Client
Global law firm representing a number of private entities (individuals and businesses)

Background
An alleged theft of confidential data.

Task
PLT was instructed by a law firm, under a court order, to inspect what was originally just one machine to determine whether the client’s confidential data had been accessed and, if it had been, to determine when and by whom, and what subsequently happened to the data.

Challenges
The identification, in the absence of hard evidence, of relevant activity that supported the client’s claim; a second phase investigation of multiple machines and media; the successful completion of the investigation despite opposition obstruction.

Overview Phase One
A thorough investigation of the machine in question was required. A first inspection showed that there were no live documents relating to the client’s confidential data on the system and that there was no smoking gun to be found anywhere. However, by identifying and analysing system and application files, a timeline of what had happened on the machine was built up and relevant patterns of user activity were pinpointed. Our experts were able to:

  • Recover deleted file names and folder structures that showed that data had been copied in an organised manner and with a specific aim in mind;
  • Examine the restore points, which showed that the user who had done these things had had access to the machine for only a certain amount of time before being removed from the system;
  • Identify a number of external devices that data had been copied to for subsequent distribution.

Overview Phase Two
This initial investigation of the single machine led to a second phase that involved analysing a much wider spectrum of machines and media to try to identify what had then happened to the data. Over 20 other machines belonging to other individuals were examined, which allowed the team to determine where data went, who had access to it, when it was sent externally and who it was sent to.

There was also a highly consultative element to the case due to sustained obstruction from the other side, which meant the client needed constant advice regarding what could be done and what could be achieved.

Findings
Significant evidence was identified and explained that illustrated the actions of the individual(s) in question.

Outcome
An expert report was compiled at the conclusion of both phases, which was accepted by the other side without any objection.