Use case
Employee data theft investigations.
Departing engineer with a suitcase of source code. Sales lead taking the customer list. Accountant copying spreadsheets. We document the exfiltration so HR, counsel, and the board have something defensible to act on.

Signs you may need this
Common indicators we hear from counsel and corporate clients.
- An employee resigned to join a competitor
- Unusual USB or external drive activity before departure
- Large file uploads to personal cloud accounts
- Bulk email forwarding to a personal address
- Missing client lists or proprietary documents
Scope of this work
What we cover and what we typically find.
In departing-employee matters, the recoverable artifact set is usually rich. Common findings:
- USB connection records showing the make, model, serial, and timestamp of every device plugged in (Windows registry SYSTEM hive, USBSTOR keys, setupapi logs).
- Cloud upload activity in OneDrive, Google Drive, Dropbox, and Box logs, often correlated to specific files and exact byte counts.
- Email forwarding rules that quietly redirected messages to a personal address for weeks or months.
- Browser uploads to file-sharing sites (WeTransfer, Sendspace, Mega) with timestamped POST requests.
- Print job records showing volumes and document names of materials printed off-network.
- File access timestamps in the MFT and USN journal that establish exactly which files were touched and when.
- Recently used and jump list artifacts showing the user's interaction with specific documents in the days before resignation.
- Cloud sync state that often preserves file content even after local deletion.
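As an illustration of the USB finding above, this added example (not this firm's tooling) parses setupapi.dev.log text for USBSTOR first-install entries and returns vendor, product, serial, and timestamp. The sample log is constructed, and the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log layout (not from a real matter).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230101117392&0]
>>>  Section start 2024/03/01 18:42:07.512
<<<  Section end 2024/03/01 18:42:08.101
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a1b3c4d&0&2]
>>>  Section start 2024/03/01 18:50:00.000
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_&Prod_USB_DISK&Rev_1.00\7&1c3a4b5d&0]
>>>  Section start 2024/03/04 07:15:33.009
"""

HEADER = re.compile(r"^>>>\s+\[Device Install.*? - USBSTOR\\([^\\\]]+)\\([^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
FIELD = re.compile(r"(Ven|Prod|Rev)_([^&]*)")

def parse_usbstor_installs(text):
    """Return one record per USBSTOR driver install (the device's first connection)."""
    records, pending = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            fields = dict(FIELD.findall(m.group(1)))
            instance = m.group(2)
            # '&' as the second character means the device reported no unique
            # serial and Windows generated the instance ID itself.
            generated = len(instance) > 1 and instance[1] == "&"
            pending = {
                "vendor": fields.get("Ven", ""),
                "product": fields.get("Prod", ""),
                "revision": fields.get("Rev", ""),
                "serial": instance if generated else instance.rsplit("&", 1)[0],
                "serial_is_windows_generated": generated,
            }
            continue
        m = START.match(line)
        if m and pending:
            # setupapi.dev.log timestamps are in the machine's local time.
            pending["first_install_local"] = datetime.strptime(
                m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            records.append(pending)
            pending = None
        elif line.startswith(">>>  ["):
            pending = None  # a non-USBSTOR section header; drop any stale state
    return records

if __name__ == "__main__":
    for rec in parse_usbstor_installs(SAMPLE_LOG):
        print(rec)
```

A Windows-generated instance ID cannot tie the entry to one physical device, so a report should flag those records rather than present them as a serial match.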
How we approach it
A defensible, repeatable process.
1. Scoping with HR, counsel, and IT. We agree on the custodian, the date range, the in-scope endpoints and accounts, and the deliverable. Engagements taken through counsel are structured to support a litigation-privilege claim.
2. Preservation. We preserve the relevant endpoints, M365 or Google Workspace mailboxes, OneDrive and Google Drive, Slack and Teams, and any other in-scope source. M365 audit log retention is short, so preservation begins within hours.
3. Endpoint forensics. We examine the endpoints for the artifact set above: USB activity, file access, browser uploads, cloud sync state, recently used artifacts, jump lists. The output is a timeline tied to specific exhibits.
4. Cloud forensics. We pair endpoint findings with cloud audit logs to confirm what was uploaded, downloaded, shared, or forwarded. This is often the strongest evidence because it lives outside the user's control.
5. Reporting. The deliverable is a written examiner report with a timeline, exhibit indexing, and a clear methodology disclosure. The report is structured for HR review, counsel review, and potential litigation production.
What we deliver
Concrete outputs from a typical engagement.
- 01 Forensic image of the employee's device
- 02 Timeline of file movement and exfiltration
- 03 USB device connection history
- 04 Cloud upload and email forwarding evidence
- 05 Examiner report and affidavit if required
- A preserved, hash-verified evidence set of all in-scope endpoints, mailboxes, and cloud accounts.
- A written examiner report with a timeline of suspected exfiltration activity.
- An exhibit index linking each finding to its source artifact.
- An expert affidavit if the matter requires sworn evidence.
- A chain-of-custody record from intake through archive.
Services typically engaged
Forensic services we draw on for this scenario.
Computer Forensics
Forensic imaging and analysis of Windows, macOS, and Linux systems for litigation, internal investigations, and expert witness work.
Mobile Forensics
iOS and Android extraction including chip-off, JTAG, and ISP techniques for damaged or locked devices that conventional tools cannot read.
Cloud Forensics
Defensible collection and analysis of Microsoft 365, Google Workspace, AWS, Slack, Teams, and Salesforce evidence under legal hold.
Expert Witness
Court-qualified expert witnesses delivering affidavits, expert reports, and trial testimony in Canadian civil and criminal matters.
Common questions
Employee Data Theft questions we hear most.
How quickly do we need to start preserving evidence?
Within hours. M365 unified audit log retention is 90 to 180 days by default. USB connection records on a re-imaged endpoint are gone forever. The cost of waiting compounds quickly.
Can you preserve evidence without alerting the employee?
In many cases, yes. Cloud audit log preservation is server-side and invisible to the employee. Endpoint preservation can be done through remote agents during scheduled maintenance windows or through after-hours imaging. The right approach depends on the matter.
What if the employee already returned the laptop?
Often a strong starting point. As long as the device has not been wiped or re-imaged, the artifacts on it are preserved by default and can be examined forensically. We move quickly because IT processes often re-image returned devices within days.
Can findings support termination, civil action, and criminal referral?
Yes, when the underlying methodology is defensible. The same forensic record can support a termination decision, a civil claim under the Defend Trade Secrets framework or breach of fiduciary duty, and a criminal referral under Criminal Code section 342.1 (unauthorized use of computer) where applicable.
How long does an investigation take?
A single-employee matter typically moves from intake to draft report in two to four weeks. Urgent matters can be expedited.
Related scenarios
Other use cases that often arise alongside this one.
IP & Trade Secret Theft
Source code, formulas, and proprietary data theft investigations with court-ready reports.
Workplace Misconduct
Harassment, policy violation, and misconduct investigations with defensible evidence.
Litigation Hold
Defensible preservation of devices, mailboxes, and cloud accounts once litigation is anticipated.
Suspect an employee took data on the way out?
Tell us what you saw and when. Our team will reach out as soon as possible.
