In today’s world, the amount of communication is astronomical. BYOD (Bring Your Own Device) adds to the complexity layer when already faced with traditional data sources used by most corporations. This article is intended to be a helpful reminder, or for some, new information on things to consider when using digital forensics for investigating potential theft or improper usage of proprietary data.
Consideration of Electronic Storage Areas/Devices
Whether you are working for the Defendant, Plaintiff or as a Forensic Neutral, there are certain electronic data sources one should consider for the investigation. These may include laptops/desktops (aka workstations), email servers, file servers, external media, online repositories, personal email accounts, home computers, smart phones and other portable computing devices. Some of these sources are self-explanatory, but others may not be. A couple examples include email servers and file servers. Email servers can be configured to keep the email on the server. This is important to understand so as not to assume the email will all be located on a desktop or laptop. One technique may be to synchronize the email to the desktop or laptop before creating a forensic image of that device. This may save you the need to collect the email from the email server.
For servers, it is important to understand the terminology being used. Take a file server for example: a server where individuals, or members of certain groups can store loose documents or email archives. It is often referred to as a private network folder or home directory for individuals, and as a group share for members of certain groups that have a common area for sharing documents. An example of a group share may be the accounting group share, or an engineering group share.
Email, workstations, external devices - where should I start? Data can leave a company in many different ways. Nowadays one way to exfiltrate “large” amounts of data is through the connection of an external device, but be aware it is certainly not the only way, nor should it be considered the most likely method. With that said, It is very easy to connect an external device, mass copy files to the device, disconnect the device and leave with it. So what artifacts would one expect to see from that type of activity on your commonly used Windows type workstation?
Clients often ask me why I cannot give them a list of files that were copied to an external device. To get this on the record, Windows does not create a “log”, “audit trail” or “record” of files that are simply copied to an external device via the drag and drop method. Absent having the actual device that the files were copied to, you must rely on other artifacts to show, or infer, that this activity occurred. One way is through the review of link files. A link file is a shortcut on a local drive that will open a target file on an attached drive or device.
Example, I have a document named tradesecret.doc (aka, the target file). If I save and close that document, then go back to my Windows Start Menu, allow the programs to display, and then move my mouse up to the Microsoft Word Program. This allows me the option to see a list of documents that I can choose from to click on. I choose the entry for tradesecret.doc and I open it.
This method of opening one of those documents creates a link file. A link file exists on the computer because a document was “opened”. Link files contain metadata including the path of the target file. The path may be an external device that left the company with the departed employee. The link file will also contain dates and times that the link file itself was created, as well as the creation, modified and access dates of the actual target file. So, what can you do with this information? We may visit this in a future post, but for now let’s move on to the next topic.
Online repositories are areas that are “in the cloud”. Programs like Carbonite, DropBox, SugarSync, YouSendIt, Mozy, Sharefile and FTP are but just a few of the hundreds if not thousands of online repositories. Although each may vary slightly in how they are used, in the end they all allow a user to store files. Looking for the installation and usage of these programs on a workstation may prove to be valuable. Visiting these sites may also create a record within the Internet History files. For example, if I were to visit www.sugarsync.com on a certain date and time, this may be in my Internet History file, and this may be information relevant to your matter.
Portable devices and smart phones are capable of storing files. With today’s advancement of “apps” it is possible to retrieve, open, edit and resave a document back to a portable device, or to the cloud based area the document was retrieved from. SIM cards from cell phones can maintain contact lists and can be moved from one phone to another compatible phone with ease. Let’s not overlook backup files made from Blackberry’s, iPads and other portable devices. These may prove to be valuable to show ownership or usage of a particular device that has not been produced for inspection, especially in today’s BYOD world where the device may be privately owned, but allowed usage at the company has resulted in corporate data on the device.
Protocols may play an important role in your matter. A well written and agreed upon protocol can save a lot of grief for all parties. This is not always appropriate, and may or may not be necessary for a particular matter, but is something to be considered.