Home CTO/CIO When People Fail Technology: Digital Evidence Search

When People Fail Technology: Digital Evidence Search

by Miguel Guhlin
post its in rows

As a technology leader in a school district, we’ve all had that worrisome call from HR to pick up an employee’s computer for immediate action. In most cases, it’s not that the technology that has been overcome by spyware and malware. Rather, it’s a school district staff member that has failed the technology, causing it to be collected for evidence. What do you do?

Steps to Take

In my tenure as technology director, I encountered at least seven to eight situations where campus technology had to be confiscated and staff terminated due to inappropriate use of technology. Accounts in district systems had to be frozen, passwords changed, or, heaven forbid, deleted. In other cases, a Google email account had to be delegated to another for review. What steps should the technology leader take to safeguard the district and its assets?

As a matter of course (e.g. in cases of porn on a staff member’s computer), I caution districts from expecting the technology department to play a digital forensics role. This ensures that the technology department staff, well-meaning as they often are, will not inadvertently destroy evidence. Larger districts have the benefit of in-house police detectives who specialize in computer forensics, and in smaller districts, there is a push to get a district officer trained in digital forensics. It only takes one Distributed Denial of Service (DDOS/DOS) attack by a dedicated group of students, or inappropriate technology use by staff, to make this a worthwhile investment.

Some steps I have overseen include the following:

  1. Require a complaint form to be submitted and authorized by the Superintendent and/or Human Resources leadership staff. If a principal has a complaint, I refer them to Human Resources immediately. I explain that the Technology Department can take no action until HR becomes involved. This prevents a host of issues from derailing the evidence gathering process later. In the meantime, I recommend confiscating the affected equipment.
  2. Conduct a digital evidence search. Again, computer forensics is not something to be entered into lightly. But there are other things that can be done without affecting the evidence, such as a detailed search of internet logs to see what an individual user has been up to. Of course, any user with a Virtual Private Network (VPN) or Private Internet Access (PIA) for all devices or Windscribe VPN on a mobile device (to mention two which I have used, but this is not an endorsement) can protect against prying eyes.
  3. Submit confidential findings to appropriate staff and then take action as directed.

Digital Evidence Search

Below, you will find the digital evidence search form I used in a previous school district. It is adapted from many you can find online. Here’s the Google Docs version.

Digital Evidence Search Request

Directions: HR staff will complete Section I of this form, then send it to the technology department for completion.

Section I: About the User

(to be completed by Human Resources staff member)

Active Directory (AD) Username:

Current Assignment: ___________________________________

District Equipment To Be Assessed:

__Desktop computer (Win / Mac)

__Laptop computer (Win / Mac)

__Tablet (iPad / Android)

__Mobile Device / External USB Storage

Requested Actions Authorized by: __________________________

__Recover district equipment issued

__Investigate computer storage for suspicious (e.g. offensive, explicit, graphic) content

__Review internet logs for suspicious website traffic and/or content

__Suspend Account (Circle: Email | Gradebook | PD Tracker | Computer Login/AD)

__Change Google Apps Password/ New Password:__________________________

__Change Computer Login/AD/PD Tracker Password

__Change Web Content Management System Password

__Delegate email account to _________________________ (designated district employee)

Requested Completion Date/Time: ____________________________

Section II: Digital Evidence Discovery

(to be completed by a technology department staff member)

Actions Taken by Technology Department
(all efforts will be made to protect evidence from contamination)

__Internet Logs Reviewed __Internet Browser(s) Cache Searched and Analyzed

__Hard Drive Search and Analysis __Made copy of computer hard drive

__Files copied to compact disc (CD) __Suspended accounts requested in Section I

__Anti-malware software verified as up to date __Review Computer Registry and/or Preferences

__Review of software/apps loaded on device(s) to ensure appropriateness and legal status

__Requested Actions Authorized by:____________________________  /  Completed (See above)


Section III: Findings

  1. Was inappropriate content, as defined by the Responsible Use Agreement (RUA) and District Policies/Procedures, located on any of the user’s devices? (Circle: YES | NO )
  1. Describe in detail what inappropriate content was found, including websites, descriptions of images, video, documents, unauthorized software, etc. in the space provided below:
Sources of Digital Evidence: Description
Device Storage
Internet Logs, including websites and IP addresses
Computer Registry, Preferences, Library
Concealment of Data (e.g. wiped hard drive, encrypted data, steganography)


__No suspicious content was found.

__Recommend that further digital forensics investigation be conducted

__Other: _________________________________________________________________________________

  1. When and to whom has this form been submitted to in Human Resources:

Whom:____________________________ Date and Time:______________________________


If you have been on the receiving end of a call from district leadership about a staff member who is digitally behaving badly, what steps have you taken? Please share your experience in the comments section below.

Update: This blog entry was updated with fresh links for the VPN on 4/23/2018.

You may also like

You've Made It This Far

Like what you're reading? Sign up to stay connected with us.



*By downloading, you are subscribing to our email list which includes our daily blog straight to your inbox and marketing emails. It can take up to 7 days for you to be added. You can change your preferences at any time. 

You have Successfully Subscribed!