Call us — 0191 406 1051
Mon–Fri · 9am–5:30pm · No fix, no fee
Start a free diagnostic →
← All case files // case file · Forensic investigation

Did a departing employee take company data?

A resignation to a competitor, a returned laptop, and a single question: did company data leave with them? An evidential investigation in OSForensics.

DeviceWindows 10 laptop
FaultSuspected data exfiltration
Turnaround5 days
OutcomeEvidence secured
ToolsOSForensics · PC3000

The brief

A Newcastle company came to us after a salesperson resigned to join a direct competitor. They suspected — but couldn't prove — that the owner database and current price lists had been copied before the laptop was handed back. What they needed was a defensible answer to one question: had company data left the building, and if so, how? Our task was to find out and to document it to a standard their solicitors could rely on.

Preserving the evidence

An investigation like this is only as sound as the evidence beneath it, so the opening move was to take a hash-verified .E01 image of the returned Windows 10 laptop behind a hardware write-blocker (for any drive that's the least bit unstable we acquire with the PC3000). The original went into a bag and into storage; from then on every action ran against a mounted, read-only copy. The entire case was worked in OSForensics with its audit trail enabled, so each step we took was recorded and tamper-evident.

Following the trail

OSForensics assembles a “super timeline” drawing together user and system activity, and that is where it all fell into place. Its reconstruction of USB history — pieced together from the Windows event logs and the USBSTOR registry keys — flagged a SanDisk flash drive attached on the evening two days ahead of the resignation, down to its serial number and the times it first and last connected. Sitting on the file-activity timeline, minutes before that attachment, was the export of the owner database and a run of price-list spreadsheets. Indexing the OST archive that held the user's mailbox brought up a pair of messages fired off to a personal address with a price list attached, while the browser history recorded a personal-webmail sign-in and an upload to personal cloud storage inside the very same window.

The user had also deleted the local copies afterwards — but “deleted” rarely means gone. Using OSForensics' deleted-file carving, including recovery from carved MFT records, we pulled the removed database export back out of unallocated space, pinning down exactly what had been taken.

The report

The output from OSForensics was a complete, hash-verified report drawing the threads together: the USB device and its timestamps, the timeline of file copies, the emails sent out, the cloud upload and the deleted exports we had carved back — every item anchored to a secure audit trail. It went to the company's legal team as the evidential foundation for whatever they chose to do next. Five working days from first to last. We take on workplace investigations solely for the owner of the equipment, and only under written instruction.

Tools used on this job

OSForensics · PC3000 — imaging and recovery carried out in-house. Every job is imaged before any recovery work begins, and the original media is never written to.

// sending your device in

Two simple steps.

Send us your device for a free diagnostic, and tell us a little about what happened — an engineer will review it and confirm your exact quote in writing before any work begins.

1

Send us your device

Getting your data back begins with getting the device to us. Pack it up safely, pop your contact details inside, and send it over — once we’ve run the free diagnostic, we’ll confirm your exact price in writing before any work starts.

How to pack it
  • Box the device up in a small, sturdy carton or a padded envelope.
  • You can leave out caddies, cables and power supplies — none of them are needed for the recovery.
  • Pop your details inside — name, address, phone and email, on a slip of paper or via our shipping form — and seal it up.
Post toNewcastle Data Recovery
Rotterdam House, 116 Quayside
Newcastle NE1 3DY
Shipping formPDF · print & include with your devicePDF ↓

Posting it? A tracked, insured service is what we’d recommend. Rather drop it in? You’re welcome Monday to Friday, 9am to 5:30pm — just package the device up as above first.

2

Need more information?

Want a bit more detail first? Fill in the form with more about your issue and an engineer will review it and send you a custom quote.

An engineer reviews every enquiry personally — we usually reply within 30 minutes during the day. Prefer to call? 0191 406 1051.

Thanks — your message is in.

We’ll be in touch shortly. For anything urgent, call 0191 406 1051.

Common questions

Can you tell if an employee took or deleted company data?

Yes — through USB-device history, file-activity timelines, mailbox analysis and deleted-file recovery, all captured and preserved to an evidential standard.

Is your forensic report admissible?

We work from a hardware write-blocked, hash-verified image with a full audit trail, and produce a report fit for solicitors or a tribunal.

How much does a forensic investigation cost?

From £800 plus VAT. We take on workplace investigations only for the owner of the equipment, under written instruction.

Related

// ready when you are

Facing something similar? Let's help.

Start with an instant online quote, or call and talk it through with us first. You'll have a clear, fixed price before any work begins.

Rotterdam House, Newcastle NE1 3DY · Mon–Fri 9am–5:30pm · No fix, no fee on most jobs