Another Data Breach? The Thief May Have Left an Electronic Trail

Posted by Dawn Lomer in Corporate Security, Information Security on July 14th, 2011

A computer forensic expert has the tools to pry open the vault of secrets in your employees’ computers. And when data theft occurs, that’s the first place an investigator is likely to look for clues to the case, despite the guilty employee’s best efforts to hide them.

Naturally, the ideal situation is to prevent data theft in the first place, but that isn’t always possible, and when data theft does occur, you need the right tools to investigate it.

The most common method of covering tracks is to try to delete information, says Richard Morochove of Morochove and Associates, a computer forensic investigation and consulting firm in Toronto. Fortunately for the victims of data theft and their investigators and lawyers, deleted information is often recoverable.

When Deleted isn’t Deleted

Some data can be recovered and some can’t, says Morochove, and a number of factors determine which.

“When was the data deleted – yesterday or two years ago? Obviously if it was deleted a long time ago it would be harder to recover,” he says.

“How much of the computer hard drive was used? For example, if most of the computer hard drive is used and it’s nearing storage capacity…there’s a chance that the unused space given up by the written material will be overwritten by new material very quickly. On the other hand, if the computer drive has a lot of capacity… then there’s a better chance that some of the information thought to be deleted can be recovered,” he says.
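The two factors Morochove names, time since deletion and how full the drive is, can be illustrated with a toy model. This is an added example, not code from the article or from Morochove's firm. It assumes a simplified disk whose allocator picks free blocks at random (real file systems use other allocation strategies), and the file names and sizes are constructed.

```python
import random

class ToyDisk:
    """Constructed model: fixed-size blocks, a directory, and a free list."""

    def __init__(self, n_blocks, seed=0):
        self.blocks = [None] * n_blocks          # block contents
        self.free = set(range(n_blocks))         # unallocated block numbers
        self.directory = {}                      # name -> list of block numbers
        self.rng = random.Random(seed)           # seeded so runs are repeatable

    def write(self, name, n_blocks):
        # Assumption: the allocator picks free blocks at random.
        chosen = self.rng.sample(sorted(self.free), n_blocks)
        for b in chosen:
            self.blocks[b] = name                # any old content is overwritten here
        self.free -= set(chosen)
        self.directory[name] = chosen
        return chosen

    def delete(self, name):
        # Deletion drops the directory entry and frees the blocks;
        # the block contents themselves are left untouched.
        self.free |= set(self.directory.pop(name))


def recoverable_fraction(disk_blocks, used_blocks, later_writes, seed=0):
    """Fraction of a deleted 100-block file still intact after later writes."""
    disk = ToyDisk(disk_blocks, seed)
    disk.write("existing", used_blocks)            # data already on the drive
    target = disk.write("client_list.xlsx", 100)   # constructed file name
    disk.delete("client_list.xlsx")
    for i in range(later_writes):                  # ordinary activity after deletion
        disk.write(f"new{i}", 10)
    intact = sum(1 for b in target if disk.blocks[b] == "client_list.xlsx")
    return intact / len(target)


if __name__ == "__main__":
    for label, used in (("nearly full", 9700), ("mostly empty", 1000)):
        for writes in (0, 20):
            frac = recoverable_fraction(10_000, used, writes)
            print(f"{label:12s} later_writes={writes:2d} intact={frac:.0%}")
```

In this model the same 20 later writes destroy most of the deleted file on the nearly full drive and almost none of it on the mostly empty one.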

Computers and Privacy

Many employees are under the impression that the information they store on the computers they use at work is protected by privacy laws. The employer, however, as the owner of the computer, has a clear right to the data and doesn’t require any legal authority to search it or to hire an investigator to search it.

In civil cases, a legal procedure known as an Anton Piller order allows an investigator or lawyer on a case to search a suspect’s premises and seize his or her personal computer without prior warning. It is granted by a judge on presentation of suitable evidence. Morochove describes it as the civil equivalent of a search warrant.

However, there are differences. “With an Anton Piller order, the lawyers who work to get the order do not have the authority to enter your premises without your permission,” says Morochove. “But there’s a presumption that if you have nothing to hide, you will not stop them from entering your premises to examine your computer equipment.”

The key advantage to the Anton Piller order is that the suspect doesn’t have advance knowledge of the search. “In general it’s used for cases where data that’s relevant to the case might be easily disposed of,” says Morochove.

The Anton Piller order is used in Canada and other countries with English-style legal systems. Similar legislation in the US under the Copyright Act allows for the impounding of the personal computer of a suspect if there is well-founded suspicion of wrongdoing.

Dawn Lomer

Managing Editor

Dawn Lomer is the managing editor at i-Sight Software and a Certified Fraud Examiner (CFE). She writes about topics related to workplace investigations, ethics and compliance, data security and e-discovery, and hosts i-Sight webinars.