Computer Forensics Case Study: IP Theft


The expertise of a qualified digital forensics examiner is needed to recover valuable evidence in cases of IP theft.

Nowadays almost every staff member in a large office will have access to one or several computers, and potentially to hand-held and mobile devices as well. In addition, company personnel will be able to use external peripheral devices, examples of which are memory sticks, printers and external hard drives.

The opportunities for staff to misuse these devices range from excessive personal use, through wasting company time, to theft of sensitive company data.

If misuse is suspected, it is vital that the company acts correctly, as digital data are fragile and a wrong move can actually change the data and compromise the case. The services of a qualified digital forensics examiner are required.

THE CASE: The sales manager of a large IT company handed in his notice, claiming that he was going to set up his own business in direct competition with his current employer. He took three months' garden leave as per the terms of his contract.

Several months later, the company became aware of a gradual fall in revenues. Further analysis revealed that an increasing amount of business was lost to their former sales manager's new company.

The risk manager, who had experience of digital forensic examinations, prevented the IT department from examining the suspect's laptop. This is because any attempt by an individual who is not a qualified digital forensic examiner to investigate the device can potentially destroy vital evidence. Even the act of turning on a laptop can compromise the data contained within it, and contaminate the 'digital trail'.

WHAT CCL DID: The risk manager contacted our computer forensics specialists, and was given advice on the best way to handle the device. A security-cleared driver was dispatched to collect the laptop, which was immediately placed in a sealed evidence bag to begin the process of maintaining the integrity of the evidence.

The digital forensic examiner took a forensic image of the laptop, which allows the analyst to work on an exact copy of the original device without it having to be switched on. The forensic image contains data about installed programs, live and deleted files, metadata, internal log files, registry entries - in short, there is the potential to recover records of almost any activity that took place on the device.

THE OUTCOME: The digital forensic analyst was able to determine that approximately 30 minutes before the former employee resigned, he copied tens of thousands of records from the CRM system onto a memory stick.


Author: Regular Articles
Nathan is a digital forensics specialist at CCL Group - the UK’s leading supplier of digital forensics, including: computer forensics, mobile phone forensics and cell site analysis services, for more information visit