The call came in on a Thursday. The potential client was concerned with recent actions in the company, notably with someone in IT. The client needed to conduct an investigation involving activity on the computer but how does one conduct such an investigation when the very person being investigated is the one with the keys to the kingdom?
This call wasn’t the first call like this nor the last. The client wanted to know how we could forensically analyze this person’s computer without him knowing. We couldn’t use the lines “we need to upgrade an application” or “there is a piece of software that needs to be installed” because it was this very person in IT that did this work. The job called for something surreptitious.
What Vestige employed was “covert imaging”, a process by which we were able to preserve all content on this person’s computer, just like a forensic image, but doing so while they worked and without the person even knowing. Nothing pops up on their computer, they aren’t asked to accept anything, and they don’t even know that we are capturing all of their data.
In one situation, Vestige wasn’t even on site to perform this work. The client was a company that had multiple people on their IT staff. Vestige worked with the decision makers at the company to identify an IT person that could be trusted. Vestige then shipped our laptop to that IT person. The laptop was put on their network and we undertook remote access of our laptop. From there we identified the suspect’s computer, secretly installed our software and captured the necessary information to help the company in their investigation.
This type of work isn’t just helpful with investigating IT people. It can be used to investigate anyone without them knowing. (Of course, there are still privacy issues to be concerned with and this is not a way to skirt those.) Typically when we want to capture data from an employee’s computer, we work with IT to make up a story such as described above. Any kind of story to get the unsuspecting employee to turn over their computer. However, this route isn’t always possible and that is where the covert imaging comes in handy.
So if you’re ever faced with a situation where there’s concern about moving forward with the investigation because you don’t see a way around alerting the individual being investigated – keep this option open and know that Vestige can work closely with you to ensure a flawless investigation.
by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations
For more information CONTACT US.