Subsequent to his leaving, a number of occurrences were revealed: files were being deleted and other actions occurred on the company’s network, including the deletion and corruption of the CEO’s email file.
First action taken
Only 6 weeks after the departure of the employee did the new IT contractor change the Administrator's password on all of the network devices and on one of the routers.
Digital Forensics work
- A number of the company’s computers were forensically copied
- Analysis: it was identified that the staff member visited the office over a weekend and deleted a large number of files on his work PC.
- A further investigation took place to copy all data on the servers and analyse those too.
- On analysis, it was found that a large number of company files had been deleted, by an unknown person. The deletions had occurred between the time the staff member left and when the Administrator’s password was changed.
- Some files had also had their content deliberately altered.
- The entire default event logging on the servers had been purged and turned off to mask user identity and activity.
- Each of the servers also had a full remote-control Trojan horse installed on it.
- Although the Administrator's password had been changed, someone was able to get past the router and gain access to the servers once they were on the internal network.
- The decision was made to review the External Internet Router, and it was identified that there were in fact 5 routers and that the password had been changed on only 1 of them! Therefore the former employee (with knowledge of the IP addresses and passwords) was able to log in remotely through any of the other 4.
Lesson to learn from this case
This was a complex investigation but Digital Forensics was able to find evidence against the former employee.
Every organisation should have a strict employee exit strategy that should include the following:
- Lock access to system and backup data prior to the notification meeting
- Check whether the employee had remote access to the servers and email, and cancel that access
- Remove access to external Company databases and/or remote access software
- Change the Admin passwords of all data and internet servers if the employee had access to them
- Take any USB or other devices from the employee.
- Change their email password
- Cancel banking and corporate credit card access (codes and signature authority)
- Revoke all office access (keycard, keys, badge)
- Set automatic e-mail notification to alert sender that employee is no longer employed
- If there is a concern that the exiting employee may be, or may become, hostile, treat the computer as a crime scene: appoint a forensic agency to forensically copy it and examine it. Internal IT staff are not forensically trained for this, and we have often found that, in their good-faith efforts to examine devices, they damage the evidence and sometimes render it unusable by contaminating the file metadata.
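The point of the fourth item above is the one the case turned on: the password was rotated on one router but not the other four, and nobody noticed for six weeks. The following is an added example, not part of the original case write-up, of the kind of check an exit procedure can run against a device inventory; device names, user names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Device:
    name: str
    known_admin_users: frozenset   # staff who know the current admin password
    last_rotation: Optional[date]  # when the admin password was last changed

def credential_exposure(devices, departed_user, departure, today):
    """For every device whose admin password the departed user knew, report
    whether that password was rotated after the departure date and for how
    many days the old credential remained (or still remains) valid."""
    report = []
    for d in devices:
        if departed_user not in d.known_admin_users:
            continue  # the leaver never held this credential
        if d.last_rotation is not None and d.last_rotation >= departure:
            report.append({"device": d.name, "rotated": True,
                           "exposure_days": (d.last_rotation - departure).days})
        else:
            # never rotated, or last rotated before the leaver left: still exposed
            report.append({"device": d.name, "rotated": False,
                           "exposure_days": (today - departure).days})
    return report

def unrotated(report):
    """Names of devices the leaver can still log in to with the old password."""
    return sorted(r["device"] for r in report if not r["rotated"])

# Constructed inventory modelled on the case: five routers, one rotated 6 weeks later.
DEPARTURE = date(2024, 3, 1)
TODAY = date(2024, 5, 1)
INVENTORY = [
    Device("router-1", frozenset({"alice", "bob"}), date(2024, 4, 12)),
    Device("router-2", frozenset({"alice", "bob"}), date(2023, 11, 5)),
    Device("router-3", frozenset({"alice", "bob"}), None),
    Device("router-4", frozenset({"alice", "bob"}), date(2023, 11, 5)),
    Device("router-5", frozenset({"alice", "bob"}), date(2023, 11, 5)),
    Device("file-server", frozenset({"alice", "bob"}), date(2024, 4, 12)),
    Device("printer", frozenset({"carol"}), None),  # bob never knew this one
]

if __name__ == "__main__":
    for row in credential_exposure(INVENTORY, "bob", DEPARTURE, TODAY):
        print(row)
```

Run this at the exit meeting and again the next day; any device still listed by `unrotated` is an open door of exactly the kind described in the findings.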