Fingerprint in hud and immersive people network interface over blurred server room background. Concept of hi tech and identification. 3d rendering copy space toned image double exposure

Departing Employees, Data Theft, and Digital Forensics

Share this article

In late 2019, it was reported by Infosecurity Magazine that 72% of former employees admitted taking company data with them upon departure. Determining what actions a former employee took on a company device leading up to their departure can help assist in determining if company data was stolen or misappropriated. Did the departing employee retire or leave for a competitor? Where they forthcoming with their intent to depart or was it abrupt? Depending on the specifics of the situation, it may be advisable to perform a digital forensic investigation to help locate some answers.

It’s Never a Bad Idea to Preserve a Former Employee’s Devices

When an employee makes the decision to leave a company, it may be time to forensically preserve the contents of an employee’s business device(s), including cloud-based accounts. We are talking about devices provided by the employer for the employee to conduct their work and not personal devices. This will ensure the digital data has been collected in a manner that is admissible in court (should that be the outcome). If the device is not preserved and is reallocated to another employee, important information regarding the previous employee’s actions on the device may be overwritten.

Once the devices used by the employee have been forensically preserved, analysis may begin.

What Evidence May be Available?

USB device activity – This type of analysis includes determining what USB devices (removable storage devices) were plugged in during the system by the user. From reviewing the USB device activity in addition to file access records, it may be possible to determine whether or not file transfers to external devices have occurred on the device

Sent and received emails – Reviewing the  work email account may prove beneficial in locating possible file transfers via email to personal accounts, messages that have been deleted and who they were communicating with about their departure.

File sharing websites – From Dropbox to Google Drive, employees may use online file sharing websites and applications  to steal company data. A review of the web browser history, including active and deleted records, may show access to file sharing websites as well as possible file uploads. It’s also advisable to see if any file sharing programs have been installed on their work computer or mobile device.

Device activity prior to departure – This type of analysis can help determine what the user did on the device prior to leaving the company. Were a large number of files deleted? Were programs uninstalled or removed? This type of analysis can give you a good picture of what was going on in the days leading up to the separation

Deleted file recovery – If a former employee has deleted files before turning their device over, forensic software may have the capability to locate and restore these previously existing files.

Internet history and searches – Web browser history may play a helpful part in determining activity prior to leaving the company. Internet history analysis has the capability to show what websites were visited and when, as well as the ability to recover deleted web browser history and searches. You may also find file access records within the browser history cache which can show when files were accessed and from what location.


Engaging a digital forensics company to analyze a former employee’s business devices can ultimately act as a guard to protect an organization’s intellectual property. If nothing else, consulting with a digital forensics expert can assist in analyzing the situation and offering suggestions on the best way to move forward.

Brandon Barnes on Email
Brandon Barnes
Digital Forensics Examiner at Sensei Enterprises, Inc.
Brandon Barnes is a Digital Forensics Examiner at Sensei Enterprises, Inc. and specializes in electronic evidence analysis, data recovery, and forensic reporting. Brandon is an EnCase Certified Examiner (EnCE). He originates from Pennsylvania, where he received his Bachelors of Science in Digital Forensics at Bloomsburg University.
Michael Maschke on Email
Michael Maschke
Chief Executive Officer at Sensei Enterprises, Inc.
Michael Maschke is the Chief Executive Officer at Sensei Enterprises, Inc. Mr. Maschke holds a degree in Telecommunications from James Madison University. Mr. Maschke is an EnCase Certified Examiner (EnCE), a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker (CEH), an AccessData Certified Examiner (ACE), and a Certified Information Systems Security Professional (CISSP).

He is an associate member of the American Bar Association and has spoken at the American Bar Association’s TECHSHOW conference on the subject of cybersecurity. He is currently an active member of the ABA’s Law Practice Division: Technology Core Group and is on the Fairfax Law Foundation Board of Directors. Mr. Maschke is a 2019 Fastcase 50 award recipient.

He is also a co-author of Information Security for Lawyers and Law Firms, a book published by the ABA in 2006 and The 2008-2020 Solo and Small Firm Legal Technology Guides (American Bar Association, 2008 – 2020).

Share this article