The situation
A group of employees in an organisation were suspected of leaking confidential information by electronic mail. It was alleged that this information was used by certain persons to obtain a financial advantage.
Our role
Logging was deployed on the company network to identify the movement of email attachments. Leaked documents were tracked exiting the company's network. Covert access was obtained to the laptop computers used by the employees, and the computers were forensically imaged. Deleted email messages containing the document in question were recovered. A timeline was constructed which identified the movement of the document through a chain of emails to outside parties. Analysis of the date and time information associated with the email messages and the attached document clearly identified the time period over which the leak had occurred. Analysis of hidden data within the Microsoft Word document identified the original computer from which the document was first emailed, as well as the subsequent editing of the document by persons along the email chain.
Outcome
The people responsible for editing and releasing the document were identified. Evidence collected was used in a successful civil action. The company used our report to re-evaluate its network security and computer usage policies and controls. The case assisted the organisation in demonstrating to its employees the serious nature of information security issues.