Over the last 20+ years, Cyber Agents has assisted in hundreds of cases, some of which involved employee espionage. Today we’ll discuss a particular case where an employee was using company funds to purchase computer parts for their IT side business. Once we got involved, we identified his phone and computers. We used Cellebrite’s Physical Analyzer to take an extraction of his iPhone, and we used a hardware forensic imager to take forensic images (clones in a forensic format) of his computers’ hard drives. The devices were one Mac mini, one standard Dell desktop, and an iPhone. Unfortunately, once he learned he was fired, the employee reset his phone.
It is VERY important to secure company devices before you notify an employee that they have been let go. Have them either tell you their passcode or enter the passcode for you so that it can be changed to something known by management. Change the passcode rather than removing it: removing the passcode also removes access to shared items in the iOS keychain. Keeping that access isn’t strictly necessary, but it’s good forensic practice to change as little as possible on the device. (If they refuse to tell you the passcode, we can crack it for you!) Then place the device into airplane mode and make sure to disable Bluetooth and Wi-Fi in the Settings menu, not in the Control Center pull-down menu. Then give us a call at 859-523-9081 to have us preserve the devices. Even if you don’t intend to go after the person, preserving the data is important in case something comes up. Phone and laptop collections can be performed remotely, so there is no need to ship the devices in most cases.
In this case, because the phone wasn’t secured, we lost valuable information. Fortunately, the suspect IT person had backed up his phone to the company Mac mini, and we were able to locate an older backup that had some of his personal business data on it. The suspect used a Newegg account to purchase the equipment. We were not able to access the account itself to get a list of parts, but we were able to find emails listing the purchased parts, and we had the credit card bills showing Newegg purchases on the company card. The company declined to pursue the matter, so the individual got away with the fraud. Will your employees get away with it?