As technology leaders in school districts, we’ve all had that worrisome call from HR to pick up an employee’s computer for immediate action. In most cases, it’s not that the technology has been overcome by spyware and malware. Rather, it’s a school district staff member who has failed the technology, causing it to be collected for evidence. What do you do?
Steps to Take
In my tenure as technology director, I encountered at least seven to eight situations where campus technology had to be confiscated and staff terminated due to inappropriate use of technology. Accounts in district systems had to be frozen, passwords changed, or, heaven forbid, deleted. In other cases, a Google email account had to be delegated to another for review. What steps should the technology leader take to safeguard the district and its assets?
As a matter of course (e.g. in cases of porn on a staff member’s computer), I caution districts against expecting the technology department to play a digital forensics role. This ensures that the technology department staff, well-meaning as they often are, will not inadvertently destroy evidence. Larger districts have the benefit of in-house police detectives who specialize in computer forensics, and in smaller districts, there is a push to get a district officer trained in digital forensics. It only takes one Distributed Denial of Service (DDoS/DoS) attack by a dedicated group of students, or inappropriate technology use by staff, to make this a worthwhile investment.
Some steps I have overseen include the following:
- Require a complaint form to be submitted and authorized by the Superintendent and/or Human Resources leadership staff. If a principal has a complaint, I refer them to Human Resources immediately. I explain that the Technology Department can take no action until HR becomes involved. This prevents a host of issues from derailing the evidence gathering process later. In the meantime, I recommend confiscating the affected equipment.
- Conduct a digital evidence search. Again, computer forensics is not something to be entered into lightly. But there are other things that can be done without affecting the evidence, such as a detailed search of internet logs to see what an individual user has been up to. Of course, any user with a Virtual Private Network (VPN), such as Private Internet Access (PIA) for all devices or Windscribe VPN on a mobile device (to mention two which I have used, but this is not an endorsement), can protect against prying eyes.
- Submit confidential findings to appropriate staff and then take action as directed.
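The internet log review in the second step can be done against an exported copy of the log, so the original is never touched. The sketch below is an added example, not the author's or any district's tooling; the log line format (timestamp, AD username, client IP, URL) and the sample entries are assumptions constructed for illustration. It records a SHA-256 of the export so the copy reviewed can be re-verified later, then summarizes one user's sites and client IP addresses for the findings section of the form.

```python
import hashlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample export. Assumed line format (not from the original post):
# timestamp, AD username, client IP, URL, separated by spaces.
SAMPLE_LOG = b"""\
2018-04-02T08:15:02 jdoe 10.20.4.17 http://news.example.org/today
2018-04-02T08:15:40 asmith 10.20.4.22 http://mail.example.com/inbox
2018-04-02T08:16:11 jdoe 10.20.4.17 http://video.example.net/watch?v=1
2018-04-02T12:01:37 JDOE 10.20.9.3 http://video.example.net/watch?v=2
malformed line without enough fields
"""


def review_user(raw: bytes, username: str) -> dict:
    """Summarize one user's entries from an exported log without altering it."""
    # Hash the exact bytes reviewed; note the value alongside the findings.
    digest = hashlib.sha256(raw).hexdigest()
    hosts, client_ips, hits, skipped = Counter(), set(), [], 0
    text = raw.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        timestamp, user, client_ip, url = parts
        if user.lower() != username.lower():  # AD usernames are case-insensitive
            continue
        hosts[urlsplit(url).hostname or url] += 1
        client_ips.add(client_ip)
        hits.append((lineno, timestamp, client_ip, url))  # keep line numbers for citation
    return {"sha256": digest, "hosts": hosts, "client_ips": sorted(client_ips),
            "hits": hits, "skipped": skipped}


def review_file(path: str, username: str) -> dict:
    """Open an exported copy read-only in binary mode and review it."""
    with open(path, "rb") as f:
        return review_user(f.read(), username)


if __name__ == "__main__":
    report = review_user(SAMPLE_LOG, "jdoe")
    print("export sha256:", report["sha256"])
    for host, count in report["hosts"].most_common():
        print(count, host)
```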
Digital Evidence Search
Below, you will find the digital evidence search form I used in a previous school district. It is adapted from many you can find online. Here’s the Google Docs version, which will prompt you to make a copy, as well as the Adobe PDF version.
Digital Evidence Search Request
Directions: HR staff will complete Section I of this form, then send it to the technology department for completion.
Section I: About the User
(to be completed by Human Resources staff member)
Active Directory (AD) Username:
District Equipment To Be Assessed:
__Desktop computer (Win / Mac)
__Laptop computer (Win / Mac)
__Tablet (iPad / Android)
__Mobile Device / External USB Storage
Requested Actions Authorized by: __________________________
__Recover district equipment issued
__Investigate computer storage for suspicious (e.g. offensive, explicit, graphic) content
__Review internet logs for suspicious website traffic and/or content
__Suspend Account (Circle: Email | Gradebook | PD Tracker | Computer Login/AD)
__Change Google Apps Password/ New Password:__________________________
__Change Computer Login/AD/PD Tracker Password
__Change Web Content Management System Password
__Delegate email account to _________________________ (designated district employee)
Requested Completion Date/Time: ____________________________
Section II: Digital Evidence Discovery
(to be completed by a technology department staff member)
Actions Taken by Technology Department
(all efforts will be made to protect evidence from contamination)
__Internet Logs Reviewed
__Internet Browser(s) Cache Searched and Analyzed
__Hard Drive Search and Analysis
__Made copy of computer hard drive
__Files copied to compact disc (CD)
__Suspended accounts requested in Section I
__Anti-malware software verified as up to date
__Review Computer Registry and/or Preferences
__Review of software/apps loaded on device(s) to ensure appropriateness and legal status
__Requested Actions Authorized by:____________________________ / Completed (See above)
Section III: Findings
- Was inappropriate content, as defined by the Responsible Use Agreement (RUA) and District Policies/Procedures, located on any of the user’s devices? (Circle: YES | NO )
- Describe in detail what inappropriate content was found, including websites, descriptions of images, video, documents, unauthorized software, etc. in the space provided below:
|Sources of Digital Evidence:|Description|
|Internet Logs, including websites and IP addresses| |
|Computer Registry, Preferences, Library| |
|Concealment of Data (e.g. wiped hard drive, encrypted data, steganography)| |
__No suspicious content was found.
__Recommend that further digital forensics investigation be conducted
- When and to whom in Human Resources has this form been submitted:
Whom:____________________________ Date and Time:______________________________
If you have been on the receiving end of a call from district leadership about a staff member who is digitally behaving badly, what steps have you taken? Please share your experience in the comments section below.
Update: This blog entry was updated with fresh links for the VPN on 4/23/2018.