No Image Available

Annie Hayes



Read more about Annie Hayes

Briefing: Computer forensics for HR


Simon Steggles, Director of Disklabs Computer Forensics looks at how IT sleuthing can be used to HR’s advantage.

Many people still believe that the data stored on a computer is erased once it has been deleted. This is not the case, and more often than not, it is the main reason that employees are caught out when they steal client databases, or when they make a catastrophic mistake and try and cover it up, or are committing internet abuse, or when they are simply up to no good during working time.

The practise of computer forensics is an opportunity to ensure all data on a computer, phone, PDA, or other digital device is thoroughly investigated, in accordance with ACPO (Association of Chief Police Officers), guidelines. Furthermore, when presented appropriately, the ‘evidence’ found can be used in a tribunal, or even in a court of law.

A common myth was that computer forensics was only used by police forces to help in convicting criminals, but that is far from the truth. Computer forensics, and indeed mobile phone forensics are regularly used worldwide. More and more private individuals are using these services to find out about the fidelity of their loved ones.

Companies are utilising these services to ensure that their staff are adhering to company procedures and increasingly human resources departments are using computer forensics and mobile phone forensic practises to help them investigate suspected internet and email abuse, internal hacking, network abuse, staff who are divulging company confidential information.

The perpetrators who commit these offences will undoubtedly try and cover their tracks. They may try and delete an email, they may change a word document, or use a USB memory stick, or a CD/DVD to copy the company’s database, to intend to sell it to the nearest rival, or even use the data to set up in business in direct competition with their employers.

They may be downloading inappropriate images, (pornography, internet child abuse, non-work related surfing of the internet during working hours, likewise with email, they may be distributing inappropriate images, or malicious emails).

An obvious solution to this would be to have internal security to have a look at the offending computer. Unless the security team have been trained in evidence handling, then I would not recommend this course of action. I would get in the professionals, people who are trained in computer forensics and mobile phone forensics.

Simply turning a computer on will change data, and therefore the evidence. Something as simple as checking the offending computers’ email will cause the files to have times and dates changed. If the computer in question has an anti-virus solution on it, it is likely that this will affect all the ‘last accessed’ dates or files. Errors such as these can mean that absolute evidence, which could have implications of years of imprisonment will have to be dismissed, and will not be useable in a court of law, or a tribunal.

What should you do?

1. As soon as someone is suspected of misusing a computer/phone/PDA, take it from them and turn it off. If possible, turn the power off by switching off the electricity at source, (wall socket). Record everything, dates, times, who was spoken to and when. Get this signed by a witness.
2. Keep the evidential item in question in a secure location until the experts arrive. Not doing this could leave an opposing lawyer to suggest that the data on the device in question was open to intervention by a third party that could have manipulated the data. However unlikely this is, the trial adjudicator will take this into consideration.
3. Immediately contact professional computer forensics experts, (such as Disklabs Computer Forensics).
4. When passing the job to a forensics organisation, give as much information as is possible, (times, dates, what the suspect inappropriate material is and names involved etc), as this will significantly reduce the time spent analysing the data, and thus reduce the overall price of the investigation.
5. Add this service into your Acceptable Use Policy – this way, no-one can suggest harassment should you have to pursue this route with them.
6. Speak to your forensics expert if you have any questions regarding the case. Has anyone else approached you stating that staff member X was getting the inappropriate information from staff member Y, gossip in the canteen etc.

* Disklabs Computer Forensics offers, free of charge, a telephone support service to HR Zone’s members – please contact them at for further information.

No Image Available
Annie Hayes


Read more from Annie Hayes

Get the latest from HRZone

Subscribe to expert insights on how to create a better workplace for both your business and its people.


Thank you.

Thank you! Your subscription has been confirmed. You'll hear from us soon.