News, events, media, seminars and more
A UK based communications company dismissed a contractor, who had been working for the company for five years developing and maintaining a database of business/corporate customers, using a cross platform database application not supported by the company.
During his exit interview, the contractor returned his company laptop stating that he had deleted the relevant database. He also stated that he had copied confidential company information which he was going to use to setup his own company.
The company’s IT department established that there was no backup of the database, which had been deleted from the laptop. The company IT Security manager contacted CYFOR requesting data recovery of the deleted database files and to establish if any company information had been copied to removable media.
A common misconception is that a deleted file completely removes the data from the media; this is not the case. When a user deletes a file, the area of disk that the file occupies is simply marked as being available for re-use.
The operating system may then choose to overwrite that area, or a portion of it, with another file. Therefore, by utilising various recovery techniques it is possible to recover files or portions of files that have been deleted, or deleted and then partially overwritten. These processes identified the relevant database files which were recovered successfully; although these files were password protected the computer forensic examination identified the relevant passwords.
This analysis also identified that an external USB CD Rewriter had been connected to the laptop and that the software required to ‘burn’ a CD was installed; a log file relating to this software established that the database files had been copied to a CD Rewritable drive.
London: 0207 438 2045
Manchester: 0161 797 8123