No Investigation Is Ever Exactly Alike
As I mentioned in a previous post, no two investigations in digital forensics are ever exactly the same. Sure, when we’re handling a straightforward investigative case, there are some standard approaches or “templates” we might rely on to get started. But when the assignment is, “Here’s a computer, smartphone, server, or online account, go run your process and make a report,” that’s where the differences become striking.
Every investigation varies, not just in how we dig into the details but also in how we ultimately report our findings. And that’s for good reason.
It Starts with the Investigation
We often begin with what we call the “low-hanging fruit,” such as looking into USB device activity. But even that isn’t as simple as it might sound.
Today’s USB drives could be a simple thumb drive with a few hundred megabytes (especially older models) or a newer stick holding 512 gigabytes or more. Then there are external hard drives, small portable ones the size of a deck of cards, larger drives resembling a book, or even RAID boxes the size of a shoebox, capable of copying an entire server’s shared directory.
Ideally, when someone connects a USB device, it leaves expected artifacts on their computer, like device IDs, timestamps, or logs. But sometimes these artifacts aren’t available. That doesn’t mean nothing was connected. It just means we need to dig deeper to figure out how it was connected, what activity occurred, and what was stored there, or what was there the last time it was used.
The missing data could be due to the specific controller used to interface with USB, or because the user ran a utility to try to wipe or hide the metadata. Still, it’s rare that no evidence exists. Even if we only get the manufacturer’s info or timestamps, that can be critical to making the case.
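As an added example (not code from the original post or from Swailes Computer Forensics), here is a small parser for the hardware-initiated install sections of Windows's setupapi.dev.log, run over a sample log constructed inside the block. It pulls the enumerator, vendor, product, revision and serial number out of each device instance path and flags devices for which Windows had to synthesize an instance ID because the drive reported no unique serial. That last case is the one the text describes: only the manufacturer's info and a first-install timestamp survive, which can still matter. Note that this log records a device's first installation only, so absence from it is not evidence that a device was never connected.

```python
import re
from datetime import datetime

# Lines that bracket one hardware-initiated install section in setupapi.dev.log.
SECTION_HEADER = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<instance>[^\]]+)\]")
SECTION_START = re.compile(
    r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")


def describe_instance(instance_path):
    """Split 'ENUM\\DEVICE_ID\\INSTANCE_ID' into enumerator, vendor, product, revision, serial."""
    enumerator, device_id, instance_id = (instance_path.split("\\") + ["", ""])[:3]
    rec = {"enumerator": enumerator, "device_id": device_id, "instance_id": instance_id}
    for part in device_id.split("&"):
        for key, prefix in (("vendor", "Ven_"), ("product", "Prod_"), ("revision", "Rev_")):
            if part.startswith(prefix):
                rec[key] = part[len(prefix):]
    # An '&' in the second position means Windows synthesized the instance ID because
    # the device reported no unique serial number; only manufacturer info survives.
    if not instance_id or instance_id[1] == "&":
        rec["serial"] = None
    else:
        rec["serial"] = instance_id.split("&")[0]
    return rec


def parse_setupapi_log(text, enumerators=("USBSTOR",)):
    """Return one record per completed install section, keeping only the given enumerators (None = all)."""
    records, current = [], None
    for line in text.splitlines():
        m = SECTION_HEADER.match(line)
        if m:
            current = describe_instance(m.group("instance"))
            continue
        if current is None:
            continue
        m = SECTION_START.match(line)
        if m:
            current["first_install"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = EXIT_STATUS.match(line)
        if m:
            current["status"] = m.group("status")
            if enumerators is None or current["enumerator"] in enumerators:
                records.append(current)
            current = None
    return records


# Constructed sample: two thumb drives, the second of which reports no serial number.
SAMPLE_LOG = r""">>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230508115063]
>>>  Section start 2024/03/04 09:12:40.921
      cmd: C:\Windows\System32\svchost.exe -k DcomLaunch
<<<  Section end 2024/03/04 09:12:41.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230508115063&0]
>>>  Section start 2024/03/04 09:12:41.123
      cmd: C:\Windows\System32\svchost.exe -k DcomLaunch
     dvi:      {Build Driver List} 09:12:41.150
<<<  Section end 2024/03/04 09:12:43.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2b1c9f3e&0&_&0]
>>>  Section start 2024/03/11 17:48:02.004
<<<  Section end 2024/03/11 17:48:03.377
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for r in parse_setupapi_log(SAMPLE_LOG):
        print(r["first_install"], r.get("vendor"), r.get("product"), r["serial"] or "<no serial>")
```

Run against a real setupapi.dev.log the same way; the first-install timestamp is local time as the machine wrote it, so reconcile it with the system's time zone before putting it on a timeline.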
The Email Trail (or Attempted Cleanup)
Another common area of investigation is email. Employees often send data from the corporate network straight to their personal email accounts. It might seem like an obvious mistake, but it happens more than you’d think, especially when someone sees a last-minute opportunity and caution flies out the window.
Even if someone tries to be subtle, mistakes happen. All it takes is one accidental send to a personal address, and it pops up on our radar. And once it’s there, we dig into the data and the digital artifacts tied to their personal email.
Usually, after sending something, the person logs into the account on the same computer to check if it went through. That little verification step is common; you don’t need OCD to want to make sure your scheme worked. And sometimes they’ll try to clean up afterward. But these attempts to cover their tracks, like deleting sent items or running CCleaner, often leave behind their own evidence. Ironically, it’s typically easier to explain sending company files to yourself if you didn’t also wipe everything afterward.
Beyond the Obvious: Additional Artifacts
Depending on the investigation, there could be countless other artifacts to examine. For example:
- Online storage services like Dropbox, Google Drive, or OneDrive often keep logs or indexes on the local machine to keep data synced. First, we have to determine if such services were even used, then see what they hold.
- Link files, which show connections to USB devices or remote servers.
- Shellbags, which record folder activity in the Windows registry and can reveal how folders and files looked at certain points in the past.
- Jump Lists, which document recently opened files, showing what a user accessed or edited.
Each of these pieces helps us reconstruct what happened.
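To show what a link file actually records, here is an added example (not the post's or Swailes's code) that parses the fixed header and the LinkInfo block of a Windows Shell Link file as laid out in Microsoft's MS-SHLLINK specification: the target's creation, access and write timestamps, its size, and the drive type, volume serial, volume label and local path of the volume it was opened from. The .lnk bytes are constructed inside the block rather than taken from a real system, and only the local-volume form is handled (a network-share target uses a different sub-structure that this parser skips).

```python
import struct
from datetime import datetime, timedelta, timezone

# Shell Link (.LNK) constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags: an ItemIDList follows the header
HAS_LINK_INFO = 0x00000002             # LinkFlags: a LinkInfo structure is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1    # LinkInfoFlags: VolumeID and LocalBasePath are present
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _read_cstr(data, offset):
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("ascii")


def parse_lnk(data):
    """Return the target's timestamps and size plus, if present, the volume it lived on."""
    header_size, clsid, flags, _attrs, ctime, atime, wtime, size = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    rec = {"target_created": filetime_to_datetime(ctime),
           "target_accessed": filetime_to_datetime(atime),
           "target_modified": filetime_to_datetime(wtime),
           "target_size": size}
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # LinkTargetIDList: 2-byte size followed by the item IDs; not needed here, so skip it.
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        li = offset
        _li_size, _hdr_size, li_flags, vol_off, base_off, _cnrl_off, _suffix_off = \
            struct.unpack_from("<7I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = li + vol_off
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            rec["drive_type"] = DRIVE_TYPES.get(drive_type, f"UNKNOWN({drive_type})")
            rec["volume_serial"] = f"{serial:08X}"
            rec["volume_label"] = _read_cstr(data, vol + label_off)
            rec["local_base_path"] = _read_cstr(data, li + base_off)
    return rec


def build_lnk(target_path, drive_type, serial, label, created, accessed, modified, size):
    """Assemble a minimal LNK (header + LinkInfo) so the parser can be exercised offline."""
    label_b = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b = target_path.encode("ascii") + b"\x00"
    suffix_b = b"\x00"                     # empty CommonPathSuffix
    vol_off = 0x1C                         # LinkInfo header is 28 bytes
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    li_size = suffix_off + len(suffix_b)
    link_info = struct.pack("<7I", li_size, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_b + suffix_b
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)
    return header + link_info


# Constructed sample: a spreadsheet opened from a removable (USB) volume labelled KINGSTON.
SAMPLE_LNK = build_lnk(
    target_path=r"E:\Projects\customer_list.xlsx",
    drive_type=2, serial=0x1A2B3C4D, label="KINGSTON",
    created=datetime(2024, 3, 4, 9, 15, 0, tzinfo=timezone.utc),
    accessed=datetime(2024, 3, 4, 9, 20, 30, tzinfo=timezone.utc),
    modified=datetime(2024, 2, 28, 16, 2, 11, tzinfo=timezone.utc),
    size=184_320)

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:18} {v}")
```

The volume serial recovered here is what lets a link file be tied back to a specific drive: the same serial appears in the volume's own boot sector and in the MountedDevices and other registry data the system keeps about volumes it has seen, so a match across those sources places a particular file on a particular removable device at a particular time.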
Different Investigations Mean Different Reports
Just like no two investigations are the same, neither are the reports we produce.
- Some reports are geared for internal HR use, documenting misuse of company assets, policy violations, or harassment. These are essential if there’s ever a wrongful termination claim.
- Others highlight unethical conduct tied to licensing or certifications, emphasizing risks beyond just company policy breaches.
- And then there are formal reports for litigation, including statements of fact or affidavits intended for court filings.
Each type of report focuses on different priorities depending on your goals and the likely outcomes.
One Size Never Fits All
In short, every case is unique. The devices, the evidence, and even the attempts to hide it differ from one investigation to the next. And the final reports aren’t cookie-cutter copies either. They’re crafted to fit the specific situation, made to order, just like the investigations themselves.
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.
If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.