Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

Employee Data Theft & Deletion Investigations: Part One – Preserving Evidence

January 31, 2023

It happens frequently, and especially in current times where employees are leaving or being terminated from employment. Some may be due to layoffs while others may leave for personal or other reasons. However, there is always a risk with a departing employee.

The employee had access to information that your business stores on their computers, and if the employee had a work cellphone there could be business data there as well. In some cases, a departing employee may knowingly take company data with them upon departure or upon termination, they may delete data from devices.

While this isn’t the scenario with every case, it does happen. We have seen it dozens of times. So, what should you do? How can you, the employer, protect your critical business data?

It’s never a bad idea to preserve data.

To start, it is never a bad idea to forensically preserve a departing or departed employee’s devices. This is key in cases where an employee’s data theft or exfiltration is suspected.

A forensic image or forensic collection of the employee’s device(s) will help to ensure that the data that is currently stored on the device is preserved. This means that both existing and potentially deleted data can be recovered from the device.

The forensic acquisition of data is really the first step in the investigation process into the departing or departed employee’s actions.

In an ideal scenario, a forensic collection is performed prior to company IT staff doing anything with a device. If the business IT staff have to perform critical business functions on the departed employee’s devices, it is key that they document the steps taken.

Actions taken on the system after the employee has departed can affect the data on the system. If IT, for example, goes in and removes a password or sets up another user account, that new data has the potential to overwrite recoverable data from a system.

What happens after data preservation?

Once a device has been preserved, a digital forensic analysis can begin. There is a lot of evidence that can be found on smartphones, tablets, and computers. The type of data found also depends on the device being analyzed.

Stay tuned for part two to find out what types of data a digital forensic analysis of a departing/departed employee’s device can reveal!

Email: Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensic

Sensei Enterprises

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Digital Forensics Dispatch

Employee Data Theft & Deletion Investigations: Part One – Preserving Evidence

Ride the Lightning

Your IT Consultant

Disclaimer