[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


Analysing what a sales rep had done to his laptop!

Posted on 2011-03-15
Medium Priority
Last Modified: 2012-05-11
odd request perhaps but we have had a situation where a sales rep has attempted to steal coompany data to a business competitor of ours.  The guy has been using his own personal webmail to email out documents and databases to himself and this other company.  As malicious as this is we cant see a way of being able to track what he has done with any real conviction.  The laptop runs Windows 7 and yes we have had a look at his internet history but what we really need is something that can prove that he has attempted to steal company files. Hindsight is a wonderful thing as we would have installed spy software to record such activities but is there anything that can be used to do something similar retrospectively..???

Any help here would be greatly appreciated.

Question by:philipgecko
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 65

Expert Comment

ID: 35143606
ideally you are looking at data loss prevention solution. there are many when you start googling this term, some include endpoint, server and network control and checks for such leakage. there can be content filtering at network not endpoint only for keyword to identify sensitive data and control the surfing, some are from blucoat k9, etc.

for your retrospective case, it is to establish chain of evidence. area to check out are minimally

a) window event log for audit (if enabled) to check who login, and file access.


b) establish browser history, site accessed


some ref on using tool to sieve out more info
LVL 47

Accepted Solution

David earned 1000 total points
ID: 35144790
First, if you plan legal action then stop everything and call in a certified computer forensic pro.  But realistically, at this point you've tainted everything so it is certainly too late to be able to defend somebody that you set him up. As breadtan said there are just so many articles out there then you might as well be asking how to write a computer program.

So i'll think outside of the box and address a few things that are more vital ...

Take a binary image if the disk drive. then you can work on copies and preserve the original in case you need it later. (or what is left of the original). Make several copies.

You can't just boot an operating system and poke around to the booted drive.  In linux, for example, you can mount the entire disk read-only which will prevent you from mucking things up.

I'm thinking outside of the box, so I would contact a judge to get him/her get a warrant so you can take it to the ISP to get his email logs.  

Get a binary editor that can read the entire raw disk, and then search for strings such as some likely email addresses.   This will find files, bits of files, deleted files, and everything that is still on the HDD.  From there just look at it.  
LVL 65

Assisted Solution

btan earned 1000 total points
ID: 35174250
Establishing timeline will be useful for the trails too. Check out these two links
@ https://computer-forensics.sans.org/community/downloads/#howto
@ http://blog.kiddaland.net/2010/05/timeline-analysis-101/

The second link  highlights the key parameters to look for out in the browsing activities. I see that if the browsing activities and the hash of the leaked files has close proximity to its access time and visit to particular website, there may be some correlation to be done. Though it does not mean that it is uploaded but it would be possible that each time user access a file through web browser, the browser caches or stores it. This normally makes it easier for the browser to retrieve data for a smoother experience while surfing the web.

See this (starting form slide 33)  https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-akin.pdf

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Check out what's been happening in the Experts Exchange community.
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question