How to correctly conduct a Digital Investigation
Have you had to terminate an individual, or had a trusted employee resign or abruptly solicited away by a competitor? Do you suspect they may have taken valuable company data or intellectual property (IP) with them? Items such as customer lists, financial information, employee information, processes, strategic plans, software code, R&D information, trademarked or patented items or even entire databases.
Employee data theft and IP theft are growing, serious issues and a key concern for all employers. The act typically occurs just prior to, or immediately after an employee leaves an organization. Motivational reasons often include easy access, vengeance, a sense of ownership to the data, or demonstrating power in their new position.
Obtaining the electronic evidence of what occurred on digital devices can dissipate suspicion and help direct any correct legal action. Read on for what you should know about investigating cases of employee data theft.
Critical First Steps to Take
- First and foremost, do not attempt to power-on, log-in to, or search the suspected electronic device(s). Why? Making the wrong moves could inadvertently quash valuable digital evidence — both the content and artifacts.
- Next, ideally, take any suspected devices out of circulation and store in a dedicated, secured room or office to minimize inadvertent data destruction. It sounds simple enough, but over and over again we’ve seen corporate IT teams attempt to uncover relevant information, yet they do not possess the forensic training to perform a proper digital investigation. This ultimately results in evidence being missed or incorrectly interpreted. At Vestige we’ve often started reviewing computer cases, only to find a well-meaning, yet untrained, IT member had trampled on important evidence.
- After the device(s) are isolated, hire a professional Digital Forensics Expert or team to perform an investigation of the employee data theft. Forward thinking companies are proactive and have Forensic Experts, like Vestige, already vetted out and on speed-dial.
The Benefits Forensic Experts Provide
Degreed, certified, Forensic Experts are trained specifically to find the trail of hidden evidence that employees who steal data leave behind on devices. Digital Forensic Experts are adept at preserving evidence and maintaining chain of custody in a correct, forensically-sound manner so that any uncovered, relevant digital evidence is admissible in court.
Experts can uncover: connected USB devices, files accessed, cloud storage usage, email communications, intentional file deletions, and attempts at covering tracks, among others. All of these forensic artifacts are located behind the scenes on device(s) and can indicate where and how employee data theft and IP theft occurred. For example, the artifacts from connected USB devices could show a flash drive was connected the day before an employee departed from the company. File access artifacts could then indicate that IP was accessed from the flash drive, indicating evidence of potential data exfiltration.
Throughout an investigation, past documents containing client information, customer lists, company secrets, operating procedures, and other closely-held corporate information have to be identified to be exfiltrated from a corporation. As for the”how,” USB devices and email communication seem to be the top contenders in cases of employee data theft. Connecting a USB flash drive or attaching a document and sending to a personal Gmail account are quite easy and thought to be generally inconspicuous. Other exfiltration methods identified include cloud storage sites such as: Google Drive or Dropbox, SD card, File Transfer Protocol (FTP), mobile device applications, among others. A comprehensive forensic investigation will look under every rock and help determine the what, when, how, and where by interpreting the evidence, and testing and reporting the findings in an easy-to-understand manner.
Do not boot up that computer or device to see if John Doe really did take the complete list of clients.
When a situation involves data or IP theft, ensure any potential sources of evidence (ie. electronic devices) remain undisturbed until a Forensic Expert is brought into the picture.
Evidence of employee data theft or IP theft can be uncovered for a vast variety of electronic devices including: laptops. desktops, mobile devices, servers, external hard drives, or removable media such as CDs / DVDs / USB drives. Engage with Digital Forensic Experts to gain remarkable insight into what is locked within suspected digital devices and gain speedier access to critical evidence. When properly investigated, you’ll be able to dissipate or confirm your data and IP theft suspicions…as the uncovered evidence will speak for itself.
You might also like to read this article from Vestige: 10 Step Guide for Digital Forensic & Cyber Emergencies.
By Ian Finch, BS, CGFA,
Senior Forensic Analyst
Vestige Digital Investigations