The emergence of the digital age, driven by rapid technological advancements, has transformed nearly every facet of today's societies. While these developments have brought significant benefits to society, they have also created new means of carrying out illegal activities. One example is the way technological advancements have transformed employee data theft. Employees no longer need to physically steal files from the company; they can access a firm's confidential information and secrets through computers and the Internet. The tools most commonly used by employees to take confidential information include smartphones, messenger services, and email. Therefore, companies need to be adequately prepared to respond quickly to data theft and to preserve probable evidence.
Employee Data Theft Scenario:
A large aerospace engineering company has immediately hired me as a consultant to investigate a probable violation of company policy and data theft. There is suspicion that an employee may have been using the firm's corporate email to send confidential corporate information to one or more individual email accounts. These individual email accounts may or may not belong to the suspected employee. This action has been taking place for nearly two working weeks and the employee is unaware of the suspicion.
Initial Actions in Investigating the Case:
Similar to many incidents of employee data theft, the investigation of this case started with the firm's suspicion of such practices. While the suspicion is based on little to no evidence, the current circumstances, especially the activities of the past 13 business days, indicate that data theft has probably occurred. Since the employee is currently unaware of the company's suspicion, there is a need to carry out important initial actions that could help uncover the activities and collect potential evidence that can be used against the employee in a lawsuit. Generally, employees involved in data theft steal data days, weeks, or months before they decide to resign from the company. This makes it difficult to distinguish legitimate transfers or transmissions of confidential information from illegitimate ones. Furthermore, such an employee will not only copy the corporate information for legitimate reasons but will also make a stolen copy of the information at the same time.
Based on the information presented in this case, the company did not have enough evidence to incriminate the employee of data theft. Secondly, it seems that the employee was copying the corporate information for illegitimate reasons. The illegitimacy of the employee's actions is suggested by the fact that he sent the corporate information to at least one personal email account that could belong either to him or to someone else. The initial actions I would undertake as an investigator based on the provided information include…
Determine My Priorities:
The first step in investigating the case, following the guidelines for basic incident response, is to determine my priorities in dealing with the data theft. These priorities would form the basis for any further activities conducted to investigate the data theft. They will also help in determining a rapid response to prevent the employee from using the data immediately after it is stolen ("Data Theft," 2009). Some of the major priorities in this case include detecting the timing and scope of the data theft, determining the method used to steal corporate information, and preventing the creation of further copies or further distribution of the stolen information. The other priorities include preventing the employee from making use of the stolen corporate information, examining the appropriate regulatory or legal action against the employee, and preventing further occurrences of data theft.
Identify Potential Evidence:
The second step after determining priorities is to identify potential evidence of the suspected theft of corporate information by the employee. While data theft is a difficult crime to investigate, it is an offense that leaves a substantial amount of trace evidence on computer systems, networks, and storage devices. The identification of potential evidence requires computer forensic techniques to recover the information in a way that allows it to be used as evidence in a court of law. This process involves not only determining potential evidence but also correlating diverse kinds of evidence in order to create a coherent picture ("Data Theft," 2009).
The first step towards identifying potential evidence in this scenario is to obtain a copy of the corporate policy and regulations on data theft. This will be followed by examining the policy to identify the violation and the data theft, and to establish whether the organization has effectively communicated this policy to its employees. Secondly, copies of the email messages and the corporate email inbox will be obtained, along with intact or deleted messages in the email accounts. Third, I will obtain the addresses of the personal email accounts to which the information was sent.
Fourth, I will evaluate the physical and logical places for potential evidence on the suspect's computer(s) and/or the network servers. The computer system and/or network servers would be analyzed because they contain metadata showing recent access and activities. The identification of these physical and logical places would also help in detecting the employee's digital fingerprints to prove his/her involvement in sending the confidential information. These places will also be examined for remote access logs showing the dates and times of access to the company's key servers.
Preserve Crime Scene and Evidence:
The next initial action would be to hire computer forensic experts to help in preserving the crime scene by protecting the computer systems from any damage to or compromise of existing data. Computer forensic experts are needed because potential evidence can be compromised or damaged if handled by an inexperienced individual. The experts will examine the created date, last accessed date, and last modified date recorded for each file (Niccollini, Deakins & Walker, n.d.). These dates will be helpful in determining which confidential information the employee may have accessed, distributed, or copied, and when it occurred.
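As an added illustration, not part of the original essay, the timestamp check described above can be scripted: the function below builds a timeline of created, modified, accessed and changed events for every file under a directory and keeps only those inside the window of suspicion. The file names, dates and temporary directory are constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Timestamp names follow os.stat: on Unix st_ctime is the inode-change time, not
# creation; true creation time is st_birthtime (macOS/BSD) or st_ctime on Windows.
def file_timeline(root, start, end):
    """Return sorted (time, event, path) tuples whose timestamp falls in [start, end]."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            stamps = {"modified": st.st_mtime, "accessed": st.st_atime,
                      "changed": st.st_ctime}
            if hasattr(st, "st_birthtime"):
                stamps["created"] = st.st_birthtime
            for event, ts in stamps.items():
                when = datetime.fromtimestamp(ts, timezone.utc)
                if start <= when <= end:
                    events.append((when, event, path))
    return sorted(events)

def demo():
    """Constructed sample: one file touched inside the suspicion window, one before it."""
    root = tempfile.mkdtemp()
    inside = datetime(2019, 3, 4, 9, 14, tzinfo=timezone.utc)
    outside = datetime(2018, 1, 1, tzinfo=timezone.utc)
    for name, when in (("spar_calcs.xlsx", inside), ("readme.txt", outside)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.utime(path, (when.timestamp(), when.timestamp()))  # set atime and mtime
    # Window of suspicion: the 13 business days ending on the day of the report.
    start = datetime(2019, 2, 14, tzinfo=timezone.utc)
    end = datetime(2019, 3, 4, 23, 59, tzinfo=timezone.utc)
    # Run this against a forensic image, never the live disk: reading a file on
    # the live system updates the very access time being examined.
    return [(event, os.path.basename(path))
            for _, event, path in file_timeline(root, start, end)]
```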
The preservation of evidence will involve restricting access to the company's computer systems and its more sensitive information, and documenting and tracking the employees who access the confidential information. Since the suspicion concerns email use, preservation of the crime scene will involve limiting the use of webmail accounts and external instant messaging tools in order to prevent the employee from distributing the information in a manner that is not evidenced in the firm's email system.
Transportation of Evidence:
To ensure that the evidence is transported safely to the lab for examination, the computer forensic experts will be provided with the necessary equipment and granted access to the computer systems used by the employee. This equipment and these systems will be transported to the lab in a condition as close to their original state as possible. The evidence will be transported to the lab according to the procedures and instructions provided by the computer forensic experts.
Physical and Logical Places for Potential Evidence:
While it shares the goals of a physical crime scene investigation, the investigation of digital devices differs considerably from physical forensic analysis because of the amount of potential evidence involved. The main physical and logical place to examine for potential evidence is the company's computer. While it is the only piece of evidence in this case, it can be processed to identify other pieces of digital evidence. The resulting pieces of digital evidence can be analyzed to determine location, ownership, and timing. Furthermore, the digital evidence can be processed to exhibit the same characteristics as physical evidence (Carrier & Spafford, 2003, p.2). This implies that the analysis of the computer systems would produce additional digital evidence to implicate the employee. The other physical places for potential evidence are surface areas, objects, and fibers found within the crime scene.
From a logical perspective, the computer forensic expert will process bytes of digital data, web-mail used to send information from the company, and remote access to the company's systems by the employee. The other logical places to look for evidence include personal and corporate email, any additional hard drives, instant messaging tools, USB activity, FTP access, DVD burning, and unusual mail patterns.
The email investigation process in this scenario will be based on email forensics, which is the analysis of an email's source and its content to determine several facts about the message. This process helps in determining the email's actual sender, its recipient, the time it was sent, and its web address ("Digital Forensic Examiner," n.d.). The process also involves evaluation of the email header, searching for keywords, and the collection and transportation of evidence. The whole process of email investigation and analysis is geared towards detecting potential evidence that can be used against a suspect in a court of law.
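The header analysis described above, as an added example that is not from the original essay: the script parses a constructed message with Python's standard email library, recovers the sender, recipients, sending time and originating host from the Received: chain, and flags recipients outside the assumed corporate domain corp.example.

```python
import re
from email import message_from_bytes, policy
from email.utils import getaddresses, parseaddr, parsedate_to_datetime
CORPORATE_DOMAIN = "corp.example"  # assumed corporate domain (constructed)

# Constructed sample: a corporate mailbox sending a file to a personal webmail
# account. Received: lines are newest first; the bottom one is nearest the sender.
RAW_MESSAGE = b"""\
Received: from mail-out.corp.example (mail-out.corp.example [203.0.113.10])
\tby mx.webmail.example with ESMTP id 7f3a; Mon, 4 Mar 2019 09:15:02 +0000
Received: from WS-ENG-42 (ws-eng-42.corp.example [10.20.30.40])
\tby mail-out.corp.example with ESMTPS id 91c0; Mon, 4 Mar 2019 09:14:58 +0000
From: Jane Doe <jdoe@corp.example>
To: jane.home@webmail.example
Cc: Bob <bob@corp.example>
Date: Mon, 4 Mar 2019 09:14:55 +0000
Message-ID: <20190304091455.1234@ws-eng-42.corp.example>

see attached
"""
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
                         r"\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def parse_received(value):
    """Split one Received: header into origin host, IP, relay and timestamp."""
    flat = " ".join(value.split())  # unfold the continuation lines
    match = RECEIVED_RE.search(flat)
    hop = match.groupdict() if match else dict.fromkeys(("helo", "rdns", "ip", "by"))
    hop["time"] = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
    return hop

def analyze_message(raw):
    """Return the sender, recipients, timing and origin an examiner checks first."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])]
    hops.reverse()  # oldest hop first, so hops[0] is the originating system
    recipients = [addr for _, addr in getaddresses(
        [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])]
    # Only the hop added by a server you control is trustworthy; lower ones can be forged.
    return {
        "sender": parseaddr(str(msg["From"]))[1],
        "recipients": recipients,
        "external_recipients": [a for a in recipients
                                if a.rsplit("@", 1)[-1].lower() != CORPORATE_DOMAIN],
        "sent_at": parsedate_to_datetime(str(msg["Date"])),
        "message_id": str(msg.get("Message-ID", "")),
        "origin_host": hops[0]["rdns"] if hops else None,
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
    }
```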
The scenario at the large engineering company requires email investigation through email forensics to identify potential evidence. The findings of this process will help the company in prosecuting the employee suspected of sending confidential company information to unknown email accounts through the corporate email, in violation of corporate policy. This process will also be important in the…