Late on a Tuesday afternoon in mid-2019, I was asked to sit in on a standard phone call with a client to discuss the potential of assisting them with a corporate forensic investigation. Typically, if the client feels our proposed solution is suitable then I could expect the devices to be received within the following week and for the average examination to be completed 2-4 weeks after that.
This case was different.
It turned out that there had been an ongoing forensic investigation undertaken by another forensic company for a few months already, and that now, finally, that company had provided their report, yet the client was not happy.
They didn’t understand the results and still had no answers.
They wanted CYFOR to repeat this other company’s work and give them answers they could understand and with which they could move forwards.
The kicker? They needed that repeated examination to be completed within the next 48 hours.
The background of this case was quite simple: one company had an office with a large technical team that had upped sticks and gone to work for a rival company. The big question that needed answering was whether there was any indication that this team had stolen company data. A standard case then.
A lot of money had already been spent on this investigation. Upon accepting the challenge, CYFOR were immediately provided with an extensive case background detailing every available scrap of information pertaining to each team member that had left, countless snippets of intelligence (including overheard conversations and rumours) and long lists of evidence from other, non-technical, avenues of investigation. This information all pointed towards a primary member of the technical team having been a “ring-leader” of sorts, responsible for the move and believed most likely to have stolen company data when they left. My 48-hour investigation was to look into two computers relating to this prime suspect.
As mentioned previously, these two computers had already been investigated by another digital forensic company, yet the final report received just a few days earlier showed little to no attempt at answering the client’s query: had this person stolen company data? Luckily for my case deadline, and to their credit, the previous investigating company were more than willing to help me in any way they could and were happy to provide copies of the data they extracted and had processed during their investigation. With the agreement of our client, it was this data that would be investigated a second time allowing me a much better opportunity to meet the very short deadline that was in place.
By the time I had finished reading the case paperwork, it was quite late in the evening. The exhibits and previously processed data had been arranged to be delivered to CYFOR’s offices early the following morning. When Wednesday morning came around, the data was delivered as expected and the examination was started. By 4am on Thursday morning, I had a report compiled detailing how this primary suspect had accessed a USB device upon which they had created a series of files and folders seemingly copied over from their work computer. This file creation had occurred on their final few dates of employment before moving to the new company and included several files of particular interest to my client.
I passed my report on to the client and followed it up with a brief meeting to discuss the report’s content. There were now some answers that the client could work with, allowing them to progress with their investigation. From here, I went on to investigate another 15+ digital devices relating to 10+ members of that same technical team during which time I identified new evidence indicating that a number of different staff members had stolen company data.
What had started as a quick overnight case had transformed into a much larger and complex investigation.
What I found most interesting about this first stage of the investigation was that the previous forensic company had found the same information that I had. They had noted the same artefacts showing the same USB connection, had noted the same folder structure on both the computer and that USB device, and had noted all the same dates that I had. They just didn’t detail their findings clearly in their report.
Their report was a great example of where a digital forensic investigator can easily trip up: explaining their findings. The examination they had conducted was perfectly competent and their write-up was a valid technical report; it was just written in such a way that the client could not understand what result they were being presented with. They were left still trying to answer their original query.
The additional investigation that stemmed from this first bit of work generated some really interesting results which themselves may be worthy of a separate write-up, but for now, I think I will leave this with a simple bit of advice for investigators out there:
Think of your end reader when writing your report.