
“Trust, But Verify”: The Implications of Digital Artifacts

The implications of forensic investigations of digital artifacts

Written By

Michael Neher

While it is easy to press the “delete” key and assume something is gone, it is important to realize that the attempted disposal of digital information (and the trail of actions preceding it) is much more discernible than the average user might imagine. A “digital artifact”, generally speaking, is the memorialization of user activity left within a device or file, akin to digital fingerprints. There are key places digital forensic investigators will check when looking for artifacts of user activity. Among the places where key artifacts can reside are Email Attachments, External Hard Drives, Printer Logs, Internet History, Operating System Logs, Registry, Software, Databases, etc.

At Capsicum, a common type of digital investigation we handle is the case of the employee who was recently terminated or who has left one company to join its competitor. Often, departing employees will delete data that they should not have had access to; or worse, attempt to depart with valuable information (like customer lists or trade secrets) on their way out. When searching for stolen data or employee impropriety in employment matters, we frequently uncover attempts to permanently delete data and/or exfiltrate data on external drives. We often start with link files to see if and when external drives were connected, as well as what files were on the drive at the time. However, digital investigations are not as simple as following the digital footprints; the nature of digital artifacts often requires examinations of corroborating sources of data for contextual information that will verify the suspected user activity in a forensically sound manner.
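The link-file check mentioned above, as an added Python example (not Capsicum's tooling and not code from the article): a minimal parser for the Windows Shell Link (.lnk) header and LinkInfo block, following the published MS-SHLLINK layout. The sample link is constructed here; its path, volume label and serial number are made-up values, and only ANSI strings are handled.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)           # FILETIME epoch
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DRIVE_TYPES = dict(enumerate(
    ["unknown", "no_root_dir", "removable", "fixed", "remote", "cdrom", "ramdisk"]))

def filetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to UTC datetime."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def parse_lnk(data):
    """Return the target's timestamps, size, volume identity and local path."""
    if len(data) < 0x4C:
        raise ValueError("too short for a shell link header")
    size, clsid, flags, _attrs, ctime, atime, wtime, fsize = \
        struct.unpack_from("<I16sII3QI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    rec = {"target_created": filetime(ctime), "target_accessed": filetime(atime),
           "target_modified": filetime(wtime), "target_size": fsize}
    off = 0x4C
    if flags & 0x1:                        # HasLinkTargetIDList: skip over it
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x2:                        # HasLinkInfo
        li = data[off:off + struct.unpack_from("<I", data, off)[0]]
        _, _, li_flags, vol_off, path_off = struct.unpack_from("<5I", li, 0)
        if li_flags & 0x1:                 # VolumeIDAndLocalBasePath
            _, dtype, serial, label_off = struct.unpack_from("<4I", li, vol_off)
            rec.update(drive_type=DRIVE_TYPES.get(dtype, "unknown"),
                       volume_serial=f"{serial:08X}",
                       volume_label=cstr(li, vol_off + label_off),
                       local_path=cstr(li, path_off))
    return rec

def build_sample():
    """Constructed sample: a link to a file on a removable volume."""
    ft = int((datetime(2023, 5, 1, 12, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10_000_000
    header = struct.pack("<I16sII3QIIIHHII", 0x4C, LNK_CLSID, 0x2, 0x20,
                         ft, ft, ft, 4096, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<4I", 16 + 7, 2, 0x1A2B3C4D, 16) + b"BACKUP\0"
    path = b"E:\\customers.xlsx\0"
    body = volume + path + b"\0"           # empty common path suffix
    info = struct.pack("<7I", 28 + len(body), 28, 0x1, 28, 28 + len(volume),
                       0, 28 + len(volume) + len(path)) + body
    return header + info

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample()).items():
        print(f"{key:16} {value}")
```

The header timestamps describe the link target as of the last time the link was updated, so they are one data point to corroborate against other sources rather than proof of activity on their own.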

For instance, in one matter, Capsicum was tasked with investigating inappropriate images and restricted content discovered on an employee of interest’s company-issued computer. At the outset of the case, Capsicum received six hard drives from the employer related to the employee of interest’s use of company devices. These six drives contained data from the various company devices used over the length of the employee of interest’s tenure with the company, spanning the past ten years. While there was a substantial amount of data to review, after imaging, processing, and mounting the data using advanced forensic tools, we were able to quickly and clearly confirm the problematic photo’s existence and its file location; however, it was peculiar that the file artifacts did not indicate that it had been downloaded via an Internet website or torrent downloads, nor did it appear the images had been copied onto the employee of interest’s computer from an external drive or as an email attachment.

While the artifacts were clear as to the presence of the restricted material, this was clearly not the end of the story in this matter. Upon further investigation, which began with the most current drive in use by the employee of interest, Capsicum’s analysis revealed the source of the photos by tracing and backtracking the data to the original ten-year-old drive. We discovered that the same files had been on every iteration of the employee of interest’s six company devices. The investigation also revealed that none of the inappropriate file’s six iterations had any digital artifacts that indicated the employee of interest ever opened or otherwise accessed them. While the restricted images were on every one of his devices, the employee of interest was ostensibly unaware of their existence.

Ultimately, we discovered the first iteration of the restricted content was placed on the employee of interest’s first device along with other files related to the scope of his employment. The files were provided to him after belonging to his predecessor. In other words, the potential source of the problematic images appeared to be a second former employee who was not originally implicated in this matter. The predecessor had provided folders for the employee of interest ten years ago, and the employee of interest had inadvertently copied and propagated those folders, along with the restricted material, through each of his subsequent corporate devices as his files were moved.

As this matter demonstrates, digital artifacts are powerful reservoirs of information related to user activity. While on the surface it was clear that restricted information was present, a closer examination of the data tells a much different story. At Capsicum, we specialize in digital forensic analysis and have expertise with tools and applications necessary to analyze digital evidence and arrive at informed, defensible conclusions that can make a drastic impact on the outcome of a matter.

Capsicum has years of experience investigating the technology and data making up trade secret theft, money laundering, tax and financial reporting fraud, misappropriation of assets, and other bad acts. Our forensic technology experts work with private investigators and legal counsel to respond to regulatory investigations, internal investigations, and lawsuits. We work closely with general counsel, senior executives, audit committees, receivers, and outside counsel to determine and present the truth. Contact us today to learn how we can assist you.