Digital Forensics, Legal

Digital Forensics in Employee Wrongdoing Cases

21 October 2020

If data can get in, then data can get out. The explosion of digital technology and innovation has been incredible, and yet has also opened us up to a number of threats—and they aren't always outside our organization.

With the accessibility of so much information, and the ease and ability of moving that data in and out, comes a myriad of challenges. This is the very reason we are seeing so many cyber breaches in which major entities all over the world lose personal health, financial, and identifying information. The total damage from these incidents is almost always a matter of how prepared and secure an organization is, but even with the best security, the ethos has changed. Whether the organization is public or private, small or large, it is now understood that when it comes to a data breach by a malicious actor, it is not a matter of if a breach happens, but when.

Exfiltration by Employees Has Become Easier

As with data breaches, the same can be said for employee wrongdoing; if data can get in, then data can also get out. Our experts have worked on thousands of cases in which organizations have allowed employees to use their own external hard drives, thumb drives, and cell phones, and it's still relatively common. But we are well past the days of BYOD (Bring Your Own Device) being the only feasible method of malicious data extraction out of an organization. Even if personal devices are not allowed by an organization, and the IT department has safeguards against any foreign device being plugged into a computer or server at the company, there is still a plethora of ways data can be exfiltrated from inside an organization.

Confidential customer lists, proprietary information, and executive strategy documents are now being transferred out of an organization maliciously by employees, or former employees, using filesharing applications, cloud-based services, messaging applications, videos taken of the computer screen right on a cell phone, and personal email accounts.

Every time an application introduces methods to transfer files using a computer, cell phone, or tablet, it increases its potential customer base. Consequently, the danger of data theft by an employee is greater than ever, if only because the means to do so are so easily accessible and require such a low level of technical sophistication.

Non-Sophisticated Technology Users on the Attack

Examples abound from the cases we have worked that play out this scenario. As a digital forensics firm, we've seen employees steal data by transferring files from a work Skype account to their personal Skype account. We've also seen thousands of emails sent from work email accounts to secret personal email accounts, and even sensitive company data transferred via a messaging application by a disgruntled employee to the cell phones of their children to obfuscate the activity.

Employees can even deploy remote access capabilities to computers after their termination date. They can go in and harvest the data they want well after walking out of the building, which, believe it or not, is relatively simple even for a technology novice with modern software applications.

All of the aforementioned methods are at the fingertips of a non-sophisticated technology user. The ways a technocrat can nefariously extract data are so convoluted and multifarious that they are truly limited only by ability and imagination. We have seen employees create backups of their entire computer in proprietary software formats so they are essentially hidden from non-forensic review, and then subsequently delete all of the sensitive information from their machine so it appears "clean." On the surface, the employee's computer would not flag any concerns, and the employee could walk right out the door, but that story can quickly change once the company starts seeing its customers being solicited and poached.

Make no mistake, the ability to create a backup like this is possible using any device, including a cell phone. What is preventing an employee from simply creating a backup of all their data, including emails, contacts, and confidential files before turning the phone over to be wiped by the IT department? In almost every instance, nothing.

Why Time is So Important

In many cyber breaches, an organization that is having sensitive data stolen by hackers usually doesn't know it is occurring until weeks or months after the initial breach occurred. The same is true in employee wrongdoing cases. An employee has stolen data and the organization doesn't know until weeks or months have passed. The damage is already done, and that employee is at their new job opportunistically wielding their previous employer's data.

The passage of time harms data. For example, let's play out a common scenario. The computer a previous employee used to steal data has been given to a new hire. Every moment that computer is in operation, it is overwriting unallocated space, often called "deleted space," with new data, truly deleting the forensic artefacts and evidence of wrongdoing that lived there. Without this evidence, the chances of successful litigation are compromised.

This is an all-too-common scenario that we see. It is in an organization's own best interest to preserve computers, cell phones, and other digital devices. This could mean simply placing those items into secure storage and leaving them untouched for a period of time. Preferably, the devices are forensically imaged (copied) so that they can be verified in accordance with forensic best practices. This is especially helpful if litigation ensues and expert testimony may be required. Another benefit is that the devices can then be wiped and put back into circulation.

After a Breach or Employee Wrongdoing Incident Occurs

Obtaining the devices and computer is just the first step. If you choose to work with a digital forensics examiner, make sure you understand how they store those devices, because those items are the only true evidence you have, and if they get tampered with, hacked, or destroyed, your case is gone. Make sure you understand the software and storage options and the costs, and that you have a good feeling about the examiner. They need to be able to present the technical data found clearly and easily, not only to you but also to a possible judge or jury.

Gaps in the Law

There are inherent gaps in the scope of criminal law protection for trade secrets, and these are about to be amended to provide additional protection. The enhancement to this law is a direct result of the Canada, US, Mexico (CUSMA) free trade agreement. Under the new bill implementing it in Canada's Parliament (Bill C-4), a trade secret is any information that:

  1. Is not generally known in the trade or business that uses or may use that information;
  2. Has economic value from not being generally known; and
  3. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

This definition is quite similar to the one in the federal Security of Information Act, which is targeted at preventing foreign espionage. Section 19 of that Act defines a trade secret as any information, including a formula, pattern, compilation, program, method, technique, process, negotiation position or strategy, or any information contained or embodied in a product, device, or mechanism that:

  1. Is or may be used in a trade or business;
  2. Is not generally known in that trade or business;
  3. Has economic value from not being generally known; and
  4. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

When an employee is aware of the rules and understands how to go around them to capitalize on the information they seek, rules will be broken, especially if that information is accessible, to some degree, for them to obtain and copy. When theft occurs, having a case and being able to prove your case are two different things. Spoliation of evidence happens every day, which is why working with third-party experts can be so useful to walk through the process of what's needed for litigation or potential litigation.

Never underestimate the human imagination. Even with the most elite of internal information technology experts on staff, where there is a will, there is a way, and employees will, and do, take advantage of company data.



About The Author
Lars Daniel
Practice Leader
Digital Forensics

Mr. Lars Daniel is the Practice Leader of the Digital Forensics Division. Mr. Daniel has qualified as an expert witness and testified in both state and federal courts, qualifying as a digital forensics expert, computer forensics expert, cell phone forensics expert, video forensics expert, and photo forensics expert. He has testified for both the defense and prosecution in criminal cases and the plaintiff and defense in civil cases.
