Preserving Digital Evidence

When a business owner suspects fraud by an employee, it is natural to want to search that employee’s computer, but doing so could fundamentally weaken the integrity of the evidence discovered. Properly retrieved, digital evidence can be critical to building a legal case against an alleged wrongdoer. A Certified Digital Forensic Examiner is specially trained to gather, examine and present digital evidence in court through legally recognized procedures that avoid compromising the evidence. Be sure to call one at the outset of suspicion. Read on to find out what steps you can take to preserve evidence when fraud occurs.

First, an illustration – A business owner suspects that a manager used company money for excessive entertainment expenses. She has reason to believe that an AP clerk who authorizes payment is also involved. The manager claims the expenses are legitimate marketing costs, but the owner believes otherwise. Both the manager and accountant are placed on administrative leave, and another employee is assigned to the accountant’s computer for daily use. In order to find proof of fraud, the owner searches the accused employee’s computer and his email account.

The owner’s actions may have been a natural response, but they eroded the company’s case. Here’s how it works: When a computer boots up to an operating system such as Windows XP or OS X Lion, hundreds of files are automatically accessed. Date/time stamps are modified every time the device is turned on, regardless of whether a single file or application is opened or accessed, and regardless of the user’s intentions. What evidence existed on the manager’s computer was altered by the investigation, and whatever existed on the accountant’s computer was compromised by routine use by another employee. Neither body of evidence would have been admissible in court had counsel taken it that far. Once before a judge, it would be just as legitimate for opposing counsel to argue that the owner logged on to the manager’s system and altered files as it would be for the plaintiff’s attorney to argue the manager’s fault.

Unplug and Secure: First steps when you suspect fraud

If digital evidence is to be collected and preserved for a proper investigation or for litigation, the digital system in question (computer, smartphone, flash drive, CD, etc.) must be secured immediately, and searches should not be performed by you or any of your employees. The validity of the potential evidence depends on this. To protect the evidence, unplug and secure…and call a Certified Digital Forensic Examiner:

  1. Unplug the computer: Do not use the alleged wrongdoer’s devices or files in any way, and that includes logging off or shutting down the computer. When the system is unplugged from the wall, a forensic analysis will show an abrupt end of usage. This rules out suspicion that the owner implanted, fabricated or edited files to incriminate the suspect.
  2. Secure the system: Digital media should be moved to a locked room or a locked safe. Document access to the secured area with a log that records when the lock was opened, by whom, and when it was re-secured. If your organization does not have a way to secure the system, the Certified Digital Forensic Examiner (CDFE) must take custody of the device and document both the chain of custody and access to the system.
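
The access log from step 2 is only useful if every entry is complete and the entries agree with one another. The following is an added example, not part of the original article: a short Python check over a constructed log that flags entries missing the person, missing the re-secure time, or inconsistent with earlier entries. The CSV column names and timestamp format are assumptions made for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample log for one secured room (not real data).
# Column names are assumed; they mirror the three facts the log must record.
SAMPLE_LOG = """opened_at,opened_by,resecured_at
2024-03-04 09:15,J. Rivera,2024-03-04 09:40
2024-03-05 14:02,,2024-03-05 14:20
2024-03-06 08:30,Examiner (CDFE),
2024-03-06 16:45,J. Rivera,2024-03-06 16:10
2024-03-06 16:00,Owner,2024-03-06 16:30
"""

FMT = "%Y-%m-%d %H:%M"  # assumed timestamp format


def parse_time(value):
    """Return a datetime, or None when the field is blank or malformed."""
    try:
        return datetime.strptime(value.strip(), FMT)
    except ValueError:
        return None


def audit_access_log(text):
    """Return (row_number, problem) pairs for gaps in the access log."""
    findings = []
    last_closed = None  # latest re-secure time seen so far
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        opened = parse_time(row.get("opened_at") or "")
        closed = parse_time(row.get("resecured_at") or "")
        if not (row.get("opened_by") or "").strip():
            findings.append((row_no, "no person recorded"))
        if opened is None:
            findings.append((row_no, "no valid open time"))
        if closed is None:
            findings.append((row_no, "no re-secure time recorded"))
        if opened and closed and closed < opened:
            findings.append((row_no, "re-secured before opened"))
        if opened and last_closed and opened < last_closed:
            findings.append((row_no, "overlaps or precedes an earlier entry"))
        if closed and (last_closed is None or closed > last_closed):
            last_closed = closed
    return findings


if __name__ == "__main__":
    for row_no, problem in audit_access_log(SAMPLE_LOG):
        print(f"row {row_no}: {problem}")
```

Any row this check flags is a point where someone could later question who had access to the device and for how long.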

Establish Electronic Equipment Policies – Preparedness before fraud occurs

Effective use of your company’s internal controls will reduce the risk of fraud through proper accounting practices. Vicenti can help you assess and improve your current design of controls. But other precautions specific to digital evidence are also necessary. Clarifying the company’s position on fraud may be enough to cause those who are thinking of crossing ethical lines to reconsider – that alone is a good reason to establish an electronic equipment policy. Follow the steps below and educate employees on all processes that prevent fraud in your organization.

  1. Document, Train and Implement: Define policies and procedures including the two steps mentioned above – unplug and secure. Employees must be trained to activate the protocol at the first hint of suspicion.
  2. State, Inform and Collect Acknowledgements: Clearly state what constitutes appropriate usage of company systems including email servers: Is all email received by organization-created accounts considered to be the property of the organization? If so, collect signed statements of acknowledgement from all employees. If this is not your organization’s policy, state or local laws regarding the employee’s right to privacy may apply, making email messages off-limits as evidence.

When confronted with a situation where fraud is suspected, understanding these steps will help an owner avoid damaging evidence needed in building a case against a perpetrator.

John Hostetler is a Certified Digital Forensic Examiner with Vicenti Fraud Solutions, the fraud prevention, detection and investigation division of Vicenti, Lloyd and Stutzman LLP. As a CDFE, John is qualified to assist attorneys and investigators in fraud cases by inspecting digital media in a forensically sound manner. He trains organizations, including management leaders and IT staff, on the proper protocol to follow with electronic equipment that is involved in an alleged fraud. Call John at 626-857-7300 ext. 241 or email him at

Workplace fraud is too costly to ignore. Vicenti Fraud Solutions partners with business owners to protect your company’s assets and integrity.