In today’s world, the amount of communication is astronomical. BYOD (Bring Your Own Device) adds complexity when already faced with corporately used traditional data sources such as a desktop, laptop, server, and corporate email.

This article is intended to be a helpful reminder (or for some, new information) on things to consider when using digital forensics for investigating potential theft or improper usage of proprietary data. Given the changing landscape of technology, I’d be remiss if I didn’t say to consult a forensic and legal professional before making any decisions.

Consideration of Electronic Storage Areas/ Devices

There are certain electronic data sources that defendants, plaintiffs, and forensic neutrals alike should consider for any investigation. These include laptops/desktops (aka, workstations), email servers, file servers, external media, online repositories, personal email accounts, home computers, smartphones, and other mobile computing devices.

Collection from some of these sources is self-explanatory, but others may not be as straightforward. A couple of examples of the nuances that you may encounter include email and file servers.

Email servers can be configured multiple ways. Some keep a copy of all emails on only the server, while others allow for a synchronization with other devices (e.g., use of Outlook), or a server may allow a user to download and keep the only copy of the email on their local device(s).

This is an important distinction to understand so as not to assume the email will all be located on a desktop or laptop. One technique may be to synchronize the email to the desktop or laptop before creating a forensic image of that device, which may save you the need to collect the email from the email server.

For servers, it is important to understand the types of servers in use and the general terms custodians (users) may use when describing them. Take a file server for example: a server where individuals or members of certain groups can store a myriad of document types, even email archives. It is often referred to as a “private network folder” or “home directory” for individuals, and as a “group share” (e.g., accounting group share, engineering group share) for members of certain groups that have a common area for sharing documents.

Analysis Considerations

Data can leave a company in a variety of ways. One way to exfiltrate “large” amounts of data is through the connection of an external device. It is very easy to connect an external device, mass copy files to the device, disconnect the device, and leave with

it. So what artifacts should one consider if you want to see from that type of activity on your commonly used Microsoft Windows type workstation?

One way to view a user’s activity is through the review of link files (aka, LNK Files). A link file is a shortcut on a local drive that may indicate the history of a file being opened from an attached device.

Clients often ask me why I cannot give them a list of files that were copied to an external device – it’s not that simple. Windows does not create a “log,” “audit trail,” or “record” of files that are simply copied to an external device via the drag-and-drop method. Absent having the actual device that the files were copied to, you must rely on other artifacts, such as link files, to show or infer that this activity occurred.

For example, I have a document saved to a USB removable device named tradesecret.doc (the target file). If I save and close that document, then go back to my Windows Start Menu and select the Microsoft Word program, I get a list of recent documents (including “tradesecret.doc”) that I can choose to open.

This method of opening one of those documents creates what is known as a shortcut. A shortcut exists on the computer because a document was “opened.” Shortcuts contain metadata, including the path of the target file. The path may be an external device that left the company with the departed employee. The shortcut may also contain dates and times that the shortcut itself was created, as well as the creation, modified, and access dates of the actual target file.

This shortcut metadata can tell you when a file was copied to a removable device and whether it was modified on that device. Please keep in mind that locating a copy of the same named file on the computer hard drive does not mean it has the same content as the copy that was identified on the external device. The only true way to identify a complete list of files, and their content, is to analyze the external device.

The Cloud

Online repositories are areas that are “in the cloud.” Programs like OneDrive, Carbonite, Dropbox, SugarSync, Hightail, Mozy, and ShareFile are but just a few of the hundreds (if not thousands) of online repositories. Although each may vary slightly in how they are used, in the end they all allow a user to store and access files.

Looking for the installation and usage of these programs on a workstation may prove to be valuable. Visiting these sites may also create a record within Internet History files. Some of these sites even record detailed audit logs of file activity (uploads, downloads, deletions, etc.). Keep in mind that you may have to act fast because these audit logs can be as short as 30 days.

Mobile Devices

In addition to making calls and sending text messages, mobile devices and smartphones can store files. With today’s advancement of “apps” it is possible to retrieve, open, edit, and resave a document back to a mobile device, or to the cloud-based repository the document was retrieved from.

Another example of how sensitive data can be stored on mobile devices are the SIM cards, which can maintain contact lists and can be moved from one phone to another compatible phone with ease. In some matters, the mere taking of a contact list can be very significant, as it could be a client list.

Let’s not overlook backup files made from BlackBerrys, iPhones/ iPads, and other mobile devices. These may prove to be valuable to show ownership or usage of a device that has not been produced for inspection, especially in today’s BYOD world, where the device may be privately owned but allowed usage at the company has resulted in corporate data on the device.

Staying on the subject of BYOD, be familiar with the company policies and rules for these hybrid devices. Does your company have well-written policies, such as whether the employer can remotely “wipe” the device of business data if the device is lost, or if the employee and the company part ways? Have you considered how to deal with that issue before it happens? I’ve seen it all too often wherein a client’s default was to remotely wipe an employee’s mobile device upon departure and then want evidence from that device (which no longer exists).

In addition to implementing and reinforcing a culture of security and reserving the ability to “wipe” devices if they are lost or stolen, companies should also consider ongoing training, annual acknowledgements, and otherwise set and manage employee expectations about the privacy they will have to surrender in exchange for the convenience of using their personal devices for work. This can help avoid some awkward conversations when you need to examine somebody’s personal device.

Should that need arise, what are some of the artifacts one could look for to ensure confidential company data has not been taken, or no longer resides on a departed employee’s device? As an example, you may want to know about geo-positional information (GPS data), which can indicate where the device was at a particular date/time.

Examples of some user activity to investigate include: attachments that have been broken apart from an email and saved to the device; installed software that allows a direct connection to a company computer that may bypass a particular security protocol; names of file attachments that may exist within personal email accounts on the device; pictures that may have been taken of a trade secret document in lieu of the actual file being taken; and Internet history and/or text messages, just to name a few. The data on the actual device may differ from the last backup, especially if the device is used more frequently and more recently than the last backup.

In summary, it is important to be educated or surrounded by people who will keep you informed. Getting a jump on the investigation, knowing that evidence will be perishable, and preserving what is needed even if put on ice will put you ahead of the game.

iDiscovery Solutions is a strategic consulting, technology, and expert services firm – providing customized eDiscovery solutions from digital forensics to expert testimony for law firms and corporations across the United States and Europe.