HR! IT! Don’t Throw Away or Reuse that Ex-Employee’s Hard Disk

I run a computer forensics firm in London. I received a call the other day from a recruitment firm. They informed me that they were suspicious that an ex-employee might have been stealing data from their firm and using it to help aid their new company.

An hour later I arrived at their offices in central London expecting to find the laptop complete with a hard disk. The Lenovo laptop was handed over to me in the meeting room by a stern, eager-looking white-collar type. He was asking questions like “Will you be able to get anything back?” and “When you delete something, is it gone forever?” I reassured the director that some evidence should be on there even if the device has been formatted, but that I could not tell unless I took a quick look.

I attached the hard disk, now outside the computer, to a blocker to preview the disk and prevent my machine from making any writes to it. I saw that luckily the user profile of the culprit was still on the disk or in the ‘Windows Old’ folder on the root of the drive. This folder is created when a new installation of Windows is made, to store the old user data.

The head of IT looked on sheepishly as he morbidly foresaw the question ready to come out of my lips. I asked him, “Has the custodian’s drive been reused?” “Yes,” the client replied. I asked, “How long for?” “Two years,” he replied hesitantly. I sighed in disbelief, hoping no one heard me.

I continued the investigation from a forensic image I had made, so as not to harm the contents of the original disk. I managed to find fragments of documents, link files and an SQLite database for Chrome browsing, recovered from the unallocated clusters (deleted areas of the disk) and active areas in the ‘Windows Old’ folder, that indicated production of a contact list spreadsheet from an Act! contact database. The client database was then uploaded to the culprit’s Google Drive cloud account via Google Chrome. I had found the smoking gun!

I suggested that the IT department put some safeguards in place for the future. They should list the serial number of the disk and who it is in use by. Ideally, they should take the disk out of the laptop’s caddy and store it in an evidence bag somewhere safe. Another option is to hire a computer forensic expert to make a certified copy of the disk, verifiable by an MD5 hash sum. Prevention is better than cure, so safeguards such as blocking USB writing, CD burning and certain sites or exit points of data were implemented. Too many restrictions can hamper productivity, so there must be a balance between security and convenience.
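The record-keeping described above can be sketched in a few lines. This is an added example, not a tool used in the case: it hashes a disk image in chunks, stores the hashes with the disk serial number and custodian, and later re-verifies the copy. The field names, the placeholder serial and the extra SHA-256 hash alongside MD5 are assumptions, and the image is a small constructed file.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits in RAM

def hash_image(path):
    """Return (md5, sha256, size_in_bytes) for the image file at `path`."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha256.hexdigest(), size

def make_record(image_path, disk_serial, custodian, examiner):
    """Build the custody record: who used the disk, its serial, and the hashes."""
    md5, sha256, size = hash_image(image_path)
    return {
        "disk_serial": disk_serial,   # as printed on the drive label
        "custodian": custodian,       # the employee the disk was issued to
        "examiner": examiner,
        "image_file": os.path.basename(image_path),
        "size_bytes": size,
        "md5": md5,
        "sha256": sha256,             # assumption: recorded in addition to MD5
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def verify_image(image_path, record):
    """Return the fields that no longer match; an empty list means intact."""
    md5, sha256, size = hash_image(image_path)
    current = {"size_bytes": size, "md5": md5, "sha256": sha256}
    return [k for k, v in current.items() if record[k] != v]

def demo():
    """Constructed sample: image a tiny fake disk, then alter a single byte."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        with open(img, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample sector data")
        rec = make_record(img, "SERIAL-PLACEHOLDER", "Leaver A", "Examiner B")
        before = verify_image(img, rec)
        with open(img, "r+b") as fh:  # simulate a write to the stored copy
            fh.seek(10)
            fh.write(b"\x01")
        return rec, before, verify_image(img, rec)

if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("mismatches before:", before, "after:", after)
```

Keep the record somewhere other than alongside the image, so a change to one cannot be hidden by editing the other.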

Assets must be assessed not just on their material value but on the value of the intellectual property (IP) contained within. What damage would be done if that written-off, supposedly worthless £200 laptop got into the wrong hands? Suddenly it seems worth paying £400 to secure it.

Your company may have saved itself £70 on the price of a new hard disk but almost lost £1000s in lost business from other clients. Think before something is reused or valued only on its material retail price. It may cost you much more than you think. You must protect your assets.