Following the departure of an employee, a number of business leads were lost, with several business partners withdrawing from the negotiations in favour of another supplier. Suspicions were raised, as the employee negotiating those specific deals was the individual who had just left the organisation. Our client suspected that customer details were being handed on to one of their competitors, and that the employee had taken this data prior to their departure. We were therefore asked to do a forensic examination of all of the employee's work devices to ascertain what information, if any, had been taken in order to assess the business impact.
Two devices (one laptop and one iPhone) required forensic imaging, whilst maintaining chain of custody in the event that this matter resulted in criminal proceedings. Two members of the Secure Impact CIRT were deployed to the client’s premises where the device acquisition and imaging took place. The iPhone had been wiped upon being returned by the employee so no data could be recovered.
The team then completed analysis of the laptop, and forensic copies of files from the employees OneDrive were obtained using forensic cloud imaging tools. The handset could not be examined due to it being wiped upon point of return to the employer, but a forensic extraction of the SIM card found inserted with the device was obtained.
Our team worked in collaboration with the organisations Office 365 administrator to obtain a copy of the employee’s Outlook emails, as the locally stored backup recovered on the laptop was limited in content around the date the employee left the organisation. The laptop was subject to examination, and keywords were used to search across the contents of the device.
Timeline analysis and analysis of shell bags, most recently used (MRU) lists, jump lists and file timestamps did show that the employee had accessed and viewed an excel spreadsheet containing thousands of rows of customer data.
This was provided to the client who confirmed this was a spreadsheet containing current, previous, and prospective clients. Artefacts were recovered which suggested that an external device may have been connected to the employee’s laptop. Furthermore, the access times of several files containing customer details had been updated shortly after, suggesting these files may have been exfiltrated on the employees last day in office.
The team documented these findings in a detailed forensic report, notifying the client of what information may have been taken. The report served to highlight the extent of business loss that may occur due to the exfiltration of these documents, and to inform the clients response strategy.
To prevent this issue occurring again in the future, stricter access controls should be implemented to ensure that sensitive details cannot be accessed from home. Whilst the COVID-19 pandemic has created a necessity to work remotely, time and location-based access controls would have prevented confidential data being accessed remotely by their employee. Implementation of a data loss prevention (DLP) solution could have provided key indicators that sensitive data had been accessed and copied to an external device. Our team would also suggest taking advantage of the Windows built in BitLocker encryption solution to prevent data loss or leakage if work devices were lost or stolen.
If you have any questions about this case study, please contact our defensive security team.
