Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

How Digital Forensics Aids In the Investigation of Employee Data Theft

May 20, 2013

Law.com published an article last week entitled "Using Computer Forensics to Investigate IP Theft." I read it with great interest since this comprises about 25% of our digital forensics work at Sensei. Some time ago, I recall reading a report that said that 56% of all employees admit to stealing data when they leave a company.

The morality of such conduct aside, it has made a healthy market for digital investigations.

As the article points out, there are obvious things an employer should do to help prevent data theft. Immediate termination of user credentials and remote access is critical – and overlooked an amazing number of times.

If you know the employee was disgruntled or suspect misbehavior before departure, you may want to log the employee's activity and get a forensic image of his/her computer upon departure. When they do bad stuff, the evidence is more often found on the local machine than on the server, as they commonly use web-based mail for their "secret" communications.

At the very least, all of the employee's computers, smartphones, flash drives, etc. should be put aside for a while until a decision is made that the departure constituted no threat.

In a more sophisticated environment, data loss prevention (DLP) technologies can automatically flag when sensitive files are touched or when an unusual number of files is accessed or copied. In less sophisticated environments, logging is critical in obtaining proof of bad behavior. As one example, your expert may be able to tell you what model/make of flash drive was inserted in the employee's machine at a particular time, but not what was copied onto it – unless you have logging enabled.
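To make the logging point concrete, here is an added example (not from the Law.com article or from Sensei's tooling) that lines up flash drive insertions with file-access audit records and flags insertions followed by a burst of file activity. The record layouts, user names, device names and paths are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data; the record layouts are assumptions for illustration.
# USB insertions: (time, user, device make/model as reported by the host).
USB_EVENTS = [
    ("2013-05-17 17:42:10", "jdoe", "ExampleVendor FlashDrive 16GB"),
    ("2013-05-17 11:03:00", "asmith", "ExampleVendor FlashDrive 8GB"),
]
# File-access audit records: (time, user, path). These exist only if
# file-access logging was enabled before the incident.
FILE_EVENTS = [
    ("2013-05-17 09:15:02", "jdoe", r"\\fs01\sales\q2_forecast.xlsx"),
    ("2013-05-17 11:05:30", "asmith", r"\\fs01\hr\handbook.pdf"),
    ("2013-05-17 17:43:01", "jdoe", r"\\fs01\sales\customer_list.xlsx"),
    ("2013-05-17 17:43:09", "jdoe", r"\\fs01\sales\pricing_2013.xlsx"),
    ("2013-05-17 17:43:20", "jdoe", r"\\fs01\eng\design_spec.docx"),
    ("2013-05-17 17:44:02", "jdoe", r"\\fs01\eng\roadmap.pptx"),
    ("2013-05-17 19:30:00", "jdoe", r"\\fs01\sales\q2_forecast.xlsx"),
]


def files_after_insertion(usb_events, file_events, window_minutes=15):
    """Map each USB insertion to files the same user touched in the window after it."""
    window = timedelta(minutes=window_minutes)
    accesses = [(datetime.strptime(t, FMT), u, p) for t, u, p in file_events]
    result = {}
    for t, user, device in usb_events:
        start = datetime.strptime(t, FMT)
        result[(t, user, device)] = sorted(
            path for when, who, path in accesses
            if who == user and start <= when <= start + window
        )
    return result


def flag_bulk_access(correlated, threshold=3):
    """Return insertions followed by at least `threshold` distinct files.

    A hit is a lead for the examiner, not proof of copying: the log shows
    the files were accessed near the insertion, not where they were written.
    """
    return [key for key, paths in correlated.items() if len(set(paths)) >= threshold]


if __name__ == "__main__":
    for key in flag_bulk_access(files_after_insertion(USB_EVENTS, FILE_EVENTS)):
        print(key)
```

Without the file-access records, the same analysis stops at the insertion list: a device and a time, with nothing to tie it to specific files.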

We recommend that employers compose a lengthy "Departing Employee Checklist" so nothing is ever forgotten. The list itself will vary by the individual employer but might include changing office lock codes, collecting keys, asking questions about any personal devices that may have company data, having the employees sign a statement acknowledging that all company data has been or will be returned, and having them sign another statement acknowledging that any post-departure access to the network would be a criminal act.

Composing this list takes a team of those knowledgeable about the company's policies, procedures and technology – but boy, it sure helps prevent leaving an "open door" for those with bad intent. And, as the article points out, having the expertise of a digital forensics expert can be key to following the employee's digital trail and proving that data theft took place.