Digital Forensics
Can you determine if someone has copied or taken data?
One of the most common questions we are asked is “can you determine if an ex-employee took company data”. Generally, the short answer to that question is yes, but the amount of available information greatly influences how complete that answer will be. Throughout an analysis, there may be circumstantial evidence alluding to the possibility of data exfiltration, but more information or analysis may be warranted to make a final determination. Learn how to detect data exfiltration below.
Computer Analysis & USBs
When analyzing a computer, whether that computer is a Windows, Mac, or even Linux computer, forensic examiners can review different artifacts to determine if data was taken from a corporation. These artifacts can help determine if a USB device was connected, if improper email communications were sent, or if a cloud storage platform was signed into through a web browser.
One of the most common methods of taking data, also known as data exfiltration, is the use of external USB devices. These include flash drives, external hard drives, and SD cards connected via readers, among other device types. Most users know how to connect a USB device and copy data to it. From the perspective of forensic examiners, the starting point for analysis is evidence that a USB device was connected to a computer. The information a computer retains about connected USB devices can include the serial number, dates of connection, make/model, and maximum capacity of each device.
While there is no artifact that states “File.doc was copied to USB device,” other forensic techniques can be used to infer that data exfiltration occurred. On Windows computers in particular, file access artifacts stored on the computer indicate whether files and folders were opened from connected USB devices. Examiners can therefore compare the files opened on the source computer against the files opened from connected USB devices to identify common file names. The inference is that if a file with the same name was opened from both locations, that file could have been copied from the computer to the connected USB device.
Approaching the review from another angle, the USB device itself can be analyzed for evidence that data was copied from a computer. Using the creation timestamps of the files and folders stored on the USB device, an examiner can determine whether data was written to the device while it was connected to a corporate computer. Similarly, a listing of the files stored on the USB device, as well as their content, can provide insight.
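The two USB checks described above (matching file names opened both locally and from a USB volume, and testing whether files on the device were created while it was attached) are easy to mechanize once the artifacts have been parsed. The following is an added example written for this page, not code from the article or its authors. The device records, file-access entries and USB file listing are constructed stand-ins for what an examiner would already have extracted from a Windows system; the serial number, paths and timestamps are invented for illustration.

```python
"""Correlate USB connection windows with file-access artifacts.

Added example, not code from the original article. The records below are
constructed stand-ins for what an examiner would already have parsed from a
Windows system: device make/model/serial with first/last connection times
(as recorded for connected USB storage) and "file opened" entries with a
timestamp and full path (as recovered from link files and jump lists). The
analysis logic is the point: which file names were opened both from a local
volume and from a USB volume, and which files on the USB device were created
while it was attached.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


@dataclass
class UsbConnection:
    serial: str
    model: str
    first_seen: datetime
    last_seen: datetime
    drive_letter: str      # letter the volume was mounted as while attached


@dataclass
class FileAccess:
    path: str              # full path as recorded in the access artifact
    opened: datetime


@dataclass
class UsbFile:
    name: str
    created: datetime      # creation timestamp read from the USB file system


# Constructed sample records (not real case data).
USB_CONNECTIONS = [
    UsbConnection("0123456789ABCDEF", "Generic Flash Disk",
                  datetime(2023, 5, 2, 9, 15), datetime(2023, 5, 2, 9, 40), "E:"),
]
FILE_ACCESSES = [
    FileAccess(r"C:\Users\jdoe\Documents\Q3_forecast.xlsx", datetime(2023, 5, 2, 9, 20)),
    FileAccess(r"E:\Q3_forecast.xlsx", datetime(2023, 5, 2, 9, 31)),
    FileAccess(r"C:\Users\jdoe\Documents\meeting_notes.docx", datetime(2023, 5, 1, 14, 0)),
    FileAccess(r"E:\vacation.jpg", datetime(2023, 5, 2, 9, 35)),
]
USB_FILES = [
    UsbFile("Q3_forecast.xlsx", datetime(2023, 5, 2, 9, 30)),
    UsbFile("vacation.jpg", datetime(2022, 12, 24, 18, 0)),
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def is_usb_path(path, connections):
    """True if the path's drive letter matches a volume a USB device was mounted as."""
    letters = {c.drive_letter.upper() for c in connections}
    return PureWindowsPath(path).drive.upper() in letters


def common_file_names(accesses, connections):
    """File names opened from both a local volume and a USB volume.

    A match is only an inference: the same name in both places is consistent
    with a copy, and the examiner still needs to compare sizes and content.
    """
    local, usb = set(), set()
    for a in accesses:
        (usb if is_usb_path(a.path, connections) else local).add(_basename(a.path))
    return sorted(local & usb)


def files_created_while_connected(usb_files, connections, skew=timedelta(minutes=2)):
    """(file name, device serial) for USB files created inside a connection window.

    `skew` allows for small clock differences. Caveat: FAT-formatted devices
    store timestamps in local time with 2-second resolution, so convert both
    sides to the same time base before comparing.
    """
    hits = []
    for f in usb_files:
        for c in connections:
            if c.first_seen - skew <= f.created <= c.last_seen + skew:
                hits.append((f.name, c.serial))
    return hits


def summarize(accesses, usb_files, connections):
    """Combine both checks into one report keyed by lower-cased file name."""
    report = {}
    for name in common_file_names(accesses, connections):
        report.setdefault(name, []).append("opened locally and from USB volume")
    for name, serial in files_created_while_connected(usb_files, connections):
        report.setdefault(name.lower(), []).append(f"created on device {serial} while connected")
    return report


if __name__ == "__main__":
    for name, findings in summarize(FILE_ACCESSES, USB_FILES, USB_CONNECTIONS).items():
        print(name, "->", "; ".join(findings))
```

With the constructed data, `Q3_forecast.xlsx` is reported on both counts (opened from `C:` and `E:`, and created on the device during the connection window) while `vacation.jpg`, which already existed on the device months earlier, is not. A name match alone is never proof of copying, which is why the report keeps the two findings separate rather than collapsing them into one verdict.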
A Closer Look at Email & Cloud Storage
Since email is used on a daily basis in most organizations, attaching files to an email is a routine task for most users. During an analysis, the user’s corporate mailbox can be reviewed for evidence of email communications with a personal email account. Then, if evidence is identified of confidential documents being emailed to a personal mailbox, an argument could be made for preservation and review of that personal mailbox. The subsequent analysis of the personal mailbox would determine if any received emails contained confidential attachments.
Cloud storage platforms, such as Google Drive and Dropbox, also provide a means of taking data. For example, a user might use a web browser to navigate to “drive.google.com” and sign into their own personal Google account. Then, files could be uploaded directly to Google Drive from the source computer. Notably, file upload activity to cloud platforms via web browser does not have a dedicated artifact indicating files were uploaded. Instead, examiners would inform the client about the navigation to such cloud platforms and the real possibility that corporate data could have been uploaded.
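The mailbox and browser reviews described in this section reduce to the same kind of filtering: messages a corporate sender addressed to a personal webmail account (and, among those, the ones carrying attachments), and history entries whose host is a cloud storage platform. The following is an added example written for this page, not code from the article or its authors. The messages, history entries, corporate domain, webmail domains and cloud-storage host list are all constructed assumptions for illustration.

```python
"""Flag mailbox and browser-history artifacts pointing to personal email or cloud storage.

Added example, not code from the original article. The messages and history
entries are constructed; in practice they come from a mailbox export and the
browser's history database. CORPORATE_DOMAIN, the webmail domains and the
cloud-storage hosts are assumptions chosen for this example.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit

CORPORATE_DOMAIN = "example-corp.com"                        # assumed
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}
CLOUD_STORAGE_HOSTS = {"drive.google.com", "dropbox.com", "www.dropbox.com",
                       "onedrive.live.com"}


@dataclass
class Message:
    sent: datetime
    sender: str
    recipients: list
    subject: str
    attachments: list = field(default_factory=list)


@dataclass
class HistoryEntry:
    visited: datetime
    url: str
    title: str = ""


# Constructed sample data (not real case data).
MESSAGES = [
    Message(datetime(2023, 5, 2, 9, 5), "jdoe@example-corp.com", ["jdoe@gmail.com"],
            "fwd: forecast", ["Q3_forecast.xlsx"]),
    Message(datetime(2023, 5, 2, 11, 0), "jdoe@example-corp.com", ["buyer@partner.example"],
            "proposal", ["proposal.pdf"]),          # external but not personal webmail
    Message(datetime(2023, 5, 3, 8, 0), "jdoe@example-corp.com", ["john.doe@gmail.com"],
            "reminder", []),                        # personal account, no attachment
]
HISTORY = [
    HistoryEntry(datetime(2023, 5, 2, 9, 50), "https://drive.google.com/drive/my-drive", "My Drive"),
    HistoryEntry(datetime(2023, 5, 2, 9, 52), "https://intranet.example-corp.com/home", "Intranet"),
    HistoryEntry(datetime(2023, 5, 2, 10, 3), "https://www.dropbox.com/home", "Dropbox"),
]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _local_key(addr):
    """Normalise the local part so jdoe / j.doe / jdoe123 compare alike."""
    return re.sub(r"[^a-z]", "", addr.split("@", 1)[0].lower())


def likely_self_addressed(sender, recipient):
    """Heuristic only: the personal address probably belongs to the same person."""
    return _local_key(sender) == _local_key(recipient)


def personal_account_messages(messages):
    """(message, personal recipients) for mail a corporate sender sent to webmail accounts."""
    out = []
    for m in messages:
        if _domain(m.sender) != CORPORATE_DOMAIN:
            continue
        personal = [r for r in m.recipients if _domain(r) in PERSONAL_WEBMAIL]
        if personal:
            out.append((m, personal))
    return out


def attachments_to_personal_accounts(messages):
    """Subset of the above that carries attachments: the strongest mailbox lead.

    Each entry is (sent, sender, personal recipients, attachment names,
    whether a recipient looks like the sender's own personal address).
    """
    return [(m.sent, m.sender, personal, list(m.attachments),
             any(likely_self_addressed(m.sender, p) for p in personal))
            for m, personal in personal_account_messages(messages) if m.attachments]


def cloud_storage_visits(history):
    """History entries whose host is a known cloud-storage platform.

    A visit only shows the platform was reached; no browser artifact records an
    upload, so this is a lead to report, not proof that files left the system.
    """
    hits = []
    for h in history:
        host = (urlsplit(h.url).hostname or "").lower()
        if host in CLOUD_STORAGE_HOSTS:
            hits.append((h.visited, host, h.url))
    return hits


if __name__ == "__main__":
    for sent, sender, personal, files, self_addr in attachments_to_personal_accounts(MESSAGES):
        print(sent, sender, "->", personal, files, "self-addressed" if self_addr else "")
    for visited, host, url in cloud_storage_visits(HISTORY):
        print(visited, host, url)
```

On the constructed data the forecast spreadsheet sent to `jdoe@gmail.com` is the one attachment lead, and both the Google Drive and Dropbox visits are surfaced. The personal-account filter is deliberately based on recipient domain rather than on subject lines or keywords, because that is what can be established from mailbox metadata without reading every message; as the section notes, confirming what the personal mailbox received still requires preserving and reviewing that mailbox.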
All of the above examples can be used to assist examiners with determining if data was taken from a corporation. However, additional information, such as the USB devices connected to the suspect computer, the personal email account that received any improper communications or attachments, and access to the identified cloud storage platform(s) may be necessary to determine with certainty if data was taken or not.
If you suspect data has been taken or copied from any of your company’s electronic devices, CONTACT our digital forensic experts today.