Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

Employee Data Theft & Deletion Investigations: Part Two – Computer Evidence Artifacts

February 2, 2023

In part one of this series about employee data theft investigations, we discussed the need to preserve the device(s) of the departed employee. In this section, we will discuss what items of evidentiary value may be discovered from a digital forensic examination of a computer system.

The scope of work and digital forensic analysis.

Before the analysis of electronically stored information (ESI) is conducted, there is an important step that needs to be discussed between the client, counsel and the digital forensic company. That is the scope of the analysis.

The scope is essential to navigating the preserved ESI and finding items of evidentiary value. This scope of work will outline the entire analysis and will include what it is that is being sought on the preserved devices.

A sample scope of work could look like this: “Conduct an analysis of preserved ESI for evidence of data exfiltration, including emails being sent to or from personal accounts, USB devices connected, and cloud storage services accessed.”

This is a solid scope of work, but it can certainly be improved upon to make it more clearly defined. Often there are key words that need to be run to find specific documents or items. If you’re looking for how to put those together, check out this article.

What digital artifacts can be found from the analysis?

Our computers often store a lot of information, some that users can see and some that they don’t. A digital forensic analysis may reveal several types of items of evidentiary value that could be important.


An analysis of email accounts can potentially reveal if emails have been sent to or from personal email accounts from a work account. This can be helpful in scenarios where an ex-employee is suspected of emailing private or proprietary work documents to themselves prior to their departure from the company. Additionally, if a local mail program like Microsoft Outlook is being used, there is a chance that deleted email can be recovered.

USB device activity

Most computer systems track when a USB device is connected to them. By examining logs stored on the computer, a digital forensic examiner may be able to determine what type of USB device was connected to the system. Frequently, USB storage devices, such as flash drives or external hard drives are used to save files and other documents.

File sharing or cloud storage sites

There are a lot of file sharing or cloud storage options available to us today, Google Drive, Dropbox, Box, iCloud and so many more. Employees may utilize these file sharing sites for work purposes, but they could also add a personal version of the cloud storage site to upload documents to. A review of the device’s web browser history can show what sites were visited and can even reveal file uploads with the file names. The analysis can also determine if there are any file sharing applications installed on the device.

Device activity prior to departure

Often, employers or their attorneys ask for device activity to figure out what was going on prior to the employee’s departure. A forensic analysis may reveal file deletion, ranging from small to large amounts of files, programs being used, installed or removed, and reveal what files were accessed on the system or an external storage drive. This analysis can provide you with a picture of what was going on prior to the employee’s departure.

Web browser history

Computer browser activity can offer a gold mine of information about what the device user was looking up on the internet. This includes websites visited and even searches run. An additional artifact of browser history for some computers is file access records, which can reveal what files were accessed and what drive they were accessed from.

Delete file recovery

In some cases, a departing employee may try to delete files on the devices prior to their departure. Depending on the make and model of the device, it may be possible to recover the deleted data.

Of course, what can be found on a device during the forensic analysis is dependent on a great number of factors. It’s always helpful to know the make and model of the device to gauge support and help focus the scope of work in a matter relating to employee data theft or deletion. Stay tuned for more information about what items of evidentiary value can be found on smartphones in the next part!

If you have questions about an employee data theft investigation or a question about digital forensics in general, please contact us at with your questions.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology