This paper examines how a digital forensics consultant would investigate a suspected case of employee data theft at a large aerospace engineering company. The employee is believed to have used the corporate email system to send confidential information to unauthorized personal accounts over approximately two working weeks. The paper outlines the initial investigative steps, including establishing priorities, identifying and preserving potential evidence, and analyzing physical and logical evidence sources. It also details the email forensics process using MailXaminer software, methods for recovering deleted data, and the range of computer forensics tools — including hardware imaging devices, authentication software, and decryption tools — required to build a legally admissible case.
The emergence of the digital age, driven by rapid technological advancements, has transformed nearly every facet of modern society. While these developments have contributed significant benefits, they have also created new means for carrying out illegal activities. A clear example is the way technology has transformed employee data theft. Employees no longer need to steal physical files; they can access a firm's confidential information and trade secrets using computers and the Internet. The most commonly used tools for taking confidential information include smartphones, messenger services, and email. As a result, companies need to be adequately prepared to respond quickly to data theft and preserve probable evidence.
A large aerospace engineering company has hired a consultant to investigate a probable violation of company policy and data theft. There is suspicion that an employee may have been using the firm's corporate email to send confidential corporate information to one or more individual email accounts. These individual accounts may or may not belong to the suspected employee. This activity is believed to have been taking place for nearly two working weeks, and the employee is currently unaware of the suspicion.
Similar to many incidents of employee data theft, this investigation begins with the firm's suspicion of such practices. While the suspicion is based on little to no concrete evidence, the circumstances of the past 13 business days indicate a probable occurrence of data theft. Since the employee is currently unaware of the company's suspicion, it is necessary to carry out important initial actions that could help uncover the activities and collect potential evidence for use in a lawsuit.
Generally, employees involved in data theft tend to steal data days, weeks, or months before they resign from the company. This pattern makes it difficult to determine the legitimacy of data transfers or the transmission of confidential information. Furthermore, an employee may copy corporate information for ostensibly legitimate reasons while making an unauthorized copy at the same time.
Based on the information presented in this case, the company does not yet have sufficient evidence to incriminate the employee. It appears the employee was copying corporate information for illegitimate purposes, a conclusion supported by the fact that the information was sent to at least one personal email account that may belong to the employee or to a third party. The initial actions an investigator would undertake include the following steps.
The first step in investigating the case, guided by basic incident response principles, is to establish investigative priorities. These priorities form the basis for all further activities and help determine a rapid response to prevent the employee from making use of the data immediately after it is stolen ("Data Theft," 2009). Key priorities in this case include:
Detecting the timing and scope of the data theft; determining the method used to steal corporate information; preventing the creation of further copies or additional distribution of the stolen information; preventing the employee from making use of the stolen corporate information; examining the appropriate regulatory or legal action against the employee; and preventing further occurrences of data theft.
The second step is to identify potential evidence of the suspected corporate information theft. Although data theft is a difficult crime to investigate, it leaves a substantial amount of trace evidence on computer systems, networks, and storage devices. Identifying potential evidence requires computer forensic techniques to recover information in a manner that will be admissible in a court of law. This process involves not only locating potential evidence but also correlating diverse kinds of evidence to create a coherent picture ("Data Theft," 2009).
The first step toward identifying potential evidence is to obtain a copy of the company's corporate policy and regulations regarding data theft. This will be followed by an examination of the policy to identify what constitutes a violation and whether the organization has effectively communicated this policy to its employees. Next, copies of email messages and corporate email inboxes will be obtained, including any intact or deleted messages in email accounts. Email addresses of the personal accounts to which information was sent will also be collected.
Additionally, the physical and logical locations for potential evidence on the suspect's computer or network servers will be evaluated. These systems contain metadata showing recent access and activities. Identifying these locations will also assist in detecting the employee's digital fingerprints, proving involvement in sending confidential information. Remote access logs showing dates and times of access to the company's key servers will similarly be examined.
The next initial action is to hire computer forensic experts to help preserve the crime scene by protecting computer systems from damage or compromise of existing data. This is essential because potential evidence can be compromised or destroyed if handled by an inexperienced individual. The experts will examine the created date, last accessed date, and last modified date contained in each file (Niccolini, Deakins, & Walker, n.d.). These timestamps will help determine what confidential information the employee may have accessed, distributed, or copied, and when each event occurred.
Preservation of evidence will involve restricting access to the company's computer systems and more sensitive information, while documenting and tracking any employees who access confidential files. Since the suspicion centers on email use, preserving the crime scene will also involve limiting the use of webmail accounts and external instant messaging tools to prevent the employee from distributing information through channels not captured in the firm's email system.
To ensure evidence is properly transported to the laboratory for examination, computer forensic experts will be provided with the necessary equipment and granted access to the computer systems used by the employee. These systems will be transported to the lab as close to their original condition as possible. All transportation will follow the procedures and instructions provided by the computer forensic experts to maintain the integrity of the chain of custody.
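As an added illustration of the preservation step described above (example code, not part of the paper or its cited sources), the following script records a hash and the access and modification timestamps of every collected file, flags files touched inside the suspected theft window, and re-hashes the set later to show the collection is unchanged. The 13-business-day window ending 2013-09-06, the file names, and the timestamps are constructed assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

def sha256_of(path):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, window_start, window_end):
    """Record hash, size and MAC times per file; flag files modified or accessed inside the window."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)  # stat before reading so the hash read cannot disturb atime
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            atime = datetime.fromtimestamp(st.st_atime, timezone.utc)
            ctime = datetime.fromtimestamp(st.st_ctime, timezone.utc)  # inode change on Linux, not creation
            entries.append({
                "path": os.path.relpath(path, root), "size": st.st_size, "sha256": sha256_of(path),
                "modified": mtime.isoformat(), "accessed": atime.isoformat(), "changed": ctime.isoformat(),
                "in_window": any(window_start <= t <= window_end for t in (mtime, atime)),
            })
    return sorted(entries, key=lambda e: e["path"])

def verify_manifest(root, manifest):
    """Re-hash every listed file; False if anything changed since collection."""
    return all(sha256_of(os.path.join(root, e["path"])) == e["sha256"] for e in manifest)

def demo():
    """Constructed fixture (not case data): three files with timestamps set via os.utime."""
    root = tempfile.mkdtemp(prefix="evidence_")
    window_end = datetime(2013, 9, 6, 23, 59, tzinfo=timezone.utc)  # assumed end of the 13 business days
    window_start = window_end - timedelta(days=18)
    samples = {  # name: (content, last accessed, last modified)
        "old_notes.txt": (b"meeting notes", window_start - timedelta(days=40), window_start - timedelta(days=60)),
        "proposal.docx": (b"confidential proposal", window_end - timedelta(days=1), window_end - timedelta(days=2)),
        "specs.pdf": (b"engine specs", window_start + timedelta(days=3), window_start - timedelta(days=90)),
    }
    for name, (content, accessed, modified) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (accessed.timestamp(), modified.timestamp()))
    return root, build_manifest(root, window_start, window_end)
```

Note that specs.pdf is flagged on its access time alone, which is the kind of "accessed but not modified" trace the timestamps are meant to surface.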
Although it parallels the investigation of a physical crime scene, the examination of digital devices differs considerably from traditional physical forensic analysis due to the volume and nature of potential evidence. The primary physical location to investigate for potential evidence is the company's computer used by the suspect. Although it may appear to be only a single piece of evidence, it can be processed to identify numerous additional pieces of digital evidence. These can be analyzed to determine location, ownership, and timing. Furthermore, digital evidence can be processed to generate characteristics comparable to those of physical evidence (Carrier & Spafford, 2003, p. 2), meaning that analysis of the computer systems may produce additional digital artifacts to implicate the employee. Other physical evidence sources include surface areas, objects, and fibers found within the relevant work environment.
From a logical perspective, the computer forensic expert will process bytes of digital data, webmail used to send information from the company, and records of remote access to company systems by the employee. Other logical sources of evidence include personal and corporate email accounts, any additional hard drives, instant messaging tools, USB activity logs, FTP access records, DVD burning history, and unusual email traffic patterns.
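As an added example of the "unusual email traffic patterns" named above (example code, not from the paper or its sources), this script triages a constructed mail-gateway log: it keeps only messages the suspect's corporate mailbox actually sent to non-corporate recipients inside the suspected window and summarises, per external address, message and attachment counts, total bytes, and after-hours sends. The log format, the domains aerocorp.example / webmail.example / otherco.example, the 08:00-18:00 UTC business hours, and the window dates are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

CORP_DOMAIN = "aerocorp.example"  # assumed corporate domain (constructed)
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) subject="(?P<subject>[^"]*)" '
    r'attachments=(?P<att>\d+) bytes=(?P<bytes>\d+) status=(?P<status>\w+)$')

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["att"], rec["bytes"] = int(rec["att"]), int(rec["bytes"])
    return rec

def triage(lines, suspect, window_start, window_end):
    """Per external recipient of mail sent by `suspect` in the window: counts, bytes, after-hours, subjects."""
    summary = defaultdict(lambda: {"messages": 0, "with_attachments": 0, "bytes": 0, "after_hours": 0, "subjects": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["from"].lower() != suspect or rec["status"] != "sent":
            continue  # unparseable, another sender, or never delivered
        if not (window_start <= rec["ts"] <= window_end):
            continue
        if rec["to"].rsplit("@", 1)[-1].lower() == CORP_DOMAIN:
            continue  # internal mail is out of scope for this pass
        s = summary[rec["to"].lower()]
        s["messages"] += 1
        s["with_attachments"] += rec["att"] > 0
        s["bytes"] += rec["bytes"]
        s["after_hours"] += not (8 <= rec["ts"].hour < 18)  # assumed 08:00-18:00 UTC business hours
        s["subjects"].append(rec["subject"])
    return dict(summary)

SAMPLE_LOG = """\
2013-08-20T09:12:44Z from=j.doe@aerocorp.example to=team@aerocorp.example subject="Status" attachments=0 bytes=2100 status=sent
2013-08-21T19:05:02Z from=j.doe@aerocorp.example to=jdoe1985@webmail.example subject="Turbine drawings" attachments=3 bytes=5120000 status=sent
2013-08-27T12:30:11Z from=j.doe@aerocorp.example to=jdoe1985@webmail.example subject="more" attachments=1 bytes=980000 status=sent
2013-09-03T22:48:59Z from=j.doe@aerocorp.example to=contact@otherco.example subject="Test plan v2" attachments=1 bytes=2400000 status=sent
2013-09-04T10:00:00Z from=j.doe@aerocorp.example to=jdoe1985@webmail.example subject="fwd" attachments=2 bytes=3000000 status=rejected
2013-07-15T11:00:00Z from=j.doe@aerocorp.example to=jdoe1985@webmail.example subject="old" attachments=1 bytes=100 status=sent
"""

def demo():  # constructed log above is not real data; window assumed to end 2013-09-06
    start = datetime(2013, 8, 19, tzinfo=timezone.utc)
    end = datetime(2013, 9, 6, 23, 59, 59, tzinfo=timezone.utc)
    return triage(SAMPLE_LOG.splitlines(), "j.doe@aerocorp.example", start, end)
```

The rejected and out-of-window messages are dropped from the summary but should still be preserved with the rest of the log, since a bounced attempt is itself evidence of intent.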
Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence, 2(2), 1–20. Retrieved from https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2003-29.pdf
Niccolini, R. R., Deakins, O., & Walker, P. (n.d.). Employee data theft in the digital age: Liability, litigation and privacy issues. Retrieved September 7, 2013, from
Pladna, B. (n.d.). Computer forensics procedures, tools, and digital evidence bags: What they are and who should use them. Retrieved from East Carolina University website: http://www.infosecwriters.com/text_resources/pdf/BPladna_Computer_Forensic_Procedures.pdf