Using Computer Forensics to Manage the Internal Threat


Even in the most mundane positions, employees can have access to company networks that will allow them to steal data. Smart business owners take measures to protect themselves from data theft—by recently terminated employees as well as current staff.

While smart policies and updated technology will prevent casual data theft, determined employees will still steal data. That's where computer forensics can help.

In order to recover damages or file criminal charges against a current or former employee, a company must first prove that the theft originated from their systems. Computer forensics experts can find and document instances of an employee's improper conduct using specialized techniques, software, and hardware.

Researchers at the Center for Identity are investigating ways in which data lapses like these happen and what companies can do about them. Read on for our best practices on using forensics to deter and catch data thieves.

Burden of proof.

A company suffering data theft can only recover damages by proving two things:

  • The employee took information without permission
  • The stolen information caused harm

Computer forensics experts can determine whether an employee connected a device such as a removable USB card or created a CD that contained confidential data. An expert should be able to identify:

  • The make, model, and serial number of a USB card
  • When a storage device was first connected
  • The last time a storage device was used
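As an added illustration (not part of the original article), the sketch below shows where make, model, serial number and first-connection time can come from on a Windows system: the driver-installation log `setupapi.dev.log`, which records a section for each newly installed device. The sample log text and the function name are constructed for this example. Last-use times come from other artifacts and are not covered here.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log layout (Windows Vista and later).
# Device names, serial numbers and timestamps are invented; times are local time.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\AA00000000000123&0]
>>>  Section start 2024/03/04 09:12:33.481
<<<  Section end 2024/03/04 09:12:35.010
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\5&1a2b3c4d&0&2]
>>>  Section start 2024/03/05 08:00:01.000
<<<  Section end 2024/03/05 08:00:02.000
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\AA00000000000123&0]
>>>  Section start 2024/03/11 17:45:02.120
<<<  Section end 2024/03/11 17:45:03.900
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Storage&Rev_0.01\7&2f3e4d5c&0&0]
>>>  Section start 2024/03/12 10:00:00.000
<<<  Section end 2024/03/12 10:00:01.000
"""

HEADER = re.compile(r"^>>>\s+\[Device Install .*? - USBSTOR\\Disk&Ven_([^&]*)"
                    r"&Prod_([^&]*)&Rev_([^\\]*)\\([^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")


def usb_storage_first_installs(log_text):
    """Map each USB storage instance ID to make, model, serial and first install time."""
    devices, pending = {}, None
    for line in log_text.splitlines():
        if line.startswith(">>>") and "[" in line:
            # New install section: remember it only if it is a USB storage device.
            m = HEADER.match(line)
            pending = m.groups() if m else None
            continue
        s = START.match(line)
        if not (s and pending):
            continue
        vendor, product, revision, instance = pending
        when = datetime.strptime(s.group(1), "%Y/%m/%d %H:%M:%S")
        # '&' as the second character means Windows generated the ID because the
        # device reports no unique serial number, so it cannot identify one unit.
        generated = len(instance) > 1 and instance[1] == "&"
        rec = devices.setdefault(instance, {
            "vendor": vendor, "product": product, "revision": revision,
            "serial": None if generated else instance.rsplit("&", 1)[0],
            "first_install": when})
        rec["first_install"] = min(rec["first_install"], when)  # keep the earliest
        pending = None
    return devices


if __name__ == "__main__":
    for inst, rec in usb_storage_first_installs(SAMPLE_LOG).items():
        print(inst, rec)
```

In practice such parsing is run against a forensic copy of the drive, never the original, so the evidence itself is not altered.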

Forensics can also identify if data was deleted (and often can even recover the deleted information). The trails left by printing a document and searching the web can also provide key information about the theft or even constitute direct evidence.

Dental Health Products, Inc. v. Ringo shows how computer forensics can be used in such a case. Frank Ringo was accused of stealing confidential information from his employer. He had been issued a laptop by his employer, which allowed him access to highly confidential information about customers, business practices, negotiating strategies, and sales reports. In July 2008, Ringo's employer noticed that his sales were declining; Ringo submitted his resignation soon after. That same month, his employer learned that Ringo was associated with a direct competitor.

Upon the return of Ringo's laptop to the employer, computer forensics revealed that Ringo had installed and used special software to copy the entire contents of the computer onto an external hard drive. The court found that the plaintiff had presented enough evidence to find Ringo guilty of the misuse of his employer's trade secrets.


If an employee has robbed your company of valuable data, computer and mobile forensics experts are your best tools for recovery.

  • A company suffering data theft can only recover damages by proving that the thief took information without corporate permission.
  • Computer forensics experts use specialized hardware, software, and techniques to pinpoint data theft.
  • Mobile forensics targets devices like the iPhone, the Blackberry, or Android devices. Data such as voicemails, emails, contacts, and call logs—even those deleted by the user—can be recovered and used as evidence.
  • A cost-effective way to hedge against theft by departing employees is to make a forensic copy of the computer or mobile device. This “mirrors” the stored information, leaving the company free to reuse or alter the device but maintain potential evidence.

Mobile forensics.

An emerging discipline is mobile forensics, which targets smart phones such as the iPhone, the Blackberry, or Android devices. These contain information that can provide significant insight on what an employee was doing leading up to the theft of data—and might also provide direct evidence of the theft.

As an example, a forensics investigation of an Apple iPhone will generally result in the recovery of 50,000–60,000 files, most of which the user never knew existed or thought they had deleted. For the iPhone, recoverable files include:

  • All voicemails ever left on the phone
  • All emails ever sent or received
  • Data users often believe is deleted—including text messages, contacts, call logs, and pictures

The blending of modern smart phones with GPS technology can also pinpoint a departing employee's location at a particular date and time. Of course, privacy implications must be thoroughly vetted, but lawyers should be aware of the data available if a company employs the services of a qualified computer/mobile forensics expert.

Preserving the evidence.

Information gathered during a forensic investigation can provide crucial evidence that enables the employer to seek legal redress—including monetary damages or an injunction—from an employee's data theft. Unfortunately, many employers do not realize an employee has taken confidential information until weeks or months have passed. If the former employee's computer is reused or altered by the company, the value of the evidence uncovered is severely diminished.

When deciding whether to forensically preserve a departing employee's computer, consider that employee's access to confidential data. One cost-effective precaution is to make a forensic copy of the hard drive or mobile device. Should suspicions arise in the future concerning theft of confidential information (or a number of other potential matters), the results of a forensic examination conducted on the hard drive “mirror” will be valid.

What is IDWise?

Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy. IDWise offers clear and accessible resources to empower citizens—both online and offline—to be better informed and make smarter choices to protect their personal information.
