Our company was approached by a manufacturing businessman who suspected that one of his former employees had acted to the detriment of the company. This concerned a sales representative who had resigned a few months earlier. Shortly after his departure, other employees also handed in their resignations and several key contractors unexpectedly terminated contracts with our client.
It soon became apparent that the former employee had become a partner in a company that had not been a competitor up to that point, but had begun to grow rapidly in size. Other former employees of our client also found employment in the new company, and the contractors who had broken their contracts established cooperation with this new entity.
Purpose of the investigation: finding evidence
Our team was tasked with finding out whether, already during his employment with the client, the former employee had established contacts with a rival company while planning to take over employees and customers. The only evidence available to our client was an old company computer belonging to the former employee.
Using computer forensics tools: Magnet AXIOM
The first step was to recover and analyse data from the computer disk. For this, we used Magnet AXIOM, an advanced computer forensics tool that enables the recovery and detailed analysis of data from computers, mobile devices and clouds.
The programme allows you to:
- restore deleted and hidden files,
- analyse the user’s activity history,
- reconstruct email communications and web browsing,
- establish a chronology of events and visualise the acquired data.
Thanks to these functions, it has been possible to identify potential information security breaches and collect evidence that can be used in legal proceedings.
Scope of recovered data
More than 560,000 records of various types were recovered from the computer, which were analysed in detail:
- approximately 7,000 documents (including text files, spreadsheets, PDFs),
- nearly 110,000 multimedia files (photos, audio and video recordings),
- more than 135,000 records of internet browsing history,
- approximately 2,800 location and travel data,
- nearly 1,500 records from social media, devices and user accounts,
- more than 20 calendar and email files.
This variety of data allowed us to create a full reconstruction of events and assess possible threats to the company’s information security.
Intelligent data search
With Magnet AXIOM’s keyword search function, we worked with the client to develop a list of phrases, which we then successively expanded. This approach significantly reduced analysis time, eliminating the need to manually review hundreds of thousands of files.
Among the materials found were:
- emails between a former employee and a competitor company,
- documents evidencing previous collaboration,
- log-in traces to private email accounts from a company computer,
- location data indicating the employee’s presence at the competitor’s premises.
Result of the investigation
Thanks to the evidence collected, our client obtained confirmation of his suspicions. The collected material was submitted for forensic evaluation. The entrepreneur expressed satisfaction with the results of the cooperation, and the entire analysis also allowed him to strengthen the procedures related to data protection and the company’s information security policy.
Author: Piotr Dobosz
Read other articles on our blog:
