You’ve got your digital forensic images, now what?

So you’ve taken the right steps. You’ve secured the device, created a forensic image, and confirmed its authenticity by verifying the hash values. Now it’s time to process the evidence.
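Hash verification in concrete form, as an added example (not Swailes' code or any imaging vendor's): one pass over a raw image computing MD5 and SHA-256 together, compared against the digests recorded at acquisition. It assumes a raw (dd-style) image; the one-megabyte sample file, its acquisition record and the file names are constructed for the example. One caveat that trips people up: an E01 container stores the hash of the acquired data, not of the .E01 file itself, so hashing the container with a general-purpose tool will never match. Verify the decoded stream instead (libewf's ewfverify, or the acquisition tool's own verify function).

```python
"""Verify a raw forensic image against the hashes recorded at acquisition.
Added example, not Swailes' or any imaging vendor's code; the sample image is constructed."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads: a multi-hundred-GB image must never be loaded whole


def hash_image(path):
    """Single pass over the image computing MD5 and SHA-256 together, since
    acquisition logs commonly record both and the disk read is the slow part."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "bytes": size}


def verify_image(path, recorded):
    """Compare every digest in the acquisition record with the image on disk.
    Hex case is normalised (tools differ), and a single mismatch fails the whole check.
    Returns (ok, computed_digests) so the computed values can go in the report."""
    computed = hash_image(path)
    ok = True
    for algo, want in recorded.items():
        got = computed.get(algo.lower())
        if got is None or not hmac.compare_digest(got, want.strip().lower()):
            ok = False
    return ok, computed


def demo():
    """Constructed sample: a 1 MiB 'image' and its acquisition record, then the same
    image with one byte altered. Returns (verified_ok, tampered_ok)."""
    data = bytes(range(256)) * 4096
    record = {"MD5": hashlib.md5(data).hexdigest().upper(),  # upper-case hex, as some tools log it
              "sha256": hashlib.sha256(data).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "evidence.dd")
        with open(good, "wb") as f:
            f.write(data)
        tampered = os.path.join(d, "evidence_tampered.dd")
        with open(tampered, "wb") as f:
            f.write(data[:-1] + b"\x00")  # last byte was 0xFF
        ok_good, digests = verify_image(good, record)
        ok_bad, _ = verify_image(tampered, record)
    assert digests["bytes"] == len(data)
    return ok_good, ok_bad


if __name__ == "__main__":
    print("verified:", demo())  # (True, False)
```

Record the computed digests, the tool and version, and the time in the case notes alongside the acquisition hashes; the comparison is only evidence if both sides are written down.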

How that happens depends on the type of matter at hand. But for our purposes here, let’s stick with a very typical scenario:

An employee with access to your company’s trade secrets, intellectual property, or other critical data leaves abruptly.

They used a company-issued laptop running Microsoft Windows.

This is the bread and butter of what we handle daily, so let’s walk through it.


Loading and indexing the evidence

We’ll start by loading the forensic image into one of our digital forensic programs. A common favorite is AccessData’s Forensic Toolkit (FTK).

Why index?

  • The index is built once, up front. After that, a search for a specific term (a client name, a phone number, a project code) is a lookup in the index rather than a fresh pass over the drive, so results come back in seconds.
  • Without an index, every new keyword means reading the entire image again, which can take hours on a large drive.

A quick story from the trenches:
When I first started in this field (back in 1997), I was using Guidance Software’s EnCase. Every time we needed to search a new keyword or concept, we’d run a fresh search, which meant waiting hours each time. EnCase has long since improved its indexing, but I still lean toward FTK for searching.


Gathering intel for targeted searching

While indexing is underway, we usually work with the client to nail down case specifics:

  • Names, contacts, and email addresses
  • Project codes, file types, and serial numbers
  • Important dates or time windows
  • Sometimes, broad concepts the company is worried about

And trust me, we’ve seen it all when it comes to client-supplied keywords.

  • Specific serial numbers, phone numbers, or email addresses = excellent starting points.
  • Keywords like money, steal, or even cheese (yes, really, someone once suggested that!) = usually too broad to be helpful, because they hit far more ordinary documents than relevant ones.

That’s okay; we’ll help narrow these down and build a set of intelligent, case-focused terms.


Diving into the indexed data

Once indexing finishes, we’ll have searchable access to:

  • Document contents (Word, Excel, PowerPoint, PDFs, and more)
  • Image-based files (JPEGs, TIFFs, GIFs) that have been run through OCR (optical character recognition) so text inside scanned pages and screenshots is searchable. OCR output is only as good as the image, so a skewed or low-resolution scan can hide a term from the index, and image hits still deserve a visual look.
  • Emails, including deleted messages and their attachments
  • Unallocated space, where fragments of deleted files often hide

We’ll run the keyword sets we developed against this index. Then we can:

  • Exclude known operating system and application files to cut noise, typically by matching file hashes against a known-file set such as FTK’s Known File Filter
  • Apply filters (file type, date range, location on the drive) to hone results
  • Export relevant findings to review with the client

Rarely is it as simple as finding everything neatly organized in a folder labeled “Stuff I Plan on Taking.” More often, these hits give us a jumping-off point that leads to deeper insights.
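The pipeline above in miniature, as an added example rather than code from Swailes or from FTK. A small full-text index is built once over a handful of constructed sample files standing in for text extracted from the image; literal and pattern searches (email addresses, phone numbers) then hit the index instead of re-reading the drive, which is the reason for indexing given earlier; a hypothetical known-OS-file exclusion removes a Windows file from the hits; any client-supplied term that hits too large a share of the documents is flagged as too broad (the "money" problem from the keyword section); and the remaining hits are exported as CSV for review. Every path, file, name, keyword and threshold is constructed for illustration.

```python
"""Miniature keyword-search pipeline (added example; not Swailes' or FTK's code).
All files, paths and keywords below are constructed sample data."""
import csv
import io
import re
from collections import defaultdict

# Constructed stand-ins for text extracted from the image: (path, extracted text).
SAMPLE_FILES = [
    (r"C:\Users\jdoe\Documents\Q3_pricing.xlsx",
     "Acme Corp pricing sheet. Contact: sarah.lee@acme-client.example. Money owed: 12,400"),
    (r"C:\Users\jdoe\Desktop\Project_FALCON_spec.docx",
     "Project FALCON serial numbers: SN-48213-A, SN-48214-A. Money spent to date: 0"),
    (r"C:\Windows\System32\license.rtf",
     "Microsoft software license terms. Acme Corp is not a party to this agreement."),
    (r"C:\Users\jdoe\AppData\Local\Temp\~WRL0001.tmp",
     "cheese budget, money, and the steal of the show"),
    ("[unallocated] cluster 0x1A3F",
     "fragment ... sarah.lee@acme-client.example phone 713-555-0147 ..."),
    ("Outlook.pst > Inbox > 'lunch'",
     "Subject: lunch. Bring money for the cheese plate."),
]

# Hypothetical known-file exclusion. Real tools match file hashes against a known-file
# set; a path prefix is used here only to keep the example self-contained.
KNOWN_OS_PREFIXES = ("C:\\Windows\\",)

# Keyword set: (label, term, is_regex). Regex terms cover identifiers with a fixed shape.
KEYWORDS = [
    ("client name", "Acme", False),
    ("email", r"[\w.+-]+@[\w-]+(\.[\w-]+)+", True),
    ("phone", r"\d{3}-\d{3}-\d{4}", True),
    ("serial", "SN-48213-A", False),
    ("money", "money", False),  # the kind of term a client suggests and we flag as too broad
]

TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.@\-]*")


def build_index(files):
    """One full pass over the data, done once: lowercase token -> set of document ids."""
    index = defaultdict(set)
    for doc_id, (_, text) in enumerate(files):
        for tok in TOKEN_RE.findall(text.lower()):
            index[tok.rstrip(".")].add(doc_id)  # drop sentence-ending periods
    return index


def search(index, term):
    """Literal lookup. Touches the index only, never the files, so it is cheap to repeat."""
    return index.get(term.lower(), set())


def search_pattern(index, pattern):
    """Regex terms are matched against the index vocabulary, which is far smaller
    than the raw data; each matching token contributes its documents."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = set()
    for tok, docs in index.items():
        if rx.fullmatch(tok):
            hits |= docs
    return hits


def run_keywords(files, index, keywords, broad_ratio=0.5):
    """Run a keyword set, drop known OS files, and flag terms that hit a large share of
    the documents (such terms are noise, not leads). Returns one result dict per term."""
    results = []
    for label, term, is_regex in keywords:
        docs = search_pattern(index, term) if is_regex else search(index, term)
        kept = {d for d in docs if not files[d][0].startswith(KNOWN_OS_PREFIXES)}
        results.append({
            "label": label,
            "term": term,
            "hits": sorted(files[d][0] for d in kept),
            "excluded_known": len(docs) - len(kept),
            "too_broad": len(kept) / len(files) >= broad_ratio,
        })
    return results


def export_hits(results):
    """One CSV row per hit, the shape we would hand to the client for review."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["label", "term", "path", "too_broad"])
    for r in results:
        for path in r["hits"]:
            writer.writerow([r["label"], r["term"], path, r["too_broad"]])
    return buf.getvalue()


if __name__ == "__main__":
    idx = build_index(SAMPLE_FILES)  # the slow step, done once
    report = run_keywords(SAMPLE_FILES, idx, KEYWORDS)
    for r in report:
        flag = "  <-- too broad, refine with the client" if r["too_broad"] else ""
        print(f"{r['label']:12} {len(r['hits'])} hit(s), "
              f"{r['excluded_known']} known-OS file(s) excluded{flag}")
    print(export_hits(report))
```

Running it shows the shape of the real workflow: the client name hits once after the Windows license file is excluded, the email and phone patterns pull a hit out of unallocated space that no literal keyword would have found, and "money" lights up most of the sample and gets flagged for refinement rather than exported as a lead.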


Following the digital trail

This is where the real investigative mindset kicks in.

Say we find sensitive files sitting in odd folders. That might lead us to look harder at:

  • Connected USB drives
  • Personal or external email accounts
  • Cloud storage activity

Much like Netflix recommends what to binge next, each clue often points us to the next avenue to explore.


What’s next?

We’ll pause here. In the next post, we’ll jump into USB drives: still the most common medium we see used to walk data out the door, and one that deserves its own spotlight.

About Swailes Computer Forensics

Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.

If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.