Digital Forensics Case Study: Rogue IT

Organizations place a tremendous amount of trust in their Information Technology (IT) staff, but often lack anyone in senior leadership positions that are technical enough to provide proper oversight. While most IT employees and organizations are trustworthy professionals, like anything else, there exists a possibility for fraud, waste, and abuse. Since most organizations don’t audit their IT department because it’s generally not a regulatory requirement, leaders are left with relying upon their IT staff to provide their own oversight.

Leaders understand the need for oversight and validation of staff, which is why most businesses, organizations, and government agencies undergo financial audits annually. The assurance from an auditor that the books are in order is important for a variety of reasons. But how do leaders get assurance and validation about their IT organizations? Short answer is, most don’t.

A simple Internet search will yield plenty of results showing how situations can go wrong when an IT employee goes rogue. The damage an internal user can inflict upon an organization can be severe, especially if that employee is an IT employee with administrative access. Whether the employee is an insider threat, stealing or destroying data, or someone causing havoc as retaliation for a perceived wrong, the fallout can be devastating. One such example is the IT network administrator in San Francisco who held the city’s data hostage while he sat in jail.


As a licensed private investigative agency with significant law enforcement experience, Natsar is uniquely qualified to assist organizations that find themselves in a position that requires an investigation of either their IT staff, or any type of personnel investigation that may have a nexus to technology. An example of a case that a Natsar investigator has conducted in the past is highlighted below.

The investigator was called by the Human Resources (HR) Director of a municipal government because they had received an allegation regarding cyberstalking and sexual harassment from a city employee. The complainant reported to HR that each time she logged in to her computer at work, a male IT employee would show up at her desk. When the male employee arrived at her desk, he began making unwanted advances toward her. After several such incidents, the female complainant believed that the IT employee was using her instant messenger status to know when she was at her desk.


After interviewing the female complainant, the investigator met HR staff after-hours and acquired a forensic image of the IT employee’s hard drive to look for evidence of him tracking the activity of the female complainant. Upon forensically analyzing the hard drive, the investigator discovered that not only was the employee tracking the online activity of the female complainant, but the employee was also regularly looking at adult pornography and saving images to his work computer.

As the investigator continued the forensic analysis, email messages were located that raised new concerns between the IT employee who was the subject of this investigation and his boss, the IT Director. This new evidence was brought to HR, which necessitated another after-hours visit to acquire the hard drive of the IT Director. The forensic analysis of the IT Director’s hard drive revealed that he also was viewing and downloading adult pornography using city equipment. Evidence of other misconduct was also identified including city equipment being installed at personal residences, the download and installation of illegal copies of Microsoft operating systems, and more.

Upon the conclusion of the investigation and the final report provided to HR, the investigator was asked to participate in interviewing both IT employees to help with some of the technical aspects. Because of our former law enforcement experience, interviewing individuals is a core competency of Natsar. The interviews of both subjects resulted in full confessions and corroboration of the forensic evidence.

The investigation lead to the dismissal of both IT employees. This most likely saved the city thousands in future legal expenses between the illegal licensing of software issue and potential claims for sexual harassment.


Upon completion of the investigation, the HR director wrote a letter that said, in part:

I faced a particularly difficult challenge when I needed to conduct a disciplinary investigation involving computer use and interview employees about technical matters for which I am not well versed. You stepped in and conducted the interviews and collected and examined city equipment, which made a significant difference in the information obtained from the investigation. Your combination of interviewing skills, investigative abilities, and computer knowledge provided a thorough, effective, and accurate investigation of the personnel matter.


If you are facing an internal, administrative, or corporate investigation that involves or may eventually involve technology, contact us for assistance. Some of the typical ways we support investigations include:

  • Acquisition of digital evidence
  • Consulting with HR and Legal on how to obtain, preserve, and authenticate electronic records and evidence
  • Forensic analysis of digital evidence such as servers, computers, and mobile devices
  • Interviewing witnesses, complainants, and subjects
  • Obtaining data from applications and the cloud for review

Related Posts

Leave a comment

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.