Digital Evidence in Employment cases.

An often overlooked but contributing factor.

As in every profession, digital evidence bears its own share of stereotyping and misconceptions. Most people see digital evidence used in criminal cases, in TV series like NCIS and Law & Order, and of course in CSI:Cyber (not as successful as the original franchise).

But the reality in the life of an Expert Witness is that most digital forensic investigations do not have to do with criminal cases. Another reality of the criminal justice system is that in most western countries only about 2-5% of criminal prosecutions go to trial. Most end in a guilty plea or are dismissed. So it stands to reason that someone entering the profession may take a long time to actually give evidence in a criminal court. This of course has happened to me. Although I was involved in criminal cases from the early stages of my career, it actually took me more than 4 years to give evidence in a criminal court. After that, for some reason things changed, and I would go to court for about one in two of the criminal cases I was involved in.

The Employment Tribunals, however, are a totally different story. Once you are involved in analysing evidence and preparing a report, you are more likely than not to actually attend the Tribunal.

Employment lawyers are picking up on the fact that there is digital evidence in most of the employment cases and they realise that there is a need to get expert advice in order to do their due diligence.

The first Employment Tribunal cases I worked on were with one of the best independent employment lawyers in Glasgow, Mr Malcolm Cameron. These first cases were on behalf of two nurses against the NHS. These were eye-opening experiences, not only in the experience that I gained but also in the understanding of how the legal system works and how large organisations like the NHS can get things extremely wrong.

The first case was about a nurse who had been visiting Bebo on an NHS computer. At the time, the IT Policy in place would more or less allow staff to install stuff as long as they checked it for viruses. But what was a lot more interesting is that nobody understood what “preserving evidence” meant. The nurse was dismissed on the basis of some cookies from Bebo (i.e. Bebo[1].txt … Bebo[5].txt etc.). The cookies were printed on a piece of A4 paper and handed to HR, and the nurse was fired on that basis. The justification was that a tool called WEBSENSE was installed and Bebo was allegedly blocked, so the nurse either used a proxy server or installed something to bypass security.

I was actually shocked when I heard the NHS lawyer making the claim that she may have installed something… I mean… why would a nurse have admin rights to install software on NHS computers? That is a NO-NO. Allowing something like this should be a criminal offence in itself.

So in order to examine the other possibilities, I investigated the way proxy servers work. A proxy server will leave its own cookie but not any cookies from the visited websites. That is the point of a proxy server. So the presence of cookies from Bebo actually proves the opposite: that a proxy server was not used.

I installed Websense and examined its behaviour. When I blocked Bebo, I would not be able to “land” on its home page, so no Bebo cookie would be created from my computer. The bottom line is that if Websense was installed, and Bebo cookies had been created, then either Bebo was not blacklisted or Websense was not properly configured.

The end result was simple: the evidence used by the NHS to fire the nurse was the exact evidence we used to exonerate her and win the case.

Some employment cases need hands-on examinations:

In one other case, the employer who hired me wanted to confirm the suspicions of the abuse of the manager’s desktop by an employee during the manager’s absence. The first issue in this case was that the client did not want me to clone the drive and work from the clone, as I was properly taught during my studies! In that case I had to document the process and make sure that the client understood the implications. During the investigation I got evidence of a file that was created on the Desktop but was not recoverable, of an email login and download, and of the absence of temporary files for a period of time. The last one was a lesson that:

“the absence of evidence is not evidence of absence”.

So I took all the pieces of evidence and I put them in a timeline. The gap in temporary files was from an effort to clean up the activity on the days the manager was absent. The employee had used that computer to download her CV from her email and print it, and while there she opened and read confidential files. The employee was identified by the username of her Yahoo mail, and all the other activity (i.e. reading the confidential files) took place at the time she was printing copies of the CV.

When all these pieces of evidence were put in a timeline and presented to the employee, she got her stuff and left the building.
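The timeline approach described above can be sketched as follows. This is an added example, not the tooling used in the case: the artefact names, dates and the `temp_file` source label are constructed for illustration. It merges artefacts from several sources into one ordered timeline and flags days on which other sources show the machine in use while the routinely created artefact is missing.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample artefacts (not data from the case):
# (timestamp, source, description)
EVENTS = [
    ("2010-05-03 09:12", "temp_file", "~WRD0001.tmp"),
    ("2010-05-04 10:02", "temp_file", "~WRD0002.tmp"),
    ("2010-05-05 12:41", "webmail", "login as user_a@example.test"),
    ("2010-05-05 12:44", "download", "CV.doc from webmail"),
    ("2010-05-05 12:47", "file_created", "Desktop\\CV.doc (not recoverable)"),
    ("2010-05-05 12:52", "doc_opened", "confidential_1.xls"),
    ("2010-05-06 13:05", "doc_opened", "confidential_2.xls"),
    ("2010-05-07 09:30", "temp_file", "~WRD0003.tmp"),
]


def build_timeline(events):
    """Parse timestamps and return all artefacts in chronological order."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), src, desc)
              for ts, src, desc in events]
    return sorted(parsed)


def days_by_source(timeline):
    """Map each artefact source to the set of calendar days it covers."""
    days = defaultdict(set)
    for when, src, _ in timeline:
        days[src].add(when.date())
    return days


def gap_days(timeline, routine="temp_file"):
    """Days within the routine artefact's own date range on which other
    sources prove activity but the routine artefact is absent."""
    days = days_by_source(timeline)
    routine_days = days.get(routine, set())
    if not routine_days:
        return []
    lo, hi = min(routine_days), max(routine_days)
    other = set().union(*(d for s, d in days.items() if s != routine))
    return sorted(d for d in other if lo <= d <= hi and d not in routine_days)


if __name__ == "__main__":
    timeline = build_timeline(EVENTS)
    for when, src, desc in timeline:
        print(f"{when:%Y-%m-%d %H:%M}  {src:<13} {desc}")
    print("Days with activity but no temp files:", gap_days(timeline))
```

A flagged day is a lead to examine, not a conclusion: the gap only becomes meaningful when set against the other artefacts on the same days.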

Some other employment cases were far less exciting: investigating metadata on PDF files, or location metadata and time-stamps on photos on a mobile, to provide evidence of the whereabouts of a member of staff during an incident.

Sex, lies and Social Media

In another case I investigated a desktop PC for traces of some government-originated emails. That part was pretty straightforward for me at that stage, as the access to email was through a webmail service. Using simple key search strings such as Home Office and gov.uk, I easily identified the emails and recovered their content from the traces on the disk drive, without the need to access the email account itself.

And then things got interesting. I was asked to investigate the presence of porn material with an emphasis on the possibility of indecent images of children. I explained to the client that if I found any, I had a duty to report to the police, and we both agreed to continue with the investigation and involve the police if that proved to be necessary.

It turned out that there was no contraband of that kind. There was, however, a huge amount of traces of mainstream porn, and thousands and thousands of URLs from social media (mainly Facebook and YouTube). I found most of the URLs as traces and not as part of the browser’s history, which meant I did not have date and time stamps for many of them.

In this case I had to come up with some estimate of average usage, based on the amount of time that employee had that computer.

A simple keyword search with 15 domain names only (porn and dating websites) returned 54,828 hits.

Based on the findings and given assumptions on the time spent on average on a porn video or on a Facebook/YouTube page, I compiled some tables with indicative numbers. The average values were 57 mins/day on porn websites, and 111 mins/day on social media. That is 2h49' per day (more than 14 hours per week!!). The estimates have taken into consideration that some of the browsing history is not recovered, so that the actual numbers are larger than the ones on the table below. The very best case scenario was half an hour a day visiting porn websites.

This was the only case in my career when an opposing Expert questioned my report and my methodology. However, neither the expert nor the opposing solicitors questioned the above estimates.

I had to retort and defend my report; the opposing side conceded that they were at fault and the case ended in our favour. It has been many years but I have kept a copy of the opposing expert’s report to remind me of the challenge.

For more than a decade I worked with many lawyers (mainly in Scotland) but also in England and abroad. It is a positive sign to see that lawyers seek expert opinion more and more often, especially when it comes to digital evidence.

It is difficult to get carried away, but if you are practicing employment law, no matter which part of the world you are in, it is more likely than not that digital evidence exists in your case and it can severely affect it.

What you will find in an investigation may surprise you and may be way more than what you were looking for.

One thing you should never do is start browsing a computer or a mobile phone by yourself. You are more likely than not to compromise the integrity of the evidence!

Basil Manoussos, BSc,MSc,MBCS,ACSFS

Manager of The Cyber Academy, Edinburgh Napier Uni. Expert Witness & Cybercrime Consultant @ Strathclyde Forensics Ltd. Lecturer at UCLy & West College Scotland