Rule 26 Blog
Data Alone Can't Convict
Written by Jonathan Yeh   
Tuesday, 16 June 2009 12:15

A few years back, I participated in a computer forensics investigation at one of our corporate clients. One of the company’s employees was accused of accessing large amounts of pornographic material from his office workstation and faced termination for blatant violations of the company’s Internet use policies.

After imaging the employee’s workstation, we discovered porn everywhere. In his email box. In his temporary Internet files. In addition, data collected from Internet monitoring software that had been recently installed by the company had recorded all kinds of activity to adult Web sites from this employee’s workstation. It looked like an open and shut case.

Not so fast though. True, looking at the electronic evidence alone, one could easily come to the conclusion that this employee was a rampant porn surfer at work.    

Here’s the problem: It wasn’t true. Although mistakes were made, there was no severe, inappropriate conduct by the employee and a more in-depth investigation exonerated him. The moral of the story is this – computer forensic investigators should never rely on data alone when formulating their conclusions regarding someone’s innocence or guilt.

In this particular case, when questioned by the company’s management about the illicit material on his workstation, the accused employee gave what many people involved in the investigation considered a far-fetched explanation. He admitted that weeks before he had visited porn sites from his home computer and, at some point, had entered his company email address when prompted to do so at some of these sites. Since then, the employee insisted that his work email had been deluged with porn spam and that all of the evidence of porn on his workstation was the result of this spam and his efforts to delete it.

Now, taken at face value, his explanation came across as pretty lame. After all, in my experience, simply receiving and deleting spam email would not likely result in the volume of images that had been found on his computer or the Internet activity traced to his workstation. That said, this employee’s job was at stake. Since he seemed to be telling the truth in our interviews, we investigated a little further.

As it turns out, this particular employee was extremely unsophisticated when it came to email. When asked to demonstrate his process for deleting the porn spam he had been receiving, he clicked on each individual email, opening the email and then deleting it using the button on the toolbar within the email.

Little did he know that opening the emails automatically caused the pornographic images in the email to be saved to his temporary Internet files folder. Even worse, some of the emails were rigged to automatically open an Internet browser and connect to illicit Web sites, explaining the Internet activity to such sites logged by the company’s monitoring software.

In the end, the only inappropriate conduct this particular employee was guilty of was being ignorant enough to enter his company email address when surfing Internet porn from the privacy of his own home. Cause for discipline? Sure, but not necessarily termination. After we discussed our conclusions with the company, the employee was reprimanded and required to attend basic Internet and email use training, but his job was saved.

Cases like this are not uncommon. We’ve investigated many matters over the years involving email and Internet browsing, as well as other technologies such as instant messaging, mobile phone text messaging and the like, in which the initial review of electronic evidence suggested inappropriate or illegal conduct but explanations that sounded absurd were, in the end, determined to be true.

Ultimately, it’s a bad idea for a diligent computer investigator to look at data and data alone and expect to draw ironclad conclusions. Human foibles should never be discounted and it's vital that every avenue be pursued to find out what really happened.

Jonathan Yeh is an attorney and principal at Blank Law + Technology PS. Mr. Yeh’s practice includes general commercial transactions and litigation, computer forensics, electronic evidence, electronic data and technology risk management and intellectual property. Mr. Yeh received his J.D. degree, cum laude, from the Seattle University School of Law and his undergraduate degree from the University of Georgia.