CSI in the classroom

The use of electronic evidence has resulted in a new breed of investigator, the forensic computing examiner. Chris Budge and Campbell McKenzie look at some of the issues involved for schools.

• A Christchurch school recently found suspicious Web activity by a teacher. Forensic investigators found thousands of ‘adult-themed’ images and non-work-related activity.

• An Auckland school thought a student’s work productivity and performance were down. Forensic investigators discovered significant chat logs made during class time where she’d been looking for dates and sexual encounters.

These are just two examples of the work of forensic computing – the securing, preserving, analysing, reviewing and reporting of matters relating to electronic evidence. The expertise of ‘forensic computing examiners’ is relied upon to ensure evidential integrity by uncovering the ‘who, what, when, where and how’ of any situation. They are the CSIs of the classroom and are increasingly being used by schools to:
• Verify independently any information to evidential standards;
• Conduct investigations so that no allegations of an ineffective or one-sided school position are made;
• Protect school staff from viewing distasteful pictures during the review of the data.

If you suspect something, what should you do?
The first thing to do is to talk to advisors early – STA, lawyer, HR consultant, etc. Their advice will provide the procedural considerations. If a computer is involved you should:
• Secure the Internet and access logs;
• Give the staff member another computer to use in the meantime;
• On advice, have the computer copied by a forensic specialist rather than by the IT staff using Ghost (this does not secure all the possible evidence that may be required). It does not have to be analysed now, but at least it is secured;
• Subject to the interaction with the employee, the computer could be analysed with the intention of a report being produced;
• Consider contacting an expert from outside the business. This can be crucial in keeping information confidential from internal IT staff and contractors. Also, if you do use an external contractor, make sure you are specific about your requirements; otherwise the cost may be more than expected.

Prevention before a cure
There are a number of measures you can put in place to prevent or prepare for these sorts of situations, including:
• Have a cybersafety reporting policy;
• Have a robust policy that all staff know, adhere to and have signed (shorter is better – aim for two pages);
• Have ‘acceptable computer usage’ sections in all employment contracts, and include the ‘punishment’ possibilities. A recent case we dealt with had an outdated contract where suspension was not an option;
• Don’t try to be nice or ignore a potential problem;
• Treat everyone the same.

If it’s a student as opposed to a staff member, the ‘contract’ with the individual, particularly with regard to process timeframe and employment obligations, is clearly different. However, the evidential standard should be the same, and any internal timeframe requirements and reporting should be prepared for the highest ‘court’ the matter can be taken to, so that principals/BOT can consider the option.

What to look for in a forensic examiner
Forensic computing examinations require considerable technical resource. From a purely practical perspective, they are often complex in size and geographical boundaries, so make sure you are satisfied your forensic provider has adequate equipment. Ensure that they are capable of previewing or copying both on-site and off-site. They should also be flexible enough to work through the night or at the weekend to support the processing of millions of files. Always look for someone with a proven track record and, lastly, make sure you ask them this question: “Are you willing to prepare an affidavit or present evidence in court to explain your actions and be challenged by an opposing expert?”

The CSI Approach
Don’t expect evidence to be produced within the hour like on the popular television show, but you are entitled to expect your expert will properly deal with the matters of CSI: confidentiality, security and independence.

Ultimately, the need for the evidence to be collated should be considered at an early stage. If there is the remotest likelihood of a criminal complaint or that evidence will need to be presented to a court or in any proceedings, you and your expert need to know the evidential requirements under which it will be accepted. Consider the implication of the evidence not being accepted – use an expert who is knowledgeable, experienced and capable of committing to the CSI factors.


Copyright G Media Publishing Ltd. 2014. All rights reserved.

Categories: Article, Issue 1