Investigation of insider attacks with computer forensics



The integration of technology with business processes has substantially changed the modern workplace. Whether or not this integration has led to dramatic efficiency gains can be debated; what is indisputable is that the amalgamation has exposed organisations to a raft of new technology related risks and threats. The dangers that external attackers pose – whether they are organised crime gangs, nation-state sponsored attack groups or agenda driven ‘hacking’ collectives – are well known and constantly visible in the headlines. However, an organisation’s information security is more likely to be compromised via the actions of an employee facilitated action, and ‘insider’ attacks of this kind can have a much greater impact on the organisation than many types of external attacks.

Many organisations rightly spend a substantial amount on resources, providing external information security to protect against external attack. However, internal security is often somewhat less robust. In any case, it is essentially impossible to ‘bolt down’ internal security to such a degree that ‘insider’ attacks can be entirely prevented. Such a level of security would render the organisation’s systems inflexible and unworkable. Therefore, organisations should also implement controls that assist in detecting information leakage events, and establish procedures that enable incident investigation and recovery of commercially sensitive material. It is in this latter aspect of protecting information assets that computer forensics professionals can assist.

Internally facilitated attacks could include fraud, transfer of client data or other commercially sensitive material, as well as employee privacy violations, among other infringements. Often it can be days, weeks or even months until those responsible for organisational governance and security discover the incident has occurred. In each of these scenarios the common factor is that at least one electronic device – whether it is a laptop, mobile phone, email service, file server or even just a USB thumb drive – has been used to facilitate the information security breach. It is at this point that many organisations ask their IT department to ‘check’ relevant systems to find out what happened. This can be problematic on two levels: general IT practitioners will rarely have the forensic training and experience required to recover and identify evidence, and by directly accessing electronic devices in a non-forensic manner, the IT department may unintentionally damage the integrity of any evidence that resides on the device, as well as potentially destroy critical evidentiary artefacts in the process.

Hidden secrets

At the heart of the Microsoft Windows operating system is the Windows Registry. The Registry is a hierarchical database containing various settings and metadata which is stored and read by applications running on the computer. For forensic investigators it is a primary source of information.

Useful information that can be extracted through the interrogation of the Registry takes place when USB storage devices are inserted. Details of files and folders that have been accessed recently can be pulled out, both on the local computer and over a corporate network, including files and folders accessed from removable USB storage devices. Information can also be extracted from networks that the computer has been connected to, which includes remote desktop sessions. There is also the opportunity to extract information when particular applications are installed.

There are a plethora of other artefacts stored on computer systems which record user actions. A forensic examiner can use these artefacts to determine when a user has opened specific documents or programs, report on a user’s web browsing activity (including Google searches) and identify access to other internet based services. It is also becoming increasingly common to find mobile telephone backups residing on laptops that are being examined, which provide an additional rich source of information to inspect.

Preserving data for later admissibility in court

Accepted best electronic evidence practice requires that the data contained on an electronic storage device be forensically preserved prior to analysis to ensure court admissibility of any findings. A cryptographic checksum (hash value) is generated as part of the preservation process. This checksum can be considered as the equivalent of a digital fingerprint, and allows the practitioner to retain the preserved copy with confidence that it is a true copy of the original.

Any analysis subsequently undertaken occurs on a preserved copy. In addition to allowing for forensic analysis of current files and registry values, a forensic preservation can capture the entire storage space on a device, which includes storage space that is not currently allocated to live files. This ‘unallocated space’ often contains deleted files, data and other useful artefacts that are not visible to the standard user. The integrity of the evidence presented in Court can be assured by reference to the forensic image, verified through the MD5 hash and a correctly completed chain of custody.

Forensic IT evidence assisting with legal relief

A forensic investigation does not need to be drawn out and costly. In the event of suspected employee misconduct, a skilled forensic practitioner can specifically focus their examination on particular characteristics of the preserved data that are most likely to reflect this misconduct. This preliminary forensic analysis can yield sufficient evidence to secure injunctive relief or seek an Anton Piller order, depending on the nature of the claim and the status of any litigation already in progress.

Identifying this evidence is, however, only part of the process. The quality of the presentation of this evidence, usually in the form of an affidavit or expert report, is absolutely critical in persuading a Court that either evidence is at risk of being destroyed, (in which case an Anton Piller order might be appropriate) or if other forms of injunctive relief may be required. At this point in the proceedings, the value of having engaged a properly qualified and sufficiently experienced forensic IT expert is invaluable.

Insider attack warning signs

Organisations may wish to consider implementing detection controls on their network to identify the following warning signs. Some of these signs include employees accessing commercially sensitive files on network shares outside of standard hours, installation or use of non-sanctioned cloud services (such as Dropbox) or other file sharing/transfer applications, as well as downloading evidence destruction tools such as ‘Ccleaner’ or ‘File Shredder’.

Further to these controls, organisations should be alert to potential information theft when managing the resignation of employees with access to commercially sensitive information. This is particularly important if these employees provide vague or non-committal responses when asked about their future employment. If these employees leave to work with a competitor, or start a competing business, the temptation to take a copy of commercially sensitive material will be high.

In the above circumstances, a forensic investigation can be undertaken to confirm or allay suspicions of employee misconduct. At the very least, the organisation should consider preserving any potential electronic evidence of such misconduct before reallocating laptops, mobile phones and other electronic storage devices to new employees.


Michael Khoury is a partner at Ferrier Hodgson. He can be contacted on +61 2 9286 9864 or by email:

© Financier Worldwide


Michael Khoury

Ferrier Hodgson

©2001-2019 Financier Worldwide Ltd. All rights reserved.