Before You Begin Investigation
Often investigations will be triggered as a result of standard IT activity: noticing something unusual in a server or router’s log files, a problem or issue reported by users or IT staff. As a result, you might already be acting on symptoms of the situation that you’ll be investigating and have a pretty solid idea what you’re looking for before you start your investigation. If you and your staff are already in the habit of taking solid case notes, this will add evidence to the investigation before it even starts.
It is also important that your users be aware, through your organization’s computer use policy that you may investigate the contents of their computers, home folders, email accounts, and so forth. Likewise, in the case of acceptable use policy, it is important to be as specific as possible in the policy about what users can or cannot use their company computers and Internet access to do. And you should review it before an investigation to be certain whether anything you discover actually violates the policy or not.
You might also want to consider working with one or more staff members during the investigation, which provides additional witnesses to your investigative activities in addition to providing extra sets of eyes to help with the investigative process. Keeping a limited number of people involved and/or aware of the investigation, however, is also wise because it limits the chance of tampering or loss of evidence.
Finally, if you suspect that criminal activities have taken place or that there might be serious legal repercussions, you might want to contact the authorities or a forensics professional.