
Using Computer Forensics to Investigate Employee Data Theft

By Timothy M. Opsitnick, Joseph M. Anguilano and Trevor B. Tucker
April 02, 2017

Over 25% of employees steal proprietary data when departing a company or organization. See, “Employee Departure Creates Gaping Security Hole, Says New Data,” Biscom. To that end, our experience shows that departing employees have a sense of ownership over the data that they copy. Intellectual property commonly stolen includes customer lists, secret formulas, source code, strategy documents and other trade secrets. The information is often used against the organization when the former employee goes to work for a competitor or decides to start a new company.

When suspicions of employee data theft arise, it is important to engage a computer forensics expert to perform a theft-of-IP analysis in order to preserve electronic data and uncover important evidence. Using specialized software, the expert can reveal digital footprints such as:

  • USB activity;
  • Files recently opened;
  • Cloud storage usage;
  • Files sent to personal email accounts; and
  • Recently printed documents.

The results of the analysis can provide the foundation for legal action such as a temporary restraining order, permanent injunction, subpoena of personal devices, or other litigation to prevent the misappropriation of company data.

When Employee Data Theft Is Suspected

Employee data theft occurs most frequently just prior to, or immediately after, an individual's termination or resignation from an organization. Telltale signs that an investigation is warranted include unusual activity by the employee, such as:

  • Plugging a personal USB thumb drive or hard drive into a computer;
  • Coming into work at odd hours or establishing remote desktop connections during off-hours;
  • Transferring large amounts of data on the company network;
  • Visiting file sharing sites like Dropbox or Google Drive; or
  • Sending emails with attachments to personal accounts.

If there are concerns that a departing employee has stolen proprietary data, then it is important to take steps not to delete important electronic evidence located on his or her computer. If the computer is powered on, then leave it on, because important evidence may be stored on the computer's random access memory and could be deleted if the computer is powered off. Also, ensure that the computer cannot be accessed remotely by disconnecting it from the network.

If the computer is already turned off, then place it in secure storage. Furthermore, confirm that the employee's login credentials are disabled or have been changed, but do not let the IT staff reinstall the operating system or reassign the computer to another employee. Such actions could destroy or overwrite any evidence of wrongdoing. Finally, resist the temptation to “take a peek” at what is stored on the computer by turning it on and accessing files because this could alter the data, thereby making the investigation more complex.

If the suspected employee had a company-issued cell phone, place it in secure storage as well. Smartphones hold an abundance of useful information, such as text messages, emails, call logs, Internet activity and more. The simple act of resetting the phone, however, can permanently destroy this data.

IP Theft Investigations

Preserving and Analyzing Electronic Evidence

The first step in a theft of IP investigation is to forensically preserve the data on the employee's device(s). The computer forensics expert will create chain of custody documentation, photograph the hardware, and verify the integrity of the preserved data, among other things. These steps ensure that the electronic evidence will be admissible in court.

Once the data is preserved, the next step in the investigation is to perform an analysis to identify software and artifacts that may be indicative of IP theft. These areas on a typical Windows installation include:

  • USB activity;
  • Files recently opened or deleted;
  • Cloud storage;
  • Personal email accounts;
  • Internet history report; and
  • Printed documents.

USB Activity Analysis

Many of today's USB devices, such as thumb drives and external hard drives, have enough storage capacity to save an entire copy of a user's hard drive. As such, they are one of the most common tools used to steal data. The good news is that using a USB device leaves behind a trail of digital evidence that can prove invaluable to an investigation.

Analyzing a user's USB activity can reveal several key facts regarding what was connected to the computer and when. In most cases, forensic experts can determine the serial number and/or brand of the USB device, as well as the first and last time the device was connected to the computer. In some instances, they may also be able to verify each time a specific USB device was connected.

Often, the analysis will reveal that an external USB hard drive or flash drive was connected for the first time during an employee's last week of employment. While most analyses reveal a new USB connection, it is also possible that a device used throughout the duration of the suspect's employment was never returned. A device such as this would likely contain numerous documents and files related to the employee's day-to-day activities and could be of value to a competitor. If employees are required to return company-owned USB drives at the end of their employment, forensic experts have the ability to verify whether or not that policy was upheld.
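As an added example (not code from the article or from JURINNOV's tooling), the script below parses a constructed excerpt of Windows' setupapi.dev.log, the log in which Windows records the first installation of each USB storage device together with its vendor, product and serial number, and then flags devices that are not on a list of company-issued serials and first appeared during the final week before the employee's separation. The log excerpt, the serial numbers and the allow-list are all constructed; the rule that an instance ID whose second character is "&" was generated by Windows because the device reported no serial number is the usual forensic heuristic, labelled as such in the code.

```python
"""Extract first-install times of USB mass-storage devices from setupapi.dev.log (added example)."""
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout Windows writes to setupapi.dev.log: a device header
# line followed by a "Section start" line carrying the local time of the first install.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0C0A1B2C3D4E5F&0]
>>>  Section start 2015/03/12 09:14:31.220
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2015/03/12 09:14:33.118
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&1af39e64&0]
>>>  Section start 2016/10/04 08:02:11.004
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2016/10/04 08:02:12.771
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001230629112051&0]
>>>  Section start 2016/10/07 07:22:08.551
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2016/10/07 07:22:09.903
<<<  [Exit status: SUCCESS]
"""

# Only hardware-initiated installs of USBSTOR devices are matched; other section types are ignored.
HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - USBSTOR\\(?P<devid>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_setupapi(text):
    """Return one record per USB storage device: vendor, product, serial and first-install time."""
    devices = []
    pending = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group("devid")
            continue
        m = START.match(line)
        if m and pending:
            hardware, _, instance = pending.partition("\\")
            # "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00" -> {"Ven": ..., "Prod": ..., "Rev": ...}
            fields = dict(part.split("_", 1) for part in hardware.split("&") if "_" in part)
            serial = instance.partition("&")[0]
            devices.append({
                "vendor": fields.get("Ven", ""),
                "product": fields.get("Prod", "").replace("_", " "),
                "serial": serial,
                # Heuristic: Windows generates "<digit>&<hex>&..." instance IDs for devices
                # that report no serial number, so such an ID cannot identify a unique device.
                "no_serial": instance[1:2] == "&",
                "first_install": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            })
            pending = None
    return devices


def flag_devices(devices, company_serials, separation_date, days=7):
    """Devices not on the company-issued list whose first install fell in the `days` before separation.

    `separation_date` is a "YYYY-MM-DD" string; the whole separation day is included in the window.
    """
    end = datetime.strptime(separation_date, "%Y-%m-%d") + timedelta(days=1)
    start = end - timedelta(days=days + 1)
    return [d for d in devices
            if d["serial"] not in company_serials and start <= d["first_install"] < end]


if __name__ == "__main__":
    found = parse_setupapi(SAMPLE_LOG)
    for d in found:
        print(f"{d['first_install']}  {d['vendor']} {d['product']}  serial={d['serial']}"
              f"{'  (no serial reported)' if d['no_serial'] else ''}")
    print("flagged:", [d["serial"] for d in flag_devices(found, {"0C0A1B2C3D4E5F"}, "2016-10-10")])
```

The setupapi log only yields the first installation; the last time a device was connected comes from other artifacts (for instance registry key timestamps), which this example does not cover, so treat its output as one input to the USB timeline rather than the whole picture.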

Files Recently Opened

While confirming that a USB device was connected to a computer is significant, it is even more important to know what files were accessed and potentially transferred to the device. The Microsoft Windows operating system creates various artifacts when a user opens a file or folder. These artifacts indicate what was opened, when it was opened and from where it was opened. A classic red flag is if the employee was opening files during the last week of employment that were not related to the work being performed during that time.

Another consideration is the organization's data access policy. If data access restrictions are not in place, then the employee may be able to access company files unrelated to current work that are stored on the network. The existence of these artifacts when combined with a USB activity timeline can indicate a high probability that data was copied off the system.

Last, the artifacts can also contain specific information about where the file existed. If a file was opened from a USB drive, the artifact will indicate this, providing factual evidence that the suspect is in possession of a USB drive that contains specific files. For example, combining a USB analysis and files recently opened analysis could show that on Oct. 7, 2016, at 7:22:08 a.m., a non-company-issued SanDisk thumb drive with serial number 851450 was plugged into the computer for the first time and a file titled “Client Contact List.xlsx” was opened.
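To show the correlation this section describes in working form, the following is an added example (not the article's or JURINNOV's code) that merges constructed USB-connect records with constructed file-open records of the kind recovered from LNK shortcut files and the RecentDocs registry key into one timeline, pairs each file opened within an hour of a non-company device's first connection with that device, and separately lists files whose artifact records a removable-drive origin. The events, serials, paths and the one-hour window are assumptions chosen to mirror the Oct. 7, 2016 scenario above.

```python
"""Correlate USB first-connect records with recently-opened-file artifacts (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class UsbConnect:
    when: datetime
    serial: str
    company_issued: bool


@dataclass(frozen=True)
class FileOpen:
    when: datetime
    path: str
    drive_type: str   # "fixed", "removable" or "network", as an LNK file records the target volume
    artifact: str     # which artifact the record was recovered from


# Constructed sample events modelled on the article's Oct. 7, 2016 scenario.
USB_EVENTS = [
    UsbConnect(datetime(2015, 3, 12, 9, 14, 31), "0C0A1B2C3D4E5F", True),
    UsbConnect(datetime(2016, 10, 7, 7, 22, 8), "4C530001230629112051", False),
]
FILE_EVENTS = [
    FileOpen(datetime(2016, 10, 6, 16, 5, 0), r"\\fileserver\sales\Q3 Forecast.xlsx", "network", "LNK"),
    FileOpen(datetime(2016, 10, 7, 7, 22, 40), r"\\fileserver\sales\Client Contact List.xlsx", "network", "LNK"),
    FileOpen(datetime(2016, 10, 7, 7, 31, 12), r"E:\Client Contact List.xlsx", "removable", "LNK"),
    FileOpen(datetime(2016, 10, 7, 9, 2, 0), r"C:\Users\jdoe\Documents\Timesheet.docx", "fixed", "RecentDocs"),
]


def build_timeline(usb_events, file_events):
    """Merge both artifact sets into one chronologically ordered list of (time, description)."""
    rows = [(u.when, f"USB connect serial={u.serial} company_issued={u.company_issued}")
            for u in usb_events]
    rows += [(f.when, f"file open {f.path} ({f.drive_type}, {f.artifact})") for f in file_events]
    return sorted(rows)


def correlate(usb_events, file_events, window=timedelta(hours=1)):
    """Pair each file opened within `window` after a non-company USB connect with that device.

    Returns (path, device serial, seconds after the connect) tuples in device-then-file order.
    """
    hits = []
    for u in usb_events:
        if u.company_issued:
            continue
        for f in file_events:
            if u.when <= f.when <= u.when + window:
                hits.append((f.path, u.serial, int((f.when - u.when).total_seconds())))
    return hits


def opened_from_removable(file_events):
    """Files whose artifact records a removable-drive origin: evidence the device held that file."""
    return [f.path for f in file_events if f.drive_type == "removable"]


if __name__ == "__main__":
    for when, what in build_timeline(USB_EVENTS, FILE_EVENTS):
        print(when, what)
    for path, serial, secs in correlate(USB_EVENTS, FILE_EVENTS):
        print(f"{path} opened {secs}s after device {serial} first connected")
    print("opened from removable media:", opened_from_removable(FILE_EVENTS))
```

The timing correlation on its own is circumstantial (a file opened soon after a device appeared), which is why the removable-drive origin recorded in the shortcut is kept as a separate, stronger finding.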

Cloud Storage

If the analysis shows that certain files were accessed but no USB activity was detected, the next step in the investigation is to identify evidence that a cloud storage provider such as Dropbox, Google Drive or Microsoft OneDrive was accessed. The purpose of these applications is to share and sync data across multiple computers. For example, Dropbox may have been surreptitiously installed on the employee's work computer as well as his or her home computer. Consequently, the simple act of syncing a company file to Dropbox will instantaneously also make that file available on the employee's home computer.

The good news is that cloud storage applications often have corresponding log files and databases that record what files the user accesses and what activities are performed. These logs can show that files were uploaded to the cloud even if they have since been deleted from the shared folder. Some of these applications even save deleted data in a separate “hidden” folder on the computer itself that users typically are not aware of. As a result, a theft of IP analysis may show that Dropbox was installed on the user's work computer and that early in the morning on Oct. 7, 2016, 50 files were deleted and the “hidden” folder reveals these were company files.

Personal Email Accounts

Some individuals may use their company email to send attachments to their personal email account such as Yahoo or Gmail. In these cases, forensic experts are able to perform a preservation of the employee's work email to identify and document the evidence of misconduct.

Internet History Report

An Internet history report can be generated that shows, inter alia, recent Internet searches, websites and pages visited, cookies from websites, and Internet downloads that occurred. Such information is helpful in establishing what an individual thought was important or even their state of mind. For example, analysts have discovered that individuals have searched on how to delete data or copy data surreptitiously and that they reviewed websites that were in essence “how to manuals” to perform certain deleterious acts.
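An added example of how such a report is produced from browser data (not code from the article): Chromium-based browsers keep history in a SQLite file whose `urls` and `visits` tables store times as microseconds since 1601-01-01 UTC (the WebKit epoch). The script below builds a constructed in-memory database using a subset of that schema, lists visits chronologically, extracts search terms from search-engine URLs and marks entries an examiner would want to review: searches containing data-removal or copying terms, and visits to cloud-sync sites. The sample visits, the keyword list and the site list are assumptions.

```python
"""Chronological browser-history report with review flags (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    """Chromium stores times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(when):
    return int((when - WEBKIT_EPOCH) / timedelta(microseconds=1))


def build_sample_history():
    """Constructed in-memory database using a subset of Chromium's History schema."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
                          visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
    """)
    sample = [  # constructed visits
        (1, "https://www.google.com/search?q=quarterly+sales+report+template",
         "quarterly sales report template - Google Search", datetime(2016, 10, 5, 14, 3, 0, tzinfo=timezone.utc)),
        (2, "https://www.google.com/search?q=how+to+permanently+delete+files+windows",
         "how to permanently delete files windows - Google Search", datetime(2016, 10, 6, 18, 41, 12, tzinfo=timezone.utc)),
        (3, "https://www.dropbox.com/home", "Home - Dropbox", datetime(2016, 10, 7, 7, 40, 3, tzinfo=timezone.utc)),
        (4, "https://www.bing.com/search?q=copy+files+to+usb+without+trace",
         "copy files to usb without trace - Bing", datetime(2016, 10, 7, 7, 45, 55, tzinfo=timezone.utc)),
    ]
    for uid, url, title, when in sample:
        ts = datetime_to_webkit(when)
        con.execute("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", (uid, url, title, 1, 0, ts, 0))
        con.execute("INSERT INTO visits VALUES (?,?,?,?,?)", (uid, uid, ts, 0, 0))
    con.commit()
    return con


def history_report(con):
    """Chronological visit list; search terms are read from the q= parameter of search URLs."""
    report = []
    query = ("SELECT urls.url, urls.title, visits.visit_time FROM visits "
             "JOIN urls ON visits.url = urls.id ORDER BY visits.visit_time")
    for url, title, visit_time in con.execute(query):
        parsed = urlparse(url)
        search = parse_qs(parsed.query).get("q", [None])[0]
        report.append({"when": webkit_to_datetime(visit_time), "host": parsed.hostname,
                       "url": url, "title": title, "search": search})
    return report


KEYWORDS = ("delete", "wipe", "erase", "copy", "usb", "without trace")   # assumed review terms
SYNC_HOSTS = ("dropbox.com", "drive.google.com", "onedrive.live.com")      # assumed site list


def flag_entries(report):
    """Mark entries for examiner review; each hit carries the reasons it was flagged."""
    flagged = []
    for entry in report:
        reasons = []
        if entry["search"] and any(k in entry["search"].lower() for k in KEYWORDS):
            reasons.append("search term")
        host = entry["host"] or ""
        if any(host == h or host.endswith("." + h) for h in SYNC_HOSTS):
            reasons.append("cloud storage site")
        if reasons:
            flagged.append((entry["when"], entry["url"], reasons))
    return flagged


if __name__ == "__main__":
    rep = history_report(build_sample_history())
    for e in rep:
        print(e["when"].isoformat(), e["host"], e["search"] or e["title"])
    for when, url, reasons in flag_entries(rep):
        print("REVIEW", when.isoformat(), url, ", ".join(reasons))
```

Keyword flags are a triage aid for the analyst writing the report, not a finding in themselves; the complete chronological list is what goes into the deliverable, with the flagged rows called out for discussion with the client.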

Paper Documents

Finally, individuals who are a little less aware of more modern techniques to copy data will simply print the documents they wish to take out the door. In these cases, forensic experts are able to determine the last known print date of Microsoft Office documents.

Deliverables and Project Timeframe

The turnaround time for a theft of IP analysis performed by an analyst is typically one week. Deliverables provided will be easy to understand in the form of spreadsheets, HTML reports, and written reports containing the findings of the analysis. A forensic expert should also spend time with the client either over the phone or in person to discuss the reports in detail so that they know exactly what a report contains and the assumptions and opinions of the forensic expert. If necessary, an expert will also provide depositions or expert witness testimony regarding the authenticity of the evidence and their findings.

*****
Timothy M. Opsitnick is president, Joseph M. Anguilano is director of operations, and Trevor B. Tucker is a forensic analyst of JURINNOV, LLC. JURINNOV, LLC is a wholly-owned subsidiary of Technology Concepts & Design, Inc. (TCDI), a technology company that provides cybersecurity and e-discovery services.

