Do you need to investigate, recover or secure data from a computer to be used in an HR disciplinary action or legal proceedings?

If so follow these first steps:

STOP: Do you have lawful access to the computer system or electronic device you intend to investigate?

1.  DO NOT attempt to turn the computer on if it is switched off.

2. DO NOT attempt to turn the computer off if it is switched on.

3. DO NOT allow anyone, including the IT department, to access the computer under any circumstances. Wait for advice from a certified computer forensic specialist.

4. DO NOT allow the suspect to access the computer.

5. SUSPEND the person(s) remote access to your network and other computers.

6. IDENTIFY all devices and equipment attached to, or associated with, the device or person(s), eg phones, PDA’s networked systems, internet connectivity.

7. IDENTIFY other storage devices, eg floppy diskettes, hard drives, zip/jaz diskettes, cds, dvd’s, backup tapes, flash memory cards.

8. ENSURE you have copies of all available network and security logs backed up and secured, eg proxy, ids, firewall, email, security logs, door swipe logs, cctv.

9. ENSURE you have copies of the user(s) email backed up and secured from the main server.

10. DOCUMENT all actions undertaken during the above procedures.