cis417 term paper - investigating data theft


Running head: INVESTIGATING DATA THEFT

Investigating Data Theft

    Christine King

    CIS417

    Professor Dr. Laurant Jolly

    June 15, 2014

Data theft is one of the fastest growing computer crimes today. It can range from the theft of proprietary corporate information to the theft of financial data. With this type of theft on the rise, the need for system forensic specialists is also on the rise. While some forensic investigations stay in-house, investigations of identity theft, financial theft, or theft of corporate secrets are usually handled not only in-house but at the federal level too. System forensics has grown and will continue to grow along with the advancement of technology and of the attackers who exploit it. The organizations that oversee system forensic specialists will continue to grow and will most likely become stricter in their certification and testing procedures.

Investigating Data Theft

Being hired immediately by a large aerospace engineering firm shows me two things: their confidence in my skill set and experience, and their immediate need for a system forensic specialist. The firm has informed me that they believe one of their employees is using corporate email to send proprietary corporate information to at least one personal email account. It is their understanding that this has been taking place for at least the past thirteen days.

There are some steps that need to be followed in order to complete a successful investigation (www.forensiccontrol.com):

    Readiness: this cannot be overlooked. In order to have a successful investigation, and one that can be certified if necessary, the people involved need the proper training, equipment, software and tools.
    Evaluation: this is when the instructions for the engagement are received and any issues with investigating the suspect's property in the work area are identified.
    Collection: this includes anything obtained during live monitoring of the network and any data that has been deleted from or is stored on the network servers.
    Presentation: the report the examiner produces with the results of the investigation, including the data findings and any fraud that took place.
    Review: this stage is also very important; it is where the examiner and the other investigators review the processes that were used and consider whether the investigation could have been improved.

Based on the information that was given to me, it appears that a violation of corporate policy has occurred and that data theft has taken place. To begin the investigation, the following needs to happen (www.forensiccontrol.com):

    Obtain the name of the person suspected of the data theft.
    Look at the personnel file of the suspected person: how long have they been with the company, and do they keep to themselves or are they very social?
    Ascertain which workstation or workstations they have used over the past thirteen or so days.
    Determine what user name the suspect uses to log in to the network.
    Determine what type of proprietary data is thought to have been sent to the personal email accounts.

Once the above has been obtained, live system monitoring should be used to see whether there is any current activity from the workstation(s) or from the login that has been used. A few of the things that can be looked for while monitoring a live system are (Vacca & Rudolph, 2011):

    Search the email server for any traces of emails that have been sent to the personal account.
    Monitor the system for any activity from the user or workstation.
    Look for any traces of the user deleting emails that have been sent or received.
    Look for any evidence of data hiding.

Once the live system monitoring has been completed, the workstation, if necessary, should be moved to the forensic lab. If there is no hardware to be transferred, then the digital evidence that is found needs to be recorded, cataloged, and documented. Documenting each step and everything that is recovered is essential: each item should be hashed as it is collected, and who handled it, when, and where it was stored should be recorded, so that the evidence can be authenticated later. This step is not to be skipped, no matter the type of investigation; the investigation needs to be able to stand up in court.
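The recording and cataloging described above, as an added example that is not part of the paper: every collected item is hashed with SHA-256 as it enters the evidence directory, the manifest records who collected it and when, and a later re-hash shows whether anything changed. The evidence directory, case number and examiner name are placeholders, and the two files are constructed for the walk-through.

```python
"""Evidence cataloguing: hash each collected item, record who/when, re-verify later.

Added example (not from the paper). Assumes collected items have already been copied
into an evidence directory; case id and examiner name are placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

HASH_ALGO = "sha256"


def hash_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, case_id, examiner):
    """Catalogue every file under evidence_dir: relative path, size, hash, collector, time."""
    evidence_dir = Path(evidence_dir)
    items = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        items.append({
            "item": path.relative_to(evidence_dir).as_posix(),
            "size_bytes": path.stat().st_size,
            HASH_ALGO: hash_file(path),
            "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "collected_by": examiner,
        })
    return {"case_id": case_id, "hash_algorithm": HASH_ALGO, "items": items}


def verify_manifest(evidence_dir, manifest):
    """Re-hash every catalogued item; return a description of each one that changed or vanished."""
    evidence_dir = Path(evidence_dir)
    problems = []
    for entry in manifest["items"]:
        path = evidence_dir / entry["item"]
        if not path.is_file():
            problems.append("missing: " + entry["item"])
        elif hash_file(path) != entry[HASH_ALGO]:
            problems.append("hash mismatch: " + entry["item"])
    return problems


def demo():
    """Constructed walk-through: catalogue two items, verify, alter one, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        (ev / "mail").mkdir()
        (ev / "mail" / "sent_items_export.txt").write_bytes(b"constructed sample: exported Sent Items\n")
        (ev / "workstation_notes.txt").write_bytes(b"constructed sample: examiner notes\n")
        manifest = build_manifest(ev, case_id="CASE-0001", examiner="examiner placeholder")
        (ev / "manifest.json").write_text(json.dumps(manifest, indent=2))  # goes with the evidence
        clean = verify_manifest(ev, manifest)
        # Simulate an item being altered after collection; the manifest must catch it.
        (ev / "workstation_notes.txt").write_bytes(b"altered after collection\n")
        tampered = verify_manifest(ev, manifest)
        return len(manifest["items"]), clean, tampered
```

The manifest itself should be signed or stored separately from the evidence it describes; a plain JSON file beside the evidence only proves that the examiner's own copy has not drifted.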

When looking for evidence there may also be a need to look for hard copies of emails or data that may have been sent to those personal email accounts. Some of the places that should be examined for evidence of data theft are: saved documents on the workstation(s), data embedded in images, traces of external storage devices, traces of data uploads or downloads, email attachments, and unknown or non-business email addresses.
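Two of the checks above, searching the mail for messages sent to the personal account and picking out non-business addresses and attachments, as one added example that is not part of the paper. It parses stored messages with the standard library, keeps those the suspect sent to an address outside the firm within the thirteen-day window, and hashes each attachment. The firm's domain, the suspect's address, the window end date and the three sample messages are all constructed; in a real case the raw messages come from the mail server export.

```python
"""Mailbox triage: messages the suspect sent outside the firm within the window, and
what they carried.

Added example, not from the paper. Domain, suspect address, window and the three
sample messages are constructed for illustration only.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import format_datetime, getaddresses, parsedate_to_datetime
from typing import Optional

CORP_DOMAIN = "aerofirm.example"                          # assumption: the firm's mail domain
SUSPECT = "j.doe@aerofirm.example"                        # assumption: the account under review
WINDOW_END = datetime(2014, 6, 15, tzinfo=timezone.utc)   # assumption: date of the engagement
WINDOW_START = WINDOW_END - timedelta(days=13)


def addresses(msg, *headers):
    """Bare addresses from the named headers, lower-cased, display names dropped."""
    raw = [str(msg.get(h, "")) for h in headers]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def external(addrs):
    """Addresses whose domain is neither the corporate domain nor one of its subdomains."""
    out = []
    for a in addrs:
        dom = a.rsplit("@", 1)[-1]
        if dom != CORP_DOMAIN and not dom.endswith("." + CORP_DOMAIN):
            out.append(a)
    return out


def triage(raw_messages):
    """One finding per message the suspect sent to an external address inside the window."""
    findings = []
    for raw in raw_messages:
        msg = BytesParser(policy=policy.default).parsebytes(raw)
        if SUSPECT not in addresses(msg, "From"):
            continue
        sent = parsedate_to_datetime(str(msg["Date"]))
        if not WINDOW_START <= sent <= WINDOW_END:
            continue
        # Bcc only survives in the sender's own stored copy, which is exactly where we look.
        ext = external(addresses(msg, "To", "Cc", "Bcc"))
        if not ext:
            continue
        attachments = [
            {"filename": part.get_filename(),
             "sha256": hashlib.sha256(part.get_payload(decode=True)).hexdigest()}
            for part in msg.iter_attachments()
        ]
        findings.append({
            "message_id": str(msg["Message-ID"]),
            "date": sent.isoformat(),
            "subject": str(msg["Subject"]),
            "external_recipients": ext,
            "attachments": attachments,
        })
    return findings


def build_sample(mid, date, to, subject, attach: Optional[bytes] = None):
    """Constructed message for the demo; real input is the server's stored copy of each message."""
    m = EmailMessage()
    m["From"] = SUSPECT
    m["To"] = to
    m["Date"] = format_datetime(date)
    m["Subject"] = subject
    m["Message-ID"] = mid
    m.set_content("see attached")
    if attach is not None:
        m.add_attachment(attach, maintype="application", subtype="octet-stream",
                         filename="spec.dwg")
    return m.as_bytes()


SAMPLE_MAILBOX = [
    build_sample("<1@aerofirm.example>", WINDOW_END - timedelta(days=2),
                 "Jane Doe <jdoe.home@webmail.example>", "FW: wing spar spec",
                 b"constructed drawing bytes"),
    build_sample("<2@aerofirm.example>", WINDOW_END - timedelta(days=1),
                 "colleague@aerofirm.example", "lunch"),             # internal: not a finding
    build_sample("<3@aerofirm.example>", WINDOW_END - timedelta(days=30),
                 "jdoe.home@webmail.example", "old note"),           # outside the window
]


def demo():
    return triage(SAMPLE_MAILBOX)
```

The window filter is deliberately applied after the sender check and before the recipient check, so a message outside the window is never reported even if it went to the personal account; widening the window is a one-line change if the first pass suggests the activity began earlier than the firm believes.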

The investigation into email accounts can be extensive, and the network settings can dictate how extensive it becomes. Strict network settings do not allow much freedom when it comes to accessing the internet from a workstation. However, if the network settings are not so strict, this allows much easier access to the internet and to unauthorized websites.

Unfortunately, just because corporate policy states that use of the internet is restricted to authorized websites does not mean that employees will adhere to such a policy. Most employees will have no intent of data theft or of any type of intrusion on the network, but when employees are given too much freedom on the corporate network they can unknowingly allow an intrusion to take place. They can also unknowingly allow data theft: should one of their co-workers be more experienced in computer systems and security, that co-worker may have the knowledge to make it look as though the theft or intrusion came from another workstation, thus making another employee appear responsible for the intrusion or theft.

In order to ensure that corporate policy is adhered to when it comes to the internet, the network settings need to be strict, and the authorized websites need to be listed as trusted sites within the network settings with everything else denied by default. At the same time, the network needs to allow employees the tools necessary to do their jobs successfully.
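The strict posture described above beside the loose one, as an added example that is not part of the paper: a default-deny allowlist of trusted sites evaluated against the host the browser would really connect to, compared with a permissive network that only blocks a short list. The allowlist entries, the blocklist and the sample URLs are constructed; the host-extraction pitfall the example shows (a trusted name placed in the user-info part of a URL) is real.

```python
"""Egress policy check: default-deny allowlist versus permissive blocklist, applied to
the host a browser would actually connect to.

Added example, not from the paper. Allowlist, blocklist and sample URLs are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

# assumption: the firm's approved business sites. A leading dot covers the domain and its subdomains.
ALLOWLIST = frozenset({"intranet.aerofirm.example", ".supplier.example", "standards.example"})
# assumption: the short blocklist a permissive network might rely on instead.
BLOCKLIST = frozenset({"webmail.example"})


def request_host(url: str) -> Optional[str]:
    """Host the request really goes to, or None if the URL is not plain http(s).

    urlsplit().hostname drops the port and any 'user:pass@' prefix, so
    http://intranet.aerofirm.example@webmail.example/ resolves to webmail.example;
    a substring match on the raw URL would have waved it through.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """Strict posture: deny unless the host matches an allowlist entry exactly or by suffix."""
    host = request_host(url)
    if host is None:
        return False
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def permissive(url: str, blocklist=BLOCKLIST) -> bool:
    """Loose posture: anything passes unless its host is on the blocklist."""
    host = request_host(url)
    return host is not None and host not in blocklist


SAMPLE_REQUESTS = [                                      # constructed list of requested URLs
    "https://intranet.aerofirm.example/projects/spar",
    "https://portal.supplier.example:8443/upload",
    "https://webmail.example/compose",
    "https://mail.webmail.example/compose",              # blocklist misses the subdomain
    "http://intranet.aerofirm.example@webmail.example/",  # trusted name in the user-info slot
    "https://intranet.aerofirm.example.attacker.example/",
    "ftp://standards.example/specs",
]


def evaluate(urls=SAMPLE_REQUESTS):
    """Map each URL to (strict_allowed, permissive_allowed) so the two postures can be compared."""
    return {u: (allowed(u), permissive(u)) for u in urls}
```

The two rows that differ between the postures, the webmail subdomain and the look-alike domain, are exactly the kind of destination the paper's suspect would use, which is the practical argument for the allowlist.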

There are many software tools available for recovering deleted data; some are free downloads and some are commercial programs that must be purchased. Listed below are the top five free recovery tools (www.lifehacker.com):

    TestDisk
    Recuva
    PhotoRec
    Restoration
    Undelete Plus

There are also commercial recovery tools available; these are the top five (www.best-5.com):

    Data Recovery Pro
    Remo Pro
    Stellar
    File Recover
    Remo Basic

No matter which tool you use, you must be able to document its accuracy and its acceptance in the system forensics field. While you want to stay up to date on all system forensic tools, you do not want to use something so new that its accuracy or reputation is in question. One accepted way to document a tool's accuracy is to run it against a test image in which known files have been planted and confirm that it recovers them intact. When choosing the forensic tool for the current investigation, you should consider what the needs of the investigation are. Does the forensic software tool meet the needs of the investigation? Will the tool stand up to authentication? Is the tool kept up to date, and is the most current version being used? Is the forensic tool designed to work with the operating system that is being used?
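How signature-based recovery works and how its accuracy can be documented, as an added example that is not part of the paper and is not the code of any tool named in it. File carving by header and footer signature is the technique behind tools such as PhotoRec; the example carves from a constructed byte string standing in for a dump of unallocated space, then runs the known-answer check described above: every planted file must come back at the same offset with the same hash, and a partly overwritten file must not produce a false recovery. The JPEG and PDF signature bytes are real; the file bodies are constructed stand-ins, not real files.

```python
"""Signature-based carving plus a known-answer test of the carver.

Added example, not from the paper and not the code of any named tool. The image is a
constructed byte string; the signature bytes are real, the file bodies are not real files.
"""
import hashlib

# Header/footer signatures; max_size bounds how far a carve may run before it is rejected.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_size": 2_000_000},
    "pdf": {"header": b"%PDF-", "footer": b"%%EOF", "max_size": 20_000_000},
}


def carve(image):
    """Scan for each header and take bytes through the next footer (footer included)."""
    found = []
    for kind, sig in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(sig["header"], pos)
            if start == -1:
                break
            end = image.find(sig["footer"], start + len(sig["header"]))
            if end == -1 or end - start > sig["max_size"]:
                pos = start + 1          # footer overwritten or bogus header: do not carve
                continue
            end += len(sig["footer"])
            data = image[start:end]
            found.append({"type": kind, "offset": start, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_test_image(planted):
    """Constructed 'unallocated space': zero filler with known files written at chosen offsets."""
    image = bytearray(4096)
    for offset, data in planted.items():
        image[offset:offset + len(data)] = data
    return bytes(image)


def validate_tool(planted, results):
    """Known-answer test: each planted file must be carved back at its offset with the same hash."""
    expected = {(off, hashlib.sha256(d).hexdigest()) for off, d in planted.items()}
    got = {(r["offset"], r["sha256"]) for r in results}
    return {"recovered": len(expected & got), "planted": len(expected),
            "missed": sorted(expected - got), "spurious": sorted(got - expected)}


# Constructed stand-ins: real signature bytes around made-up bodies.
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-image-body" + b"\xff\xd9"
FAKE_PDF = b"%PDF-1.4\nconstructed pdf body\n%%EOF"
TRUNCATED_JPG = b"\xff\xd8\xff\xe0" + b"deleted-and-partly-overwritten"  # footer gone: must not carve

PLANTED = {512: FAKE_JPG, 1024: FAKE_PDF}


def demo():
    """Carve an image holding the two planted files and one truncated one, then score the result."""
    image = build_test_image({**PLANTED, 2048: TRUNCATED_JPG})
    return validate_tool(PLANTED, carve(image))
```

A real validation run uses the same shape with a vendor or NIST-style reference image and the tool under evaluation in place of carve(); the record of planted versus recovered hashes is what gets attached to the report when the tool's accuracy is questioned.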

For this investigation I am going to use one of the commercial data recovery tools, Data Recovery Pro, which is reputable and reliable in forensic investigations of this kind. Data Recovery Pro has high ratings for recovering emails and email attachments, which is one of the main focuses of this investigation. According to its reviewers, the software is able to recover files that have been encrypted or compressed, as well as files on external hard drives, and it is quick and takes up minimal space and resources (www.best-5.com). Software of this type will find and recover files or data that has been lost or deleted, and it allows the recovered data to be stored conveniently in a location you specify. Whichever tool is chosen, it should be run against a verified forensic image of the drive rather than the original media, so that the recovery process itself cannot alter the evidence.

Investigating data theft at the corporate level can be time consuming and critical. Depending on the type of data that is thought to have been stolen, a quick resolution may be needed. All corporate information is critical; some may be protected trade secrets or could pose a threat to national security. No matter the type of data theft that is thought to be taking place, a complete investigation and solution need to happen in a timely manner.

At the end of the investigation, a review of the processes should take place. This review can show the strengths and weaknesses of the investigation. It can show the procedures that need to be amended, those that should be removed, and those that need to be added. Were steps skipped in the interest of time? Who made the decision to skip them? Do the skipped steps put the evidence recovered in the investigation into question? Did the forensic tools that were used produce the evidence that was being looked for? Was it complete? Does the software need to be upgraded? If so, when should the upgrade take place?

These are the types of questions that need to be reviewed at the end of each investigation. This type of internal review will help keep the system forensic team current and consistently expanding its knowledge in the field of system forensics. It also helps the department adjust future budgets if software and hardware changes are needed in order to have complete investigations that can be authenticated.

References

Vacca, R., & Rudolph, K. (2011). System Forensics, Investigation, and Response (1st ed.). Sudbury, MA: Jones & Bartlett Learning.

https://forensiccontrol.com/computer-forensics/fraud-investigations/

http://www.recoverdatatools.com/

http://www.best-5.com/data-recovery-software/

http://lifehacker.com/5237503/five-best-free-data-recovery-tools