Data is the lifeblood of most modern-day organizations. Email, infographics, databases, presentations, payroll systems, audio, video and spreadsheets are just a sampling of the types of data that comprise a business entity. The challenge with data is that it is portable, easily manipulated and relatively effortless to duplicate. Countless organizations are susceptible to data vulnerability, be it from a “planted” mole, a disgruntled employee or someone trying to get a leg up in his or her new position. How organizations prepare for, protect and respond to an incident against critical infrastructure is vital to its sustainability.
Trying to prevent an attack on business data is almost impossible, although the implementation of loss prevention systems, if implemented and managed effectively, can make the task of the thief a lot more difficult. When it comes to responding to a situation, which can include seeking appropriate legal advice, the most important task at- hand is to secure any or all evidence in a forensically sound manner. Undoubtedly, this of course will include the computer used by the suspects, but the process should also extend to include relevant network logs and smartphones, if legally obtainable. The paramount phrase above is “forensically sound” – this ensures that not only a complete copy of every data element on the device is captured, and therefore can be interrogated; but also that the equipment can be used in any subsequent legal proceedings and stand up to appropriate scrutiny.
Once the data has been secured, it is the investigator’s job to piece together any intelligence or evidence that may reveal what actions were undertaken and whether these actions support or refute any suspicions. Normally the investigations focus on 1) what activities the individuals had undergone on the computer; and 2) whether any data had been transferred off of the computer in an unauthorized manner. Therefore, a key focus in a typical investigation is to look for the use of webmail to send attachments, and the use of external USB devices, as well as to profile what files and folders have been accessed in the days leading up to the suspicious activity.
However, we have found that vital data can also lurk outside of these “normal” places. Below are three examples of where the investigation has gone further than the norm and has been instrumental to the case.
Skype and chat
Our client had started to suffer both staff and client losses to a new rival that was making a sustained effort to penetrate, what was to our client, a new product-market. The likelihood seemed low that the company could have gotten up-to-speed without some form of inside insight. Therefore, when three key people from different countries within our client’s organization resigned at similar times to join the rival, an investigation was launched.
At a first glance, the computers seemed to be relatively clear and showed no unusual activity. However, two key lines of inquiry proved to unravel the situation. The first was that the suspects were probably conscious that emails would be monitored and, therefore, turned to Skype to communicate - specifically through Skype’s chat functions. By analyzing the databases used by Skype, we were able to rebuild their conversations, and found that the dialogue was unguarded and open. The second line of inquiry was that one of the suspects had synchronized his iPhone with the computer to manage his music and videos. However, the synchronization process also created a back-up on the computer of the iPhone, thus allowing this to be investigated. Crucially, this allowed for his WhatsApp messaging conversations to be recovered and analyzed. When this was combined with the Skype data and other nuggets of information, the case unraveled and it became clear that our client was under a targeted and sustained attack.
Armed with this information, appropriate legal action was taken to ensure that our client’s information was returned, that the new market entrant had appropriate restrictions placed upon its organization and that significant damages were recovered.
Within the same timeframe and without warning, a key employee within our client’s organization handed in his notice and announced he was setting up his own business. He assured our client that he would not be directly competing and that he was venturing into something new. Unfortunately, the truth turned out to be the complete opposite. He was entering into direct competition and the fear was he had armed himself with our client’s proprietary information before he exited.
One of the first telling signs of fraudulent activity came to light through the analysis of the network logs for the client, which seemed to indicate that there was unusual amount of traffic occurring during the nights proceeding his announcement. On a closer examination of the computer, it appeared that not only had Dropbox been installed and was linked to key client data; but it also indicated that a direct connection had been established to a storage device outside of our client’s infrastructure. The log files on the computer also detailed all of the files and folders that had been synchronized in the process.
Subsequently, the legal team obtained a court order that allowed us to forensically image data from the suspect’s home and his new business address. During this process, not only did we discover the ‘storage device,’ but we also found evidence of how the information had already been amalgamated into the new business. Therefore, not only were we able to show that information had been taken, but also how it had subsequently been used, thereby drawing a direct line to the losses suffered by our client. Armed with this evidence, our client was able to secure a favorable legal settlement, including financial damages and the secure deletion of our client’s information from the ex-employee’s systems.
The back-door was wide open
Similarly, when one of the lead coders left our client’s employment to engage in a new venture, everything at first seemed to be amicable. However, two chance conversations suggested to our client that all was not what it seemed. The coder had joined a new company that appeared to be competing with our client and it seemed to have developed a competing solution in a fraction of the time it had taken our client.
Based on this scenario, an investigation was launched, seeking information within the computers used by the coder. Many of these computers were virtualized as opposed to acting as physical devices. This in turn presented a myriad of interconnections. What soon became evident was that many of the systems interconnected in his workings were unknown to anyone at the client and when the evidence trail was unraveled, the data findings were not within our client’s premises. Even more concerning was there appeared to be activity on the devices that post-dated the coder’s departure.
A closer examination of all the systems and the evidence contained upon them highlighted that not only had the coder connected devices from his home to the client’s systems, but data transfers to his home had continued long after he had left. Not only had he withdrawn copies of the code and underlying data before he departed the company, he appeared to be continuing to monitor his old employer’s development activities.
During subsequent legal proceedings, the coder’s new company had to hand over versions of their source code for analysis. On first glance, the code appeared very different from our client’s code, however, as our analysis progressed, a number of key observations revealed that their code had originated from our client’s proprietary intelligence. For example, there were identical typographical errors, identical redundant variables defined, and what’s more, the same repetitive code had been replicated. Further detailed analysis demonstrated how the code had originally been created from our client’s code and that it included some developments that had occurred after the coder had left, which were actually based on our client’s developments. The end result of the legal case determined that the coder’s new company had to withdraw its product from the market and pay substantial damages to our client.
Summary and key considerations
Although data is very portable and easy to copy, it also leaves its digital fingerprints in many different places. These digital fingerprints can allow an investigator to unearth vital evidence and intelligence to get to the facts behind the suspicions.
We strongly recommend that the following key considerations be taken into account to help your business protect itself from the incident of an attack:
- Do not turn on the device – no matter how tempting it is to “have a look”
- If a computer is on, turn it off directly at the power switch; do not use the shutdown command; if a server is on, power it down
- Freeze the scene and ensure that the computer/device and any digital media is securely stored
- Try and identify the user and other potential media
- Call an expert as soon as possible
Phil Beckett, Managing Director, (+44) 207 663 0778
Daniel Baron, Managing Director, (+1) 305 704 6698
Daniel Baron is a Managing Director with Alvarez & Marsal Global Forensic and Dispute Services in Miami. He brings more than 18 years of investigative, audit, financial reporting and consulting experience.