During his exit interview, the contractor returned his company laptop stating that he had deleted the relevant database. He also stated that he had copied confidential company information which he was going to use to set up his own company.
The company’s IT department established that there was no backup of the database, which had been deleted from the laptop. The company IT Security manager contacted CYFOR requesting data recovery of the deleted database files and to establish if any company information had been copied to removable media.
A common misconception is that deleting a file completely removes its data from the media; this is not the case. When a user deletes a file, the area of the disk that the file occupies is simply marked as being available for re-use.
The operating system may then choose to overwrite that area, or a portion of it, with another file. Therefore, by utilising various recovery techniques, it is possible to recover files or portions of files that have been deleted, or deleted and then partially overwritten. These processes identified the relevant database files, which were recovered successfully. Although these files were password protected, the computer forensic examination identified the relevant passwords.
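The behaviour described above can be seen in a small model. This is an added illustration, not CYFOR's tooling or method: `ToyDisk`, its 16-byte block size, the file names and the file contents are all constructed for the example and do not represent a real filesystem or the case data.

```python
BLOCK = 16  # bytes per block on this toy disk (assumed value)

class ToyDisk:
    """Hypothetical block device with a minimal directory table."""
    def __init__(self, nblocks):
        self.data = bytearray(nblocks * BLOCK)
        self.free = [True] * nblocks
        self.entries = []  # dicts: name, blocks, size, in_use

    def write(self, name, content):
        need = -(-len(content) // BLOCK)  # ceiling division
        blocks = [i for i, f in enumerate(self.free) if f][:need]
        if len(blocks) < need:
            raise OSError("disk full")
        for n, b in enumerate(blocks):
            chunk = content[n * BLOCK:(n + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.free[b] = False
        self.entries.append({"name": name, "blocks": blocks,
                             "size": len(content), "in_use": True})

    def delete(self, name):
        # Deletion only flips flags; the bytes in self.data are untouched.
        for e in self.entries:
            if e["name"] == name and e["in_use"]:
                e["in_use"] = False
                for b in e["blocks"]:
                    self.free[b] = True

def recover(disk, name):
    """Return (bytes, intact_blocks, total_blocks) for a deleted entry."""
    # Blocks now owned by a live file have been overwritten since deletion.
    live = {b for e in disk.entries if e["in_use"] for b in e["blocks"]}
    for e in disk.entries:
        if e["name"] == name and not e["in_use"]:
            out, intact = bytearray(), 0
            for b in e["blocks"]:
                if b in live:
                    out += b"?" * BLOCK  # placeholder for lost data
                else:
                    out += disk.data[b * BLOCK:(b + 1) * BLOCK]
                    intact += 1
            return bytes(out[:e["size"]]), intact, len(e["blocks"])
    return None

if __name__ == "__main__":
    d = ToyDisk(8)
    d.write("clients.db", b"A" * 16 + b"B" * 16 + b"C" * 8)  # constructed data
    d.delete("clients.db")
    print(recover(d, "clients.db"))   # full content, 3 of 3 blocks intact
    d.write("new.txt", b"N" * 16)     # reuses the first freed block
    print(recover(d, "clients.db"))   # first block lost, 2 of 3 intact
```
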
This analysis also identified that an external USB CD Rewriter had been connected to the laptop and that the software required to ‘burn’ a CD was installed; a log file relating to this software established that the database files had been copied to a CD-Rewritable drive.
If you have a requirement for our data theft investigations, please contact our team.