Digital Forensic Investigations

Infosecurity Magazine reported that 72% of former employees admit to taking company data when they leave their job. After an employee leaves, it is important for a company to determine if company data was stolen or misappropriated. Some questions to ask are did the former employee retire or leave for a competitor? Were they straightforward about their intent to depart or was it abrupt? The answers to these questions determine if a company should perform a digital forensic investigation.


Once an employee decides to leave a company, the first step is to forensically preserve the contents of their business device(s). Business devices are any devices that are provided by the employer to conduct work. Preserving these contents guarantees the data is collected in a way that is admissible in court.


What kind of evidence might be available on the former employee’s device(s)? First, the former employee’s work email account should be reviewed. This allows a company to see if any business related emails or files were sent to personal accounts. This is also a great way to confirm if an employee was communicating with anyone else about their departure.


A company can also look at USB activity. This analysis determines if any USB devices were plugged into the device by the user and may help establish if files were transferred to the external device. It is also vital to check if the former employee deleted any files from their device before returning it. Using forensic software is a good way to locate and restore any previously deleted files.


Internet and search histories should also be reviewed. Aside from viewing websites that were previously visited, a company may also find file access records within the browser history cache. This will show when files were accessed and from what location. File sharing programs, like Dropbox and Google Drive, should be included in this portion of the investigation. These types of programs are easily downloaded onto personal devices allowing a former employee to easily transfer data.


Performing digital forensic investigations of a former employee’s device(s) is the best way for a company to protect their intellectual property.


For more Tidbits & Thoughts, please click here.