IT managers who fail to preserve electronic evidence may end up in the witness box, says a computer forensic expert.
Employers walk a legislative minefield in balancing employees' rights with the legal requirement to monitor e-mail and telephone communications, according to a panel discussion on Balancing Employer Liability and Employees' Rights in Sydney yesterday.
Regardless of the resistance to covert monitoring of employee Internet or e-mail usage, a crack team of computer forensic experts can, in most cases of criminal investigation, obtain evidence needed for prosecution from a "scrubbed" computer.
An IT manager can play a crucial role in assisting these criminal investigations and work with law enforcement agencies, because they best understand the working of their company's computer networks and infrastructure, Graham Henley, director of PricewaterhouseCoopers Australian Computer Forensics and Investigations team, told Computerworld.
"IT managers are great at IT, but may have little understanding of how to handle evidence that can be used in an investigation and preserve it correctly," Henley said.
"They could end up in a witness box in front of a clever defence lawyer trying to punch holes in the systems they've built."
Henley recommends IT managers call in forensic experts to properly handle data as soon as there is suspicion of criminal activity, such as the trading of intellectual property.
Henley outlined the methodology behind computer forensics, using the high-profile example of the Federal Police's raid and seizure of electronic records from One.Tel's head office and the home of co-founder Jodee Rich last year.
"A computer is a filing cabinet with an audit trail," Henley said, speaking at the panel discussion.
Henley said Federal Police and computer investigators can covertly acquire evidence through a process of forensic imaging, whereby an identical copy of the target hard drive is stored on another medium such as a CD-ROM, eliminating the need to seize physical hardware.
"In the private sector, many acquisitions of evidence occur covertly. We can come in the middle of the night and copy the hard drive without the suspect being the wiser," he said.
Despite these dire examples of criminal investigations and covert surveillance, under the current scheme the law allows overt surveillance of employee e-mail and Internet usage as long as it satisfies the Privacy Act guidelines, clear policies are in place and unions are consulted in the development of these policies.