The Newberry Group Blog

Archived Categories

Sort By: Title   |   Blog Date
Wednesday, May 04, 2016

When The Threat Strikes. Part 2 of a 6 Part Blog Series

As I mentioned in my first blog post, the internal threat is very real and it strikes ALL companies. (Yes, even forensic companies that investigate internal threats.)  The smallest company that I have identified theft of IP during employee departure had 5 employees.  The largest client was a Fortune 100 company whose name all you would instantly recognize.  Even forensics companies are not immune. When I was the CEO at LuciData, I had a former forensic investigator leave and “take” IP with him to start a competing company. It happens all the time.  Numerous articles quote statistics that over 50% of departing employees take IP when they leave.

50% is a pretty large percentage of people.  Think of how many employees have left your company.   Think about what information they had access to.  Now assume that 50% did actually take information and brought it to a competitor. What would a competitor be able to do once they got their hands on that data?  What would the impact be to your company should that happen?  Loss of revenue, loss of competitive advantage?

Theft of your IP has happened to you with or without your knowledge. It might be happening right now and you don’t know it. In this blog and other blogs to follow; I am going to step through two examples of internal theft: an internal employee working at the office and a home based employee that was granted remote access to the network. The blogs will address what was done right and what could have been done better. 

There are always lessons to learn with departing employees, and most of those lessons deal with controlling your data better.

Internal Employee Case Study:

This was not the first time that our client had called us to investigate a potential theft of IP from a departing employee.   We had put in place a protocol to cover the first initial steps to investigate any departing employee that they suspected of taking IP.

As with all the other cases with this company, a “key employee” had departed, moved across the country to work for a competitor.  What caused our clients suspicion was that the competitor did not have a marketable “product” like the employee had been working on for our client, but the competitor was trying to get a foothold into that space.  The data that this employee had access to was incredibly valuable to the competitor.

As we were completing the initial first steps of the protocol and started digging into the data, there were red flags that we discovered that started to raise questions for us.  The first red flag we found was the sheer number of USB devices that had been used on the computer; including a few devices that were used during the last few days of his employment with our client.  While devices used on the last few days of employment don’t always point to a problem, for some of these devices, it was determined that it was the first time that they had ever been used.

The next red flag we saw was that a special folder sync function had been run.  This function was setup to sync multiple folders from the employee’s computer to what was labeled as “other device”.  This meant that it could sync to something like a network share or to a USB device, basically anything that wasn’t internal to the computer.

What was helpful to us was that this sync function left a log of the folders that it was syncing with, along with the last time that the sync took place.   Unfortunately, the folders that were synced were deleted by the former employee. Not to be deterred, using our forensics capabilities, we were able to recover the deleted folders and found just over 2,500 files in those folders that had been synced to other devices.  A copy of the recovered files list was given to the client to review and determine the “value” of the data.  We determined that most of the files contained documents that had “confidential” or “internal use only” written on the documents, leading us to believe these indeed would be very valuable documents to a competitor – a fact that was quickly confirmed by the client.. Our client asked us to immediately start working on determining if we could tell them where these documents went to (other devices, network share etc.)

Using time information from both the USB and the sync function logs we were able to determine that the data went to one or two USB devices on the same day the employee turned in his resignation notice.  We were able to determine the common name of the USB devices (like one gigabyte SanDisk) and we also had the serial number of the devices we could now start searching for.  This information was given to our client so their Information Technology department could determine if the devices still resided in the former employee’s office or some other place within the company.  When it was determined that the company did not have possession or access to these two USB devices and that the former employee most likely took them when he left, we helped our client’s counsel write the request for the former employee to turn over all USB devices that he used while employed at the company on that computer.  Based on our initial USB analysis, we were expecting 24 USB devices to be turned over.  With that request, the hunt for stolen IP began in earnest.

Home Based Employee Case Study:

In this case, we have a home based sales employee that was allowed to use his own personal computer for work purposes. His request to use his home based computer was granted by management even though it was in violation of company policy.  Because his personal laptop was a Mac, a request was made by the employee for a virtual machine partition to be placed on the machine so that he could use “normal” Microsoft Outlook for work related email. Again, a request granted by management and a violation of company policy.

When the employee left our client’s employment to go to work for a competitor, the company wisely asked for his computer to “image” it to make sure they had access to his email that was in the virtual partition.  However, this image was not a traditional forensic image. Luckily the image did capture all the data on the disk; which included all the Mac data and all the data in the Windows virtual machine.  Confident that they now had a copy of his email allowing them to answer any customer questions that might arise, they returned his personal computer back to him without deleting the virtual machine that contained years of corporate email.  They put the image on the shelf and did nothing with it.

