When an employee leaves a job, especially when they do so to work for or start a competing firm, most employers have similar questions about the potential for intellectual property theft. The idea that an employee may have taken some type of proprietary company data can be very concerning but what is the best way to determine if there is a problem? Often the answer to that question is that a digital forensic examination of the work device(s) of the former employee needs to be undertaken. Even if it appears the former employee may have tried to cover up their activities by deleting data, clearing history, even re-installing the operating system, etc. there will almost always be some recoverable artifacts of recent user activity.
The first thing to remember in a situation such as this is the data needs to be preserved before one starts to investigate. Poking around on the devices will likely begin to change valuable evidence. It is also important to keep in mind data may exist not just on the company computer but also in locations such as email accounts and mobile devices like phones and tablets. Once a preservation is complete, a forensic examination can help answer questions like:
What documents and other files have been accessed recently?
Have there been email exchanges, message forwards or attachments that may be concerning?
Have external drives like USB flash drives and hard drives been plugged into the system?
Were cloud storage services like DropBox and OneDrive used to exfiltrate data?
Is there internet history of interest? (browser History, searches and downloads)
Are there indicators of mass deletion or other attempts to cover their tracks?
Even if a user has made an effort to delete files or records of their activity, this data is often recoverable, especially if you act quickly.
Email: firstname.lastname@example.org Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology