By Jason M. Schery, GCFA, CCO, CCPA, ACE, Senior Digital Forensics Examiner

Information Technology (IT) teams, whether out of curiosity or in a misguided effort to assist the human resources or legal teams, often hinder the investigation of a departed employee’s suspicious activities by turning on the departed employee’s computer and browsing through the files after the employee has left the company. This “live” [1] browsing of the departed employee’s computer changes the metadata of many of the tell-tale artifacts that are examined in a traditional trade secret investigation, and thus hasty browsing can be detrimental to any legal action against the former employee.

Scenario: A high-level employee leaves Company A and, unbeknownst to HR, takes a similar job at Company B – a competing organization. Months later, customers that were managed by the departed employee leave and go to this competing organization. At legal’s direction, IT provides the computer to a third-party forensics company for imaging and investigation into the matter. During the investigation, a highly confidential customer contact list is found to have been accessed after the departed employee’s termination and just prior to the computer being provided to the digital forensics company. Due to this “post-termination” access, important dates related to the customer contact list have been overwritten and potential evidence of improper access and theft has been lost. When a file or folder is accessed or browsed by an untrained staff member, its last accessed date and time are changed.

Due to lack of training, the IT team has unintentionally compromised the timeline of access and exfiltration events stored in the computer. IT has “timestomped” the data.

Not all “timestomping” is unintentional. It is often an intentional tactic that is well known to incident responders. It is used by hackers to purposely obfuscate the timeline of the access of files or the running of programs on a system. This is done with the purpose of changing the apparent timing of malicious activity and misdirecting responders as they search for the truth of how the hacking incident occurred. But the same timestomping effect can be created inadvertently by overzealous, untrained IT, HR, or legal staff, negatively affecting the investigation into the theft of trade secrets or intellectual property.

When performing a trade secret investigation on a forensic image of a departed employee’s computer, specific operating system artifacts are reviewed and cross-referenced with each other in order to paint a picture of the user activity in the weeks and months leading up to the employee leaving the company. In our experience, this time frame is generally when we find that most unauthorized or malicious activity occurs.

Timestomping is detrimental to the investigator who is attempting to create file access and storage location correlations. When a file is accessed by an untrained staff member after the departed employee leaves the company, the last accessed date and time is updated to reflect this more recent access, and the earlier date (which is more relevant because it falls in the period before the employee’s termination date) is not preserved. If this file was being accessed (and possibly copied) during the time that the employee was still at Company A and a USB device was connected, or accessed when the departed employee was connected to a cloud storage account, this direct link is no longer visible to the investigator. Thus, the USB or cloud storage locations would not be identified as locations that need further investigation. Such locations may contain additional files of Company A that the departed employee exfiltrated. If these cloud locations are not remediated and Company A’s files deleted, the departed employee can continue to use Company A’s confidential information, such as the customer contact list, in Company B’s competition against Company A.
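The correlation described above, and what is lost when a last-accessed timestamp is overwritten, can be shown with a small triage routine. The following is an added example written for this article, not code from the author or from any forensic tool. It assumes the examiner has already extracted file timestamps and device-connection windows from a forensic image into simple records; the file paths, USB serial, session labels and all dates below are constructed sample data, not real case data.

```python
"""Added example: triage of last-accessed timestamps against an employee's
termination date and device/cloud connection windows recovered from an image.

All file records, device windows and dates here are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    modified: datetime  # last written (from the image's file system metadata)
    accessed: datetime  # last accessed (the value most easily overwritten)


@dataclass(frozen=True)
class DeviceWindow:
    label: str          # constructed label: USB serial or cloud sync session
    start: datetime
    end: datetime


def classify_access(rec: FileRecord, termination: datetime,
                    windows: List[DeviceWindow]) -> Tuple[str, Optional[str]]:
    """Return (status, matched_window_label) for one file.

    A last-accessed time later than the termination date means the only
    value left on disk reflects post-termination 'live' browsing; whatever
    earlier access time existed has been overwritten and cannot be
    correlated with any USB or cloud window.
    """
    if rec.accessed > termination:
        return "post_termination_overwritten", None
    for w in windows:
        if w.start <= rec.accessed <= w.end:
            return "access_in_device_window", w.label
    return "access_before_termination", None


def triage(records: List[FileRecord], termination: datetime,
           windows: List[DeviceWindow]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every file; keyed by path."""
    return {r.path: classify_access(r, termination, windows) for r in records}


def follow_up_locations(results: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Device/cloud labels whose windows overlap a file access: the storage
    locations that warrant further investigation (sorted, de-duplicated)."""
    return sorted({label for _, label in results.values() if label})


def overwritten_paths(results: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Files whose last-accessed time is no longer usable for correlation."""
    return sorted(p for p, (status, _) in results.items()
                  if status == "post_termination_overwritten")


# --- constructed sample data -------------------------------------------------
TERMINATION = datetime(2023, 3, 31, 17, 0)

WINDOWS = [
    DeviceWindow("USB:SN-EXAMPLE-0001",
                 datetime(2023, 3, 28, 9, 0), datetime(2023, 3, 28, 9, 45)),
    DeviceWindow("Cloud:sync-session-example",
                 datetime(2023, 3, 30, 13, 0), datetime(2023, 3, 30, 14, 30)),
]

RECORDS = [
    # Browsed by IT two weeks after termination: original access time lost.
    FileRecord(r"C:\Users\jdoe\Documents\customer_contacts.xlsx",
               datetime(2023, 3, 27, 16, 12), datetime(2023, 4, 14, 10, 3)),
    # Accessed while the USB device was attached: strong correlation.
    FileRecord(r"C:\Users\jdoe\Documents\pricing_2023.xlsx",
               datetime(2023, 3, 20, 11, 0), datetime(2023, 3, 28, 9, 17)),
    # Accessed during the cloud sync session.
    FileRecord(r"C:\Users\jdoe\Documents\roadmap.pptx",
               datetime(2023, 3, 2, 8, 0), datetime(2023, 3, 30, 13, 42)),
    # Accessed before termination, outside any device window.
    FileRecord(r"C:\Users\jdoe\Documents\expense_report.docx",
               datetime(2023, 3, 10, 9, 30), datetime(2023, 3, 15, 14, 5)),
]

if __name__ == "__main__":
    res = triage(RECORDS, TERMINATION, WINDOWS)
    for path, (status, label) in res.items():
        print(f"{status:30} {label or '-':28} {path}")
    print("follow up:", follow_up_locations(res))
    print("correlation lost:", overwritten_paths(res))
```

Run as-is, the customer contact list is reported only as "post_termination_overwritten": the routine cannot say whether it was opened during the USB or cloud window, which is exactly the link the investigator needed. The pricing spreadsheet and roadmap still correlate with their windows, so those two locations are returned for follow-up.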

The best way to mitigate obstacles such as timestomping is by training the staff on the problems that can arise when data is handled improperly. This is similar to the way that many law enforcement agencies forbid touching any evidence in a crime scene when first responders arrive on scene. Anyone who could come in contact with the departed employee’s device should know that “live” browsing can very well be detrimental to a case. Along with the training, policies should be enacted that would lessen the chances that hasty examination of a computer will lead to the overwriting of important forensic evidence. One such policy is requiring an immediate forensic preservation of the devices of any departed employee who was in a role involving proprietary information. This preservation should be performed by trained and certified personnel using digital forensic tools.

Preservation will also have additional cost-saving advantages. Once a forensic image is created, the imaged computer can be re-circulated, eliminating the need to purchase new devices.

In conclusion, “timestomping” by IT, although usually unintentional, can be detrimental to an investigation into trade secret theft. Educating IT staff, enforcing policies for device preservation, and the appropriate retention of digital forensics firms are ways to mitigate the risk of destroying evidence of a departed employee’s misdeeds that could negatively impact your company in its investigation efforts.

[1] “Live,” in this case, means browsing a computer that is running, as opposed to first creating a forensic image of the hard drive and analyzing the forensic image. The creation of a forensic image does not change any of the data on the computer – but browsing the computer “live” will.