In late 2019, Infosecurity Magazine reported that 72% of former employees admitted taking company data with them upon departure. Determining what actions a former employee took on a company device leading up to their departure can help determine whether company data was stolen or misappropriated. Did the departing employee retire or leave for a competitor? Were they forthcoming with their intent to depart or was it abrupt? Depending on the specifics of the situation, it may be advisable to perform a digital forensic investigation to help locate some answers.
It’s Never a Bad Idea to Preserve a Former Employee’s Devices
When an employee makes the decision to leave a company, it may be time to forensically preserve the contents of the employee’s business device(s), including cloud-based accounts. We are talking about devices provided by the employer for the employee to conduct their work and not personal devices. Forensic preservation will ensure the digital data has been collected in a manner that is admissible in court (should that be the outcome). If the device is not preserved and is reallocated to another employee, important information regarding the previous employee’s actions on the device may be overwritten.
Once the devices used by the employee have been forensically preserved, analysis may begin.
What Evidence May be Available?
USB device activity – This type of analysis includes determining what USB devices (removable storage devices) were plugged into the system by the user. By reviewing the USB device activity alongside file access records, it may be possible to determine whether or not file transfers to external devices have occurred on the device.
Sent and received emails – Reviewing the work email account may prove beneficial in locating possible file transfers via email to personal accounts, messages that have been deleted, and who the employee was communicating with about their departure.
File sharing websites – From Dropbox to Google Drive, employees may use online file sharing websites and applications to steal company data. A review of the web browser history, including active and deleted records, may show access to file sharing websites as well as possible file uploads. It’s also advisable to see if any file sharing programs have been installed on their work computer or mobile device.
Device activity prior to departure – This type of analysis can help determine what the user did on the device prior to leaving the company. Were a large number of files deleted? Were programs uninstalled or removed? This type of analysis can give you a good picture of what was going on in the days leading up to the separation.
Deleted file recovery – If a former employee has deleted files before turning their device over, forensic software may have the capability to locate and restore these previously existing files.
Internet history and searches – Web browser history may play a helpful part in determining activity prior to leaving the company. Internet history analysis has the capability to show what websites were visited and when, as well as the ability to recover deleted web browser history and searches. You may also find file access records within the browser history cache which can show when files were accessed and from what location.
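The USB item above describes reviewing USB device activity together with file access records. The following is an added example, not part of the original article or any forensic tool, showing one way to line those two record sets up on a timeline for the days before departure. All device labels, paths, timestamps, and the function and parameter names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from a real case). In practice these would be
# exported from a forensic tool's USB-history and file-access reports.
USB_SESSIONS = [
    # (device label, connected, disconnected or None if no disconnect was recorded)
    ("USB-A (constructed)", "2019-11-04 09:12:00", "2019-11-04 09:40:00"),
    ("USB-B (constructed)", "2019-11-27 17:55:00", None),
]
FILE_EVENTS = [
    # (path, last-accessed time)
    (r"C:\Work\pricing_2020.xlsx", "2019-11-27 18:02:10"),
    (r"C:\Work\client_list.csv", "2019-11-27 18:03:45"),
    (r"C:\Work\lunch_menu.docx", "2019-11-20 12:00:00"),
    (r"C:\Work\old_report.pdf", "2019-11-04 09:20:00"),
]
FMT = "%Y-%m-%d %H:%M:%S"

def parse(ts):
    return datetime.strptime(ts, FMT)

def correlate(usb_sessions, file_events, departure, lookback_days=14,
              open_session_cap=timedelta(hours=4)):
    """Return (device, path, accessed) for file accesses that fall inside a USB
    session during the lookback window before the departure date."""
    window_end = parse(departure)
    window_start = window_end - timedelta(days=lookback_days)
    hits = []
    for device, start, end in usb_sessions:
        start = parse(start)
        # No disconnect record: bound the session instead of treating it as endless.
        end = parse(end) if end else start + open_session_cap
        for path, accessed in file_events:
            t = parse(accessed)
            if start <= t <= end and window_start <= t <= window_end:
                hits.append((device, path, t))
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    for device, path, t in correlate(USB_SESSIONS, FILE_EVENTS, "2019-11-29 17:00:00"):
        print(f"{t}  {path}  while {device} was attached")
```

An overlap found this way is a lead for closer examination, not proof that a file was copied to the device.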
Conclusion
Engaging a digital forensics company to analyze a former employee’s business devices can ultimately act as a guard to protect an organization’s intellectual property. If nothing else, consulting with a digital forensics expert can assist in analyzing the situation and offering suggestions on the best way to move forward.