Monitoring all user activity on a PC or Mac 24/7 results in a massive amount of data and screenshot evidence. Sifting through the data is sometimes necessary, but using “keywords” that alert you as soon as a suspicious activity takes place is crucial. Alerts not only keep investigators from overlooking an important piece of evidence, they also let you take action quickly to stop fraudulent transactions or to protect valuable data from being moved off your network.
Keywords should be specific to your company and the individual being investigated (e.g. AcmeTopSecret.XLS or server04\creditcardmaster). Predefined keyword lists covering more universal topics of investigation (e.g. bullying, sexual harassment, fraud, theft, etc.) can also be imported. The FBI, in conjunction with Ernst & Young, created a 3,000-word keyword list around fraud. Some of the top keyword phrases used by employees in email communications with co-conspirators include: