Employee fraud – first response

July 7th, 2009

With the downturn in the economy, the foreclosures and the credit crunch, employee fraud, theft and general malfeasance are on the rise. If you don’t want to take my word for it, do a search on “employee fraud rise” and read a few of the results. I’ve been seeing these kinds of cases here in Memphis too.

What follows is practical advice about what to do when employee fraud happens in terms of preserving evidence for a later investigation and trial. Note that this is not legal advice. Hence the first thing to do is call your lawyer. The way it works in Tennessee is that forensic consultants are retained by a lawyer, not directly by the public, so your lawyer’s involvement is not optional.

Let’s start at the point where you discover your employee’s malfeasance.

Document your actions: who, date/time, what, where.

Firstly, if that employee has a dedicated workstation, immediately remove that workstation from your network. If the workstation is turned off, DO NOT TURN IT ON. Take the computer box (you don’t need the monitor and cables) and place it in a locked room or cabinet. If it’s a notebook computer, keep the power cable with the computer.

If you turn on the computer, it’s like walking through a crime scene. You leave your own fingerprints and footprints everywhere, and you may accidentally walk all over your evidence and destroy some of it. Resist the urge to look yourself; you’ll only hurt your case later on. (Note that once forensic preservation has been done, you can look all you want.)

If the workstation is turned on, you’re going to need advice directly from a forensic computer expert, so contact us quickly. There are too many permutations of how to deal with a live PC for forensics to cover in this article.

Restrict that employee’s access to your computer network. If you have a central file server, or email server, these are potential sources of evidence and you don’t want your suspect employee trying to access them to cover their tracks.

If your employee has any portable computing devices owned by the company, e.g. a notebook computer, PDA, thumbdrive or mobile phone, take these back now and keep them with the workstation in the locked room/cabinet.

Check your backups. You are making regular backups of essential systems like your file server and your email server, right? Check to make sure these backups have been conducted, and put aside your backup tapes or drives. Do not do new backups over old ones after an incident, as you may inadvertently destroy evidence.

Get your system forensically preserved as soon as possible. Forensic imaging allows the preservation of all electronically stored evidence so that you can keep running your business. In situations like these, forensic preservation can be done out of hours to minimize disruption to your business.

Once your system has been forensically preserved, you can continue to do business, and decide on a course of action with your lawyer. A forensic examination on preserved evidence can be carried out weeks, even years after the preservation has been performed. If your case becomes a criminal issue, the forensic images can be turned over to law enforcement with a fully documented chain of custody, or your computer forensic expert can testify if the examination has already been performed.
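One way to keep the "who, date/time, what, where" record of your actions so that later edits are detectable, as an added example that is not part of the original article: each entry stores a SHA-256 hash of itself plus the previous entry's hash. The hash chaining, the function names and the sample entries are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # 'prev' value for the first entry in a log

def _digest(entry):
    # Hash every field except the hash itself, in a fixed key order.
    body = {k: entry[k] for k in ("who", "when", "what", "where", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, who, what, where, when=None):
    """Append one action (who, date/time, what, where) to the log."""
    entry = {
        "who": who,
        "when": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "what": what,
        "where": where,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return the index of the first altered or out-of-place entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return None

def build_sample_log():
    # Constructed sample entries; names, times and places are made up.
    log = []
    record(log, "J. Smith", "Disconnected workstation from network; it was off and left off",
           "Accounts office", "2009-07-07T09:15:00-05:00")
    record(log, "J. Smith", "Moved computer box to locked cabinet",
           "Server room", "2009-07-07T09:30:00-05:00")
    record(log, "A. Jones", "Set aside last week's backup tapes; no new backups over them",
           "Server room", "2009-07-07T10:05:00-05:00")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("first bad entry:", verify(log))
```

Removing entries from the end of the log is not detected by the chain alone, so note the latest hash somewhere outside the log, for example on paper handed to your lawyer.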