A month after an employee left for a competing firm, she returned her corporate laptop, which she had “wiped” herself. Her previous employer, a large global software company, was concerned she may have stolen enterprise intellectual property or violated her noncompete agreement. The company needed a team of digital forensics experts to examine the laptop to see if she had conducted nefarious activity.
The Unit 42 digital forensics expert recovered various forensic artifacts detailing network connection history and determined that the laptop in question had been connected to the ex-employee’s new company network, just several days after she resigned. Additionally, Unit 42 found evidence that multiple USB drives had been connected to the laptop before she turned it in to her former employer, specifically while connected to the competitor company’s network.
Through a deeper forensic dive, Unit 42 found artifacts related to directories and files belonging to the former employer that were accessed from these USB devices. These files included marketing templates, user guides, code reviews, and rollout plans. Finally, and perhaps most critically, Unit 42 identified evidence of considerable efforts taken by the former employee to mass-delete files and evidence of unauthorized activity on the laptop. These actions were a clear indication that the employee attempted to cover her tracks.
Unit 42 found evidence that prior to the laptop being returned, the former employee installed and used TeamViewer software: proprietary software for remote control, desktop sharing, online meetings, web conferencing, and file transfer between computers. From these details, it was clear that mass deletions of files on the laptop took place during this TeamViewer session and immediately thereafter. The data deleted contained synced email messages, including evidence the suspect conducted email conversations with the company’s outsourced service providers that were likely in violation of the nondisclosure and noncompete agreements that those providers had signed.
Unit 42 experts know that computers or other digital devices are rarely fully “wiped clean.” Useful, actionable information is usually hidden somewhere on the system and can be recovered with digital forensics techniques. By using host-based forensic analysis techniques, tools, and methodologies, the investigative team at Unit 42 was able to provide the client with evidence of potential theft of intellectual property, remote access, destruction of data, and attempts to solicit current employees. Based on the employee’s departing contract, this evidence could be in violation of that agreement—if not criminal law—and allow the former employer to seek legal recourse.
About Unit 42
Palo Alto Networks Unit 42™ brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization that’s passionate about helping you proactively manage cyber risk. Together, our team serves as your trusted advisor to help assess and test your security controls against real-world threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team at start.paloaltonetworks.com/contact-unit42.html or call North America toll-free: +1.866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.
Approved by Cybersecurity Insurance Plans
Unit 42 is on the approved vendor panel of more than 70 major cybersecurity insurance carriers. If you need to use Unit 42 services in connection with a cyber insurance claim, Unit 42 can honor any applicable preferred panel rate in place with the insurance carrier. For the panel rate to apply, just inform Unit 42 at the time of the request for service.