Investigating Data Theft, Term Paper Example
Background of the Case
Business organizations need systems that protect them from incidents that could endanger the confidentiality of the data on which their integrity rests. The case resolved here concentrates on email use. The organization has observed that an employee has been sending confidential data from the main server and email system to an outside email address [suspected to be owned by the same employee]. However, whenever the administrators look through the data system, everything appears to have been covered and hidden. The incident is believed to have occurred within the past 13 days. Given these circumstances, the following sections describe how the data theft investigation should be conducted so as to catch the employee and obtain the right evidence that points to him as the primary culprit behind the incident.
Nature of Investigation
Email, being suspected as the primary path used by the culprit to move files from the company’s server to an outside destination, requires a certain patience on the part of the person committing the crime. Besides that, the employee needs to know the usernames and passwords for the organization’s email account in order to access the data the organization holds in confidence. The suspect is also expected to have distinct knowledge of which data and files kept on the company’s server are confidential and of high value. Hence, he [or she] is expected to hold a position with access to all the needed data and the access credentials required to qualify as a suspect in the crime being investigated.
When using the company’s email account, the employee may have been working on the matter for several days already, as email file attachments are relatively small. Given this scenario, it would be impossible to move a large amount of data in a single operation. Hence, the suspect would have had to work at the same station several times over the past days [13 days, as suspected by the administrators]. With such repeated use of the same transfer path, there is bound to be a traceable record of activity on the computer used and/or in the traffic observed through the internet browser the company uses by default.
Indications of data theft could include the following:
- Bouncing emails from one particular email address to another, thus being marked as spam (Tanenbaum, et al, 1997):
Repeated large emails sent from one port to another are easily detected by the external system that manages email transfers. When such transfers are repeated, the email operators’ records alert the system, sending a note about possibly anomalous activity. Usually, the emails bounce back while also flagging the address from which the data is being sent (Tanenbaum, et al, 1997). At the other end, the email account used to transfer data from inside the company to an outside destination could receive flagged messages noting the user’s activities at a specific time and date.
- Large-scale search activity recorded on the file server system (Ross, et al, 1999):
The person sending files out through the email system would of course first search through the server. Every search performed on a data server is recorded (Ross, et al, 1999). Such traces may be cleared from history, but the company’s security system would act as a firewall against such unscrupulous acts of clearing or deleting traces from the server’s history records.
- Late-night or weekend working schedules (George, 2003):
To avoid suspicion, the suspect may request particularly odd work schedules, or may work overtime when no one else is around and use that time to send out the data [he/she] needs to transfer.
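The first and third indicators above can be checked mechanically against a mail gateway’s outbound log. The following added example (not from the paper) scores constructed log lines for repeated large attachments from one internal account to one external address inside the 13-day window and counts how many of those transfers fell outside assumed business hours; the log format, domain names, size threshold and repeat count are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_DAYS = 13             # suspected period named in the case
LARGE_BYTES = 5 * 1024 ** 2  # attachment size treated as "large" (assumed threshold)
MIN_REPEATS = 3              # repeated transfers before a pair is flagged (assumed)
INTERNAL_DOMAIN = "corp.example"  # assumed company mail domain

# Constructed mail-gateway log: one outbound message per line (not a real log format).
SAMPLE_LOG = """\
2024-02-20T23:00:00 from=j.doe@corp.example to=jd.private@mail.example size=9500000
2024-03-01T22:41:10 from=j.doe@corp.example to=jd.private@mail.example size=8123456
2024-03-02T09:15:02 from=a.lee@corp.example to=partner@vendor.example size=120000
2024-03-03T23:05:44 from=j.doe@corp.example to=jd.private@mail.example size=9000000
2024-03-09T02:12:30 from=j.doe@corp.example to=jd.private@mail.example size=7500000
2024-03-10T11:00:00 from=a.lee@corp.example to=a.lee@corp.example size=6000000
2024-03-12T11:30:00 from=j.doe@corp.example to=jd.private@mail.example size=8800000
"""

def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, size_in_bytes)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["from"], kv["to"], int(kv["size"])

def off_hours(ts):
    """Weekend, or before 07:00 / from 19:00 on a weekday (assumed business hours)."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19

def flag_exfil_candidates(log_text, now_iso):
    """Summarise internal senders that repeatedly mailed large attachments to one external address."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=WINDOW_DAYS)
    internal = "@" + INTERNAL_DOMAIN
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        ts, sender, rcpt, size = parse_line(line)
        if ts < cutoff or size < LARGE_BYTES:
            continue                     # outside the window or not a large transfer
        if sender.endswith(internal) and not rcpt.endswith(internal):
            pairs[(sender, rcpt)].append((ts, size))
    flagged = {}
    for (sender, rcpt), events in pairs.items():
        if len(events) >= MIN_REPEATS:
            flagged[sender] = {
                "recipient": rcpt,
                "count": len(events),
                "total_bytes": sum(size for _, size in events),
                "off_hours": sum(1 for ts, _ in events if off_hours(ts)),
            }
    return flagged
```

The summary gives the investigator the repeat count, total volume and off-hours share for each sender/recipient pair, which is the pattern the paper says should be cross-referenced against work schedules.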
Finding the right person to fit the profile of a data thief requires cross-referencing the patterns of behavior each employee presents, especially in relation to their desire to leave the company or simply to sell some of the organization’s confidential information to a competitor in the industry (George, 2003). Experience has shown that data thieves often steal data at least weeks or months before resigning from an organization [hoping to get away before the theft can be detected by the admin].
Procedures to take into Account
Looking through data records and history is the primary procedure to be taken into account when establishing a case of data theft. More often than not, to cover their trail, data thieves delete the details of their email activities immediately, making the organization’s historical database records appear clean. There are, however, some remnants that are not easily deleted (Ross, et al, 1999); because of the massive amount of data cleared from history, the repeated clearing is sometimes bound to fail, leaving a trail that shows which details were left behind and supports the case that certain data was stolen from the company’s server or database.
Checking temporary file logs, such as the metadata system that shows recent access and activities on a computer system, makes detecting possible data theft much easier. The temporary file log system also gives a distinct indication of which files have been used recently. These key documents show which specific data have been used, accessed, downloaded or uploaded within the system. Unlike other activity logs, which are often cleared by the data thief, the data noted in the temporary registry system is more often than not forgotten and left uncleared by the suspects.
Another aspect to consider is the possibility of large files being compressed into zip files for faster transfer. Remote access logs usually show which files were compressed [repeatedly] and which of these compressed files were sent out of or downloaded from the system (Prosise, 2001). Checking the remote access logs can indicate what time the activities occurred, what path was used for the transfer and how long the transfer took.
Given the procedures to be taken into account in this investigation, it is important to note the several primary points that constitute its main purpose:
- To identify which of the data kept in the organization’s database have been passed out of the system to another remote destination
- To determine what method was used to steal the data and how the data thief’s timing identifies him as the suspect in the incident
- To reduce, where possible, the damage caused by the data theft by controlling the distribution of the stolen data
- To determine who the real suspect is and to have him or her face the consequences of the actions committed
- To improve the company’s database protection system to make sure that data theft does not happen again in the future
These goals pertain not only to solving the issue at hand but also to creating a more viable system that would help the company protect the confidential files essential to its standing and to the way it operates in the industry. Notably, this approach shall establish a more secure operation that prevents any employee from abusing their authority to decide how the business’s data is used and distributed beyond its control.
Tools to be used for Investigation
Restoring data [especially where the suspect has already cleared several pathways that could identify the type of activity that occurred in the system] may be necessary (Prosise, 2001). In this case, it is important to have a data recovery program that can retrieve lost data from a specific system. Its role is to recreate the path that crashed and retrace the activities that occurred on a specific computer system. By mounting the system drive, data-recovery software can re-establish the original status of a particular server [including the details of the activities registered on the server before it crashed or before everything was deleted intentionally] (Casey, et al, 2008).
In relation to the case being investigated, there is a possibility that the suspect thoroughly tried to clean the path of his acts, thereby compromising the system or the disk partition of the entire server’s OS (Casey, et al, 2008). When this happens, data may not be easily read by the recovery operation. Nevertheless, specialized data-recovery software may be able to retrieve the data [although it may not return the data completely to the original state of the system] (Prosise, 2001). For deleted files or deleted records of activity history, it should be noted that deleted files do not immediately leave the system completely (Casey, et al, 2008). They remain in areas of the disk that are to be overwritten in the future. If the suspect has not cleared that path yet, fragments of the deleted data could still be recovered in full for reference.
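As an added illustration of the point that deleted files linger until overwritten, the following example (not from the paper) carves an intact ZIP archive out of a constructed raw image by scanning for the ZIP local-file-header and end-of-central-directory signatures and validating each candidate’s member CRCs; the image, the archive and its contents are all constructed for the illustration.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HDR = b"PK\x03\x04"   # local file header signature
ZIP_EOCD = b"PK\x05\x06"        # end-of-central-directory signature
EOCD_MIN_LEN = 22               # fixed EOCD size; comment length sits at offset 20

def build_sample_image():
    """Constructed raw 'image': filler around one ZIP whose directory entry is gone."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("customers.csv", "id,name\n1,Example Customer\n" * 50)
        zf.writestr("pricing.txt", "CONFIDENTIAL pricing sheet (constructed)")
    archive = buf.getvalue()
    filler = bytes((i * 37) % 251 for i in range(4096))  # contains no PK signatures
    return filler + archive + filler, archive

def _valid_zip(blob):
    """True only if every member's CRC checks out, not merely the trailing record."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.testzip() is None
    except Exception:  # truncated or bogus candidates raise assorted errors
        return False

def carve_zips(image):
    """Return every byte range in `image` that is a complete, intact ZIP archive."""
    carved = []
    pos = image.find(ZIP_LOCAL_HDR)
    while pos != -1:
        end = None
        eocd = image.find(ZIP_EOCD, pos)
        while eocd != -1 and eocd + EOCD_MIN_LEN <= len(image):
            comment_len = struct.unpack_from("<H", image, eocd + 20)[0]
            stop = eocd + EOCD_MIN_LEN + comment_len
            if _valid_zip(image[pos:stop]):
                carved.append(image[pos:stop])
                end = stop
                break
            eocd = image.find(ZIP_EOCD, eocd + 1)  # false EOCD inside compressed data
        pos = image.find(ZIP_LOCAL_HDR, end if end is not None else pos + 1)
    return carved

def carved_member_names(image):
    """Member names of each carved archive, for the investigator's report."""
    return [zipfile.ZipFile(io.BytesIO(z)).namelist() for z in carve_zips(image)]
```

Once the archive’s blocks have been overwritten the signatures are gone and nothing is carved, which is why the paper stresses imaging the drive before the suspect’s clean-up completes.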
Once all these procedures have been carried out and results gathered, the employee whose ID or work schedule tallies with the data recovered from the system should be given attention and specifically investigated. Such investigation shall then involve character referencing, behavioral reporting and an analysis of why and how he committed the data theft.
Based on the investigation procedures noted in this discussion, modern computer forensics makes it possible to pinpoint how a particular data theft occurred and who actually did it. With strong data-based evidence, investigators can identify how a particular situation occurred, why it occurred and how it could be prevented in the future. In highly digitalized operations, data theft suspects are in no way excused from becoming known to their victims through proper investigation conducted by applying proper computer forensics operations.
References
Tanenbaum, A. & Woodhull, A. S. (1997). Operating Systems: Design and Implementation (2nd ed.). New York: Prentice Hall.
Honan, M. (2012, November 15). “Kill the Password: Why a String of Characters Can’t Protect Us Anymore”. Wired.com (Condé Nast).
Casey, E. & Stellatos, G. J. (2008). “The impact of full disk encryption on digital forensics”. Operating Systems Review, 42(3), 93–98.
Ross, S. & Gow, A. (1999). Digital Archaeology? Rescuing Neglected or Damaged Data Resources. Bristol & London: British Library and Joint Information Systems Committee.
Mohay, G. M. (2003). Computer and Intrusion Forensics. Artech House. p. 395.
Prosise, C. (2001). Incident Response and Computer Forensics (2nd ed.). Jossey Bass Publications.