Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

Employee Data Theft & Deletion Investigations: Part One – Preserving Evidence

January 31, 2023

It happens frequently, especially in current times when employees are leaving or being terminated from employment. Some departures may be due to layoffs, while other employees may leave for personal or other reasons. However, there is always a risk with a departing employee.

The employee had access to information that your business stores on their computers, and if the employee had a work cellphone there could be business data there as well. In some cases, a departing employee may knowingly take company data with them upon departure or termination, or they may delete data from devices.

While this isn’t the scenario with every case, it does happen. We have seen it dozens of times. So, what should you do? How can you, the employer, protect your critical business data?

It’s never a bad idea to preserve data.

To start, it is never a bad idea to forensically preserve a departing or departed employee’s devices. This is key in cases where an employee’s data theft or exfiltration is suspected.

A forensic image or forensic collection of the employee’s device(s) will help to ensure that the data that is currently stored on the device is preserved. This means that both existing and potentially deleted data can be recovered from the device.

The forensic acquisition of data is really the first step in the investigation process into the departing or departed employee’s actions.

In an ideal scenario, a forensic collection is performed prior to company IT staff doing anything with a device. If the business IT staff have to perform critical business functions on the departed employee’s devices, it is key that they document the steps taken.

Actions taken on the system after the employee has departed can affect the data on the system. If IT, for example, goes in and removes a password or sets up another user account, that new data has the potential to overwrite recoverable data on the system.

What happens after data preservation?

Once a device has been preserved, a digital forensic analysis can begin. There is a lot of evidence that can be found on smartphones, tablets, and computers. The type of data found also depends on the device being analyzed.

Stay tuned for part two to find out what types of data a digital forensic analysis of a departing/departed employee’s device can reveal!
