
Digital Forensics: A Look into Employee Data Theft Investigations


Employee data theft happens frequently, especially at times when employees are leaving or being terminated. Some departures are due to layoffs, while others are for personal or other reasons. Either way, a departing employee always carries some risk.

The employee had access to information that the company stores on its computers, and if the employee had a work cellphone, there could be data there as well. In some cases, a departing employee may knowingly take company data with them upon departure or termination – and they may delete data from devices.

While this isn’t the scenario with every case, it does happen. We have seen it dozens of times. So, what should you do? How can you protect your critical business data?

It’s never a bad idea to preserve data.

To start, it is never a bad idea to forensically preserve a departing or departed employee’s devices. This is key in cases where an employee’s data theft or exfiltration is suspected.

A forensic image or forensic collection of the employee’s device(s) will help to ensure that the data that is currently stored on the device is preserved. This means that both existing and potentially deleted data can be recovered from the device.

The forensic acquisition of data is really the first step in the investigation process into the departing or departed employee’s actions.

What digital artifacts can be found from the analysis?

Our computers and smartphones store a lot of information, some that users can see and some that they cannot. A digital forensic analysis may reveal several types of items of evidentiary value that could be important.

In an employee data theft investigation, there can be a lot of information stored on the ex-employee’s mobile device. Preserving the device when it is returned should be a priority before putting it back into use.

If a smartphone – an iPhone for example – is restored to factory settings before an examination of its contents can be performed, significant data has likely been overwritten and won’t be discoverable.

Emails – An analysis of email accounts can potentially reveal if emails have been sent to or from personal email accounts from a work account. This can be helpful in scenarios where an ex-employee is suspected of emailing private or proprietary work documents to themselves prior to their departure from the company. Additionally, if a local mail program like Microsoft Outlook is being used, there is a chance that deleted email can be recovered.

USB device activity – Most computer systems track when a USB device is connected to them. By examining logs stored on the computer, a digital forensic examiner may be able to determine what type of USB device was connected to the system. Frequently, USB storage devices, such as flash drives or external hard drives, are used to save files and other documents.
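One way to turn the USB connection log just described into a timeline, added here as an example and not code from the article or from Sensei: it parses a constructed excerpt in the layout of Windows’ setupapi.dev.log and returns the first-install time, vendor, product and serial of each USB mass-storage device, skipping non-storage devices. That log only records a device’s first installation, so repeat connections have to come from other sources such as the registry or event logs.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed excerpt in the layout of Windows' C:\Windows\INF\setupapi.dev.log.
# Device IDs, serials and timestamps are made up for this example.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001230101&0]
>>>  Section start 2024/02/12 17:42:05.118
<<<  Section end 2024/02/12 17:42:06.502
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_1234&PID_5678\\5&2a1b3c4d&0&2]
>>>  Section start 2024/02/13 08:03:44.001
<<<  Section end 2024/02/13 08:03:44.310
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_WD&Prod_My_Passport_25E1&Rev_1033\\575845314142303030303233&0]
>>>  Section start 2024/02/14 19:15:22.777
<<<  Section end 2024/02/14 19:15:24.120
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
# USBSTOR instance IDs look like Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&0
USBSTOR_RE = re.compile(r"^USBSTOR\\Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_[^\\]*\\(?P<serial>[^&\\]+)")

@dataclass
class UsbStorageInstall:
    first_seen: datetime  # local machine time, exactly as written in the log
    vendor: str
    product: str
    serial: str

def parse_usbstor_installs(text: str) -> list[UsbStorageInstall]:
    """Return first-install records for USB mass-storage devices, in log order."""
    results, pending = [], None  # pending = device ID awaiting its "Section start"
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group("devid")
            continue
        m = START_RE.match(line)
        if m and pending:
            d = USBSTOR_RE.match(pending)
            if d:  # non-storage USB devices (mice, keyboards) are skipped here
                results.append(UsbStorageInstall(
                    datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
                    d.group("ven"), d.group("prod").replace("_", " "), d.group("serial")))
            pending = None
    return results
```

Calling `parse_usbstor_installs(SAMPLE_LOG)` returns two records (the SanDisk and WD drives with their first-seen times); the keyboard-style USB entry is filtered out.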

File sharing or cloud storage sites – There are a lot of file sharing or cloud storage options available to us today: Google Drive, Dropbox, Box, iCloud and many more. Employees may use these services for work purposes, but they could also add a personal account on the same service to upload documents. A review of the device’s web browser history can show what sites were visited and can even reveal file uploads with the file names. The analysis can also determine whether any file sharing applications are installed on the device.

Device activity prior to departure – Often, employers or their attorneys ask for device activity to figure out what was going on prior to the employee’s departure. A forensic analysis may reveal file deletion (from a handful of files to large amounts), programs being used, installed or removed, and what files were accessed on the system or on an external storage drive. This analysis can provide you with a picture of what was going on prior to the employee’s departure.

Web browser history – Computer and smartphone browser activity can offer a gold mine of information about what the device user was looking up on the internet. This includes websites visited and even searches run. An additional artifact of browser history for some computers is file access records, which can reveal what files were accessed and what drive they were accessed from.

Deleted Data – In some cases, a departing employee may try to delete files on the devices prior to their departure. Depending on the make and model of the device, it may be possible to recover the deleted data.

The ability to recover deleted data from a mobile device such as a tablet or smartphone varies with how well the forensic tools support that device. In many cases a full file system or physical collection of the device needs to be performed to recover deleted data.

SMS/MMS/Chats – One of the biggest data sources on smartphones and tablets is chats/messages. These include native text messages and third-party chat application data, such as data from iMessage, WhatsApp and Facebook Messenger.

In scenarios where the ex-employee has been messaging clients, there can be some important information in their messages. If poaching of current clients is suspected, it is quite possible that the ex-employee has been messaging them about their new business.

Installed applications – Much like a computer, mobile devices use programs and software to perform tasks. A review of the applications installed on the device can often reveal what capabilities the device user had, such as whether file sharing apps or other messaging applications were installed.

Locally stored files – Many mobile devices can save files directly to the onboard storage of the device. This means that an employee can save PDFs, Excel files and much more to the device. There are also photos and videos, which in a data theft or deletion matter are usually not of great importance unless photos and videos are key to business operations.

What about external storage media?

External storage media, such as USB flash drives, external hard drives or SSDs, can often contain information pertaining to a data theft or deletion investigation. These devices often contain data that has been saved to them.

This can include files and other data that may be important, especially if the company has a strict policy on USB devices. Deleted data can sometimes be recovered from these devices to show what files were once stored on the device as well.

All of this, combined with the data from a computer that a USB device was connected to, can sometimes show file access on the USB drive(s). This may indicate files being copied or accessed on that USB drive and certainly shows that the device was connected to the computer system.

Final thoughts

Of course, what can be found on a device during the forensic analysis is dependent on a great number of factors. It’s always helpful to know the make and model of the device to gauge support and help focus the scope of work in a matter relating to employee data theft or deletion.

Data theft investigations can take quite a long time to complete, especially if there are many devices that need to be investigated. As always, consulting with a digital forensic examiner about what data types might be found is recommended and can save both time and money.

Zach Roush
Digital Forensics Examiner at Sensei Enterprises, Inc.
Zachary Roush is a Digital Forensics Examiner at Sensei Enterprises, Inc. and specializes in electronic evidence analysis, data recovery, mobile devices, and digital forensic reporting. Zach is a Cellebrite Certified Physical Analyst (CCPA), Cellebrite Certified Operator (CCO), an EC-Council Certified Incident Handler (ECIH), and a McAfee Certified Cyber Intelligence Investigator (CCII). Zach obtained his Bachelor of Science degree in Digital Forensic Science from the Defiance College located in Defiance, Ohio.