Computer forensics reveals data thieves’ tracks

How experts piece together a case against employees who steal valuable digital information

According to a recent study, the U.S. Chamber of Commerce estimates that 75 percent of employees steal from the workplace. While many of these incidents of theft may include innocuous items such as office supplies, they also can take the form of something far more valuable and highly portable: data.

Last year, Bank of America reported that an insider sold customer information to the tune of $10 million in losses for the bank. Beyond grabbing negative headlines, workplace theft of data considered proprietary, confidential, copyrighted or otherwise damaging in the hands of a competitor remains highly problematic for businesses the world over. Oftentimes the theft occurs at the hands of departing employees hoping either to get ahead at a competitor, form a competing enterprise or profit from the sale of the data.

Consider how much easier it is to conduct data theft in today's digital world. Many corporations' most valuable assets take the form of digital information, from customer contact databases, sales and marketing information and business and strategy plans, to lines of source code. Downloading, saving and transmitting this data can take as little as a few seconds and mouse clicks. But fortunately, this same digital technology arms investigators with a stockpile of techniques to compile a case against these data thieves. Computer forensics specialists are the detectives of the 21st century. Through expert analysis, they can interpret subtle clues left by thieves to create a comprehensive account of the theft and identify the compromised data.

With the evidence compiled by digital forensics experts—evidence that should be gathered in a highly defensible manner in case of future legal action—companies can mitigate the potential damage and bring the bad actors to justice.

Profiling and preserving

Once a company suspects it has become the victim of data theft, a suspicion often aroused when a key employee defects to a competitor, in-house counsel should consider taking swift steps to bring in computer forensics specialists to preserve the former employee's IT assets. This may require the legal department to serve as liaison between the corporate IT department and the outside forensics specialists to determine the spectrum of IT assets that the employee may have had in his or her possession. Common assets include company laptops, desktops, email accounts, smartphones, external storage devices and network storage areas.

IT should suspend any data destruction or retention policies that could inadvertently destroy evidence. Once the departed employee's assets have been determined, the forensics team can create images of hard drives and secure copies of email and network folders. Forensic analysis is performed on exact copies, to preserve the original data for law enforcement or trial. 

Sometimes, a company might wish to conduct its own initial investigation. However, such actions can lead to unintended consequences. For example, opening a file on a desktop may alter the file’s metadata and call into question its authenticity and future admissibility. This act is the equivalent of trampling over the culprit’s footprints at a crime scene.

Analyzing the data

Once the data forensics experts have taken the preliminary steps to preserve the employee's IT assets, the analysis can begin. Skilled forensics investigators have a number of methods they use to piece together the actions of a suspected data thief. These digital clues help compose a picture of both what the employee may have done as well as the employee's actual intent, nefarious or otherwise.

For example, within the Microsoft Windows operating system, the Windows Registry database stores user options and configuration settings and also maintains an activity log that tracks when a user inserts an external storage device, such as a flash drive, into the computer's USB port. This can prove to be a critical piece of evidence, as theft via flash drives and other portable external storage devices is one of the most common methods of data transfer. Sometimes, simply by looking at the date the flash drive was inserted and comparing it to the date the employee departed the company, forensics experts can begin to build a case.

In addition, file metadata can provide clues into the actions and intent of a departing employee. Windows uses this metadata to report what files were most recently opened. A skilled forensics expert can contextualize this data along with other findings to help pinpoint potentially compromised files as well as the intent. For instance, after an employee copies files to an external device, he or she may open those files to ensure they copied successfully. By determining when an external device was connected to the computer and the level of sensitivity of the files last opened, data forensics specialists can begin to tell the story of the employee's final actions prior to leaving the company.

Threats from the cloud

The corporate world has begun to embrace cloud computing applications that allow employees to access solutions wholly in an online hosted environment. Applications, such as the Salesforce.com customer relationship management (CRM) software, contain a well of valuable, sensitive information that can range from client lists to billing models. The ease with which this data can be accessed, as well as the importance of the information, makes these cloud applications highly appealing to would-be data thieves.

A data forensics expert can analyze the departed employee's web browser artifacts to determine when these cloud-based applications were accessed. This tactic, combined with data gleaned from the operating system registry and file metadata, can help determine whether this information was copied to a text-based file on the desktop or transferred to an external device.
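The correlation described in the two sections above, sketched as an added example that is not part of the original article: it lines up external-device connections, file opens and cloud-application visits against the employee's departure date. It assumes those records have already been extracted from a forensic image; every device name, path, URL and date is constructed, and the 14-day look-back and two-hour window are arbitrary assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records standing in for artifacts already parsed from a
# forensic image: device history, recent-file metadata and browser history.
DEPARTURE = datetime(2012, 3, 30, 17, 0)
USB_EVENTS = [
    {"device": "FLASH-A (constructed)", "connected": datetime(2011, 11, 2, 9, 15)},
    {"device": "FLASH-B (constructed)", "connected": datetime(2012, 3, 29, 18, 42)},
]
FILE_OPENS = [
    {"path": r"C:\Sales\customer_list.xlsx", "opened": datetime(2012, 3, 29, 18, 55), "sensitive": True},
    {"path": r"E:\customer_list.xlsx", "opened": datetime(2012, 3, 29, 19, 1), "sensitive": True},
    {"path": r"C:\Users\jdoe\lunch_menu.docx", "opened": datetime(2012, 3, 29, 12, 0), "sensitive": False},
    {"path": r"C:\Plans\strategy_2012.pptx", "opened": datetime(2011, 11, 2, 9, 30), "sensitive": True},
]
CLOUD_VISITS = [
    {"url": "https://crm.example.com/reports/export", "visited": datetime(2012, 3, 29, 18, 30)},
]

def build_findings(usb_events, file_opens, cloud_visits, departure,
                   lookback=timedelta(days=14), window=timedelta(hours=2)):
    """Flag device connections shortly before departure, with the sensitive
    file opens that follow each one and the cloud visits clustered around it."""
    findings = []
    for usb in sorted(usb_events, key=lambda e: e["connected"]):
        t = usb["connected"]
        if not (departure - lookback <= t <= departure):
            continue  # device use outside the pre-departure period
        # Files opened soon after the connection may be post-copy checks.
        files = [f["path"] for f in file_opens
                 if f["sensitive"] and t <= f["opened"] <= t + window]
        # Cloud application access shortly before or after the connection.
        visits = [v["url"] for v in cloud_visits
                  if t - window <= v["visited"] <= t + window]
        findings.append({"device": usb["device"], "connected": t,
                         "files_opened_after": sorted(files),
                         "cloud_visits_nearby": visits})
    return findings

if __name__ == "__main__":
    for finding in build_findings(USB_EVENTS, FILE_OPENS, CLOUD_VISITS, DEPARTURE):
        print(finding)
```

A finding here is a lead for the examiner to contextualize with other evidence, not a conclusion about intent.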

In the age of information workers, easy access to company data provides numerous benefits, such as greater employee collaboration, productivity and mobility. Yet it can also heighten the risk of data theft. It is essential for in-house counsel to act swiftly to protect the company's information-based assets. Experienced computer forensics specialists can use their combination of technological and analytical skills to preserve digital evidence and tell the story of the data.

Contributing Author

Veeral Gosalia

Veeral Gosalia is a senior managing director in the FTI Technology segment and is based in New York. Mr. Gosalia’s areas of expertise include data...
