Term Paper: Investigating Data Theft
Information technology has eased service delivery in different institutions by automating most of their services. However, it has also brought new challenges that these institutions have to deal with to ensure that service delivery is seamless. One of the challenges brought about by the uptake of IT is data theft. Data theft is among the growing issues related to technology and ranges from the theft of financial information to that of corporate information. Having such information at hand can enable the data thief to blackmail such institutions or even demand some form of ransom in exchange for not releasing the data. This data can also be sold to rivals to give them an upper hand in understanding what their competitors are up to. For this reason, it is critical to ensure that the data of a corporation or institution is protected from data theft. In the case of any data theft, it is also important that the institution or corporation takes the necessary steps to curb this act, catch the perpetrator, and put up measures to avoid such an instance in the future. This paper discusses an instance of data theft in an aerospace engineering firm and the actions taken during the entire investigation to recover any data that might be lost.
With the rise of data theft, there has been a need for forensic specialists who address all the issues related to data theft. As a preventative measure, some institutions have their own forensic team that handles all potential instances of data theft. However, it is a good idea to outsource a forensic team for the simple reason that outsourcing such a team can ensure efficiency in dealing with such instances, since outsourced teams cannot tamper with the evidence or be involved in any way in aiding the data theft. In the most serious cases of data theft, the federal government performs the investigation while the in-house or outsourced forensic team performs data recovery. The field of forensic studies continues to advance at the same pace as IT. This means that as IT advances, forensic teams will also advance in their forms of investigation, data recovery, and testing procedures.
Investigating Data Theft
Being brought in to investigate a potential case of data theft that has been happening in an aerospace engineering firm for 13 days is important for both the firm and for my career. It shows that the firm has confidence in my skills as a forensic consultant, while at the same time showing the need for the firm either to permanently engage an outside firm to ensure that potential instances of data theft are dealt with or to build an in-house forensic team. The firm has provided information that they believe one of their employees has been breaching their corporate policy for the last thirteen days and that this is a potential data theft case. The suspected employee has been using his/her corporate email to send corporate information that is proprietary to the aerospace firm to their personal email. Such a case of data theft is critical for the survival of the aerospace engineering firm due to the competitive nature of their industry. Selling the proprietary information to their competitors has the potential to lead the aerospace engineering firm into losses by giving the competitors an upper hand regarding what this firm is manufacturing or in the process of developing. It is, therefore, important to start a successful investigation of this potential case of data theft.
To ensure success in this case of data theft, several steps need to be followed. First, as the forensic investigator, I need to be ready to deal with the issue. Being ready means that I have the tools needed to complete the investigation, such as the necessary software, hardware, and other tools. Additionally, I need to possess the necessary know-how to understand the issue and to plan the way forward. Planning is the most important part of the readiness step, since it ensures that I devise the right way to deal with this potential instance of data theft and that the investigation is conducted successfully. The next step that is crucial for a successful investigation is the evaluation of the instance of data theft. In this case, it is crucial to ensure that I do not miss any of the details provided regarding the employee involved in the data theft. Failing to analyze the data presented on the employee carefully can mean that I miss something that might lead to the crumbling of this investigation. Evaluation is important, especially when performing an investigation of the workspace of the employee. It is, therefore, necessary that all the information brought be carefully analyzed so as to take decisive action. Another factor that ensures the success of this investigation is the collection of the necessary data. Such data can be collected on the network in cases where the network was being monitored while the data was being transferred to the personal accounts. Additionally, the email servers must be used to check for any data that might have been transferred or even deleted by the employee. The data still on the servers can be studied to check consistency and detect any form of erasure.
After the evaluation of the employee's workspace and the collection of data from the email servers and the live monitoring of the network, it is important to make sense of the collected data. This can be done with a careful analysis of what has been collected so as to deduce whether or not there has been any instance of data theft. Additionally, this stage is important in outlining the magnitude of the data theft. It can show either that the case has caused minimal damage to the institution or that it can lead to huge losses for the aerospace engineering firm. The presentation is also an important aspect of ensuring that the investigation ends successfully. After careful evaluation of the employee's workspace and the collection and analysis of the data, it is important to give a presentation of my report to the management of the firm. In this presentation, I should show the magnitude of the data theft and the potential impacts that it might have on the firm. This case of data theft should be backed by the evidence that I collected during the entire investigation and the results that I deduced from the investigation. Additionally, I should provide an opinion on why I think it happened, such as the network and email servers not being adequately secured. In this report, I should also give a recommendation that ensures such an instance is well mitigated, prevented, or avoided in future. The last part of ensuring a successful investigation is the review. This part ensures that the entire investigation is reviewed to look at the areas that might be improved in the case of another investigation. The processes and tools used are reviewed to ensure that there is an advancement in the field of forensic investigations.
Based on the information provided to me, it looks like the employee indeed violated the corporate policy of the aerospace engineering firm through theft of data from the institution. However, to begin the investigation, it is important to carry out several things.
The first part is to get the personal information of the suspected party. This is in the form of the employee file that includes the personal name of the suspect, the position that they hold and the duties that they perform for the firm.
The next step involves a scrutiny of the personal file. This part surfaces important information that can form the basis of the investigation. It is important to study items such as the length of time that the employee has worked for the firm and whether, in this entire period, there have been any instances of behaviors considered to be negative. It is also crucial to know if the employee has some friends within the institution or whether he/she is anti-social. If they are social, then it is important to question their friends after the investigation.
The next step is to be certain that the employee has been using the same workstation that has been linked to the data theft case.
After this, I should ascertain the username that the suspected employee uses to log in to the network.
Lastly, it is crucial to know the kind of proprietary data that the employee is purported to have stolen.
After obtaining the above information, the live monitoring of the network should be done to check any current activity by the employee through their workstation or the username that has been assigned to them. Following Vacca & Rudolph, several things should be observed when monitoring a network.
First, a search should be conducted on the email server to ascertain whether any information has been transferred to a personal account.
Next, activities on the network should be monitored to look at activities by the employee's workstation or their assigned username.
A trace of the deletion of emails by the user should also be looked at to see if any emails received or sent have been wiped off the system.
It is also important to see if there have been any instances of hiding of data.
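The email-server checks listed above (transfers to a personal account, activity tied to the assigned username, and deletion of sent mail) can be sketched as a triage over a message-tracking export. This is an added example, not part of the original paper; the log columns, event names, domain, username and dates are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a mail-server tracking export (not real data).
# Column names, event names, addresses and dates are assumptions.
SAMPLE_LOG = """timestamp,event,user,recipient,message_id,attachments,bytes
2024-03-01T09:12:00,SEND,jdoe,team@aerofirm.example,m1,0,2100
2024-03-01T18:40:00,SEND,jdoe,j.doe77@webmail.example,m2,2,4810000
2024-03-01T18:42:00,DELETE,jdoe,,m2,0,0
2024-03-04T19:05:00,SEND,jdoe,j.doe77@webmail.example,m3,1,950000
2024-03-05T10:00:00,SEND,asmith,vendor@supplier.example,m4,1,30000
2024-03-06T20:15:00,SEND,jdoe,J.Doe77@WebMail.example,m5,3,7200000
2024-03-06T20:16:00,DELETE,jdoe,,m5,0,0
2024-03-20T08:00:00,SEND,jdoe,j.doe77@webmail.example,m6,1,1000
"""

CORPORATE_DOMAIN = "aerofirm.example"  # hypothetical corporate mail domain


def triage(log_text, username, start, end):
    """List mail `username` sent outside the corporate domain in [start, end],
    marking messages that also have a deletion event in the same window."""
    external, deleted = {}, set()
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if row["user"] != username or not (start <= ts <= end):
            continue
        if row["event"] == "DELETE":
            deleted.add(row["message_id"])
        elif row["event"] == "SEND":
            domain = row["recipient"].rsplit("@", 1)[-1].lower()
            if domain != CORPORATE_DOMAIN:
                external[row["message_id"]] = {
                    "message_id": row["message_id"],
                    "timestamp": ts,
                    "recipient": row["recipient"].lower(),
                    "attachments": int(row["attachments"]),
                    "bytes": int(row["bytes"]),
                }
    findings = sorted(external.values(), key=lambda r: r["timestamp"])
    for rec in findings:
        rec["deleted"] = rec["message_id"] in deleted
    return findings


if __name__ == "__main__":
    window = (datetime(2024, 3, 1), datetime(2024, 3, 13, 23, 59, 59))
    for f in triage(SAMPLE_LOG, "jdoe", *window):
        print(f["timestamp"], f["recipient"], f["attachments"], f["bytes"], f["deleted"])
```

A message flagged as both external and deleted is a pointer to what to look for during recovery on the workstation image.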
After the completion of the network live monitoring, it is crucial that pieces of evidence, such as the employee's workstation, be moved to the forensic lab. It is critical to document everything found during this investigation.
Apart from the network live monitoring and the forensic study of the workstation, hard copies can also be looked into. The employee can be in possession of the proprietary data or the sent emails in hard copy. These can be found with the worker at their desk, or even in their lockers. The hard copies can also have been scanned into their computers as images or be found on external storage devices, among others.
Another way to look at the investigation is that another employee may have used the workstation of the suspected employee to steal the data. This is especially possible if the firm does not have strict policies regarding internet access. Through the internet, a more experienced party can intrude into the workstation of another employee and use it to conduct data theft so that it seems that the suspected employee is the one who conducted the data theft.
In the case of deleted data, it is important for the investigation that this data be recovered. Several tools can be used to recover data, including Undelete Plus, Restoration, Recuva, Data Recovery Pro, and File Recover, among others. The software used to recover the data should be accurate and accepted in the field of forensic investigation. All software used during the investigation should be up to date. To choose a specific tool to perform the recovery, it is important to ensure that several aspects are looked at. Does the tool answer all the issues raised during the investigation? Is the tool up to date? Is it compatible with the operating system in use?
For this investigation, I chose to use Data Recovery Pro since it is commercially available software and hence is acceptable in the field of forensic investigation. This software can be used to recover emails and their attachments, which are at the center of this case. This recovery is not limited to the workstation but also covers external storage devices and compressed and encrypted data. Setting up the software takes up minimal computing resources and is an easy step. It also offers the option of storing the data in any place you specify. This tool is, therefore, crucial in this investigation since it works around the recovery of emails and attachments, and gives the proof in the form of recovered data. Depending on the kind of data involved in the theft, the process is often essential and can be time-consuming. Regardless of the type of data, it is, therefore, important to provide the required analysis of the investigation and the results on time.
The review should be conducted at the end of each investigation. The review defines the strengths and the weaknesses of this investigation. The strengths are the areas that should be retained in future research and investigations. On the other hand, weaknesses are areas that future research and investigations should improve. Conducting a review of the investigation is, therefore, crucial in enabling advances in the field of forensic investigations. During the review, several questions should be answered:
Were there any procedures that were skipped so as to save time?
Does the skipping of such procedures result in questionable evidence being presented?
Were the appropriate tools used to give the required evidence in the case?
Should there be software upgrades? If so, when?
The review of such questions helps to internalize the investigation. In the case of an in-house forensics team, such questions can help them conduct another investigation with more success. Additionally, such a department can be ready regarding its budget and the requirements that it needs to meet to conduct a successful investigation. Having the necessary tools for such instances can make or break the entire study.
In conclusion, it is critical to conduct an investigation after any suspected instance of data theft. To start with, an investigator must be ready to conduct the investigation. After this, a careful evaluation of the workspace of the employee who is suspected of conducting data theft should be conducted. This is followed by data collection from other sources and an analysis of the data. After this, a presentation should be given to show the evidence and the results yielded by the investigation, followed by the review of the entire investigation. The right tools should be used throughout the entire process to ensure that the results of the investigation are seen to be credible in the eyes of the rest of the members of the forensic team. Lastly, the review process is important in that it helps improvements to be made in future investigations. The strong parts of the investigation are retained, and the weaker ones improved.