Prepare a Computer for Employee Use

If you are a business or institution that assigns computers to individual employees, we highly recommend that you properly prepare the computers before they are assigned for use. This is for accountability purposes and applies to each and every time a computer is reassigned.

We receive computers for forensic examination, and the business or institution (client) will advise that the computer was assigned to only one employee. We will then examine the system and locate data from several different users. What the client does not realize is that our forensic software may find any residual data on the drive. This data may have nothing to do with the employee who is being investigated. This does not mean the employee will be blamed for what is there unless we can definitively show the content came from the employee’s user account. It is simply better not to have residual data from previous users clouding the examination process. If a computer is properly prepared, certain data may be attributed to a particular employee. This will not be the case if the computer was not properly prepared. Here are examples of how this works.

The Improper Way – Scenario 1
A computer used by other employees is turned back in to the IT department so it can be reassigned. IT personnel delete old user accounts and configure the computer for a new employee. The computer may appear new to the next employee to use it, but residual data will remain. Though not visible, residual data may include documents, music, photographs, internet history, email, etc.

The Improper Way – Scenario 2
A computer hard drive fails and needs to be replaced, so the IT department selects a used hard drive that had been in another computer. This replacement hard drive is not prepared in any way, and the Windows operating system is installed on it. As with Scenario 1, residual data will remain.

The Proper Way – Scenario 1
Whether new or used, a computer should be properly prepared the same way. IT personnel should use a program that securely erases the entire hard drive by overwriting all data with zeros. IT personnel can then install Windows, all necessary programs, configure all settings, etc. IT personnel should not conduct any personal or unnecessary activity on the computer. The prepared computer should be as sterile as possible.

Once the configuration of the computer is complete and prior to it being issued to or configured for an employee, IT personnel should create a backup image (copy) of the hard drive. The copying of the hard drive serves a few purposes: (1) the system can easily be recovered should an employee experience a serious problem, (2) the computer can be securely erased, the image restored, and the computer reassigned to a different employee, and (3) there is a record of exactly what the hard drive contained prior to being issued to an employee.

IT personnel should keep detailed records of what was done, what programs were used to prepare the system, and what programs were installed. This is actually easier than it sounds and a checklist could be used to make sure all steps were followed. A program called Belarc Advisor can be used to inventory the system once it is configured.
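The wipe check and baseline record described above can be scripted. The following is an added example, not part of the original article or of any program it names: it confirms that a wiped drive holds only zeros and records a SHA-256 hash of the baseline image. The field names, asset tags and file names are hypothetical, and on a real machine the path passed to verify_zeroed would be the raw device or a full image of it, opened with administrator rights.

```python
import hashlib, os, tempfile
CHUNK = 1024 * 1024  # read 1 MiB at a time

def verify_zeroed(path, max_hits=10):
    """Scan a wiped drive or image; return (bytes_checked, offsets).
    offsets holds the first non-zero byte of each chunk that still has data."""
    total, hits = 0, []
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            # Leading zero count equals the offset of the first non-zero byte.
            lead = len(block) - len(block.lstrip(b"\0"))
            if lead < len(block) and len(hits) < max_hits:
                hits.append(total + lead)
            total += len(block)
    return total, hits

def sha256_file(path):
    """Hash the baseline image so a later copy can be shown to be unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            h.update(block)
    return h.hexdigest()

def preparation_record(asset_tag, wipe_result, image_path):
    """Assemble one checklist entry (field names are hypothetical)."""
    checked, hits = wipe_result
    return {
        "asset_tag": asset_tag,
        "wipe_bytes_checked": checked,
        "wipe_verified": not hits,
        "nonzero_offsets": hits,
        "baseline_image_sha256": sha256_file(image_path),
    }

def demo():
    """Constructed sample files stand in for two wiped drives and a baseline image."""
    with tempfile.TemporaryDirectory() as d:
        clean, dirty, image = (os.path.join(d, n) for n in ("clean.bin", "dirty.bin", "base.img"))
        with open(clean, "wb") as f:
            f.write(bytes(3 * CHUNK))
        with open(dirty, "wb") as f:  # residual data left 5 bytes into the second MiB
            f.write(bytes(CHUNK + 5) + b"old user doc" + bytes(CHUNK))
        with open(image, "wb") as f:
            f.write(b"constructed baseline image")
        return (preparation_record("PC-0001", verify_zeroed(clean), image),
                preparation_record("PC-0002", verify_zeroed(dirty), image))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A record with wipe_verified set to False means the drive should be erased again before Windows is installed; the stored hash lets the baseline image be checked against the record at any later date.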

Why Following These Procedures Helps an Investigation
When we forensically examine a computer, we need to prove who was responsible for activity or data on the hard drive. Some files or data will be in what is called unallocated space, and we will not be able to say where the data came from, when it was created, modified, deleted, etc. The data is a mystery. If a computer was properly prepared before being deployed and the employee assigned the computer states that nobody else used the computer, it may be reasonable to infer the employee was responsible for that data. This “mystery” data alone may not be enough for discipline, but it may support other evidence in the investigation – even if not related to computer use.

Conclusion
If proper procedures are followed, you will know exactly what was on the hard drive before a computer was assigned to an employee. If an employee is investigated at a later time and the computer is examined, it may be possible to show improper behavior by a particular employee. This may not be the case if the computer was not properly prepared before being issued.

Obviously these procedures will not be as effective if a computer will be used by several employees.