Data Theft – How Curiosity Can Kill the Evidence

Every action on a PC or digital device leaves a trail. In the industry these traces are termed ‘artefacts’. Artefacts are what enable a forensic investigator to piece together the events around a specific incident, in this case suspicious activity or data theft.

When an employee is suspected of data theft, stakeholders often find it hard to resist the temptation to involve their in-house IT department. This should be avoided at all costs.

Each time the suspect device is used by anyone after the suspected infringement, new artefacts are created and the evidential trail is muddied. If your IT department personnel are not forensically trained, their actions can muddy that trail so badly that any recoverable evidence of wrongdoing or data theft becomes inadmissible.

Potential issues that ‘poking around’ can cause:

Time Stamps and Metadata

Each time a file is accessed or changed, its metadata (information about the file, including its time stamps) is updated: reading it may refresh the last-accessed time, and saving it refreshes the last-modified time. Suppose there is a file entitled “Confidential Business Data” that you suspect an employee opened in order to copy its contents. Before your IT department pokes around, the file’s metadata still records the last time it was modified or accessed. If that access is recorded an hour before the employee leaves employment, then alongside other artefacts it could be an indicator of wrongdoing. If IT personnel then open files to check their contents, their actions become the last recorded action against the file’s time stamps and the original values on the live file system are gone. Two caveats a practitioner should bear in mind: many current systems update last-accessed times lazily or not at all (Windows has disabled or system-managed NTFS last-access updates since Vista, and Linux commonly mounts with relatime), so an accessed time on its own is weak evidence; and although earlier values can sometimes be recovered from other artefacts such as file-system journals or the $FILE_NAME time stamps in the NTFS master file table, that recovery is never guaranteed and the resulting trail is harder to defend.
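The following script is an added example, not IT Group’s tooling, showing the two halves of the point above: a baseline inventory of file time stamps taken with `stat()` calls only (which do not open the file and so do not alter it), and a diff that reports exactly which fields a later “quick look” changed. The sample file, its back-dated time stamps and the directory layout are constructed for the demonstration; the time-stamp behaviour you see on a live machine depends on the operating system and mount options, which is why a real investigation works from a forensically sound image rather than the suspect device.

```python
"""Time-stamp inventory for a suspect directory, plus a diff of what "poking around" changes.

Added example (not IT Group's code). The sample file and its dates are constructed.
"""
import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Metadata captured per file. All of it comes from stat(), which never opens the file.
FIELDS = ("size", "mtime_ns", "atime_ns", "ctime_ns")


def snapshot(root: str) -> dict:
    """Record stat metadata for every regular file under root without reading contents."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()  # lstat: do not follow symlinks into other locations
            if not stat.S_ISREG(st.st_mode):
                continue
            inventory[str(p.relative_to(root))] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,  # last modified (content written)
                "atime_ns": st.st_atime_ns,  # last accessed (may be lazily updated)
                "ctime_ns": st.st_ctime_ns,  # inode/metadata change (creation time on Windows)
            }
    return inventory


def diff(before: dict, after: dict) -> dict:
    """Return {relpath: {field: (old, new)}} for every file whose metadata moved."""
    changes = {}
    for rel, old in before.items():
        new = after.get(rel)
        if new is None:
            changes[rel] = {"status": ("present", "missing")}
            continue
        moved = {f: (old[f], new[f]) for f in FIELDS if old[f] != new[f]}
        if moved:
            changes[rel] = moved
    for rel in after.keys() - before.keys():
        changes[rel] = {"status": ("missing", "present")}
    return changes


def iso(ns: int) -> str:
    """Render a nanosecond epoch value as an ISO 8601 UTC string for a report."""
    return datetime.fromtimestamp(ns / 1e9, tz=timezone.utc).isoformat()


def demo():
    """Constructed scenario: a file last touched the afternoon the leaver left, then
    'checked' by someone who opens it and saves it again unchanged."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "Confidential Business Data.docx"
        target.write_bytes(b"constructed sample content")
        # Back-date the file to a fixed instant so the baseline is reproducible.
        leaver_access = datetime(2024, 3, 29, 16, 0, tzinfo=timezone.utc).timestamp()
        os.utime(target, (leaver_access, leaver_access))
        baseline = snapshot(root)

        # What "poking around" does. Reading alone may or may not bump atime
        # (relatime/noatime on Linux, NTFS last-access defaults on Windows), but an
        # application that re-saves the file, even with identical content, rewrites
        # mtime and ctime: the size is the same, the evidential time stamps are gone.
        content = target.read_bytes()
        target.write_bytes(content)

        return baseline, diff(baseline, snapshot(root))


if __name__ == "__main__":
    baseline, changes = demo()
    for rel, fields in changes.items():
        print(rel)
        for field, (old, new) in fields.items():
            if field.endswith("_ns"):
                old, new = iso(old), iso(new)
            print(f"  {field}: {old} -> {new}")
```

Run it and the report shows `mtime_ns` and `ctime_ns` moving from the 2024 baseline to the moment of the re-save while `size` stays identical, which is the situation the paragraph describes: the file looks untouched, but the last recorded action against it now belongs to the person who checked it. The same `snapshot` and `diff` pair can be pointed at a read-only mounted image to verify that an examination has not altered anything.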

User Credentials

IT Group has previously investigated intellectual property theft claims in which in-house IT personnel had not only logged on to the suspect machine to look for wrongdoing, but had done so using the suspected employee’s own credentials. The implications and repercussions of this should need no explanation. In one instance our investigators uncovered it because artefacts showed the confidential material being accessed on premises a month after the suspected employee had left the company, at times when that person had neither remote access nor a physical presence on site. The question then posed was whether our investigators could separate the confidential material potentially accessed by the suspected employee before termination from the artefacts altered by the in-house IT personnel. In short, our answer was yes, to a certain extent.

Where an individual’s credentials have been used by someone else, the legal argument is diluted even when there is evidence of wrongdoing: how does one prove that a specific person performed a given action? This is why IT Group’s instruction is never to let in-house personnel perform the investigation. If you suspect employee wrongdoing, we advise the following:

  • Isolate the equipment where possible so that no further activity takes place that might overwrite crucial evidence;
  • Document every detail surrounding the suspicion (without accessing the suspected employee’s computer equipment) to give the investigative expert as background, in particular the dates and times when suspicious activity may have taken place. These might be occasions when the employee was seen using unrecognised removable media or staying late for unknown reasons, or conversations with other employees about their employment and future plans;
  • Contact a digital forensic specialist such as IT Group, who will make forensically sound copies of any digital material that needs to be investigated;
  • Keep the number of people involved in or aware of the suspected infringement to a minimum, so as not to alert the suspected employee and prompt the deletion of evidence.

Whilst IT Group can investigate company-owned equipment for potential infringement on the instruction of an authorised company stakeholder, we cannot investigate an employee’s personal devices without their consent or the required legal authority. If you suspect that an employee has used personal media to copy data, seek advice from an intellectual property law specialist.