A UK-based communications company dismissed a contractor who had been working for the company for five years, developing and maintaining a database of business/corporate customers. The contractor had been using a cross-platform database application that was not supported by the company. During his exit interview, the contractor returned his company laptop, stating that he had deleted the relevant database and that he had copied confidential company information which he was going to use to set up his own company.
The company’s IT department established that there was no backup of the database which had been deleted from the laptop. Subsequently, the company's IT Security manager contacted CY4OR computer crime investigators, requesting recovery of the deleted database files and asking them to establish whether any company information had been copied to removable media.
A common misconception is that deleting a file completely removes its data from the media; this is not the case. When a user deletes a file, the area of disk that the file occupies is simply marked as being available for re-use. The operating system may then choose to overwrite that area, or a portion of it, with another file. Therefore, by utilising various recovery techniques, it is possible to recover files, or portions of files, that have been deleted, or deleted and then partially overwritten.
These techniques identified the relevant database files, which were recovered successfully, and although the files were password protected, the computer forensic examination identified the relevant passwords. The computer forensic analysis also identified that an external USB CD Rewriter had been connected to the laptop and that the software required to ‘burn’ a CD was installed; a log file relating to this software established that the database files had been copied to a CD Rewritable drive.
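The deletion behaviour described above can be shown with a toy model. This is an added example, not code or tooling from the investigation: `ToyDisk`, its 16-byte clusters, the file names and the sample bytes are all constructed, and no real filesystem format is modelled. It shows a deleted file being fully recoverable from unallocated space, then only partly recoverable (including from the slack of the file that reused its space) after a smaller file is written.

```python
CLUSTER = 16  # bytes per cluster; tiny so the constructed sample stays readable
class ToyDisk:  # hypothetical volume: raw bytes plus an allocation bitmap
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.in_use = [False] * clusters
        self.files = {}  # name -> (cluster list, length in bytes)

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)  # ceiling division
        free = [i for i, used in enumerate(self.in_use) if not used][:need]
        if len(free) < need:
            raise OSError("no free clusters")
        for n, c in enumerate(free):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the cluster's tail keeps old data.
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.in_use[c] = True
        self.files[name] = (free, len(content))

    def delete(self, name):
        for c in self.files.pop(name)[0]:
            self.in_use[c] = False  # bitmap flips to "free"; the bytes stay

def unallocated_remnants(disk):
    """Clusters marked free that still hold non-zero bytes, as {index: bytes}."""
    raw = lambda c: bytes(disk.data[c * CLUSTER:(c + 1) * CLUSTER])
    return {c: raw(c) for c, used in enumerate(disk.in_use) if not used and any(raw(c))}

def slack_remnant(disk, name):
    """Old bytes left after the end of a live file inside its last cluster."""
    clusters, length = disk.files[name]
    used_in_last = length - (len(clusters) - 1) * CLUSTER
    start = clusters[-1] * CLUSTER
    return bytes(disk.data[start + used_in_last:start + CLUSTER])

# Constructed sample: a four-cluster "database" file.
DB = b"DBHDR-customers|rec1:acme-ltd..|rec2:globex-co.|rec3:initech...|"

def demo():
    disk = ToyDisk(8)
    disk.write("customers.db", DB)
    disk.delete("customers.db")
    after_delete = b"".join(unallocated_remnants(disk).values())
    disk.write("notes.txt", b"x" * 20)  # reuses clusters 0 and 1
    after_reuse = b"".join(unallocated_remnants(disk).values())
    return after_delete, after_reuse, slack_remnant(disk, "notes.txt")

if __name__ == "__main__":
    print(demo())
```

In the toy model only the first cluster of the deleted file is lost outright; on real media the recoverable portion depends on how much of the freed space the operating system has reused.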