[E]mployees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.”

Stengart v. Loving Care Agency
10. “The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by Loving Care.”

Stengart v. Loving Care Agency
Stengart:
Used a personal, password-protected e-mail account instead of her company e-mail address
Did not save the account's password on her computer
Had a subjective expectation of privacy

Stengart v. Loving Care Agency
Court’s conclusions:
1. “[T]he Policy creates ambiguity about whether personal e-mail use is company or private property.”
2. “The scope of the written Policy, therefore, is not entirely clear.”
3. Stengart had a reasonable expectation of privacy in the e-mails she exchanged with her attorney on Loving Care's laptop.

Stengart v. Loving Care Agency
Consequences:
The effort to investigate an expected workplace harassment lawsuit created an additional cause of action for invasion of privacy.
Note: Stengart’s e-mails were recovered from the browser cache on the laptop’s hard drive; they were not saved in their entirety.

Holmes v. Petrovich
Example where the court found no privacy interest.
The corporate policy said:
1. Company technology to be used only for company purposes.
2. E-mail is not private; like a postcard.
3. Company may inspect all files and messages at any time for any purpose.
4. Company will monitor for compliance.

Employee Privacy
Risk of a Poor Privacy Waiver:
1. A poorly drafted corporate e-mail policy might create civil liability if personal e-mail is accessed
2. It might also restrict what a forensic examination is allowed to look at

City of Ontario v. Quon (U.S. Supreme Court)
Significant facts:
1. Police department
2. SWAT team
3. Text pagers for official communications
4. Private carrier
5. Monthly character limit
6. Excess to be paid by the using officer

City of Ontario v. Quon
Computer Usage, Internet, and E-mail Policy:
City “reserves the right to monitor and log all network activity including e-mail and Internet use, with or without notice. Users should have no expectation of privacy or confidentiality when using these resources.”

City of Ontario v. Quon
The department said text messages would be treated as e-mails
Quon was reminded that usage would be audited because he exceeded the limits
He continued to exceed them

City of Ontario v. Quon
Messages recovered were sexually explicit:
   Between Quon and wife
   Fellow police officer
   Between Quon and girlfriend
   Department dispatcher

City of Ontario v. Quon
Court assumptions:
1. Reasonable expectation of privacy in pager communications
2. But not reasonable to assume immune from auditing
3. A reasonable police department employee should expect auditing

City of Ontario v. Quon
Holding: the department’s review of the text messages was a reasonable search, so there was no Fourth Amendment violation, even assuming (without deciding) that Quon had a privacy expectation in them

City of Ontario v. Quon
BUT
“…the Court would have difficulty predicting how employees’ privacy expectations will be shaped by those changes or the degree to which society will be prepared to recognize those expectations as reasonable.”

Employee Privacy
Employee e-mails might be stored in the Cloud. If so, Cloud forensics might violate employee rights.

CFE Tip #3
Examine the corporate e-mail policy so the reasonable-expectation-of-privacy issue is clearly addressed.

Social Networking
• Facebook
• LinkedIn

Social Networking
Increasingly used as marketing avenues for sales
But can be sources of dangerous malware

Social Networking
For security, IT may insist that social network marketing efforts not go through the corporate e-mail system
But routing them through webmail amounts to approving the use of non-corporate e-mail for business purposes

Social Networking
May conflict with corporate e-mail and Internet use policies and create ambiguity

Social Networking
No expectation of privacy in any matter posted on a social networking site

Social Networking
The impact of authorized social network marketing on the ability to use the results of digital forensics on employer-provided digital equipment is uncertain

CFE Tip #4
Examine the corporate e-mail policy so the reasonable-expectation-of-privacy issue is clearly addressed
AND
be sure it covers social network marketing.

You Want What?
Be involved in:
1. Computer security, including Cloud migration
2. E-mail privacy policy
3. Social network marketing policy

Conclusion, sort of…
City of Ontario v. Quon:
“…the Court would have difficulty predicting how employees’ privacy expectations will be shaped by [communication] changes or the degree to which society will be prepared to recognize those expectations as reasonable.”

Thanks!
Kenneth C. Citarella
Managing Director, Investigations
Guidepost Solutions LLC
212-817-6700
[email protected]