Analysing what a sales rep had done to his laptop!

Posted on 2011-03-15
Last Modified: 2012-05-11
Odd request perhaps, but we have had a situation where a sales rep has attempted to steal company data to a business competitor of ours. The guy has been using his own personal webmail to email out documents and databases to himself and this other company. As malicious as this is, we can't see a way of being able to track what he has done with any real conviction. The laptop runs Windows 7 and yes, we have had a look at his internet history, but what we really need is something that can prove that he has attempted to steal company files. Hindsight is a wonderful thing, as we would have installed spy software to record such activities, but is there anything that can be used to do something similar retrospectively?

Any help here would be greatly appreciated.

Question by: philipgecko
LVL 62

Expert Comment

ID: 35143606
Ideally you are looking at a data loss prevention solution. There are many when you start googling this term; some include endpoint, server and network control and checks for such leakage. There can be content filtering at the network, not only at the endpoint, for keywords to identify sensitive data and control the surfing; some are from Blue Coat K9, etc.

For your retrospective case, it is to establish a chain of evidence. Areas to check out are minimally:

a) Windows event log for audit (if enabled) to check who logged in, and file access.

b) establish browser history, sites accessed

Some refs on using tools to sieve out more info:
LVL 47

Accepted Solution

dlethe earned 250 total points
ID: 35144790
First, if you plan legal action then stop everything and call in a certified computer forensic pro. But realistically, at this point you've tainted everything, so it is certainly too late to be able to defend yourself against a claim that you set him up. As breadtan said, there are just so many articles out there that you might as well be asking how to write a computer program.

So I'll think outside of the box and address a few things that are more vital...

Take a binary image of the disk drive. Then you can work on copies and preserve the original in case you need it later (or what is left of the original). Make several copies.

You can't just boot an operating system and poke around on the booted drive. In Linux, for example, you can mount the entire disk read-only, which will prevent you from mucking things up.

I'm thinking outside of the box, so I would contact a judge to get him/her to get a warrant so you can take it to the ISP to get his email logs.

Get a binary editor that can read the entire raw disk, and then search for strings such as some likely email addresses. This will find files, bits of files, deleted files, and everything that is still on the HDD. From there just look at it.
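As an added illustration of the last two steps (work only on a hash-verified copy of the image, then search the raw bytes for likely addresses), here is a Python script that is not part of the answer above or of any forensic tool it mentions. It fabricates a small zero-filled "disk image" with planted text fragments, the `.test` domains are constructed placeholders, and the watched domains stand in for the competitor and the rep's webmail provider.

```python
import hashlib, mmap, os, re, shutil, tempfile

# Loose e-mail pattern as a bytes regex so it runs directly over raw disk bytes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def sha256_file(path):
    """Hash a file in chunks; record this for the original and for every working copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def carve_emails(image_path):
    """(byte_offset, address) for every e-mail-like string in the raw image; the scan
    ignores the file system, so deleted files and slack space are covered too."""
    with open(image_path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return [(m.start(), m.group().decode("ascii")) for m in EMAIL_RE.finditer(mm)]

def hits_for_domains(hits, domains):
    """Keep only addresses at the domains of interest (the competitor, the webmail host)."""
    wanted = {d.lower() for d in domains}
    return [(off, a) for off, a in hits if a.rsplit("@", 1)[1].lower() in wanted]

def write_constructed_image(path):
    """Constructed stand-in for a disk image: zero-filled sectors with text fragments
    planted at fixed offsets (a deleted mail draft, a CSV export, an unrelated address)."""
    img = bytearray(64 * 512)
    for off, frag in ((1024, b"To: rep.personal@webmail.test\r\nCc: bids@competitor.test\r\n"),
                      (4096, b"id,customer,contact\n17,Acme,alice@customer.test\n"),
                      (20000, b"support@vendor.test")):
        img[off:off + len(frag)] = frag
    with open(path, "wb") as f:
        f.write(img)

def run_demo():
    """Image -> hash-verified working copy -> raw string search; returns (hash_ok, hits, flagged)."""
    workdir = tempfile.mkdtemp()
    original, copy = os.path.join(workdir, "laptop.raw"), os.path.join(workdir, "copy1.raw")
    write_constructed_image(original)
    shutil.copyfile(original, copy)
    hash_ok = sha256_file(original) == sha256_file(copy)  # only ever work on a verified copy
    hits = carve_emails(copy) if hash_ok else []
    return hash_ok, hits, hits_for_domains(hits, ["webmail.test", "competitor.test"])

if __name__ == "__main__":
    ok, _, flagged = run_demo()
    print("working copy verified" if ok else "working copy hash mismatch")
    for off, addr in flagged:
        print(f"offset {off:#x}: {addr}")
```

Each reported offset is where the string sits on the raw disk, which is what you would note down alongside the image hashes when you hand the copy to the forensic pro.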
LVL 62

Assisted Solution

btan earned 250 total points
ID: 35174250
Establishing a timeline will be useful for the trails too. Check out these two links:

The second link highlights the key parameters to look for in the browsing activities. I see that if the browsing activities and the hash of the leaked files have close proximity to their access time and visits to a particular website, there may be some correlation to be done. Though it does not mean that it was uploaded, it would be possible that each time the user accesses a file through a web browser, the browser caches or stores it. This normally makes it easier for the browser to retrieve data for a smoother experience while surfing the web.

See this (starting from slide 33)
