
Case Study

Data Theft

 

Thomas is an R&D manager overseeing a team of 17 engineers. Just before Christmas, Thomas decided to clean up unnecessary files from the network shared drives and perform a full backup before going on holiday. While performing the housekeeping, he realised that one engineer's shared folder contained a large number of technical drawings, documentation, product photos and specifications, and client and supplier contact lists. This engineer should not have had access to many of these confidential files.

 

Thomas then recalled that this engineer had tendered his resignation and that his last day was one week away. Thomas felt uneasy about this sensitive data and informed the management about the incident.

The management was concerned about data leakage, and the Digital Fraud investigator team was deployed to investigate the incident.

 

Our Actions

We refer to the resigned engineer as the “Subject”.

 

Our digital forensics investigator obtained server logs from the IT manager to analyse the data movements, and drew a chart showing the amount of data accessed and transferred to the subject's shared drive. We noticed that after the subject tendered his resignation letter, the amount of data accessed and transferred increased by 400%.
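
The before-and-after comparison described above can be computed from a file-server access log along the following lines. This is an added example, not the investigators' own tooling: the CSV layout, account names, dates and byte counts are constructed for illustration, and an increase of 400% corresponds to a daily average five times the baseline.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample in a hypothetical CSV export format:
# date,account,operation,path,bytes
SAMPLE_LOG = """\
2023-12-04,subject,READ,/rd/projA/spec.pdf,1000000
2023-12-05,other_eng,READ,/rd/projA/spec.pdf,9000000
2023-12-05,subject,COPY,/rd/projA/draw1.dwg,3000000
2023-12-07,subject,READ,/rd/projA/notes.txt,2000000
2023-12-11,subject,COPY,/rd/projB/assembly.zip,9000000
2023-12-12,subject,COPY,/rd/clients/contacts.xlsx,6000000
2023-12-13,subject,COPY,/rd/projC/photos.zip,5000000
"""

def daily_bytes(log_text, account):
    """Total bytes per calendar day for one account."""
    totals = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or row[1] != account or not row[4].isdigit():
            continue  # skip malformed rows, headers and other accounts
        totals[date.fromisoformat(row[0])] += int(row[4])
    return dict(totals)

def pct_increase(log_text, account, pivot, start, end):
    """Percent change in mean daily bytes from [start, pivot) to [pivot, end].
    Days without activity count as zero so quiet days are not ignored."""
    totals = daily_bytes(log_text, account)
    before_days = (pivot - start).days
    after_days = (end - pivot).days + 1
    if before_days <= 0 or after_days <= 0:
        raise ValueError("pivot must lie inside (start, end]")
    before = sum(b for d, b in totals.items() if start <= d < pivot) / before_days
    after = sum(b for d, b in totals.items() if pivot <= d <= end) / after_days
    if before == 0:
        return None  # no baseline activity, so a ratio is undefined
    return (after - before) / before * 100

if __name__ == "__main__":
    # Constructed resignation date and observation window
    change = pct_increase(SAMPLE_LOG, "subject", date(2023, 12, 10),
                          date(2023, 12, 4), date(2023, 12, 13))
    print(f"Change in mean daily volume after resignation: {change:.0f}%")
```

Running the same function for every account that can reach the share shows whether the jump is specific to one account or part of a team-wide pattern.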

​

We decided to mount a covert operation and arranged with the management and the IT manager to visit the office after midnight to perform forensic imaging of the hard drives in the subject's desktop computer. We observed that the subject's desktop was padlocked and all its USB ports were disabled, in line with the company's IT security policies. This ruled out the subject having copied data from the shared drive to an external storage device via his desktop computer. The forensic imaging was completed at 7 am and our team left the office.

Back at our forensics lab, we analysed the contents of the subject's hard drive and found no evidence of data transfer. We then interviewed the R&D manager to better understand the engineers' job scopes. The interview was successful: we found out that the products the subject was working on had network connections and that their USB ports were not disabled. We traced which products the subject had been working on since he tendered his resignation, and 5 devices were identified.

We mounted a second covert operation to perform forensic imaging of these 5 devices and analysed the images in our lab. We found that data had been transferred from the subject's shared drive to several external devices, including USB hard drives and mobile phones. However, at this stage, there was still no evidence that these files had been copied by the subject, because the shared drives can be accessed by many engineers.

Time was running out: the subject is a foreign national and would be leaving the country once he had finished his notice period. Left with no choice, the management decided to make a police report to prevent the subject from leaving the country and, concurrently, to engage a lawyer to apply to the court for an Anton Piller order (APO) to search the subject's premises.

An APO was obtained, and our forensics team, together with the client and lawyers, went to the subject's house to serve the order. The entire search and seizure took 7 hours, and a total of 43 storage devices were found to contain the client's confidential data, including the entire product assembly specifications.

Digital forensic analysis was performed on these 43 storage devices, and most matched the list of devices found on the products that the subject had been accessing.

 

References

 

(1) Breach of a Binding Employment Agreement

(2) Computer Misuse Acts

(3) Other relevant laws

 

 

 

 
