Don't hem and haw, Fitzgerald said. He and his team know what they're doing. "Many times we have cases where people waited and stuff goes missing. We'll ask for all computers and drives that were used and affected, and why you think those things were affected. It's important to have an idea of why a machine was infected," he said. "We'll want to see the employee manual. That will help us define the rules people work in. We'll need names and e-mails, work and personal, of any employees you suspect might be involved. Personal e-mail addresses you should have simply for emergency contacts. There are resumes and applications where this information can be found. We need this because personal e-mails can be used to move sensitive data out of the company gates."
2. Don't touch anything
In that moment of panic where the company suspects foul play, the urge to tamper with data can be irresistible. Sometimes data is spoiled by a malicious insider with something to hide. But many times the culprit is an honest person who accidentally destroys data in a panic or does the wrong thing before they realize what they're doing, because the fear has taken over.
Whatever the motive, Fitzgerald said the investigators will easily uncover what you've done.
"It's not worth it. You risk jail time if we discover you tried to destroy data," he said. "Regardless of whether you did anything wrong or not, if you tamper with data you're going to be in trouble."
He has had cases where someone took a 40-gigabyte hard drive and downloaded 10 movies onto it, then deleted them without destroying the hard drive. "People will purchase DVDs, download movies, as many as they can, then delete the movies and continue to step over the data. We can see the download data and dates, we can compare what's done online to what's done offline," he said.
People have tried to reload operating systems, but investigators can still see fragments of data such as dates that a download occured. "We can see that you knew a lawsuit was happening and you attempted spoliation," he said. "All we need it one fragment of data to see you tried to reload an OS. Judges and DAs have become more aware of these things happening, and they're starting to request evidence of these activities."
--PB---
3. Bring in the lawyers
Company executives are often slow to bring in legal counsel. That's unfortunate, Fitzgerald said, because the lawyers are on your side and can help you construct a sound game plan to keep the company out of trouble.
"When you bring in lawyers, psychologically it makes the problem real," he said. "It's scary for executives who don't want to make it look like they're circling the wagons."
The best approach is to collect every bit of information that may be helpful, give it to legal counsel and let them piece together the story.
4. Decide if you want a "loud" or "silent" probe
Companies should decide at the beginning if they want investigators to come in with a bang or a whisper. The right approach depends on what a company thinks it's up against.
"When we come in companies have us either do it with guns drawn and blazing, equipment in bags and boxes wheeled in, looking like we're hunting for aliens, or they have us come in quietly in a way where no one knows we're even there," he said. If the company smells a rat, the loud approach could be used to rattle employees who might know something into coming clean.
"They want to make an example of the incident," Fitzgerald said. "They have a pretty good idea that it may have been an employee or team of employees leaving to work for a competitor. They want to show that they have control and power and that whoever tries to steal is going to get caught."
More often than not, the quiet approach is called for. Employees typically want to do the right thing, Fitzgerald said, and if his team is polite and friendly and set up shop in a conference room off to the side, the work is done in three hours and data is taken back to the lab.
"If someone is still with the organization, you want to go in quietly, at night and on weekends. They don't want to make a big thing of it until they know what they are dealing with and what the potential liability is."
5. Educate the employees
Fitzgerald said education is the best way to ensure people like him aren't needed in the first place.
"Educating employees is so important," he said. "If they know what they can and can't do and all the tech policies are in place, the potential for an incident drops dramatically."