“You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.”
― Abraham Lincoln
From reading my blog posts on HummingBad and Pokemon Go, you might get the impression that I spend all my time now playing games and solving puzzles in the name of forensic science. I’m doing casework too, so I figured this week I would share an anonymized employee data theft case study. This has been a fairly typical scenario from my experience in the private sector so far.
A walk-in customer came to Gillware Digital Forensics with a problem. He was an attorney who had heard that we offered digital forensic services in employee data theft cases and wanted more information. His client was involved in a civil lawsuit with an ex-employee who had taken trade secrets (data) and then gone into business for himself, using the information he took to give himself a boost in his new venture. Before leaving, the employee took a vacation day and took his work laptop home with him. He deleted files, and they suspected he took company and customer data with him. The incident happened over a year ago, and the court case was in full swing. A trial was scheduled for the middle of the month. It didn’t seem that there was any chance for a settlement.
We provided consultation and advice, and within a week the employee’s laptop was delivered to GDF for examination. I called the business owner and talked to him about what he suspected had happened. He told me that they had suspected a problem fairly quickly, within a month or so. They removed the laptop from general use, sequestering it to preserve any evidence that might remain on the hard drive. But this didn’t fit what I saw on the drive. I saw files that were modified, accessed, and created right up until the day before the laptop arrived in our lab. So I called him back and asked more questions.
It turned out that his understanding of sequestering the computer was just to take it out of normal use. They were still looking for answers about what happened and what was taken, so they performed searches and poked through files and folders. They were looking for evidence. They were looking for proof.
By looking for evidence of employee data theft themselves, the business was unknowingly stomping on and obfuscating the original digital footprints left by their wayward employee. I know my friends in forensics pretty well. Well enough to know that right now you’re pulling your hair out or knocking your head on your desk or a nearby wall. Unintentional data spoliation hurts. It takes fairly easy forensics problems and compounds them with layers of complexity.
Unintentional data spoliation is an issue that plagued law enforcement in the early years of forensics, especially before there was any training in the identification and collection of digital evidence. Even after it’s become fairly common knowledge that mucking around on a suspect’s keyboard or cell phone leaves traces, I would occasionally find evidence of actions on a computer or cell phone after seizure. It’s not surprising that education about data preservation is needed in the private sector too.
Thankfully, this isn’t the end of the story. The attorney and business owner knew exactly what files they were looking for information about. They pointed to a specific time period for the activity they were interested in. They provided specific keywords to search for. A Windows update resulted in the creation of a restore point shortly after the employee left.
Thankfully, there are some great tools to help with this sort of problem!
Using a combination of Reg Ripper (my oldest favorite tool for registry examination), Forensic Explorer (my new favorite tool for examining restore points), and Triforce ANJP (an under-known superhero tool for examining journal files), I was able to peel back many of the overlying footprints to resurrect the previous history of the files they were interested in.
These tools, along with a good deal of patience and perseverance, allow for digital forensic archaeology to happen in employee data theft cases and beyond.
Reg Ripper is an open-source tool from Harlan Carvey that allows for quick and easy processing of registry hive files, with output that can be quickly searched for file names and events of interest, attached USB devices, and other clues to user activity. Forensic Explorer is an up-and-coming forensic suite from GetData that offers the ability to easily mount Volume Shadow Copies, allowing for the examination of snapshots in time of previous versions of files, directories, and volumes.
And Triforce ANJP? This tool is kind of like magic. I discovered it several years ago while reading David Cowen’s daily blogging project (what an undertaking!!). I beta tested early versions of Triforce while working in law enforcement, and provided samples of journal files from Windows Mobile devices for development. This tool ranked high on my shopping list while setting up the new lab here at GDF. TriForce ANJP (Advanced NTFS Journal Parser) works from the NTFS journaling artifacts and links information from the Master File Table ($MFT), the $LogFile transaction log, and the $UsnJrnl change journal, so that you can examine not just the current state of the file system but also the historical changes recorded in $LogFile and $UsnJrnl: creations, renames, deletions and metadata changes, including ones made before later activity overwrote the obvious traces. In other words, Triforce is a time machine that can help unravel the footprints left by unintentional spoliation.
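To make concrete what a change-journal parser gives you, here is an added Python example. It is not code from this post and not how TriForce ANJP is implemented; it parses USN_RECORD_V2 entries from a $UsnJrnl:$J buffer using the record layout and reason flags documented in the Windows SDK (winioctl.h), then rebuilds the history of one file across a rename and a delete by following the file reference number rather than the name. The journal it runs on is constructed inline: every file name, MFT entry number and timestamp in it is made up, and the later "search_results.txt" record stands in for post-incident activity by the owner. Point `parse_usn_journal` at the bytes of a real $J extracted with your tool of choice and the same logic applies.

```python
"""Added example: parse $UsnJrnl:$J (USN_RECORD_V2) and rebuild one file's history.

Not code from the post or from TriForce ANJP. Layout and reason flags follow winioctl.h;
all file names, MFT entry numbers and timestamps below are constructed for illustration.
"""
import struct
from datetime import datetime, timedelta, timezone

# USN reason flags (winioctl.h); only the ones this example uses are listed.
USN_REASON = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# Fixed 60-byte header of USN_RECORD_V2 (little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME),
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_HEADER = struct.Struct("<IHHQQqqIIIIHH")
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def decode_reason(flags):
    return [name for bit, name in sorted(USN_REASON.items()) if flags & bit]


def parse_usn_journal(buf):
    """Return every valid V2 record in a $J buffer, in on-disk order.

    $J is sparse: live records sit after a (possibly huge) run of zeros, so a zero
    RecordLength means "step forward", not "stop".
    """
    records, off, n = [], 0, len(buf)
    while off + _HEADER.size <= n:
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:
            off += 8
            continue
        if rec_len < _HEADER.size or off + rec_len > n:
            break  # truncated or corrupt tail: stop rather than read garbage
        (_, major, _minor, fref, parent, usn, ts, reason,
         _src, _sid, _attr, name_len, name_off) = _HEADER.unpack_from(buf, off)
        if major == 2:
            name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
            records.append({
                "usn": usn,
                "fref": fref,
                "mft_entry": fref & 0xFFFFFFFFFFFF,       # low 48 bits: MFT entry number
                "parent_entry": parent & 0xFFFFFFFFFFFF,
                "timestamp": filetime_to_datetime(ts),
                "reason": decode_reason(reason),
                "name": name,
            })
        off += rec_len
    return records


def file_history(records, name):
    """All events for every MFT entry that ever carried `name`, in USN order.

    Grouping by file reference number (not by name) is what carries the history across
    a rename: the RENAME_OLD_NAME and RENAME_NEW_NAME records share the same entry.
    """
    frefs = {r["fref"] for r in records if r["name"] == name}
    return sorted((r for r in records if r["fref"] in frefs), key=lambda r: r["usn"])


# ---- constructed sample journal (not real case data) --------------------------------

def build_record(usn, fref, parent, ts, reason, name):
    name_b = name.encode("utf-16-le")
    rec_len = (_HEADER.size + len(name_b) + 7) & ~7  # records are 8-byte aligned
    hdr = _HEADER.pack(rec_len, 2, 0, fref, parent, usn, ts, reason, 0, 0, 0x20,
                       len(name_b), _HEADER.size)
    return hdr + name_b + b"\x00" * (rec_len - len(hdr) - len(name_b))


def build_journal(events, sparse_prefix=64):
    """Zero-filled prefix, then records whose Usn is their byte offset, as on disk."""
    buf = bytearray(sparse_prefix)
    for fref, parent, when, reason, name in events:
        buf += build_record(len(buf), fref, parent, datetime_to_filetime(when), reason, name)
    return bytes(buf)


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


ENTRY_A = (5 << 48) | 77   # sequence 5, MFT entry 77: the document of interest (made up)
ENTRY_B = (2 << 48) | 91   # an unrelated file touched much later (made up)
DOCS = (3 << 48) | 40      # parent directory entry (made up)

SAMPLE_J = build_journal([
    (ENTRY_A, DOCS, utc(2015, 3, 2, 8, 12, 0),  0x100 | 0x80000000,      "ClientContacts.xlsx"),
    (ENTRY_A, DOCS, utc(2015, 3, 2, 8, 15, 30), 0x1 | 0x2 | 0x80000000,  "ClientContacts.xlsx"),
    (ENTRY_A, DOCS, utc(2015, 3, 2, 8, 40, 5),  0x1000,                  "ClientContacts.xlsx"),
    (ENTRY_A, DOCS, utc(2015, 3, 2, 8, 40, 5),  0x2000,                  "~tmp.dat"),
    (ENTRY_A, DOCS, utc(2015, 3, 2, 8, 40, 6),  0x200 | 0x80000000,      "~tmp.dat"),
    # Weeks later: someone searching the machine appends records; it does not erase the ones above.
    (ENTRY_B, DOCS, utc(2015, 4, 10, 14, 2, 11), 0x8000 | 0x80000000,    "search_results.txt"),
])


if __name__ == "__main__":
    for r in file_history(parse_usn_journal(SAMPLE_J), "ClientContacts.xlsx"):
        print(f'{r["timestamp"]:%Y-%m-%d %H:%M:%S}  entry {r["mft_entry"]}  '
              f'{r["name"]:<20}  {"|".join(r["reason"])}')
```

Two design points matter in practice. First, the parser treats a zero RecordLength as padding to skip, because a raw $J carve is mostly sparse zeros before the live region; stopping at the first zero would return nothing. Second, the history is keyed on the 64-bit file reference (entry plus sequence number), which is the only thing that survives the rename to `~tmp.dat`; a name search alone would miss the delete record. The later "search_results.txt" record is exactly the kind of footprint the post describes: it is added after the fact, but the earlier records are still there to be read.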
There are other great tools for this kind of time machine work: Registry Recon, libvshadow, Windows Event Log Parser, to name just a few. If you’re interested in further reading, Mari Degrazia wrote a great blog post on a similar methodology she used when examining machines for evidence of malware after remediation.
In the end, this particular wayward employee followed through with the trial, but he did not win. With the information I was able to provide, the attorney questioned the employee on the stand and obtained admissions of employee data theft. Here is the attorney’s reaction:
The trial ended up very nicely. The jury found that Mr. XXXXXX misappropriated a trade secret and we were able to with some confidence question him about taking XYZXYZXYZ the morning he left and he ultimately admitted to it. He said he deleted everything off of it after he took it, which we think only compounded the jury’s perception of his honesty. We very much appreciate your hard work on this Cindy and in particular the time you spent last Friday that led to the specific date and time of the download that we used to pin Mr. XXXXXX down. I will recommend you to others for this sort of work going forward.