Forensic Case Files: Exonerating an Employee of Data Theft

“Every truth has two sides; it is as well to look at both, before we commit ourselves to either.”
– Aesop

Our client in this forensics case was a Wisconsin attorney who was defending a medical professional in a civil lawsuit. Their client stood accused by their former employer of systematically stealing extensive numbers of proprietary documents and supplying them to their new employer, a competitor.

According to the plaintiff, the ex-employee had transferred work-related documents from their business email to their personal Gmail account after deciding to leave for another job. The plaintiff went so far as to claim that the medical professional continued to transfer files to his personal account after he left employment and after his credentials on his former employer’s network were revoked.  That’s right: The medical professional here was accused of “hacking” back into his ex-employer’s network to obtain data.

The medical professional’s former employers used the “hacking” accusation as the reason to withhold a contractually obligated separation check.

The defendant openly admitted to forwarding emails between the two accounts while employed. However, they insisted that they had promptly deleted all the information they’d transferred upon quitting their job, and had not kept any proprietary documents to share with future employers. They argued that the “unauthorized” access to their former employer’s network after leaving employment had been a matter of their iPhone still being synced to their old work email account, and the IT department neglecting to terminate the account. They voluntarily ended the pairing on their iPhone.

Investigating Employee Data Theft with Tetra Defense

Indeed, these are two very different stories about the same set of circumstances.

Our task in this case was to carefully examine the defendant’s MacBook Pro, iPhone, and the contents of their Gmail account and to evaluate whether or not their claims were true. At Tetra Defense, formerly Gillware Digital Forensics, we’ve investigated plenty of cases involving potential employee data theft. Expropriation of proprietary documents or trade secrets is a big deal—especially if you’re in a competitive industry.

Many of our clients in these types of cases are employers who suspect that a former employee nicked some trade secrets on their way out the door. Sometimes our investigation proves their suspicions right; sometimes we prove their suspicions wrong. Here, for a change of pace, our client represented the one accused of data theft and not the accuser.

They hoped our findings could help to exonerate the defendant in a case that had already proven long, acrimonious, and stressful. Here in our digital forensics lab, we would see where the evidence led us.

Examining the Defendant’s Mobile Phone for Signs of Data Theft

Our first move was to look through the defendant’s iPhone. Unlike our last few mobile forensics case studies, this wouldn’t require any sort of creative disassembly to get into. This iPhone functioned perfectly, and our client had provided us with the passcode.

This was an iPhone 5S running iOS 10.1.1, which encrypts all data outside of the active file system. Our president Cindy Murphy, who oversees all of Tetra’s forensic investigations, performed logical and file system extractions from the phone, and examined the phone itself as well. Once we had extracted the phone’s contents, we could carry out a forensic examination. Using Cellebrite Physical Analyzer, we decoded, parsed, and filtered the email entries in the phone’s file system. Our investigation turned up no active files from within the time period in which the plaintiffs had claimed the defendant had been wrongfully transferring work-related emails to their personal account. We also verified that the defendant’s iPhone no longer had their work email synced to it.

Examining the Defendant’s Computer for Signs of Data Theft

Once we’d conducted our mobile forensics investigation, we moved on to the defendant’s MacBook Pro, removing and imaging its internal Hitachi hard disk drive. Our goal here, as with the iPhone, was to find traces of the defendant’s emails. Sifting through the hard drive’s contents, we found no sign that any email messages had traveled between the two accounts within the time period in question. We found no evidence that proprietary documents or information had been forwarded, copied to an external device, or printed. Nor did we find any evidence that specific documents mentioned by the plaintiff had ever existed on the hard drive.

Examining the Defendant’s Gmail Account for Signs of Data Theft

Now, with the defendant’s consent (and their credentials), we examined their Gmail account. Our findings matched with our findings on the other two devices—namely, there were no active emails fitting the plaintiff’s criteria.
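As an added illustration, not part of the case or of Tetra Defense’s own tooling: the kind of filter behind the phone, laptop and Gmail examinations above, run over an exported mail store to keep only messages that travelled between the two accounts, in either direction, with a Date header inside the contested window. The addresses, dates and messages are constructed placeholders.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample export of three RFC 822 messages. Addresses, dates and
# subjects are placeholders for this example, not data from the case.
SAMPLE_MESSAGES = [
    "From: Employee <employee@employer.example>\nTo: employee@personal.example\n"
    "Date: Mon, 03 Oct 2016 14:05:00 -0500\nSubject: Fwd: October schedule\n"
    "Message-ID: <m1@employer.example>\n",
    "From: employee@employer.example\nTo: employee@personal.example\n"
    "Date: Thu, 15 Dec 2016 09:30:00 -0600\nSubject: Fwd: Intake form template\n"
    "Message-ID: <m2@employer.example>\n",
    "From: friend@example.net\nTo: employee@personal.example\n"
    "Date: Tue, 20 Dec 2016 18:00:00 +0000\nSubject: Dinner?\n"
    "Message-ID: <m3@example.net>\n",
]

def utc(year, month, day):
    """Window boundary at midnight UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def addresses(msg, header):
    """Lower-cased addresses from a header, handling 'Name <addr>' forms."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, []))}

def find_transfers(raw_messages, work_addr, personal_addr, start, end):
    """Return (UTC date, subject, message-id) for every message exchanged
    between the two accounts, in either direction, sent inside [start, end)."""
    work, personal = work_addr.lower(), personal_addr.lower()
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # missing or malformed Date: flag for manual review
        if sent.tzinfo is None:  # a "-0000" zone parses as naive; treat as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        sent = sent.astimezone(timezone.utc)
        senders = addresses(msg, "From")
        recipients = addresses(msg, "To") | addresses(msg, "Cc")
        between = ((work in senders and personal in recipients)
                   or (personal in senders and work in recipients))
        if between and start <= sent < end:
            hits.append((sent.isoformat(), msg["Subject"], msg["Message-ID"]))
    return hits
```

Only messages still present in the export are seen, so an empty result speaks to active items, which is how the examinations above report their findings.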

We carried out our investigation securely and appropriately, with one of our engineers acting as a witness. Nevertheless, once we’d finished thoroughly examining the contents of the defendant’s Gmail inbox, we advised them to change their password.

Mobile and Computer Forensic Examination Results

Our findings across the defendant’s phone, laptop, and Gmail inbox were all consistent. What’s more, they were consistent with the defendant’s story as well. With our help, our client was able to settle the case in mediation. After a long, stressful, and acrimonious battle with their former employer, the defendant could finally move on.

Digital forensics isn’t just about catching the bad guys (although the case studies on our blog might skew a bit in that direction). Digital forensics is about ferreting out the truth. The story digital evidence tells will always, as long as it’s followed properly, lead to a clearer picture of the truth.

The defendant’s former employers, who fought the defendant tooth and nail under the impression that they had stolen company data, were misled by their own limited knowledge. They had followed the clues in their possession to a conclusion that was ultimately incorrect. Through careful and forensically sound analysis, though, our investigators here at Tetra Defense helped our client set the record straight.

Once the case wrapped up, our client, the attorney for the accused, had this to say:

I just wanted to let you know that we settled the Doe* case at mediation. The defendants have a little time to complete refinancing to fund the settlement. Thank you so much for all your help, I really appreciated it! It was very instrumental in helping us deflate their claims against Dr. Doe*. I will definitely keep you in mind should we have the need for any technology forensic work in the future.

(*Name changed to protect the innocent.)