CYFOR Blog

CYFOR were instructed to complete a digital forensic investigation into potential business data theft, however, all was not what it seemed.

The majority of the digital forensic investigations I am instructed to conduct on behalf of CYFOR have a pretty similar structure. First, the client will have a suspicion of some form of wrongdoing and come to us asking to investigate further.

I provide my results which are typically one of the following:

1. I find evidence that supports the initial suspicions
2. I find evidence that refutes the initial suspicions
3. I don’t find sufficient evidence to provide further insight.

As cases often follow these same patterns of results, it is the entries which vary from those patterns which best stick in my memory. This was one such case.

This particular case revolved around a member of a sales team at a building firm. This staff member was reasonably new having recently transferred to my client’s company from a rival building firm. Concerns of potential business data theft arose when this staff member promptly quit and returned to their original employment. Having been provided with the various lists of clients, contacts and pricing that would be best kept out of that rival’s hands.

As this sales staff member had been given a company car with a tracking device during their short stay, the historical movements of that company car were reviewed by the client and they found that the staff member had been frequently making trips to their previous employer. CYFOR were instructed to look into this individual’s computer to see what had been taking place, as there was now a solid suspicion that this staff member had joined my client’s company solely as a method of stealing their company data and providing it to their rival.

As is typically the case, the computer initially appeared to have had most of the user content removed and the account seemed quite empty. As is also typically the case, a simple mistake from the user had left behind a huge amount of personal data. During the sales staff member’s brief stay with my client’s company, they appear to have been connecting their personal mobile phone to the computer in order to keep it charged. They failed to notice that they had also elected to back up their personal mobile to the computer as well…

This personal data, now stored on my client’s company property, was subsequently available for investigation. After being processed through our specialist mobile phone investigation software, I was soon able to review this device and its content was found to be quite enlightening. The communications present on this phone appeared to explain most of what had taken place.

Firstly, the staff member joined my client’s company with no ill intent; they had had a disagreement with management at the rival firm and simply left with a view to “moving on”. Those trips back to the rival firm? They were meeting up with a potential love interest and taking them for lunch. At first glance, this appears to resolve most of the concerns. The user did not join my client’s company intending to steal their data and had not been returning there throughout their employment for malicious reasons.

Further investigation, however, found a bit of a twist.

When this employee had moved from the rival firm, he had brought their company data with him and had been using that information to help his role as a salesman for my client. This data included large lists of clients, and potential clients, contact details, effectively pointing at business data theft.