Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

A Digital Forensic Case Study: You Stole My Customers

November 3, 2022

We are frequently contacted by attorneys regarding legal matters that involve digital evidence from electronic devices or data sets. In a recent instance, our digital forensic examiners were contacted by an attorney seeking assistance with a client, Company A, which had an ex-employee who opened a competing business soon after their departure. The attorney and Company A were worried that the ex-employee had stolen some proprietary company data just before they left.

After meeting with both the client and counsel, it was thought that the previous employee had taken a list of clients with them upon their exit. Company A had noticed a decrease in calls and customers since the employee’s departure. Company A stated that one of their previous customers even said they were working with the ex-employee and their new business.

They reached out to our digital forensic examiners to see what could be gleaned from the ex-employee’s electronic devices. At the beginning of any prospective matter, our examiners ask the client and/or counsel a series of questions about the case such as:

  • What types of devices are involved?
  • What is the make and model of the device(s)?
  • What information are you looking for from the device(s)?
  • Are there any specific file names or keywords that would be useful when conducting a search of the data?
  • Is there a specific date range of interest? (In this case, when did the employee leave and when did they give notice?)

There are of course more questions that can be asked, but the main point is to set the scope of work for the analysis. Much of the time, our clients don’t know what can be learned from an analysis of the device(s). Our forensic examiners can explain what data they might expect to find.

In this case, the client stated that the employee had been issued both a work phone and a laptop, which Company A collected upon the employee’s exit. Luckily for Company A, their IT team hadn’t yet reissued the devices. Reissuing a device before its data has been preserved destroys evidence, and it is a practice we encounter often.

Usually, when a device is put back into use, one of two things happens. One, a new account is created for the new user, which hinders the recovery of some artifacts. Two, the device is factory reset for the new user, which wipes the previous user’s data, meaning that an examination of the device won’t turn up anything.

In this case, the client was able to articulate what they were looking for. On the company-issued laptop, they mentioned that the employee used Microsoft Outlook as an email client, and they were interested in what the employee was emailing to themselves, or having sent to their work account, for the period from just before notice was given to the time the laptop was turned in. The time frame was roughly a four-week window. In addition to email, they were interested in what files the employee may have accessed during that time, as well as whether any USB devices had been connected to the computer.

From the employee’s cellphone, an Apple iPhone, the client was looking for messages with clients for that four-week period, as well as any notes or files downloaded to the device that were company data.

The client provided us with several file names and even some customer names to use as search terms to run across the data set. After creating a forensic image of the laptop, and a forensic collection of the Apple iPhone, our digital forensic examiners started with the analysis.

The results of the analysis were interesting, to say the least. On the computer, our examiners determined that a USB hard drive had been connected two days prior to the employee’s last day. A review of file access showed that dozens of company files had been stored on an external storage drive, something that was not allowed by company policy.

Access to those files was determined to have occurred the same day that the USB hard drive was connected to the laptop. Using the last mapped drive letter and the file path of the accessed files, it seemed extremely likely that those dozens of files were moved to that hard drive just days before the employee left. Most importantly, one of those files was the client list that Company A was extremely worried about.
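The correlation step described above, as an added example in Python that is not part of the original post and not the examiners’ own tooling. It assumes the registry and LNK artifacts have already been parsed into plain records (device serial, last-mapped drive letter and first connection time on one side; target path and access time on the other); the serials, paths, dates and search terms are all constructed. It goes one step beyond the case as described: because Windows reuses drive letters, the example attributes each access to the device most recently connected under that letter at the time of the access, rather than to the letter alone, and flags paths that match the client’s search terms.

```python
"""
Correlating a USB device's last-mapped drive letter with file-access artifacts.

Added illustration, not the examiners' own tooling. The device and file-access
records below are constructed to resemble what a registry and LNK parser would
emit (USBSTOR device serial, MountedDevices drive letter, RecentDocs/LNK target
paths); every serial, path and timestamp here is made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class UsbDevice:
    serial: str                 # from the USBSTOR key
    last_mapped_letter: str     # e.g. "E:" from MountedDevices
    first_connected: datetime   # from USBSTOR / setupapi.dev.log


@dataclass(frozen=True)
class FileAccess:
    path: str                   # target path from a LNK or RecentDocs entry
    accessed: datetime


def drive_letter(path: str) -> str:
    """Return 'E:' for a path like 'E:\\Backup\\x.xlsx', or '' if there is no letter."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def attribute_device(devices, letter, when):
    """The device most recently connected (no later than `when`) whose
    last-mapped letter is `letter`. Drive letters are reused, so the letter
    alone does not identify a device; the connection time disambiguates."""
    candidates = [d for d in devices
                  if d.last_mapped_letter.upper() == letter
                  and d.first_connected <= when]
    return max(candidates, key=lambda d: d.first_connected) if candidates else None


def correlate(devices, accesses, window_start, window_end, search_terms):
    """File accesses inside the date window whose path sits on a drive letter
    attributable to a removable device. Each hit is
    (device serial, path, access time, search terms matched in the path)."""
    hits = []
    for acc in sorted(accesses, key=lambda a: a.accessed):
        if not (window_start <= acc.accessed <= window_end):
            continue
        dev = attribute_device(devices, drive_letter(acc.path), acc.accessed)
        if dev is None:               # fixed disk, or no known device for that letter
            continue
        lowered = acc.path.lower()
        matched = tuple(t for t in search_terms if t.lower() in lowered)
        hits.append((dev.serial, acc.path, acc.accessed, matched))
    return hits


# Constructed sample data: a last day, a four-week window back from notice, two
# devices that both used E: at different times, and a handful of accesses.
LAST_DAY = datetime(2022, 9, 30)
WINDOW_START = LAST_DAY - timedelta(weeks=4)
WINDOW_END = LAST_DAY + timedelta(days=1)
SEARCH_TERMS = ["client list", "pricing"]

DEVICES = [
    UsbDevice("WD_SN_0000AAAA", "E:", datetime(2022, 9, 28, 9, 14)),
    UsbDevice("SANDISK_SN_1111BBBB", "E:", datetime(2022, 3, 2, 13, 5)),  # older, same letter
]
ACCESSES = [
    FileAccess(r"E:\Backup\Client List 2022.xlsx", datetime(2022, 9, 28, 9, 41)),
    FileAccess(r"E:\Backup\Pricing Sheet.xlsx", datetime(2022, 9, 28, 9, 43)),
    FileAccess(r"C:\Users\jdoe\Documents\Expense Report.docx", datetime(2022, 9, 28, 11, 2)),
    FileAccess(r"E:\Photos\vacation.jpg", datetime(2022, 3, 2, 14, 0)),  # old device, outside window
]


def run_example():
    return correlate(DEVICES, ACCESSES, WINDOW_START, WINDOW_END, SEARCH_TERMS)


if __name__ == "__main__":
    for serial, path, when, matched in run_example():
        print(f"{when:%Y-%m-%d %H:%M}  {serial}  {path}  terms={matched}")
```

Run as-is, the two accesses on E: after the WD drive was first seen are attributed to that drive and the client list is flagged; the C: access and the March access on the older SanDisk drive are left out. The attribution rule is the caveat worth remembering when reading a MountedDevices entry: it only records the most recent mapping for that letter.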

The analysis of the email showed that, just a few weeks prior to the employee’s departure, a number of emails were sent from the work account to a personal email account. The emails contained contact information for current customers, and some carried file attachments.
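The email triage behind that finding, as an added example in Python that is not part of the original post and not the examiners’ own tooling. It uses the standard library email parser and assumes the mailbox has been exported as RFC 822 text (EML); the three messages, the company domain, the work account and the date window are all constructed. The filter keeps only mail sent from the work account to at least one address outside the company domain inside the window, and lists the attachment names on each hit.

```python
"""
Triage of outbound mail from the work account for the period of interest.

Added illustration, not the examiners' own tooling. It assumes the mailbox has
been exported as RFC 822 text (EML); the three messages below are constructed
inline and every address, domain, date and attachment name is made up.
"""
from datetime import datetime, timezone
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

COMPANY_DOMAIN = "companya.example"           # assumption: Company A's mail domain
WORK_ACCOUNT = "jdoe@" + COMPANY_DOMAIN       # assumption: the departed employee's mailbox
WINDOW_START = datetime(2022, 9, 2, tzinfo=timezone.utc)   # assumption: notice given
WINDOW_END = datetime(2022, 10, 1, tzinfo=timezone.utc)    # assumption: laptop turned in

SAMPLE_MESSAGES = [
    # Work account to a personal mailbox, inside the window, with an attachment.
    """From: jdoe@companya.example
To: jdoe.personal@mailhost.example
Date: Mon, 12 Sep 2022 18:02:11 -0400
Subject: list
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Acme Corp - Jane Smith - 555-0100
--b1
Content-Type: application/octet-stream; name="Client List 2022.xlsx"
Content-Disposition: attachment; filename="Client List 2022.xlsx"
Content-Transfer-Encoding: base64

ZmFrZQ==
--b1--
""",
    # Internal mail: not of interest.
    """From: jdoe@companya.example
To: ops@companya.example
Date: Tue, 13 Sep 2022 09:30:00 -0400
Subject: status
Content-Type: text/plain

Weekly status.
""",
    # Same personal mailbox, but months before the window.
    """From: jdoe@companya.example
To: jdoe.personal@mailhost.example
Date: Fri, 15 Jul 2022 12:00:00 -0400
Subject: old
Content-Type: text/plain

Before the window.
""",
]


def external_recipients(msg: Message):
    """Recipients (To, Cc, Bcc) outside the company domain, lower-cased."""
    raw = []
    for hdr in ("To", "Cc", "Bcc"):
        raw.extend(msg.get_all(hdr, []))
    return sorted({addr.lower() for _, addr in getaddresses(raw)
                   if addr and not addr.lower().endswith("@" + COMPANY_DOMAIN)})


def attachment_names(msg: Message):
    """Filenames of every MIME part marked as an attachment."""
    return [part.get_filename() for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def triage(raw_messages, start, end):
    """Messages sent from WORK_ACCOUNT to at least one external address with a
    Date inside [start, end]. Each hit is (sent, external recipients, attachments)."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if parseaddr(msg.get("From", ""))[1].lower() != WORK_ACCOUNT:
            continue
        sent = parsedate_to_datetime(msg["Date"])   # timezone-aware from the -0400 offset
        if not (start <= sent <= end):
            continue
        ext = external_recipients(msg)
        if ext:
            hits.append((sent, ext, attachment_names(msg)))
    return sorted(hits, key=lambda h: h[0])


def run_triage():
    return triage(SAMPLE_MESSAGES, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for sent, ext, names in run_triage():
        print(f"{sent:%Y-%m-%d %H:%M %z}  to={ext}  attachments={names}")
```

Only the first message survives the filter: the second is internal and the third predates the window. On a real export the message bodies would also be run through the client’s search terms (customer names, file names), which this example leaves to the reader.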

Unfortunately, the analysis of the cellphone didn’t reveal much in this case. There weren’t many messages back and forth for the period of interest. There were phone calls with several customers; their duration could be determined, but not what was discussed. Our examiners communicated these findings to counsel as a lead they and the client could follow up on if they deemed it necessary. A review of the files on the device didn’t reveal any company files stored on the phone.

After discussing the findings with the client and counsel, it was determined that the employee likely took company documents on the external hard drive connected just days before leaving. If that external hard drive could be obtained, a forensic analysis of it would reveal what documents were stored on it.

With the information provided, counsel asked the court to order the ex-employee to turn over any and all external storage media, including USB drives and hard drives, for a forensic analysis to determine whether Company A’s proprietary data existed on those drives. With the evidence presented, the judge signed the order and the ex-employee turned over the external storage media.

The analysis of the ex-employee’s external devices found that dozens of files were stored on the external hard drive, and that there were some flash drives containing emails with client information as well as some additional company files.
