Running head: INVESTIGATING DATA THEFT

Investigating Data Theft


Christine King
CIS417
Professor Dr. Laurant Jolly
June 15, 2014

Data theft is one of the fastest growing computer crimes today. Data theft can range from
the theft of proprietary corporate information to the theft of financial data. With this type of
theft on the rise, the need for forensic system specialists is also on the rise. While some forensic
investigations stay in-house, when it comes to identity, financial, or corporate secrets theft, these
investigations are usually handled not only in-house but on the federal level too. The growth in
system forensics has surged and will continue to surge along with the advancement of technology
and of the attackers that are out there. The organizations that oversee system forensic specialists
will continue to grow and will most likely become stricter with their certifications and testing
procedures.

Investigating Data Theft


Being an immediate hire for a large aerospace engineering firm shows me two things:
their confidence in my skill set and experience, and their immediate need for a system
forensic specialist. The firm has informed me that they believe that one of their employees is
using the corporate email to send proprietary corporate information to at least one personal email
account. It is their understanding that this has been taking place for at least the past thirteen
days.
There are some steps that will need to be followed in order to complete a successful
investigation (www.forensiccontrol.com):

Readiness: this cannot be overlooked. In order to have a successful investigation, and
one that can be certified if necessary, the people need to have the proper training,
equipment, software and tools.

Evaluation: this is when the set of instructions is given and it is determined whether there are
any issues with investigating the suspect's property that is in the work area.

Collection: this includes anything that is obtained during the live monitoring of the
network and any data that has been deleted or stored on the network servers.

Presentation: the report that the examiner produces with the results of the investigation,
including the data findings and any fraud that took place.

Review: this stage is also very important. It is so that the examiner and other
investigators can review the processes that were used and whether there could be any
improvement in the investigation.

Of course, based on the information that was given to me, it appears that a violation of
corporate policy and data theft have taken place. To begin the investigation, the following needs
to happen (www.forensiccontrol.com):

Obtain the name of the person suspected of the data theft

Look at the personnel file of the suspected person, how long have they been with the
company, do they keep to themselves or are they very social

Ascertain which workstation or workstations they have used over the past thirteen or so
days

What user name is the suspect using to log in to the network

What type of proprietary data is thought to have been sent to the personal email accounts

Once the above has been obtained, live system monitoring should be used to see if there is
any current activity from the workstation(s) or from the login that has been used. A few of the
things that can be looked for while monitoring a live system are (Vacca, R., & Rudolph, K.,
2011):

Search the email server for any traces of emails that have been sent to the personal
account

Monitor the system for any activity from the user or workstation

Any traces of the user deleting emails that have been sent or received

Look for any evidence of data hiding
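
The first check in the list above, searching mail records for messages the suspect sent to a personal account, can be sketched as follows. This is an added example, not part of the original paper; the log format, addresses, domain and dates are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a mail-server message log (hypothetical format):
# timestamp, sender, recipients separated by ";", subject, attachment bytes
SAMPLE_LOG = """\
2014-05-30T09:12:00,jdoe@aerofirm.example,jdoe.home@webmail.example,old notes,0
2014-06-03T17:48:00,jdoe@aerofirm.example,jdoe.home@webmail.example,drawings,4821330
2014-06-05T08:02:00,jdoe@aerofirm.example,asmith@aerofirm.example,standup,0
2014-06-09T22:15:00,JDoe@AeroFirm.example,asmith@aerofirm.example;jdoe.home@webmail.example,specs,912004
2014-06-11T12:30:00,asmith@aerofirm.example,vendor@supplier.example,quote,20110
2014-06-14T19:05:00,jdoe@aerofirm.example,j.d.backup@webmail.example,fwd,0
"""

def external_sends(log_text, suspect, corp_domain, end, days=13):
    """Return the suspect's messages to non-corporate addresses in the window."""
    start = end - timedelta(days=days)
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        ts, sender, rcpts, subject, size = row
        when = datetime.fromisoformat(ts)
        # Addresses are compared case-insensitively; the window is inclusive.
        if sender.strip().lower() != suspect.lower() or not start <= when <= end:
            continue
        for rcpt in (r.strip().lower() for r in rcpts.split(";")):
            # Exact domain match only: subdomains of corp_domain count as external.
            if rcpt and rcpt.rpartition("@")[2] != corp_domain.lower():
                hits.append({"time": when, "to": rcpt, "subject": subject,
                             "attachment_bytes": int(size)})
    return sorted(hits, key=lambda h: h["time"])

def summarize(hits):
    """Map each external address to (message count, total attachment bytes)."""
    totals = defaultdict(lambda: [0, 0])
    for h in hits:
        totals[h["to"]][0] += 1
        totals[h["to"]][1] += h["attachment_bytes"]
    return {addr: tuple(v) for addr, v in totals.items()}

if __name__ == "__main__":
    found = external_sends(SAMPLE_LOG, "jdoe@aerofirm.example",
                           "aerofirm.example", datetime(2014, 6, 15))
    for h in found:
        print(h["time"].isoformat(), h["to"], h["subject"], h["attachment_bytes"])
    print(summarize(found))
```

The per-address summary gives the examiner a list of non-business addresses and attachment volumes to follow up on and to record in the case documentation.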

Once the live system monitoring has been completed, the workstation, if necessary,
should be moved to the forensic lab. If there is no hardware to be transferred then the digital
evidence that is found needs to be recorded, cataloged, and documented. Documenting each step
and everything that is recovered is an essential step. This step is not to be skipped, no matter the
type of investigation; the investigation needs to be able to stand up in court.
When looking for evidence, there may also be a need to look for any hard copies of emails
or data that may have been sent to those personal email accounts. Some of the places that should
be looked at for evidence of data theft would be: saved documents on the workstation(s),
embedded data in images, traces of external storage devices, traces of data uploads or
downloads, any email attachments, and unknown/non-business email addresses.
The investigation into email accounts can be extensive, depending on the network
settings; this can dictate the extensiveness of the investigation. Strict network settings will not
allow for much freedom when it comes to accessing the internet while using a workstation.
However, should the network settings not be so strict, this can allow for much easier access to
the internet and unauthorized websites.
Unfortunately, just because corporate policy states that the use of the internet is restricted
to authorized websites does not mean that employees will adhere to such a policy. Most
employees will have no intent of data theft or any type of intrusion to the network, but when
employees are given too much freedom on the corporate network they can unknowingly allow an
intrusion to take place. They can also unknowingly allow for data theft: should one of their
coworkers be more experienced in computer systems and security, that coworker may have the
knowledge to make it look like the theft or intrusion came from another workstation, thus making
it look like another employee is responsible for the intrusion or theft.
In order to make it so that corporate policy is adhered to when it comes to the internet,
the network settings need to be strict and the authorized websites need to be listed on the
trusted sites within the network settings. The network needs to allow the employee to have the
tools necessary to do their job successfully.
There are many software tools out there that can be used for recovering deleted
data. Some of these tools are free downloads and some are commercial software programs that
can be purchased. Listed below are the top five free download recovery tools
(www.lifehacker.com):

TestDisk

Recuva

PhotoRec

Restoration

Undelete Plus

There are also commercial software recovery tools available. These are the top five
(www.best-5.com):

Data Recovery Pro

Remo Pro

Stellar

File Recover

Remo Basic

No matter which tool you use, you must be able to document its accuracy and acceptance
in the system forensic investigation field. While you want to stay up to date on all system
forensic tools you do not want to use something that is so new that its accuracy or reputation is
questioned. When choosing the right system forensic tool for the current
investigation you should consider what the needs of the investigation are. Does the forensic
software tool meet the needs of the investigation? Will the tool stand up to authentication? Is the
tool you have chosen kept up to date and is the most current version being used? Is this forensic
tool designed to work with the operating system that is being used?
For this investigation I am going to use one of the commercial data recovery tools, Data
Recovery Pro. It is reputable and reliable in forensic investigations of this kind. Data Recovery
Pro has high ratings in recovering emails and email attachments, which is one of the main
focuses of this investigation. This software is able to recover files that have been encrypted or
compressed, and even files on external hard drives. This software is quick and takes up minimal
space and resources (www.best-5.com). This type of software will find and recover files or data
that have been lost or deleted. It also allows for convenient storage of the recovered data in a
location that you specify.
Investigating data theft on a corporate level can be time consuming and critical.
Depending on the type of data that is thought to have been stolen, a quick resolution may be
needed. All corporate information is critical; some can be protected trade secrets or could be a
threat to national security. No matter the type of data theft that is thought to be taking place, a
complete investigation and solution needs to happen in a timely manner.
At the end of the investigation the review of the processes should take place. This
review can show the strengths and weaknesses during the investigation. It can show the
procedures that need to be amended, those that should be removed, and those that need to be added.
Were there steps that were skipped in the interest of time? Who made the decision to skip these
steps? With these skipped steps, does this put the evidence that was recovered in the
investigation into question? Did the forensic tools that were used produce the evidence that was
being looked for? Was it complete? Does the software need to be upgraded? If so, when should
the upgrade take place?
These are the types of questions that need to be reviewed at the end of each investigation.
This type of internal review will help keep the system forensic team current and consistently
expanding their knowledge in the field of system forensics. It also helps the department adjust
future budgets, if software and hardware changes are needed in order to have complete
investigations that can be authenticated.

References
Vacca, R., & Rudolph, K. (2011). System Forensics Investigation & Response (1st ed.).
Sudbury, MA: Jones & Bartlett Learning.
https://forensiccontrol.com/computer-forensics/fraud-investigations/
http://www.recoverdatatools.com/
http://www.best-5.com/data-recovery-software/
http://lifehacker.com/5237503/five-best-free-data-recovery-tools
