Data theft investigation


New Member
May 1, 2018
Hi. I'm seeking some opinions. I am attached to a local banking company in Malaysia. Recently one of my ex-staff in the Customer Relation department left the company with less than 24 hrs' notice of resignation. Other staff were perplexed and also kept thinking about why. Someone took his own initiative to check his computer station (I'm not quite sure what that guy was doing) but he suspects some data may have been stolen. All panicked. How can we investigate that possibility? What information should we look into? Is there any quick way to prove the possibility of data theft? The nightmare is, worst case scenario, he has copied some of the confidential data of high customer profiles and could have sold it. Should we invite a computer forensic team from local enforcement agencies, or do the 'forensic' thing ourselves?


Experienced Member
Oct 23, 2018
I realise this is an old thread now so the investigation may have come and gone - would be interesting to hear how it went if so. But in general, you want to isolate the suspected machine as soon as possible after believing something untoward has taken place. Then you should absolutely have someone with forensic experience take a look at it -- this will ensure that, if the matter needs to go to court, it can be presented in a forensically sound way ... the person that took their own initiative may have ended up destroying forensic artifacts on the system or providing misleading information when an investigation does take place.

As for the investigation itself, an analysis of MRUs, USB device connections, Shellbags logged to network locations and removable devices, Link files / Jumplists, etc. in the lead-up to the person leaving could be performed to produce a timeline of events and provide some level of comfort as to whether anything of concern has occurred. The investigation strategy will depend on length of time since the incident is suspected to have taken place, user policies, if it's a shared device, privacy laws, etc.
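As an added illustration of the USB part of such a timeline (not part of the original posts), the sketch below pulls USB storage driver-install events out of text in the layout of Windows' `setupapi.dev.log` and filters them to a date window. The sample lines are constructed, the function names are hypothetical, and it should be run against a working copy of the log taken from a forensic image, not on the live machine.

```python
import re
from datetime import datetime

# Constructed sample in the layout of C:\Windows\INF\setupapi.dev.log (not real evidence).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C53000123456789&0]
>>>  Section start 2018/04/27 17:42:10.123
<<<  Section end 2018/04/27 17:42:11.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - HID\VID_046D&PID_C077\7&1a2b3c&0&0000]
>>>  Section start 2018/04/28 09:01:02.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E06B9C85&0]
>>>  Section start 2018/04/30 08:05:44.900
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(.*?\) - (USBSTOR\\[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

def usb_storage_installs(log_text):
    """Return sorted (install_time, model, serial) tuples for USB storage devices.

    The log records the driver install (typically the first connection) of a
    device, in the machine's local time; it does not record every later plug-in.
    """
    events, pending = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group(1)          # remember the device until its timestamp line
            continue
        if line.startswith(">>>  ["):     # a section for some non-storage device
            pending = None
        m = START.match(line)
        if m and pending:
            _, model, instance = pending.split("\\", 2)
            serial = instance.rsplit("&", 1)[0]   # drop the trailing "&0" suffix
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((when, model, serial))
            pending = None
    return sorted(events)

def installs_in_window(events, start, end):
    """Keep only events inside the period of interest (e.g. the lead-up to departure)."""
    return [e for e in events if start <= e[0] <= end]

if __name__ == "__main__":
    for when, model, serial in usb_storage_installs(SAMPLE_LOG):
        print(when.isoformat(), model, serial)
```

Events from this log are one input to the timeline; they still need to be correlated with the other artifacts listed above before drawing conclusions.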


Experienced Member
Oct 20, 2018
Charlotte, North Carolina Area
One thing you are going to need to remember about "doing your own thing" for forensics is how you want to proceed if you do take legal action. If you or someone else is not properly trained or does not have credited experience, then all the forensic work is lost. This could be a huge hit for stolen data cases where company proprietary information is stolen and needs to be protected. So, sometimes, it is better to talk to local law enforcement about performing the forensics on behalf of the company.

Also, in any company, forensics starts with a solid security program where the proper care is taken to log and document as much as is relevant per the company's security risk assessment.


New Member
Oct 31, 2018
It is necessary to collect the maximum number of documents and other things that have been preserved. No matter how much they lay, the main thing is that there is any information. Also, you need to look at the computer log files; all actions are displayed there and they can help prove guilt.
