As noted by Phil Beckett in 2016...

Data is the lifeblood of most modern-day organizations. Email, infographics, databases, presentations, payroll systems, audio, video and spreadsheets are just a sampling of the types of data that make up a business entity. The challenge with data is that it is portable, easily manipulated and relatively effortless to duplicate. Countless organizations are exposed to data theft, whether from a “planted” mole, a disgruntled employee or someone trying to get a leg up in his or her new position. How organizations prepare for, protect against and respond to an incident involving critical infrastructure is vital to their sustainability.

Preventing an attack on business data outright is almost impossible, although data loss prevention systems, if implemented and managed effectively, can make the thief’s task a lot more difficult. When it comes to responding to a situation, which can include seeking appropriate legal advice, the most important task at hand is to secure any and all evidence in a forensically sound manner. This will undoubtedly include the computer used by the suspects, but the process should also extend to relevant network logs and smartphones, if legally obtainable. The key phrase above is “forensically sound” — this ensures not only that a complete copy of every data element on the device is captured, and can therefore be interrogated, but also that the evidence can be used in any subsequent legal proceedings and stand up to appropriate scrutiny.

Once the data has been secured, it is the investigator’s job to piece together any intelligence or evidence that may reveal what actions were undertaken and whether these actions support or refute any suspicions. Normally the investigation focuses on 1) what activities the individuals had undertaken on the computer and 2) whether any data had been transferred off the computer in an unauthorized manner. Therefore, a key focus in a typical investigation is to look for the use of webmail to send attachments and the use of external USB devices, as well as to profile which files and folders were accessed in the days leading up to the suspicious activity.

However, we have found that vital data can also lurk outside of these “normal” places. Below are three examples of where the investigation has gone further than the norm and has been instrumental to the case.