Human Resources (HR) investigation of the Director of IT

CASE STUDY

HR Digital Forensics Investigation of IT Director


Background

The CEO of a not-for-profit organization called Maryman due to some concerning behavior from the Director of Information Technology (IT). Shortly after the Director of Personnel started at the organization, the Director of IT asked her if she would go out on a date with him. The Director of Personnel politely declined and thought nothing more of it. Two weeks later, when she was at a restaurant on a date, she looked over at the bar area and saw the Director of IT by himself. At the time, she thought it was a coincidence since it was a popular restaurant and bar. One week afterwards, she was at a restaurant with the CEO for a business dinner. This restaurant was on the other side of the city. Again, she saw the Director of IT at the bar by himself. She pointed it out to the CEO, who called Maryman the next day.

Scope

The Maryman team proceeded with a full-scope digital forensics investigation to determine if the Director of IT was engaged in any invasion of private information. This was a difficult situation since the Director of IT had full administrative access to the environment. Luckily, there was a new employee working under the Director of IT who had appropriate credentials but did not yet have any deep loyalty to the Director of IT.

Preservation

The team went in for a covert, after-hours forensic imaging so that the Director of IT was not tipped off to the investigation. To keep the investigation secret, we simulated a power outage so that we could preserve the data on the servers and his workstation. We also found multiple USB hard drives at his desk, which we imaged onsite so that they could be returned in the same position and condition.

Analysis and Findings

The forensic investigation and analysis uncovered some evidence that was troubling to the CEO. The CEO was aware that all company chats and communications went through an onsite server, which was preserved and analyzed by the Maryman team. What the CEO did not know was that the Director of IT was forwarding all email and communications from all female employees to his personal email account. We found that the rules for the automatic forward had been in place for years without the CEO’s knowledge. This compromised not only the privacy of the employees but also the confidentiality of some of the donors of the organization.

Next Steps

The Director of IT was terminated with cause. The Maryman team provided termination support and worked with the new outside IT team to secure the environment to ensure that the former Director of IT no longer had valid credentials or access to the work environment.

Maryman also conducted a Technical Surveillance Countermeasures (TSCM) sweep, or bug sweep, specifically to determine if the Director of IT went beyond just spying on female employees’ emails and chats. This included sweeps of the CEO’s office, the Director of Personnel’s office, and the restrooms. It was determined that no bugs or video cameras had been placed by the former Director of IT.

Outcomes

Ultimately, the Maryman team uncovered that the Director of IT had been spying on the female employees by automatically forwarding all their emails and communications to his personal email. This led to his termination while restoring confidence in data security and privacy for the CEO and all employees at the organization.