Case Study

A departing employee prompts an insider threat investigation for a global technology company

After the departure of an employee, a large global technology company was worried about the theft of intellectual property. They needed a thorough forensic analysis conducted by objective experts to validate their suspicions.

In brief


Global technology company




United States


  • Ex-employee returned a “clean” laptop a month after she joined a competing firm.
  • She may have stolen enterprise intellectual property or violated her noncompete agreement.

    • A thorough forensic analysis of a laptop that had been wiped clean by the user.
    • Recovery of key data, files, and other forensic evidence.
    • Evidence of use of proprietary software allowing remote desktop control, file sharing, and more.
Download PDF Share


A “clean” laptop

A month after an employee left for a competing firm, she returned her corporate laptop, which she had “wiped” herself. Her previous employer, a large global software company, was concerned she may have stolen enterprise intellectual property or violated her noncompete agreement. The company needed a team of digital forensics experts to examine the laptop to see if she had conducted nefarious activity.


High-level digital forensics

The Unit 42® digital forensics expert recovered various forensic artifacts detailing network connection history and determined that the laptop in question had been connected to the ex-employee’s new company network, just several days after she resigned. Additionally, Unit 42 found evidence that multiple USB drives had been connected to the laptop before she turned it in to her former employer, specifically while connected to the competitor company’s network.

Through a deeper forensic dive, Unit 42 found artifacts related to directories and files belonging to the former employer that were accessed from these USB devices. These files included marketing templates, user guides, code reviews, and rollout plans. Finally, and perhaps most critically, Unit 42 identified evidence of considerable efforts taken by the former employee to mass-delete files and evidence of unauthorized activity on the laptop. These actions were a clear indication that the employee attempted to cover her tracks.

Unit 42 found evidence that prior to the laptop being returned, the former employee installed and used TeamViewer software: proprietary software for remote control, desktop sharing, online meetings, web conferencing, and file transfer between computers. From these details, it was clear that mass deletions of files on the laptop took place during this TeamViewer session and immediately thereafter. The data deleted contained synced email messages, including evidence the suspect conducted email conversations with the company’s outsourced service providers that were likely in violation of the nondisclosure and noncompete agreements that those providers had signed.


Experts in forensic evidence discover proof of theft

Unit 42 experts know that computers or other digital devices are rarely fully “wiped clean.” Useful, actionable information is usually hidden somewhere on the system and can be recovered with digital forensics techniques. By using host-based forensic analysis techniques, tools, and methodologies, the investigative team at Unit 42 was able to provide the client with evidence of potential theft of intellectual property, remote access, destruction of data, and attempts to solicit current employees. Based on the employee’s departing contract, this evidence could be in violation of that agreement—if not criminal law—and allow the former employer to seek legal recourse.

About Unit 42

Palo Alto Networks Unit 42® brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization that’s passionate about helping you proactively manage cyber risk. Together, our team serves as your trusted advisor to help assess and test your security controls against real-world threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.


Under Attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team at or call North America toll-free: +1.866.486.4842 (866.4.UNIT42), EMEA: +, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.

Approved by Cybersecurity Insurance Plans

Unit 42 is on the approved vendor panel of more than 70 major cybersecurity insurance carriers. If you need to use Unit 42 services in connection with a cyber insurance claim, Unit 42 can honor any applicable preferred panel rate in place with the insurance carrier. For the panel rate to apply, just inform Unit 42 at the time of the request for service.