Continuing our look at how company data escapes its rightful owners, aka insider-driven data theft, let’s explore another avenue of modern exfiltration: personal home servers and other online tools.
Beyond Dropbox: Personal servers as data funnels
Last week we touched on services like Dropbox and Google Drive. Today, we’re diving into a slightly more sophisticated method.
Some employees set up personal storage servers at home. They are often a bit more tech savvy, though this is increasingly within reach for just about anyone. Devices from Western Digital, Seagate, Synology and others are widely available. You can pick one up at Best Buy or even Wal-Mart.
These small network-connected boxes offer both local storage (to back up your home computers) and remote access, so you can log in from anywhere. That means from Grandma’s living room, you can show off pictures of the kids or pull up a tax document. Or, of course, you can send data there, like from your office.
Many of these devices integrate so easily that they assign themselves a drive letter. You can literally drag and drop files to your home server from your office computer. And if you’re working from home with your company laptop on a VPN, it’s just as easy to shuttle data directly to your own device.
Even Outlook emails can be saved out directly as files, with no need to forward them, and dropped right onto that home server.
Innocent… or not so innocent?
Why would someone go to these lengths? Sometimes it’s harmless:
- “Hey, I didn’t even realize I could do this!”
- Or: “It was just easier for me to work on this from home.”
Other times it’s more calculated. We’ve uncovered plenty of cases where someone thought:
“If I copy files this way, no one will be looking, everyone’s watching for USB drives.”
They aren’t wrong in thinking this leaves a different type of footprint. A few clever folks even resort to this because their IT department literally disabled USB ports, sometimes with epoxy. (Yes, that really happens.)
As Jeff Goldblum quipped in Jurassic Park:
“Life, uh… finds a way.”
When it comes to data theft, block one road and the truly determined will find another. But while the clues that USB usage leaves behind might not exist here, other digital breadcrumbs almost always do.
Modern operating systems are notorious for quietly leaving behind bits and pieces invisible to all but forensic eyes. The constant hunt for “more features and convenience” means security and privacy are often afterthoughts, if they’re considered at all.
Old tricks with new twists: webmail shenanigans
In the old days, many employees simply forwarded work emails (sometimes with attachments) to their personal Gmail or Yahoo accounts. That leaves plenty of evidence in the company’s systems:
- Sent items
- Metadata in the corporate email server
- Logging reports showing where emails were sent, often with the size of messages to indicate attachments.
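The mail-server logging described above can be reviewed with a short script that totals large messages sent from corporate addresses to personal webmail. This is an added example, not from the original post; the CSV log layout, the addresses and domains, and the 1 MB attachment threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a mail-gateway export: time, sender, recipient, bytes.
SAMPLE_LOG = """\
2024-03-04T09:12:00,jdoe@corp.example,client@partner.example,18432
2024-03-04T17:48:10,jdoe@corp.example,jdoe.home@gmail.com,7340032
2024-03-04T17:52:31,jdoe@corp.example,jdoe.home@gmail.com,9437184
2024-03-05T08:03:45,asmith@corp.example,asmith77@yahoo.com,2048
2024-03-05T18:20:02,asmith@corp.example,vendor@supplier.example,5242880
"""

PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}  # assumption: extend per policy
ATTACHMENT_BYTES = 1_000_000  # assumption: size that suggests attachments


def personal_forwards(log_text, corp_domain="corp.example",
                      personal=PERSONAL_DOMAINS, min_bytes=ATTACHMENT_BYTES):
    """Total large messages sent from corporate senders to personal webmail."""
    totals = defaultdict(
        lambda: {"messages": 0, "bytes": 0, "first": None, "last": None})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, sender, rcpt, size = row
        s_dom = sender.rsplit("@", 1)[-1].lower()
        r_dom = rcpt.rsplit("@", 1)[-1].lower()
        if s_dom != corp_domain or r_dom not in personal:
            continue  # only corporate -> personal webmail is of interest
        if int(size) < min_bytes:
            continue  # small text-only mail: keep it out of the review list
        entry = totals[(sender.lower(), rcpt.lower())]
        entry["messages"] += 1
        entry["bytes"] += int(size)
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
    # Largest total transfer first, so reviewers start with the biggest movers.
    return sorted(totals.items(), key=lambda item: -item[1]["bytes"])


if __name__ == "__main__":
    for (sender, rcpt), e in personal_forwards(SAMPLE_LOG):
        print(f"{sender} -> {rcpt}: {e['messages']} msgs, {e['bytes']} bytes, "
              f"{e['first']} to {e['last']}")
```
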
Nowadays, we see more nuanced tactics. For example:
- Log into a personal email, create an email to yourself with attachments, then save it as a draft.
- Later, from a different computer (maybe at home), log in again and download everything.
Because many forensic efforts focus on emails that were actually sent or received, this type of move is easy to overlook.
Forensics still finds a way
Modern webmail leaves a very different trail than it did years ago. Early on, logging into email generated a static HTML page listing your inbox, which left behind clear, easily recovered local copies.
Today, it’s more complex. The data is scattered in pieces all over the drive. Reconstructing a user’s inbox now often means pulling artifacts from multiple obscure locations, not just a neat “Temporary Internet Files” folder.
But it’s still very doable. Enough remnants usually exist to piece together entire emails or at least enough clues (like dates, recipients, partial content) to see what was happening.
When we can match this with other artifacts, such as USB logs, VPN logs, cloud storage evidence, or even fragments of deleted documents, we build a powerful case.
Coming up next
We’ll continue this discussion by diving deeper into how we develop the keywords and key terms we almost always use in our investigations. It’s a critical process that helps us sift through the digital noise to get to the heart of a case.
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.