Is my top talent leaving with our company data?

When an ex-employee steals data and tries to pass the information to a competitor or use it to start their own business, it can be a race against the clock to identify exactly what data was taken. This is the situation which one of our clients faced, and we were able to help them through the process of identifying and removing their stolen data from their competitor’s systems. Here’s how we did it:

Step 1: Forensic Data Collection & Initial Analysis

When our US client’s former employee left, the company suspected that they had taken sensitive and proprietary company data with themThe company alerted counsel and got us involved. We immediately began the process of forensically imaging the ex-employee’s laptop and work phone, collecting emails, file shares, messages and associated log files. We performed an initial analysis on the collected data using forensic tools and identified that a USB device had been plugged into the ex-employee’s laptop for four hours on the day before they left the companyDuring that same time window, the ex-employee had accessed sensitive documents on the file share and taken a local backup of their email.  At this stage, we could not be sure that this data had been copied to the USB; however, things did not look good for the ex-employeeAll signs were indicating theft of company data. 

Definition Forensic Analysis

Step 2: Analysis and Retrieval

We notified the client and counsel of our initial finding and counsel were able to order the ex-employee’s USB devices to be handed over to us for further analysis.  We analysed the USBs and found the stolen documents.  

We then had to determine two questions:

 1. Did the ex-employee share this information with anyone else?  

2. Did the ex-employee access the USB from any other devices?

In order to answer these questions, we imaged the ex-employee’s personal laptop to look for indications that they had copied the data to this device or to online file sharing systems (such as DropBox, Gdrive etc.) or had shared the information with others via email, social media, blog posts etc.  In this instance, the data had not been shared further and remained on the USB devices.  However, we did determine that the former employee did plug in the USB devices into his personal computer and did review some of the client’s data that he stole. 

By looking at several pieces of evidence, the Orbital team were able to build a picture of the ex-employee’s intent to distribute the data.

Step 3: Forensic Deletion

Once we had identified the stolen data, our final step was to ensure that it was forensically deleted.  This means that we wiped the ex-employee’s USB devices clean of any traces of the stolen data, ensuring that the data could not be accessed again. 

Top Tips


Data theft is a serious issue that can have severe consequences for businesses.  Companies can take proactive measures to prevent theft of data by having proper procedures in placeIf you or your company suspects that company data has been taken, it is crucial to act quickly and to work with experts in this field to ensure that the data is collected and analysed in a forensic and defensible manner.

Translate »