SITUATION
Our client informed us that one of their employees left the company several months ago and is now working for a competitor. Because of recently lost bids on contracts to this competitor, our client had reason to believe that the former employee had taken proprietary information.
OBJECTIVE
We were asked to retrace the former employee’s activity on computer systems used during the time of employment.
ANALYSIS
Our first step was to preserve and forensically acquire the computer used by the former employee. The laptop had not been reissued and was stored in a secure cabinet within the HR manager’s office. After confirming chain of custody, we prepared a forensic copy of the hard drive content. Equipped with a working copy of the forensic image, we began the analysis. Using timeline analysis techniques, we chained together the crucial events surrounding the employee’s departure.
RESULT
Even though the employee left several months prior to our involvement, we immediately identified Internet browsing activity related to job searches and visits to the competitor’s career section on their website. The Internet activity occurred days before the employee’s departure.
Next, we turned our efforts to the sensitive and proprietary information used for contract bids. Using various operating system artifacts, we established a timeline which revealed that the former employee accessed proprietary information on the company’s server and began to stage copies of those files on the computer just days prior to leaving the company. Furthermore, we were able to show that the proprietary files were copied to and then accessed from a USB thumb drive attached to the computer hours before the employee left.
Equipped with this information and an in-depth timeline of events, our client was able to make an informed decision on how to proceed.