IT Forensics: Pinning Down Dishonest Employees

When an employee is leaving, many of the following tasks are obvious and routine: production of a P45, removal from the payroll and updating of the internal telephone directory, for example.

In this modern age of electronic communications, it is also necessary to remove or redirect the email account and to back up and possibly reassign the laptop and desktop PC. Most of us now have company phones or other devices such as tablets and portable media. All of these need to be dealt with carefully too.

If an employee is to be fired or made redundant, then more stringent processes are commonly deployed, and the timing of the locking down of email accounts and the cancelling of passwords is vital to ensure the process goes smoothly.

But what happens when an employee is leaving for sinister reasons?

It is not uncommon for employees to leave a company to set up their own business. If they are tempted to take a copy of valuable company data, they will tend to do that some days or weeks before they actually leave; in our experience it is the task carried out directly before writing their letter of resignation.

Disgruntled or dishonest employees are sometimes tempted to delete data and to cause disruption. Others have even been known to defraud the company by various means.

Software theft and breach of software copyright are increasingly common, and dealing with these types of “white collar” crime is often complex and requires highly technical skills and processes.

Routines need to be in place to preempt such dishonest deeds.

A burgeoning sector for digital forensics and the deployment of high technology lies in white collar crime. Increasingly, the techniques that have been refined and honed in the traditional criminal fields are being put to good use in intellectual property cases and in large-scale white collar crime such as insider dealing and tax evasion.

Virtually all businessmen and women access their data online via their smartphones and portable devices. When we are able to access these devices, the hugely expensive and difficult task of interrogating a corporation's servers is often avoided. Techniques for tracking the use of USB devices and for piecing together internet histories and email distribution mean that complex technical findings can be portrayed in graphic terms, in a form that is easy for a judge or a jury to understand.

The following cases are real life incidents involving employee crime or misdemeanour in which IT Group has been asked to help.

Directors of a company hatched a plot to leave and set up in competition. Before leaving they took a copy of the company's database to give themselves a flying start, then deleted some of the database, leaving the company without vital contacts and associated data. IT Group was able to take an image of the company server and, using specialist forensic tools, its experts recovered the deleted data. They were then able to see when USB devices had been inserted into computers on the network and associated these insertions with the transfer of the company's data. A successful prosecution resulted.
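The USB-tracking technique mentioned above, and used in the case just described, rests on artefacts such as Windows' setupapi.dev.log, which records when each USB device was first installed on a machine. The following is an added example, not IT Group's own code or tooling: it parses a constructed fragment in that log's layout into a timeline of USB disks and flags those first connected in the weeks before a resignation date; the device entries and dates are made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout Windows uses in setupapi.dev.log when a USB
# device is first installed (made up for this example, not taken from a case).
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E0AA11BB22CC&0]
>>>  Section start 2019/03/04 21:17:42.123
<<<  Section end 2019/03/04 21:17:43.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C52B\\6&1a2b3c4d&0&2]
>>>  Section start 2019/03/05 09:02:10.500
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530000123456789ABC&0]
>>>  Section start 2019/03/11 18:45:03.777
<<<  Section end 2019/03/11 18:45:04.200
<<<  [Exit status: SUCCESS]
"""

# Header of a USB mass-storage install record: vendor, product and serial.
DEVICE_RE = re.compile(
    r"^>>>\s+\[Device Install .*? - USBSTOR\\Disk&Ven_([^&]+)&Prod_([^&]+)&Rev_[^\\]*\\([^&\]]+)")
# The 'Section start' line that follows gives the first-connection time.
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

def parse_usbstor_installs(log_text):
    """Return a chronological list of (first_seen, vendor, product, serial) for
    every USB disk in the log; other USB devices (mice, keyboards) are skipped."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            pending = m.groups()
            continue
        m = START_RE.match(line)
        if m and pending:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, *pending))
            pending = None
    return sorted(events)

def devices_before_resignation(events, resignation_date, window_days=21):
    """Disks first connected on any of the `window_days` days up to and including
    the resignation date (YYYY-MM-DD), the period in which copying most often occurs."""
    end = datetime.strptime(resignation_date, "%Y-%m-%d") + timedelta(days=1)
    start = end - timedelta(days=window_days)
    return [e for e in events if start <= e[0] < end]

if __name__ == "__main__":
    for ts, vendor, product, serial in parse_usbstor_installs(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M}  {vendor} {product}  serial={serial}")
```

The serial numbers recovered this way are what let an examiner tie a specific device to the file copies found elsewhere on the machine.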

An IT consultant in a large corporation worked out how to divert the monthly purchase ledger payments into a single off-shore account. He realised that if he gained the highest level of access to the company's servers he could make this happen after he had left the company and the country. He also knew that the company often took several days to delete a leaver's email account and password, so he took over one such leaver's account and altered it so that HR would not realise that it had not been reset. He then carried out a number of dummy runs to check that his plan would work and, when he was ready, he resigned; just before he left he diverted the complete monthly purchase ledger payment run to his off-shore account. After he had left, the purchase ledger ran and the money started to be paid over to this new off-shore account. Fortunately, the bank noticed the strange transactions and was able to stop the payments before millions of pounds had gone. IT Group experts then imaged all the servers and several laptops and were able to identify the alias of the perpetrator. One IP address from an external connection pointed to the street in which one of the recently departed employees lived. A police raid confirmed that the perpetrator's username was on one of the computers in the house.

In an Employment Tribunal, an employee claimed that she was entitled to more holiday allowance and that her Contract of Employment proved this. The Contract of Employment did show additional holiday, but a forensic analysis showed that the document had been changed after the employee had started, and that this change had been made via a PC on which the employee herself had only just logged on, late one evening. The Tribunal found in favour of the employer.

Just days after a company acquisition, the new owners noticed that key employees had handed in their notice and that live deals in the pipeline had started to stall. Laptop examinations showed that a new cloud-based CRM was being accessed by a number of soon-to-be ex-employees and that a copy of the company's contacts and prospects had been uploaded to the new CRM. The domain registrar revealed a recently set-up competing company. As the new company was only a matter of weeks into its trading, the decision was taken that its directors could be approached directly. Within days a settlement agreement was drafted, the new company dissolved and new non-compete agreements established.