1.866 LUCIDATA (582.4328) | info@lucidatainc.com
Leave nothing uncovered. Leave nothing to chance.

Dropbox Forensic Analysis

Case Study: Dropbox Investigation Confirms Intellectual Property Improperly Transmitted

A corporate client asked LuciData to assist with a potential Intellectual Property theft incident, involving a departing employee who left for a direct competitor. LuciData was initially provided with several pieces of digital evidence, including:

  • The departing employee’s personal home computer
  • The departing employee’s personal iPhone
  • Cryptographic hash values representing files that were suspected as having been taken

During the investigation, LuciData initiated several of its standard IP theft investigative procedures, including recovering both deleted and active Internet history fragments. During the review of this material, it was discovered that the departing employee had accessed the Dropbox file sharing website from his personal home computer around the time he resigned and left for the competitor.

Additionally, the iPhone we examined also had the Dropbox ‘app’ installed and we were able to recover the specific Dropbox account name as well as several filenames that were potentially still active inside the account.

Using this information, we asked our client to conduct a brief search of the corporate computer system the departing employee used before resigning, looking for reciprocal Dropbox activity. Our client confirmed that their corporate machine did in fact have the Windows PC Dropbox program installed. Based on the  information we had discovered to date, we believed we had sufficient evidence to compel the departing employee to provide credentials to the Dropbox account, allowing us to further investigate the disposition of our client’s IP.

Now armed with valid Dropbox credentials, we were able to capture several key pieces of information about the Dropbox account, including:

  1. All filenames currently active in the Dropbox
  2. All actual file contents from active files in the Dropbox
  3. All deleted filenames from the Dropbox (within 30 days)
  4. All deleted file contents from the Dropbox (within 30 days)
  5. Historical information about when files were added/deleted
  6. A list of specific computers and other devices that had been ‘associated’ with the Dropbox account

Using this information, LuciData was able to confirm suspicions that specific machines were used with Dropbox. We also performed a cryptographic hash comparison on the contents of the files stored in the Dropbox, and verified that several key files belonging to our client had indeed been uploaded to the Dropbox, without authorization.

Through our Forensic Analysis, we gained positive confirmation that IP theft had taken place through Dropbox; our client was able to pursue a remedy that ultimately preserved their interests and prevented further misappropriation of their trade secrets and other confidential information.