Shortly after this first resignation, a 2nd sales employee resigned.  This employee was going to the same competitor as the first employee that left and this employee would reportto the first employee.  Concern was rising that something nefarious might be going on as the competitor they went to work for was the number one competitor of our client.  Losing both of these top sales people, was a grave concern in the very tight market that both these companies were in.  For the purpose of this blog post and so we can keep them straight, we will name the home based employee with the Mac, Bob and the employee that left second, Steve.

We were sent the work computer (which was a Windows computer) from Steve and we were sent the image of the home Mac computer that Bob used for work.  We initiated our departing employee protocol to determine if there might have been any visible signs of solicitation and to determine if any confidential data may have been taken by either of them.

While we did find signs that they were both communicating with each other, we didn’t find any signs that Bob asked Steve to leave and bring data with him.  At that point, our investigation turned strictly into theft of IP and we began to look at each of them individually.

Investigating both former employees’ computers, we determined that they both had USB drives hooked up to their computers.  Both of them used those USB drives on their final days of employment.  There were also signs that data may have been transferred over to those devices.  We worked with our client and their legal team to request that Steve hand over all the USB drives that he had used during his employment. This process was pretty straight forward with Steve’s computer, Bob and his computer was another story.

As we mentioned, Bob used his personal laptop for work.  This a machine was also used by family members.  Because of this, we were not completely sure the best way to ask for access to the devices, given the high likelihood that we would not be granted access to family member’s devices unless we could clearly prove that data had been transferred to that specific device.  This computer had been used for years and not only were there traditional USB storage devices that had been hooked up to it, but there were also iPhones, iPads and iPods that had been attached to this machine.  These devices, while traditionally used for other reasons, also have the ability to store data. 

Which devices were his, which belonged to his wife’s and his kids?  As the investigation continued into Bob’s computer, we started to notice references to network storage devices, like network attached storage (NAS) and references to Apple’s Time Machine backup, which appeared to backup his entire laptop.  Remember, Bob had the virtual machine that contained all his work email containing confidential information on this machine.  We realized that the work email was in the Time Machine backup, so we had to make sure to request access to that backup as well.  As it was becoming clear the type of home network that Bob had established, we realized that one of his NAS devices was syncing on a regular basis with his Mac.   If you are able to follow the trail - we now know that work email is stored in at least three locations – on his personal Mac in the company provided VM, the Time Machine Backup and on the NAS. 

We gave our client a file list of some of the files on the Mac image that contained the word “confidential”.  We handed over copies of documents, spreadsheets, PowerPoints and PDFs for them to look through.  It was quickly determined by our client those files were very key to the company, and Bob should never have been allowed to leave with that data still on his personal Mac that he used for work.  Like with Bob’s email, we were assuming that these files containing the documents, spreadsheets, PowerPoints and PDFs etc. were also on the Time Machine Backup and the NAS and potentially other USB devices.

At that point, the lawyers knew what we needed access to, but with Bob’s non-traditional home network this wasn’t going to be your normal legal request. This was going to be a case with many unexpected twists and turns.

Hurry up and wait.

As with all cases, once we find that IP may have been taken during employee departure we provide our reports, declarations and/or affidavits.  The lawyers then take over and it is hurry up and wait while the legal process runs its course.  Stay tuned to the next blog post to see what happened with these legal requests and the corresponding TROs (Temporary Restraining Order).

Newberry Group has services that can support all of your needs in these areas.  Our experienced team can conduct investigations that cover both the departing employee as well as the new hire for a fraction of the cost that you could incur should the examples above play out.  Our Departing Employee Program is a fixed fee program that consists of defined computer investigation service packages that identify and report on employee data activity. The packages vary as to scope and cost in order to provide you with a level of assurance proportionate to the value of the employee and the access that the employee had to your IP.

Our Incoming Employee Package consists of 2 services. 1st, it verifies that policies and procedures are appropriate so new employees understand that under no circumstances should any IP from previous employers be brought with them.  2nd, at a predetermined time (usually 30-60 days after the employees start date), we will check the new hire’s drive for signs of external IP.  If data is found, you can take immediate steps to remediate the data before any litigation commences. 

For more information on these services as well as other Forensic-related services we offer, please visit our website at or email us at

 Next Blog:  Temporary Restraining Orders (TRO)

Posted by: Jerermy Wunsch
 | permalink

Leave a comment
*First Name  *Last Name 
*Email Address
*Type the code below into the textbox.