“Can you recover deleted data?”
This is a pretty standard conversation opener from clients looking to instruct CYFOR to conduct a digital forensic investigation. The answer, as with most questions in a digital forensic context, is often “it depends”; after all, broad questions often require broad answers. One past case started with just this question, posed to us as a result of an interesting situation that had arisen with a large recruitment firm.
Information had been received by our client indicating that one of their directors may have been intending to leave and set up their own company in competition. The director was subsequently suspended and sent a request for their company-owned digital devices to be returned, specifically stating that no alterations or deletions of data were to be undertaken. The director outwardly complied with this request. A few days later, our client then received an invoice via email, sent to them accidentally by a local IT firm, stating that payment was due for the deletion exercise they had undertaken on that director’s laptop computer.
Thus, CYFOR were introduced into the equation. We were to look at the empty laptop and find out why the director had seemingly arranged to have their computer wiped.
Had he stolen data?
Had he contacted clients?
Had he been misusing it?
Was he simply removing personal data?
CYFOR took receipt of the laptop, created a forensic copy of its data storage content and conducted an initial review of the data present. What we found was a superficially empty installation of the Windows Operating System. No documents, no emails, no internet activity.
In light of the provided intelligence indicating that a specialist IT firm had potentially been involved in deleting content from this device, hopes were not high for the investigation; however, as forensic investigators, we do have a few tricks up our collective sleeves that can be deployed in just this kind of situation. A review of the device found that it had historically connected to a WiFi network with a name matching that of the IT firm, ostensibly confirming that the received email did in fact relate to the device under investigation.
Now, when this IT firm was instructed to remove content from the laptop, they had a number of options in front of them including, but not limited to, the following:
Each of the options available to them had different advantages and disadvantages, both in terms of security of deletion as well as their own time/cost considerations. Examination of the device found that the IT firm appeared to have spent their time manually deleting files from the laptop. This left a considerable number of forensic artefacts available for investigation and, most importantly, left certain key backup files untouched.
In the forensic world, these backup files are commonly referred to as “SysVol” files. SysVol, short for System Volume Information, stems from the name of the folder in which the Windows Volume Shadow Copy Service stores its shadow copies (VSCs): point-in-time snapshots of the volume, most commonly used by the Operating System to restore the device to a previously functional state, were an error to occur. Because a snapshot preserves the volume as it was when it was taken, files deleted from the live file system afterwards can remain intact inside it. A number of these backup files had been automatically generated in the week prior to the wiping action being undertaken.
The investigation into these SysVol backup files was then undertaken. This allowed a pattern of activity to be put together whereby the user could be seen to have downloaded a considerable number of company documents to their laptop’s Desktop, culminating in the creation of an archive “ZIP” file (containing all of those documents) on the final evening prior to the device being wiped. The name of this ZIP file appeared to support the user’s intent to remove this data.
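The snapshot comparison described above, as an added example that is not CYFOR's own tooling: a PowerShell script that enumerates the shadow copies belonging to a volume, exposes each one through a directory symlink, and lists files under a user's Desktop that a snapshot still holds but the live volume no longer does. The profile path, mount directory and drive letter are assumptions; it must run elevated, and in a real case it would be pointed at a mounted forensic image rather than the original device.

```powershell
# Added example (not CYFOR's tooling): list files present in a Volume Shadow Copy
# but absent from the live volume. Run elevated; paths below are hypothetical.
#Requires -RunAsAdministrator
param(
    [string]$LiveVolume   = 'C:',                        # volume the snapshots belong to
    [string]$RelativePath = 'Users\director\Desktop',    # hypothetical profile path
    [string]$MountRoot    = 'C:\vsc_mounts'              # where snapshot links are created
)

New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null

# Match snapshots to the live volume via its \\?\Volume{GUID}\ identifier.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $LiveVolume }
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate

# Index what the live volume still holds, keyed by path relative to the Desktop.
$livePath  = Join-Path "$LiveVolume\" $RelativePath
$liveFiles = @{}
if (Test-Path $livePath) {
    Get-ChildItem -Path $livePath -Recurse -File -Force |
        ForEach-Object { $liveFiles[$_.FullName.Substring($livePath.Length)] = $true }
}

foreach ($s in $shadows) {
    $link = Join-Path $MountRoot ($s.ID -replace '[{}]', '')
    # Snapshot contents are reachable through a directory symlink to the device
    # object; the trailing backslash on the target is required.
    if (-not (Test-Path $link)) {
        cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    }
    $snapPath = Join-Path $link $RelativePath
    if (-not (Test-Path $snapPath)) { continue }

    "Shadow copy $($s.ID) taken $($s.InstallDate)"
    Get-ChildItem -Path $snapPath -Recurse -File -Force | ForEach-Object {
        $rel = $_.FullName.Substring($snapPath.Length)
        if (-not $liveFiles.ContainsKey($rel)) {
            # Present in the snapshot, gone from the live volume: recoverable deletion.
            [pscustomobject]@{
                Snapshot  = $s.InstallDate
                File      = $rel
                SizeBytes = $_.Length
                Modified  = $_.LastWriteTime
                IsArchive = ($_.Extension -ieq '.zip')
            }
        }
    }
}
```

Running it against successive snapshots shows files appearing on the Desktop over time and then vanishing from the live volume, which is the pattern of activity the investigation reconstructed.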
Unfortunately, although I was able to demonstrate that an internet browsing application interacted with this ZIP soon after its creation, I was unable to definitively identify the nature of that interaction. At this stage, I put together my final report detailing these findings and passed it along to the client.
The findings from my investigation were then provided to the director who promptly admitted that they had indeed taken the identified ZIP file and confirmed that it did contain my client’s company data. This case is a prime example of how even an IT expert’s attempt at deleting data may not always be as successful as they had intended.
So, when it comes to asking “can you recover deleted data?”, my answer will probably continue to be “it depends”; however, as this case clearly demonstrates, not all forms of data deletion are created equal, and it really does depend on each case’s circumstances.