Friday, April 5, 2019
Using Computer Forensics to Investigate Employee Data Theft
Introduction

Over 25 percent of employees steal proprietary data when departing a company or organization.[1] To that end, our experience shows that departing employees have a sense of ownership over the data that they copy. Intellectual property commonly stolen includes customer lists, secret formulas, source code, strategy documents and other trade secrets. The information is often used against the organization when the former employee goes to work for a competitor or decides to start a new company.

When suspicions of employee data theft arise, it is important to retain a computer forensics expert to perform a theft of IP analysis in order to preserve electronic data and uncover important evidence. Using specialized software, the expert can reveal digital footprints such as:

- USB activity
- Files recently opened
- Cloud storage usage
- Files sent to personal email accounts
- Recently printed documents

The results of the analysis can provide the foundation for legal action such as a temporary restraining order, permanent injunction, subpoena of personal devices, or other litigation to prevent the misappropriation of company data.

When Employee Data Theft Is Suspected

Employee data theft occurs most frequently just prior to, or immediately after, an individual's termination or resignation from an organization.
Telltale signs that an investigation is warranted include unusual activity by the employee, such as:

- Plugging a personal USB thumb drive or hard drive into a computer
- Coming into work at odd hours or establishing remote desktop connections during off-hours
- Transferring large amounts of data on the company network
- Visiting file sharing sites like Dropbox or Google Drive
- Sending emails with attachments to personal accounts

If there are concerns that a departing employee has stolen proprietary data, then it is important to take steps not to delete important electronic evidence located on his or her computer. If the computer is powered on, then leave it on, because important evidence may be stored in the computer's random access memory and could be deleted if the computer is powered off. Also, ensure the computer cannot be accessed remotely by disconnecting it from the network.

If the computer is already turned off, then place it in secure storage. Furthermore, confirm the employee's login credentials are disabled or have been changed, but do not let the IT staff reinstall the operating system or reassign the computer to another employee. Such actions could destroy or overwrite any evidence of wrongdoing. Finally, resist the temptation to take a peek at what is stored on the computer by turning it on and accessing files, because this could alter the data, thereby making the investigation more complex.

If the suspected employee had a company-issued cell phone, then place it in secure storage as well. Smartphones hold an abundance of useful information such as text messages, emails, call logs, internet activity and more. The simple act of resetting the phone, however, can permanently destroy this data.

IP Theft Investigations

Preserving and Analyzing Electronic Evidence

The first step in a theft of IP investigation is to forensically preserve the data on the employee's device(s).
The computer forensics expert will create chain of custody documentation, photograph the hardware, and verify the integrity of the preserved data, among other things. These steps ensure that the electronic evidence will be admissible in court.

Once the data is preserved, the next step in the investigation is to perform an analysis to identify software and artifacts that may be indicative of IP theft. These areas on a typical Windows installation include:

- USB activity
- Files recently opened or deleted
- Cloud storage
- Personal email accounts
- Internet history report
- Printed documents

USB Activity Analysis

Many of today's USB devices, such as thumb drives and external hard drives, have enough storage capacity to hold an entire copy of a user's hard drive. As such, they are one of the most common tools used to steal data. The good news is that using a USB device leaves behind a trail of digital evidence that can prove invaluable to an investigation.

Analyzing a user's USB activity can reveal several key facts regarding what was connected to the computer and when. In most cases, forensic experts can determine the serial number and/or brand of the USB device, as well as the first and last time the device was connected to the computer. In some instances, they may also be able to verify each time a specific USB device was connected.

Oftentimes, the analysis will reveal that an external USB hard drive or flash drive was connected for the first time during an employee's last week of employment. While most analyses reveal a new USB connection, it is also possible that a device used throughout the duration of the suspect's employment was never returned. A device such as this would likely contain numerous documents and files that were related to the employee's day-to-day activities and could contain value to a competitor.
If it is a requirement that employees return company-owned USB drives at the end of their employment, forensic experts have the ability to verify whether or not that policy was upheld.

Files Recently Opened

While confirming that a USB device was connected to a computer is significant, it is even more important to know what files were accessed and potentially transferred to the device. The Microsoft Windows operating system creates various artifacts when a user opens a file or folder. These artifacts indicate what was opened, when it was opened and where it was opened from. A classic red flag is if the employee was opening files during the last week of employment that were not related to the work being performed during that time.

Another consideration is the organization's data access policy. If data access restrictions are not in place, then the employee may be able to access company files unrelated to current work that are stored on the network. The existence of these artifacts, when combined with a USB activity timeline, can indicate a high probability that data was copied off the system.

Lastly, the artifacts can also contain specific information about where the file existed. If a file was opened from a USB drive, the artifact will indicate this, providing factual evidence that the suspect is in possession of a USB drive that contains specific files. For example, combining a USB analysis and a files recently opened analysis could show that on October 7, 2016, at 7:22:08 a.m., a non-company-issued SanDisk thumb drive with serial number 851450 was plugged into the computer for the first time and a file titled Client Contact List.xlsx was opened.

Cloud Storage

If the analysis shows that certain files were accessed but no USB activity was detected, the next step in the investigation is to identify evidence that a cloud storage provider such as Dropbox, Google Drive or Microsoft OneDrive was accessed.
The purpose of these applications is to share and sync data across multiple computers. For example, Dropbox may have been surreptitiously installed on the employee's work computer as well as his or her home computer. Consequently, the simple act of syncing a company file to Dropbox will immediately also make that file available on the employee's home computer.

The good news is that cloud storage applications often have corresponding log files and databases that record what files the user accesses and what activities are performed. These logs can indicate that files have been uploaded to the cloud in the past even if they have already been deleted from the shared folder. Some of these applications even save deleted data in a separate hidden folder on the computer itself that users typically are not aware of. As a result, a theft of IP analysis may show that Dropbox was installed on the user's work computer and that early in the morning on October 7, 2016, fifty files were deleted, and the hidden folder reveals these were company files.

Personal Email Accounts

Some individuals may use their company email to send attachments to their personal email account such as Yahoo or Gmail. In these cases, forensic experts are able to perform a preservation of the employee's work email to identify and document the evidence of misconduct.

Internet History Report

An Internet history report can be generated that shows, inter alia, recent Internet searches, web sites and pages visited, cookies from websites, and Internet downloads that occurred. Such information is helpful in establishing what an individual thought was important or even their state of mind.
For example, analysts have discovered that individuals have searched on how to delete data or copy data surreptitiously and that they reviewed websites that were in essence "how to" manuals to perform certain deleterious acts.

Paper Documents

Finally, individuals who are a little less aware of more modern techniques to copy data will simply print the documents they want to take out the door. In these cases, forensic experts are able to determine the last known print date of Microsoft Office documents.

Deliverables and Project Timeframe

The turnaround time for a theft of IP analysis performed by an analyst is typically one week. Deliverables provided will be easy to understand, in the form of spreadsheets, HTML reports, and written reports containing the findings of the analysis. A forensic expert should also spend time with the client, either over the phone or in person, to discuss the reports in detail so that they know exactly what a report contains and the assumptions and opinions of the forensic expert. If necessary, an expert will also provide depositions or expert witness testimony regarding the authenticity of the evidence and their findings.

Authors

Timothy M. Opsitnick, President, JURINNOV, LLC, Joseph M. Anguilano, Director of Operations, and Trevor B. Tucker, Forensic Analyst. JURINNOV, LLC, a wholly-owned subsidiary of Technology Concepts Design, Inc. (TCDI), is a technology company that provides cybersecurity and eDiscovery services. Cybersecurity consulting includes investigating accidental or malicious data breaches as well as providing security strategies and assessments to prevent such occurrences. eDiscovery consulting includes computer forensic investigations and ASP ESI hosting. JurInnov news and information is available at www.jurinnov.com.

For over 25 years, TCDI has been providing technology solutions through partnerships with large corporations and law firms.
These solutions include advanced litigation support software and services for electronic discovery, hosted review and production, and large-scale litigation case file management. TCDI news and information is available at www.tcdi.com.

[1] Biscom, Employee Departure Creates Gaping Security Hole Says New Data, December 23, 2015, https://www.biscom.com/employee-departure-creates-gaping-security-hole-says-new-data/.
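
The correlation described under USB Activity Analysis and Files Recently Opened, combining a USB connection timeline with file-open artifacts, can be sketched as follows. This is an added example, not code from the original article or its authors; the record layout, field names, user name, second device and extra files are constructed for illustration, and it assumes both artifact sets were already exported by a forensic tool.

```python
from datetime import datetime, timedelta

# Constructed sample records, shaped like a forensic tool's USB-history and
# recently-opened-files reports (the field names are assumptions).
USB_EVENTS = [
    {"serial": "851450", "brand": "SanDisk", "drive": "E:", "company_issued": False,
     "first_connected": datetime(2016, 10, 7, 7, 22, 8),
     "last_connected": datetime(2016, 10, 7, 7, 22, 8)},
    {"serial": "AA0001", "brand": "Kingston", "drive": "F:", "company_issued": True,
     "first_connected": datetime(2015, 3, 2, 9, 0, 0),
     "last_connected": datetime(2016, 10, 3, 9, 5, 0)},
]
FILE_OPENS = [
    {"path": r"E:\Client Contact List.xlsx", "opened": datetime(2016, 10, 7, 7, 24, 30)},
    {"path": r"\\fileserver\sales\Pricing 2017.docx", "opened": datetime(2016, 10, 7, 7, 40, 0)},
    {"path": r"C:\Users\jdoe\Documents\timesheet.xlsx", "opened": datetime(2016, 9, 12, 14, 0, 0)},
]

def correlate(usb_events, file_opens, last_day, window=timedelta(hours=1)):
    """Link USB connections to file opens that follow them within `window`.

    A file opened from the device's own drive letter is the stronger finding
    (the device holds that file); a file opened from elsewhere shortly after
    a connection is only a lead that needs corroboration.
    """
    final_week = last_day - timedelta(days=7)
    findings = []
    for dev in usb_events:
        # First and last connection times are what the analysis usually recovers.
        for conn in {dev["first_connected"], dev["last_connected"]}:
            for f in file_opens:
                if not conn <= f["opened"] <= conn + window:
                    continue
                on_device = f["path"].upper().startswith(dev["drive"].upper() + "\\")
                findings.append({
                    "serial": dev["serial"],
                    "company_issued": dev["company_issued"],
                    "file": f["path"],
                    "opened": f["opened"],
                    "strength": "opened from device" if on_device else "opened near connection",
                    "new_in_final_week": dev["first_connected"] >= final_week,
                })
    # Strongest evidence first, then chronological order for the timeline.
    findings.sort(key=lambda x: (x["strength"] != "opened from device", x["opened"]))
    return findings

if __name__ == "__main__":
    for row in correlate(USB_EVENTS, FILE_OPENS, last_day=datetime(2016, 10, 10)):
        print(row["opened"], row["serial"], row["strength"], row["file"])
```

The one-hour window is an arbitrary starting point; widening it raises the number of "opened near connection" leads that have to be checked against the employee's assigned work.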