When an ex-employee steals data and tries to pass the information to a competitor or use it to start their own business, it can be a race against the clock to identify exactly what data was taken. This is the situation which one of our clients faced, and we were able to help them through the process of identifying and removing their stolen data from their competitor’s systems. Here’s how we did it:
Step 1: Forensic Data Collection & Initial Analysis
When our US client’s former employee left, the company suspected that they had taken sensitive and proprietary company data with them. The company alerted counsel and got us involved. We immediately began the process of forensically imaging the ex-employee’s laptop and work phone, collecting emails, file shares, messages and associated log files. We performed an initial analysis on the collected data using forensic tools and identified that a USB device had been plugged into the ex-employee’s laptop for four hours on the day before they left the company. During that same time window, the ex-employee had accessed sensitive documents on the file share and taken a local backup of their email. At this stage, we could not be sure that this data had been copied to the USB; however, things did not look good for the ex-employee. All signs were indicating theft of company data.
Step 2: Analysis and Retrieval
We notified the client and counsel of our initial finding and counsel were able to order the ex-employee’s USB devices to be handed over to us for further analysis. We analysed the USBs and found the stolen documents.
We then had to determine two questions:
1. Did the ex-employee share this information with anyone else?
2. Did the ex-employee access the USB from any other devices?
In order to answer these questions, we imaged the ex-employee’s personal laptop to look for indications that they had copied the data to this device or to online file sharing systems (such as DropBox, Gdrive etc.) or had shared the information with others via email, social media, blog posts etc. In this instance, the data had not been shared further and remained on the USB devices. However, we did determine that the former employee did plug in the USB devices into his personal computer and did review some of the client’s data that he stole.
By looking at several pieces of evidence, the Orbital team were able to build a picture of the ex-employee’s intent to distribute the data.
Step 3: Forensic Deletion
Once we had identified the stolen data, our final step was to ensure that it was forensically deleted. This means that we wiped the ex-employee’s USB devices clean of any traces of the stolen data, ensuring that the data could not be accessed again.
Conclusion
Data theft is a serious issue that can have severe consequences for businesses. Companies can take proactive measures to prevent theft of data by having proper procedures in place. If you or your company suspects that company data has been taken, it is crucial to act quickly and to work with experts in this field to ensure that the data is collected and analysed in a forensic and defensible manner.
