SPONSORED SECTION
Protecting the Corporate Jewels
DIGITAL FORENSICS IN TRADE SECRET AND OTHER EMPLOYMENT INVESTIGATIONS
By James Vaughn
The amount of communication in today’s commercial environment is astronomical. The ubiquity of Bring Your Own Device (BYOD) policies adds complexity to a situation in which corporations already use traditional data sources such as desktops, laptops, servers and corporate email. This article is intended as a helpful reminder, and perhaps new information for some, of things to consider when using digital forensics to investigate potential theft or improper use of proprietary data. Given the changing landscape of technology, I’d be remiss if I didn’t suggest consulting a forensic and legal professional before making any decisions.

ELECTRONIC STORAGE AREAS AND DEVICES
There are certain electronic data sources that defendants, plaintiffs and forensic neutrals alike should consider for any investigation. They include laptops/desktops (workstations), email servers, file servers, external media, online repositories, personal email accounts, home computers, smartphones and other mobile computing devices. Collection from some of these sources is self-explanatory, but others may not be as straightforward.

Examples of the nuances you may encounter include email and file servers. Email servers can be configured in multiple ways. Some keep a copy of all email only on the server, while others synchronize it with other devices (e.g., via Outlook). Alternatively, a server may allow a user to download the email and keep the only copy on their local devices. This is an important distinction to understand, so as not to assume that all of the email will be located on a desktop or laptop. One technique may be to synchronize the email to the desktop or laptop before creating a forensic image of that device, which may save you the need to collect the email from the email server.

For servers, it is important to understand the types of servers in use and the general terms that data custodians and users may use when describing them. Take a file server, for example: a server where individuals or members of certain groups can store a myriad of document types, even email archives. It is often referred to as a “private network folder” or “home directory” for individuals, and as a “group share” (e.g., accounting group share, engineering group share) for members of groups that have a common area for sharing documents.

Analysis Considerations:

Data can leave a company in a variety of ways. One way to exfiltrate large amounts of data is through the connection of an external device. It is very easy to mass-copy files, disconnect the device, and leave with it. So what artifacts should one consider in order to see that kind of activity on a commonly used Microsoft Windows workstation? One way to view a user’s activity is through the review of link (LNK) files. A LNK file is a shortcut on a local drive that may indicate the history of a file being opened from an attached device. Clients often ask me why I cannot give them a list of files that were copied to an external device. It’s not that simple. Windows does not create a log, audit trail or record of files that are simply copied to an external device via the drag-and-drop method. Absent the actual device that the files were copied to, you must rely on other artifacts, such as LNK files, to show or infer that this activity occurred. For example, I have a document saved to a USB removable device named
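As an added illustration (not from the article or its author), the script below reads the fixed header and the LinkInfo block of a Windows shortcut file, following the layout Microsoft documents in MS-SHLLINK, to recover the target’s path, the drive type of the volume it lived on, that volume’s serial number and label, and the target’s timestamps and size. It then flags shortcuts whose target was on removable media, which is the inference described above. The two .lnk samples are constructed inline by the script’s own builder; the paths, volume label and serial numbers in them are invented. In a real triage you would feed it the .lnk files collected from a user’s Recent folder and correlate the volume serial with USB device artifacts.

```python
"""Minimal MS-SHLLINK (.lnk) header / LinkInfo parser for triaging shortcuts
that point at removable media. Added illustration; not from the article."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit: a shell item ID list follows the header
HAS_LINK_INFO = 0x02                  # LinkFlags bit: a LinkInfo structure is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit: VolumeID and LocalBasePath present
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means unset."""
    return None if ft == 0 else _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _cstring(buf, off):
    """NUL-terminated byte string at buf[off:], decoded as cp1252 (the ANSI path form)."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", errors="replace")


def parse_lnk(data):
    """Return target timestamps, size and, when LinkInfo is present, the target volume and path."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink (.lnk) file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    result = {
        "target_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
        "drive_type": None, "volume_serial": None, "volume_label": None, "local_path": None,
    }
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the shell item ID list if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        (info_size, _hdr_size, info_flags, vol_off,
         base_off, _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        info = data[pos:pos + info_size]          # all LinkInfo offsets are relative to its start
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<IIII", info, vol_off)
            result["drive_type"] = DRIVE_TYPES.get(drive_type, f"UNKNOWN({drive_type})")
            result["volume_serial"] = f"{serial:08X}"
            result["volume_label"] = _cstring(info, vol_off + label_off)
            result["local_path"] = _cstring(info, base_off) + _cstring(info, suffix_off)
    return result


def removable_media_targets(lnk_blobs):
    """Keep only shortcuts whose target lived on removable media (name, path, serial, label, mtime)."""
    hits = []
    for name, blob in lnk_blobs.items():
        rec = parse_lnk(blob)
        if rec["drive_type"] == "REMOVABLE":
            hits.append((name, rec["local_path"], rec["volume_serial"],
                         rec["volume_label"], rec["target_modified"]))
    return hits


def build_lnk(local_path, drive_type, serial, label, size, mtime):
    """Construct a minimal .lnk (header + LinkInfo + terminal block) as sample input."""
    vol_label = label.encode("ascii") + b"\0"
    volume_id = struct.pack("<IIII", 16 + len(vol_label), drive_type, serial, 16) + vol_label
    base_path = local_path.encode("ascii") + b"\0"
    suffix = b"\0"                                # empty CommonPathSuffix
    vol_off = 28                                  # LinkInfoHeaderSize without unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + suffix
    ft = datetime_to_filetime(mtime)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,  # ARCHIVE attr
                         ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    return header + link_info + b"\0\0\0\0"       # four zero bytes: ExtraData terminal block


# Constructed sample: two shortcuts as they might sit in a user's Recent folder, one pointing
# at a USB stick (drive type 2) and one at the local fixed disk (drive type 3). All values invented.
SAMPLE_LNKS = {
    "customer_list.xlsx.lnk": build_lnk("E:\\Projects\\customer_list.xlsx", 2, 0x1A2B3C4D, "KINGSTON",
                                        48213, datetime(2023, 5, 17, 14, 32, 5, tzinfo=timezone.utc)),
    "expense_report.docx.lnk": build_lnk("C:\\Users\\jdoe\\Documents\\expense_report.docx", 3,
                                         0xDEADBEEF, "OS", 12000,
                                         datetime(2023, 5, 16, 9, 0, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for hit in removable_media_targets(SAMPLE_LNKS):
        print(hit)
```

The timestamps and size recovered here describe the target file at the moment the shortcut was last written, not the copy operation itself, which is exactly why the article calls this inference rather than proof: the LNK shows the file was opened from that volume, and the volume serial is what lets you tie it to a specific device.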