An employee left one of our customers to join one of their competitors. After a few major clients jumped ship for the competitor, suspicions arose about the employee stealing from the company. Our customer asked our digital forensics team to take a look at the departed employee’s computer. The customer wanted to know whether the employee misused sensitive information or engaged in data theft before he resigned.
After forensically imaging the former employee’s laptop we concluded the employee was stealing company information. We also determined he transferred several highly sensitive documents from his company laptop to a USB drive after giving notice of his resignation.
How did we figure out that the former employee took information? Step one was to obtain a forensic image of the employee’s company laptop. Step two was to recover and examine key “artifacts.” Operating system artifacts, like Windows artifacts, are objects and pieces of information generated by the use of computer applications, like cache files and logs. Once collected, artifacts are examined to identify suspicious activity.
Our forensics team looked at:
Use of USB Devices
When a user connects a USB device to a computer for the first time, a small popup window is often displayed in the lower right corner alerting the user about the installation of software to run the device. After that, the Windows AutoPlay popup window generally appears with options for the user on how they wish to interact with the newly recognized drive.
For a computer user, these popup windows may seem routine or unimportant. For forensic examiners, these popup windows may provide significant information. Each time one of these windows appears, they create numerous system and registry files recording the use of the USB device. (Interestingly, although system files are invaluable to a digital forensic investigation, they are often excluded from an e-discovery review).
These artifacts can provide a forensic examiner with the date and time the USB device was first connected as well as descriptors such as the device name, manufacturer, and device identifiers.
A computer forensics investigation can also recover the drive letter assigned to the USB drive by Windows and the Windows user profile associated with the connected device. This information can help a forensic examiner understand how a USB device was utilized after it was connected, and possibly indicate whether a former employee transferred sensitive data to a USB drive.
In conjunction with USB drive artifacts, LNK files provide additional valuable information for a forensic investigation. Essentially LNK files are shortcut files that link to an application, folder, or file found on a user’s system or removable media.
LNK files are user-generated or created automatically by the Windows operating system. Windows generates LNK files when a user opens a location or remote file or document, and this can provide valuable insight into a user’s activities.
LNK files are also a great resource for examiners who are trying to find files that may no longer exist – files that might have been wiped or deleted, moved to a USB, or a shared network drive. Although the files may no longer exist, the LNK files associated with the original file could still exist on the system and provide valuable information as to what was accessed by the user.
LNK files from the user’s profile folder can provide all sorts of information about a computer user’s activity such as the path to the location of a file, timestamps associated with both the LNK file and the target file, target file size, volume name, and volume serial number of the device the target file is stored on, NetBIOS name (the service devices use to communicate over a local network) and MAC address (the local network address) of the device on which a target file is stored, and network details if the target file was stored on a remote computer or network share.
Jump List artifacts contain information for the file or resource accessed including the file path, the name of the application used to access the resource, and the date and time of use. Jump lists also track details of the drive from which the resource was accessed.
Jump lists also store information on a user’s most recently used files and also help the forensic examiner identify applications the user has used to create, edit, or view specific files.
Jump List entries, like LNK File entries, maybe the only remaining evidence that a file existed on a local system or removable media because they remain even after the original source file has been deleted.
The Windows Timeline keeps a chronological list of user activities on a system. This artifact tracks user actions including folders opened with File Explorer, recently opened files and their associated applications, and web page history. By default, Windows Timeline retains 30 days of activity, with the most frequent, or top activity, shown as thumbnails in the Windows Timeline display.
Windows Event Logs
Since the 1990s Windows OS has had the capability to log user events and this logging capability has only grown more robust over time. This provides system administrators with a standardized format, and centralized location for viewing important application and system activities. The event types usually include general information, warnings, errors, successes audits, and failure audits.
So what did we figure out? After analyzing some of the forensic artifacts discussed above, we determined that the former employee first installed a USB device after the date of his resignation and transferred sensitive information like client lists and contacts as well as presentations and documents relating to the company’s strategies to attain prospective clients.
Specifically, LNK files (and verified by the Windows timeline) showed that sensitive files were created on the D: drive after the date of resignation. Providing additional insight was the USB device list noting that the D: drive was assigned to a USB device on the same date that the confidential files were created.