Sending Information to Webmail
Employees commonly send proprietary information to a personal webmail account, either by accessing a personal email account at work to send themselves files or by using the company's email system to send files to their personal email. When a personal email account was accessed from work, the investigation begins with the browser. Counsel should review the "Internet History" associated with a user's Web activity to see whether the user visited and logged into a webmail provider such as Gmail or Yahoo! Mail. Counsel can then correlate the time of this visit with file system metadata showing if and when the employee accessed sensitive files. When files were sent from a business email account to a personal one, employers should preserve and search the user's company email account for any relevant emails.
Proving email transfer of information is becoming more difficult due to mobile devices and tablets. Many people access various email accounts using these devices, and the hunt for proof of insider theft may need to extend to these gadgets. Fortunately, when investigators do delve this deep, it's very possible that the incriminating emails will actually reside on the device itself. In some cases, an investigator may even be able to recover emails that were already deleted.
Access from Home Computer
Another important question to ask is if the suspect had access to sensitive files from home through a virtual private network or through a program such as Outlook Web Access. If there was a VPN, the company's computer network keeps a record of when a connection is established from a home computer. If the company uses OWA, logs may show that the employee accessed his company email from a home computer. Aligning the timing of this remote access to the metadata showing when the user last interacted with sensitive files can also be an indicator of illicit activity.
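The timing correlation described in this section and the previous one, as an added Python example that is not part of the original article: it groups files whose last-accessed times fall within seconds of one another, then lists which VPN sessions or webmail visits overlap them. The file names and times are the ones in the article's table; the VPN and webmail events, the function names and the thresholds are constructed for illustration, and all timestamps are assumed to be already normalized to one time zone.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%m/%d/%y %I:%M:%S %p")

# Last-accessed metadata, values as listed in the article's table.
FILES = [(n, ts(t)) for n, t in [
    ("2012 Strat Plan.doc", "1/1/12 3:50:15 AM"),
    ("Midwest Customer List.doc", "1/1/12 3:50:15 AM"),
    ("2012 Business Dev Initiates.doc", "1/1/12 3:50:15 AM"),
    ("Sales Deck.ppt", "1/1/12 3:50:15 AM"),
    ("Sell Sheet.doc", "1/1/12 3:50:16 AM"),
    ("Non-Compete Agreement.doc", "1/1/12 3:50:16 AM"),
]]

# Constructed sample events (kind, start, end); not from the article.
EVENTS = [(k, ts(a), ts(b)) for k, a, b in [
    ("vpn", "12/28/11 9:00:00 AM", "12/28/11 9:30:00 AM"),
    ("vpn", "1/1/12 3:41:02 AM", "1/1/12 4:05:30 AM"),
    ("webmail", "1/1/12 3:52:10 AM", "1/1/12 3:58:44 AM"),
]]

def bursts(files, gap=timedelta(seconds=2), min_files=3):
    """Group files whose last-accessed times follow each other within `gap`."""
    groups, cur = [], []
    for name, t in sorted(files, key=lambda f: f[1]):
        if cur and t - cur[-1][1] > gap:
            groups.append(cur)
            cur = []
        cur.append((name, t))
    if cur:
        groups.append(cur)
    return [g for g in groups if len(g) >= min_files]

def correlate(files, events, lead=timedelta(minutes=15)):
    """Map each event to files accessed during it (or up to `lead` before a webmail visit)."""
    hits = {}
    for kind, start, end in events:
        lo = start - lead if kind == "webmail" else start
        names = [n for n, t in files if lo <= t <= end]
        if names:
            hits[(kind, start)] = names
    return hits

if __name__ == "__main__":
    for g in bursts(FILES):
        print(f"burst: {len(g)} files between {g[0][1]} and {g[-1][1]}")
    for (kind, start), names in correlate(FILES, EVENTS).items():
        print(f"{kind} starting {start}: {len(names)} sensitive files accessed")
```

A burst or an overlap is an indicator to follow up, not proof on its own: other activity, such as an antivirus scan or a backup job, can also touch many files within the same second.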
In any investigation, evidence should not be examined before it's been forensically preserved, to avoid inadvertently altering it. For example, it's easy for a well-meaning counsel to connect her client's USB hard drive to her computer to see the contents of the drive. But even if she doesn't open any documents, just hovering her mouse over some of them can inadvertently change the last-accessed date.
Detecting and proving insider theft of proprietary information is a challenge companies and their counsel face with increasing frequency—and just one of these events can financially devastate a business. But by hunting for these four signs of insider theft, counsel can skillfully weave evidence together to create a reliable and defensible foundation for litigation.
| File Name | Last Accessed |
|---|---|
| 2012 Strat Plan.doc | 1/1/12 3:50:15 AM |
| Midwest Customer List.doc | 1/1/12 3:50:15 AM |
| 2012 Business Dev Initiates.doc | 1/1/12 3:50:15 AM |
| Sales Deck.ppt | 1/1/12 3:50:15 AM |
| Sell Sheet.doc | 1/1/12 3:50:16 AM |
| Non-Compete Agreement.doc | 1/1/12 3:50:16 AM |
Younger is director of digital forensics and Branham is vice president at Stroz Friedberg, based in Minneapolis. For daily tech news, go to lawtechnologynews.com.