Computer forensics fighting recession-era data thieves

11 May 2009

One disquieting side effect of the current economy’s number of redundancies is the increase of insider data theft. IT security experts Espion recently looked at incidents where firms found that ex-employees had stolen intellectual property (IP) and client lists to set up competing products or services.

However, proving that this was the case and stopping this data theft was another issue altogether.

“One of the unfortunate consequences of this tough economic environment is the loss of staff by redundancy. However, another less obvious consequence is the prospect of former staff establishing competing companies,” said Colm Murphy, technical director with Espion.

“Relatively low-level events such as contractual and employment disputes and data theft are very common and, if not handled properly, can cause considerable direct and indirect losses to organisations.”

Espion was contacted by a law firm that wanted to help three clients prove exactly this, and the resulting evidentiary report carried out a detailed forensic analysis using advanced tools that provided enough evidence to bring the ex-employees to court on a charge of unfair competition.

“Computer forensics, if performed by trained experienced professionals, can offer compelling evidence that can bring about a swift conclusion to the most threatening of situations,” said Murphy.

Espion’s report was enough to encourage one particular ex-employee to voluntarily hand over a USB hard drive for investigation. While the hard drive had been wiped and formatted, advanced forensics tools were able to recover quite a large number of files.

Computer forensics must prove “continuity and integrity of evidence” and be approached in a manner that is clear and open to being repeated by any third party, Murphy said.

The analysis in these particular cases proved that sensitive data had been accessed from the server by former employees in the days leading up to their departure, and that these files has also been opened from the external hard drive, giving a clear trail of digital evidence.

By Marie Boran