Studies show that employees who have been terminated, especially against their will, are prone to stealing company data they could use against their former employer. Whatever their purpose is, companies must understand the legal consequences of employee data theft and the role of Elijah computer forensics when this happens.
Common company information that a departing employee may steel includes strategy documents, customer lists, company formulas, code, and others. And when the employee in question leaks this information to a business competitor, this could have serious impacts on the company.
Usually, this vital information is stored by the departing employee electronically on a hard drive, email account, USB, or file. Thus, computer forensics plays an important role in the retrieval of stolen information. Read on to know how your company can use computer forensics to investigate employee data theft:
Investigating and Preserving Information
When a departing employee steals intellectual property, computer forensics experts preserve the stolen data on the device of the employee, create a chain of custody documentation, photograph hardware, and verify the preserved data. These steps make sure the collected data is acceptable in court. After preserving this data, the expert will identify software and other information that may indicate a theft.
Analyzing USB Activity
A lot of USB devices these days like thumb drives and external hard drives can save an entire copy of a user’s hard drive. This explains why they have been commonly used for stealing data. But, USB devices leave behind a trail of digital evidence that can be essential to an investigation.
Computer forensic specialists can analyze the USB activity to disclose many facts regarding what was connected to the computer and when. Usually, forensic experts can identify the serial number and/or brand of the USB device, as well as the first and last time it was connected to the computer.
Identifying the Files Accessed and Possibly Transferred to the USB Device
Forensic experts use the artifacts made by the Microsoft Windows operating system to determine the files a thief may have accessed. These artifacts can indicate what was opened, when it was opened and from where it was opened. It will be an obvious red flag if an employee was opening files during the last week of employment, especially if these files were not related to their work. Moreover, the artifacts can also have specific information on where the file existed. They can indicate if an employee opens a file from a USB drive.