If I had eight hours to chop down a tree, I’d spend six sharpening my ax. – Abraham Lincoln
The average American will spend somewhere around 30% of their lifetime at work. Organizations generally work diligently to identify, screen, hire, and retain a highly motivated and dedicated workforce. But not even the best employee is efficient or focused during 100% of their work day. According to a 2016 study from the National Bureau of Economic research which cites the American Time Use Survey, the average American worker self-reported spending 34 minutes of their work time not working. A few respondents even reported not working at all during their work day. Common distractions include personal calls, texting, and use of the Internet.
On the other side of this spectrum, work manages to encroach further and further upon leisure time. Cellphones and computers mean that work email and calls easily tug at and intrude upon an employee’s off time. Digital natives in the workforce may feel obligated to stay connected. A 2013 study by Opinion Matters found that 81% of U.S. employees checked their work email outside of work hours, including 55% who checked their inboxes after 11 p.m and 59% who checked their inboxes while on vacation. Maintaining a flexible workplace can mean opening up options for remote access to a company’s network, which can cause challenges for network security.
In the digital age, a great deal of business is conducted on computers, and the workplace doesn’t even have to actually include a place. This means that a good portion of employee misconduct can also occur on an employee’s computer and smartphone. When an employee is suspected or accused of inappropriate conduct over email or through Internet use, a computer forensic investigation may be necessary to assess the full scope of the incident. In fact, I’m working on several employee misconduct cases concurrently these days – everything from workplace use of pornography, to data theft, to blatantly working for one employer on another employer’s time.
Other cases that require computer forensics may involve disgruntled employees intentionally deleting data or sabotaging systems or equipment. Whether they are attempting to get back at a company that terminated their employment, or trying to hide potentially incriminating activity on company-owned hardware, the potential exists for employees to remove data from company networks. Computer forensic investigations can retrieve maliciously deleted data and trace the activity of the employee behind the incident for any necessary legal recourse.
Inappropriate employee conduct can take many forms. An employee could be sending inappropriate messages to or harassing coworkers. They could be browsing websites that are very much not suitable for work on company time. Or they could be spending an hour or two of their 9-to-5 daily grind playing video games online. (Some of these breaches of conduct, obviously, are much more serious than others.) Forensic investigation of an employee’s company phone or computer can tell you how an employee has been using or misusing their time at work. Their internet history and other trace amounts of data on their computer or their smartphone can shed a light on their behavior.
The word “sabotage” was originally French. The story goes that the word came about because disgruntled factory workers would take their sabots (wooden clogs) and throw them into the machinery in order to cause damage, reducing the factory’s efficiency and its owner’s profits. Employee misconduct can take this form as well, albeit not quite in such a literal sense. In the digital age, a disgruntled employee (or ex-employee) may attempt to throw some shoes of their own or take company secrets with them on their way out the door.
Generally speaking, disgruntled employees today aren’t jamming their shoes into their business’s printer or sticking potatoes in the tailpipe of their boss’s car. Digital sabotage is often much easier. Of course, a disgruntled employee may do something drastic, like spill water on or spray WD-40 into their company’s server (we’ve actually seen this at Gillware!). But many are content to simply delete important information from company computers or make off with valuable trade secrets to sell to a competitor.
The fundamental principle of forensics is Dr. Edmond Locard’s exchange principle. Put simply, “every contact leaves a trace.” Any action a person takes will leave behind fragmentary or trace evidence. In the digital age, this doesn’t just include fingerprints on a glass, the scuff marks on the floor left by their shoes, or hair or clothing fibers deposited on a chair, but also the cookies from an Internet browser, the messages on a smartphone, and the files in a computer’s recycle bin, as well as a myriad of other forensic artifacts. Skilled forensic investigators can collect, analyze, and document this trace evidence.
For example, in cases of employee data theft, an ex-employee may steal data by way of a USB thumb drive. USB drives are portable, discreet, and can hold over 100 gigabytes of data. The saboteur may think they’ve gotten away with their heist. But the truth is, as we remember from Locard’s principle, every action they take leaves a trace. Few people realize how many traces are left by USB devices that are plugged into computers. When you plug in a USB flash drive, your computer may even keep a record of its serial number! If an employer suspects that an employee (or ex-employee) has been exfiltrating essential electronic data, a forensic examination of the computer involved can reveal if and when a USB device was plugged into the machine in question.
Employees behaving inappropriately may attempt to cover their tracks and eliminate the evidence of their misconduct by clearing their browser’s cache and erasing their Internet history. The perpetrator of employee misconduct may also delete documents that point toward their wrongdoing. However, deleting data does not lead to a forensic dead end. There are many forensic tools and techniques for uncovering deleted data. Piecing together these various clues can rebuild the electronic story of what happened, and shed light on just how an employee was misusing their time.