Lighthouse Finds the Hidden Forensic Evidence Other Teams Miss

Lighthouse's forensics experts found hidden clues missed during an internal investigation, proving a departing employee was stealing company data.

Download the case study

Lighthouse Key Results

By quickly engaging Lighthouse forensics experts: 

  • The company stopped proprietary and sensitive information from being disseminated and used by competitors. 
  • The company’s law firm was able to quickly take action against the employee, preventing any further malfeasance or damage.

Investigation Overview

Week 1

Day 1 – 4 — Employee uploads company data onto a personal Google Drive account over the span of four days.

Day 4 – 5 — An internal investigation concludes that all company data has been deleted from the employee’s personal data sources and no further action is needed. However, the company’s outside counsel calls in Lighthouse forensics experts to perform a separate investigation for affirmation.

Day 6 — Lighthouse forensics experts find evidence missed during the company’s internal investigation, indicating that the laptop provided to internal investigators was a “decoy,” and that the employee had actually transferred the proprietary company data onto an as-of-yet undisclosed laptop. 

Week 2–4

Outside counsel uses Lighthouse’s findings to file a restraining order against the employee and elicit a confession wherein the employee admitted they had downloaded the proprietary data onto a secret laptop—owned by another business.

Week 6

Lighthouse forensics team is provided access to the additional laptop and the employee’s private Google Drive account. Although there is no company data stored on the drive, the Lighthouse team dives deeper and immediately finds that the employee had restored the previously deleted company data back to their Google Drive account, transferred it the secret laptop, and then deleted it again from the Google Drive account. These findings enable outside counsel to take additional remediating actions.

Suspicious Activity by a Departing Employee Raises Alarm Bells

During routine internal departing employee analysis, a global company was alerted to the fact that an employee had uploaded more than 10K files containing sensitive proprietary data to a personal Google Drive account. The company immediately launched an internal investigation and engaged their outside counsel. 

Over the course of the internal investigation, the employee admitted they had uploaded company data to their Google Drive, and then used an external hard drive to transfer that data onto a personal laptop. However, the employee avowed that all company data had since been deleted—which the company’s IT team confirmed by examining all three data sources. 

However, due to the sensitivity of the data, outside counsel wanted additional reassurance that the employee was no longer concealing proprietary company data. The law firm had previously relied on Lighthouse forensics experts for similar investigations and knew that they could count on Lighthouse expertise to find any hidden clues that would point to additional hidden data.  

Finding the Forensic Breadcrumbs

Week 1

The Lighthouse forensics team received access to forensic images of the employee’s personal laptop and external hard drive within one week of the first suspicious upload. The team immediately noticed that the employee’s data tracks conflicted with the timelines and statements provided by the employee during the company’s internal investigation.

Key Evidence Found by Lighthouse Forensics Experts

  • The external hard drive used to transfer company data had not been plugged in to the personal laptop during the relevant time frame. 
  • File paths identified on the external hard drive (which show the file locations where data was downloaded upon connection) did not match those on the personal laptop provided to internal investigators. 

This evidence led the Lighthouse team to conclude that the laptop provided by the employee was not the laptop used to download company data—and that a different laptop with the stored proprietary company data existed but had not been disclosed by the employee.

Week 2–4

A Lighthouse forensics expert provided a sworn declaration explaining the evidence found during the examination of the employee’s personal devices.  

The company’s law firm used this declaration to file a restraining order to stop the employee from continuing to steal or disseminate proprietary data. The law firm also used Lighthouse’s findings to elicit a confession from the employee, admitting that they had been secretly working part-time for another business, and had transferred the company’s proprietary data onto a laptop provided to the employee by that business. 

Week 6

Within two weeks of the Lighthouse forensics expert’s sworn declaration, the Lighthouse team was provided access to the laptop owned by the other business, as well as the employee’s personal Google Drive account. Lighthouse’s inspection of the Google Drive did show that all company data had been deleted, as had been confirmed by internal investigators. However, Lighthouse immediately went deeper into the Google Drive and found conclusive evidence that the employee had subsequently “restored” the deleted proprietary data just a few days after the internal investigation ended, in an attempt to continue with the data theft. 

Key Evidence Found by Lighthouse Forensics Experts

Despite the fact that no company data was stored on the employee’s personal Google Drive account at the time Lighthouse received access to it, Lighthouse forensics experts went above and beyond to do a deeper forensic dive into the user activity log, email account, and internet searches stored on the Google Drive. That deeper analysis showed that:

  • Two days after the internal investigation ended, the employee began conducting numerous internet searches for ways to “restore” deleted files on Google Drive.
  • Two weeks later, the employee emailed a private IT company asking for help restoring deleted Google Drive files. 
  • One day after sending that email, thousands of files were restored to the employee’s Google Drive. Those restored files were once again deleted a few days later. 
  • Before the restored files were re-deleted, the employee downloaded some of the files containing company data to the “secret” laptop owned by another business.

Keeping a Lid on Pandora’s Box

The evidence found by Lighthouse forensics experts after their initial examination of the employee’s personal devices enabled the company’s law firm to take legal action against the employee less than one month after the first suspicious data upload.

Within one day of being provided access to the employee’s personal Google Drive account, Lighthouse forensics experts were able to find exactly how and where the stolen proprietary and sensitive data was hidden. This enabled the company to permanently prevent any dissemination of that proprietary and sensitive data to competitors.