IDM Success Story – Forensic Analysis & Data Recovery
Mr. Smith was employed for over ten years as the head of business development at Acme, Inc., a medium-sized retail distribution company. In his role, he had access to the company’s internal communications, finances, and various other confidential intellectual properties specific to the company’s internal workings. On a Monday afternoon, without any prior notice, Mr. Smith contacted the HR department and informed them that that day would be his last day with the company. During his exit interview, Mr. Smith disclosed that the reason for his leaving the company was to seek other opportunities outside of this field of business. Several weeks later, Acme, Inc. learned that Mr. Smith had taken a similar position working for their largest competitor.
IDM was contacted by attorneys for Acme, Inc. We were asked to analyze Mr. Smith’s desktop computer for any evidence showing whether he had taken company property with him when he left to work for a competitor. So as not to disrupt the day-to-day operations of the business, an IDM Forensic Acquisition Specialist was dispatched to the location during off-hours – when the business was closed – to forensically preserve the state of Mr. Smith’s hard drive. Utilizing state-of-the-art hardware, write-blocking, and duplication technologies, the Specialist was able to quickly and accurately create two bit-by-bit, AES-encrypted forensic images (copies) of Mr. Smith’s hard drive.
Detailed Chain of Custody documentation was created from the first moment the IDM staff handled the original media, and the records traveled with the collected data throughout its entire life cycle. In addition to the Chain of Custody documentation, IDM also compiled data acquisition documentation which contained information about the collection. This documentation detailed exactly what was collected (serial numbers, models, versions, etc.), where the collection took place (address, date/time, etc.), the amount of data collected (number and size of hard drives, size of server data, etc.) and many other technical and situational details relevant to the acquisition.
The collected data was hand-carried to IDM’s forensic laboratory for analysis, logging, and secure storage in our fire-resistant media vault.
The End Result
Upon forensic analysis of Mr. Smith’s hard drive, it was determined that he had in fact been in communication with the competitor for several weeks prior to his departure. Mr. Smith had downloaded his personal AOL email to the company computer and was using it to send confidential, company-owned documents to the competitor. Mr. Smith deleted the mailbox prior to resigning; however, IDM was still able to recover 90% of the emails in unallocated space on the hard drive. In addition to the recovered emails, IDM determined that Mr. Smith had inserted an external USB hard drive two days prior to his resignation – not a typical activity for someone in his position. Upon discovery of this information, Mr. Smith was requested to provide the external hard drive in question, which was found to contain several proprietary documents owned by Acme, Inc.
IDM prepared an affidavit, for submission to the court, detailing the processes we used. Based on the affidavit and the information discovered, a TRO was issued prohibiting Mr. Smith from contacting Acme, Inc. clients. Eventually a settlement favorable to Acme, Inc. was reached with all parties.