Piecing digital evidence together...
Warwickshire Trading Standards
Case Study - Protecting Corporate Assets
IntaForensics recently worked with a client whose business was trading in sensitive, time critical information. The organisation had a small intelligence team who gathered and managed the information, and who had access to all of the systems storing the information.
The client needed to ensure that if any of the members of their team were stealing information, or sending data to a competitor, they would be able to quickly investigate and take appropriate action to limit any damage to their commercial interests.
We worked with the client to put a proactive process in place to capture forensic images of the PC’s and laptops used by the employees every 6 months as part of their their Audit policy. Where a member of staff was leaving the company they would also have a forensic image of the device taken at the time of thier exit. These forensic images were securely stored by IntaForensics.
These proactive measures enabled the client to ensure that they were able to investigate any potential misuse of company information and recover evidence of any improper activity by former employees immediately.
Within 3 months the client suspected that a recently departed employee had collaborated with a competitor for whom they now worked to take data and sensitive information out of our client’s systems. Because IntaForensics already worked with the client, we were able to access a clean and forensically sound image of the PC used by the former employee and commence work within 3 days of the employee leaving the company.
IntaForensics analysed the forensic image of the former employees PC. This analysis produced evidence of the data theft and the direct involvement of the former employee’s new employer through the recovery of:
- e-Mail correspondence showing the dates of correspondence, names of people with whom there had been e-mail correspondence (and who worked for the competitor) and the information which had been sent to them. E-mails evidence was recovered from a web based mail service.
- Lists of files that had been stolen from the clients file servers, including the dates and times these files were copied to a specific USB device.
- Logs of Skype communications and file transfers and & Facebook chat pointing directly to the competitors senior staff.
Within 10 days of the client’s initial suspicions being raised, the investigation gave the client sufficient evidence to start legal proceedings against the competitor, who (after initially denying any involvement or indeed possession of the data) agreed to make a substantial payment in compensation and to delete the data received and desist from using it.