Image of NHS employee browsing the internet.


A member of IT staff was suspected of misusing a trust's computer to access unsuitable websites, downloading pornography and using chat rooms during work hours. The person concerned was suspected of bypassing the proxy server, so that the trust could not see the sites he had accessed. All of these activities were forbidden under the terms of the trust's acceptable use policy.

The member of staff was responsible for monitoring the logs of Internet activity for all users and, as an 'administrator', he had the privileges to install any software.


The Forensic Computing Unit (FCU) was called in, with the following objectives:

  1. Perform a 'preview' service to determine whether there was sufficient evidence to launch a full forensic computing investigation.
  2. If evidence was found to support the allegations, to make a forensic copy of the hard drive and return it to the laboratory for analysis.
  3. To recover Internet history and identify any usage that would be deemed inappropriate by the trust's acceptable use policy.
  4. To establish whether 'webmail' had been used.
  5. To establish whether any instant chat programs had been installed. Investigation


A preview was conducted in the laboratory. The Forensic Computing Specialist removed the hard drive and connected it to a forensic workstation using a write blocker. This allowed the analyst to view the contents in a forensically sound manner. No alterations were made to the hard drive, which ensured that the evidence was preserved. During the preview, a number of pornographic images were quickly identified, which substantiated the accusation and allowed the investigator to justify a full investigation.

A forensic copy of the hard drive was then taken, and the original hard drive was replaced in the machine.

A thorough Internet analysis was conducted, with the following results:

  1. A number of pornographic images were identified in the user's 'temporary Internet files' folder. These images had been downloaded as a result of Internet browsing.
  2. A number of pornographic website addresses were recovered from the user's Internet 'History' folder, showing repeated and prolonged browsing of pornographic web pages.
  3. Several 'Google' search results web pages were recovered, showing that the user had intentionally searched for that type of material.
  4. The dates and times that the user was browsing the sites was identified, which showed that all the activity had taken place during the user's lunch break. However, the company's acceptable use policy specifically prohibited viewing this material at all times.
  5. A number of 'Hotmail' web pages were recovered, clearly showing that the user used webmail to communicate with family and friends. While no evidence was found to suggest that files were being sent via the webmail program, the company's acceptable use policy specifically prohibited using webmail for any purpose.

The 'Program Files' folder was examined and found to contain a number of installed instant chat programs. Further examination of the programs showed that they contained address books and profile information which indicated that they were regularly used and updated. A number of 'chat logs' had been saved to the hard drive, which supported this. The 'last accessed' date and time revealed that the program had been used that day.

A full report outlining the findings of the investigation was generated by the forensic officer and presented to the investigator.


Based on the evidence provided by the FCU, the employee was dismissed, and decided not to appeal.