When Employees Leave, Data Should Stay

Russell W. Gilmore, CISSP, CISM, EnCE Computer Forensics


As a security consultant, I am often asked to assist with the hiring and termination of employees. The hiring process generally includes background checks, reference interviews, and financial history, along with other information. My involvement in the termination process is as a third-party observer and advisor. As a computer forensics expert and consultant, I am often called in sometime after the termination process to make a forensic image (or exact duplicate) of the terminated employee’s hard drive. This usually occurs as a result of a threat expressed by the ex-employee to file some sort of legal action. Each time, I imagine how much time and money could be saved if an image of the computer hard drive had been created before the employee was terminated and/or shortly thereafter.

In some cases, I am asked to image a computer used by an ex-employee months ago. Quite often, the computer is currently being used by another employee. Computer forensics can recover deleted data. If several different employees have used the same computer, it is more difficult to show or even prove who deleted the data. Even though relevant information can be recovered, this type of scenario is not optimal.

According to the EEOC, in cases filed with the agency from 1997 to 2010, monetary distributions, excluding those obtained through litigation, went from $176 million to $319 million. During this same period, resolutions stayed at the same level, approximately 104,000. The number of cases is not increasing, but the costs are.

This does not include the cost of legal fees as a result of the EEOC filing or lawsuit. Most companies have become very proactive in regard to employee hiring, but we don’t see this as often in the termination process.

As a computer forensics examiner, I see opportunities for companies to preserve data and protect themselves and even the employee prior to the termination process or as part of the termination procedure itself. When it is evident that an employee must be terminated, steps should be taken to image the computer or devices used by the employee, even if a future computer forensic analysis is not needed. It may even be beneficial to image the computer prior to termination and again after termination. I have often been called to recover data deleted by an employee after they have learned of their impending termination.

I also recommend that an outside consultant conduct the forensic imaging. This can protect the employer from accusations of manipulating the data in its favor. You may ask, “Why can’t the ‘IT guy’ just make a copy of the computer hard drive?” A copy does not collect much of the deleted data. Unlike a forensic image, a copy is not an exact replica of the computer hard drive. Making a copy can change file information. Finally, a copy cannot be authenticated and verified months or even years later.
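The difference between a copy and a forensic image described above, as an added example that is not part of the original article: a simplified Python model of a disk showing that a file-level copy misses deleted data still present on the drive, while a bit-for-bit image keeps it and can be re-verified later. The disk layout, file names and contents are constructed, and SHA-256 is an assumed stand-in for whatever hash the imaging tool records at acquisition.

```python
import hashlib

SECTOR = 512
LIVE = b"Q3 sales report, final version"          # constructed sample content
DELETED = b"draft memo deleted before termination"  # constructed sample content

def build_disk():
    """Constructed 8-sector toy disk plus a file table of allocated files only."""
    disk = bytearray(SECTOR * 8)
    disk[1 * SECTOR:1 * SECTOR + len(LIVE)] = LIVE
    # The deleted file has no table entry, but its bytes remain in sector 5.
    disk[5 * SECTOR:5 * SECTOR + len(DELETED)] = DELETED
    table = {"report.txt": (1, len(LIVE))}  # name -> (start sector, length)
    return bytes(disk), table

def logical_copy(disk, table):
    """What an ordinary file copy collects: only files the table still lists."""
    return {name: disk[s * SECTOR:s * SECTOR + n] for name, (s, n) in table.items()}

def forensic_image(disk):
    """Bit-for-bit duplicate of every sector, with a hash recorded at acquisition."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()

def verify_image(image, recorded_hash):
    """Re-hash the image later and compare with the acquisition record."""
    return hashlib.sha256(image).hexdigest() == recorded_hash

if __name__ == "__main__":
    disk, table = build_disk()
    copied = b"".join(logical_copy(disk, table).values())
    image, acquired = forensic_image(disk)
    print("deleted data in file copy:     ", DELETED in copied)
    print("deleted data in forensic image:", DELETED in image)
    print("image verifies later:          ", verify_image(image, acquired))
    # Any change to the stored image, even one byte, breaks verification.
    altered = image[:-1] + b"\x01"
    print("altered image verifies:        ", verify_image(altered, acquired))
```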