Question about file access history - someone stole files at work

MrDudeMan

Lifer
Jan 15, 2001
I accidentally overlooked the permissions on a shared folder, which allowed domain users to access sensitive information. I noticed the problem on Monday of this week and I fixed it immediately. However, someone who overheard me talking about it reported that someone else had looked at the data. She knows because he talked to her about it.

After looking at his computer, I noticed he accessed files by looking at his recent file history (shell:recent via run). I also noticed that the path to some of the files had changed from P: to F: and the root folder name 'Public' had been changed to 'New Public'. I used a utility to show me which drives had been mapped and it showed an F: that was not connected, so that tells me he copied all of the sensitive data to a removable drive. Am I on the right track?

The images are here. The _Administrative folder is supposed to be hidden and the _Mgr. Adm. Svcs folder is supposed to be even more protected. He viewed the files on P:, which is a mapped drive on his computer, and then he viewed the files on F:, which is not a mapped drive. Any advice or input would be greatly appreciated. He's denying that he copied any data and I'm 99% sure he's lying. The police are on the way as I write this.
 
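The reconstruction described in the post above (Recent Items showing the same files first under P: and then under F:, plus a drive letter that is no longer connected) can be pulled out of a user's profile and the machine's registry directly. The PowerShell below is an added example, not code from the original poster; the profile path and the name the hive is loaded under are assumptions.

```powershell
# Added example, not code from the original post. Reconstructs which files a
# user opened, and from which drive letter, from the Recent Items shortcuts
# that Explorer keeps (the same data "shell:recent" shows), then lists the
# drive letters the machine has ever assigned to USB volumes. Run as an
# administrator on the user's PC, preferably against a copy of the profile.
$ProfilePath = 'C:\Users\suspect'   # assumption: profile of the user under review
$RecentDir   = Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Recent'

$Shell = New-Object -ComObject WScript.Shell
$Items = Get-ChildItem -Path $RecentDir -Filter '*.lnk' -File -ErrorAction Stop |
    ForEach-Object {
        $lnk = $Shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            # Explorer rewrites the .lnk each time the item is opened, so its
            # LastWriteTime is the most recent open; CreationTime is the first.
            FirstOpened = $_.CreationTime
            LastOpened  = $_.LastWriteTime
            Drive       = $(if ($lnk.TargetPath -match '^([A-Za-z]):') { $Matches[1].ToUpper() + ':' } else { '' })
            Target      = $lnk.TargetPath
        }
    }

# The same file name under two drive letters is the pattern in the post:
# opened on the mapped P: share, then again from a second volume F:.
$Items | Sort-Object LastOpened | Format-Table LastOpened, Drive, Target -AutoSize
$Items | Where-Object Drive | Group-Object Drive | Select-Object Name, Count

# Persistent mapped drives live in the user's hive under Network\<letter>.
# If the user is not logged on, load the hive first:
#   reg load HKU\Suspect "$ProfilePath\NTUSER.DAT"
$NetKey = 'Registry::HKEY_USERS\Suspect\Network'   # assumption: hive loaded as HKU\Suspect
if (Test-Path $NetKey) {
    Get-ChildItem $NetKey | ForEach-Object {
        [pscustomobject]@{ Drive = "$($_.PSChildName):"; RemotePath = (Get-ItemProperty $_.PSPath).RemotePath }
    }
}

# HKLM\SYSTEM\MountedDevices keeps a \DosDevices\<letter> entry for every
# volume that has held a drive letter, including removable disks that are no
# longer attached. USB volumes decode to a readable ..USBSTOR#... string;
# fixed disks store a binary disk signature, which decodes to junk and is skipped.
(Get-ItemProperty 'HKLM:\SYSTEM\MountedDevices').PSObject.Properties |
    Where-Object { $_.Name -like '\DosDevices\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Letter = $_.Name -replace '^\\DosDevices\\', ''
            Device = [System.Text.Encoding]::Unicode.GetString([byte[]]$_.Value)
        }
    } |
    Where-Object { $_.Device -like '*USBSTOR*' } | Format-Table -AutoSize
```

A drive letter that shows up in Recent Items with no matching entry under the user's Network key but with a USBSTOR entry in MountedDevices is a removable disk, not a share. Two caveats: MountedDevices keeps only the last device that held a given letter, so a reused F: hides earlier sticks, and the .lnk timestamps are overwritten on each open, so copy the Recent folder before browsing it.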

MushyNAT

Junior Member
Jun 14, 2017
I'm not really sure what you expect the police to do about it, accessing a file you have rights to isn't something they're going to arrest this guy for. But that aside, is this in a domain environment? If so, do you have auditing enabled on the fileserver the files were located on? Windows by default does not provide any sort of centralized file access auditing trail, but detailed auditing is a feature on Windows Server that will show file access events in event viewer on the server.

If not, the best you can do is leave the user's PC alone, nobody touches it, and hire a computer forensics firm to gather any details they can about file access (such as Word's recently accessed files list, which shows full file paths, etc.). Though that might not even be worth the time or the money, you *might* have a civil suit against this guy if he was trying to exfiltrate client data against the company acceptable use policy. You'll have to consult your company's attorney.
 
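The file-server auditing the reply above refers to has two parts: the audit policy has to be enabled, and the sensitive folder needs a SACL saying which accesses to record. The PowerShell below is an added example, not from the original thread; the share path is an assumption, and the script needs PowerShell 5 or later run as an administrator on the file server.

```powershell
# Added example, not code from the original thread. Turns on object-access
# auditing on a Windows file server and adds a SACL to the sensitive folder so
# that reads, writes, deletes and permission changes by any account produce
# event 4663 in the server's Security log. Run as an administrator on the server.
$SharePath = 'D:\Shares\Public\_Administrative'   # assumption: local path behind the share

# 1. Enable the "File System" subcategory of Object Access (success and failure).
#    If a domain GPO sets audit policy, set it there instead; a local change is
#    overwritten at the next policy refresh.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit (SACL) entry for Everyone, inherited by all subfolders and files.
#    Reading the SACL needs SeSecurityPrivilege, which an elevated admin has.
$acl    = Get-Acl -Path $SharePath -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, Write, Delete, ChangePermissions, TakeOwnership'
$rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Later: pull every 4663 (object accessed) event for that folder from the last
#    7 days and show who opened what, with which access mask, from which process.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = $d.AccessMask      # e.g. 0x1 ReadData, 0x2 WriteData, 0x10000 Delete
            Process = $d.ProcessName
        }
    } |
    Where-Object { $_.Object -like "$SharePath*" } |
    Sort-Object Time | Format-Table -AutoSize
```

Two things to know before relying on this: 4663 records the first access on an open handle, not every read, so a bulk copy of a folder appears as one 4663 per file, which is exactly the signal you want; and for access over SMB, enabling the "Detailed File Share" subcategory (event 5145) also logs the share-relative path and the client IP. Audit on a large, busy share only the folders that matter, or the Security log rolls over before anyone looks at it.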

MrDudeMan

Lifer
Jan 15, 2001
Regarding the access rights, he didn't have rights to it and that's covered in our orientation about security and privacy. He knew he shouldn't be looking at it, which is why he copied it to another drive. He also told another employee that he knew everyone's salaries and many other things that he shouldn't have known. Thankfully, she spoke up, but only after a few days had passed and I had already caught and fixed the breach on my own. I didn't realize when I fixed it that it had been copied, though. I'm not an IT pro, so I'm doing the best I can.

The police arrested him and charged him with a second degree felony. He stole sensitive data about as many as 49 former and current employees. Our attorney filed a restraining order against him and the data (I'm not sure how that works. Maybe I'm wrong, but it's something like that). I believe he is going to be prosecuted, but I don't know and I'm not in the loop anymore.

I don't believe his intent was to steal client data. Actually, no one knows what his intent was because I don't think he knows. I have his flash drive in my possession now, so I'm trying to recover deleted files. I think we already have enough evidence given the logs on his computer, but seeing the data on his drive would be pretty damning. He didn't format it, but he did delete the files if they were on this drive.

I turned on file auditing. I didn't know it was off by default, so thanks for that.
 

Bardock

Senior member
Mar 12, 2014
Maybe use Disk Investigator on the flash drive:

http://www.majorgeeks.com/files/details/disk_investigator.html

Disk Investigator helps you to discover all that is hidden on your computer hard disk. It can also help you to recover lost data. Display the true drive contents by bypassing the operating system and directly reading the raw drive sectors. View and search raw directories, files, clusters, and system sectors. Verify the effectiveness of file and disk wiping programs. Undelete previously deleted files.
 

MrDudeMan

Lifer
Jan 15, 2001
Thanks for the tip. I wasn't able to find anything on the flash drive because we had the wrong drive. Apparently, he connected more than one external drive to the computer to steal data. I brought the computer to a forensic analysis firm. They're going to give us the model and serial number of every drive that has been attached to the computer and specifically which one was used to copy the data.
 

Elixer

Lifer
May 7, 2002
You might also want to look at disabling the mounting of USB devices (either via the registry, with software, or physically).
BTW, if the police didn't confiscate all the USB devices they had on them, then usually they don't have a case, just a strong suspicion, but eyewitness accounts of what he said to them sure do help.
Who knows, he might have tossed the USB drive once he knew you were on to them.

Also, what exact OS version were you guys using?
 
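The "model and serial number of every drive that has been attached" that the forensic firm was asked for, and the registry-based USB disabling suggested just above, both come out of the same part of the registry. The PowerShell below is an added example written for this thread, not code from any poster or from the forensic firm; it reads the USBSTOR enumeration keys and the Plug and Play date properties (present on Windows 8 and later), and needs to run as an administrator.

```powershell
# Added example, not code from the original posts. Lists every USB mass-storage
# device Windows has ever enumerated on this machine, with vendor, product,
# serial number and the connection timestamps Plug and Play records, then shows
# how to disable the USB storage driver so no further removable disks mount.
# The property GUID and indices are the documented device-property keys
# (DEVPKEY_Device_FirstInstallDate, LastArrivalDate, LastRemovalDate).

function ConvertFrom-DevPropFileTime {
    # The date properties are stored as 8-byte FILETIME values.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [byte[]] -and $Value.Length -ge 8) {
        return [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Value, 0))
    }
    if ($Value -is [long]) { return [DateTime]::FromFileTimeUtc($Value) }
    return $Value
}

function Get-UsbStorageHistory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return }
    $propGuid = '{83da6326-97a6-4088-9453-a1923f573b29}'
    foreach ($model in Get-ChildItem $root) {
        # Key name looks like Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00
        $ven  = if ($model.PSChildName -match 'Ven_([^&]*)')  { $Matches[1] } else { '' }
        $prod = if ($model.PSChildName -match 'Prod_([^&]*)') { $Matches[1] } else { '' }
        foreach ($inst in Get-ChildItem $model.PSPath) {
            $serial = $inst.PSChildName -replace '&\d+$', ''   # drop the &0 instance suffix
            # If the second character of the instance ID is '&', the device had no
            # unique serial and Windows generated one; it cannot identify a specific stick.
            $unique = -not ($inst.PSChildName.Length -gt 1 -and $inst.PSChildName[1] -eq '&')
            $times = @{}
            foreach ($t in @{ FirstInstalled = '0065'; LastArrival = '0066'; LastRemoval = '0067' }.GetEnumerator()) {
                $key = Join-Path $inst.PSPath "Properties\$propGuid\$($t.Value)"
                $raw = (Get-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
                $times[$t.Key] = ConvertFrom-DevPropFileTime $raw
            }
            [pscustomobject]@{
                Vendor         = $ven
                Product        = $prod
                Serial         = $serial
                UniqueSerial   = $unique
                FriendlyName   = (Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue).FriendlyName
                FirstInstalled = $times.FirstInstalled
                LastArrival    = $times.LastArrival
                LastRemoval    = $times.LastRemoval
            }
        }
    }
}

Get-UsbStorageHistory | Sort-Object FirstInstalled | Format-Table -AutoSize

# Prevention: setting the USBSTOR service start type to 4 (Disabled) stops
# Windows from loading the USB mass-storage driver, so new sticks and external
# disks will not mount. It does not affect keyboards, mice, phones in MTP mode
# or network shares; use the device-installation-restriction GPOs for wider control.
function Disable-UsbStorage {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4
}
function Enable-UsbStorage {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 3
}
```

Cross-check the output against C:\Windows\INF\setupapi.dev.log, which records the first install of each device with a timestamp, and against the MountedDevices letters from the Recent Items reconstruction: the device whose LastArrival sits just before the F: entries in the user's Recent folder is the one that carried the files. A machine with several sticks listed is exactly the "we had the wrong drive" situation described earlier in the thread.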

MrDudeMan

Lifer
Jan 15, 2001
Well, we have the evidence that information was stolen, but the detective told me, and this is a literal quote, "we only deal with real crimes." Apparently, because intent can't be proven and nothing physical was stolen, there's no crime. I spoke with several lawyers who are completely astounded by what is happening, but we don't seem to have much recourse because the detective doesn't understand computer crimes _at all_.

He told me the information has no monetary value, which is the primary problem. Corporate assets definitely do have monetary value, though, so he's completely wrong. He also did not understand even a little bit how file permissions are supposed to work. I didn't even get to say any technical jargon before it was obvious he was being very dismissive and didn't want to spend his time on this. He tried to make a point about how the user could have accessed the data from home and copied it there, but that's completely wrong as the user had no VPN access and why would that matter anyway? Does stealing something from home make it totally legit? The whole conversation was like that.

I don't know what to do, but this isn't over. There's no way I'm going to let a dumbass detective who probably can't work his way out of Notepad put the brakes on this. A huge amount of information was verified to be stolen by a third party forensic firm and the guy tells me no crime has been committed because I can't prove intent. What a fucking joke.
 

Elixer

Lifer
May 7, 2002
> I don't know what to do, but this isn't over. There's no way I'm going to let a dumbass detective who probably can't work his way out of Notepad put the brakes on this. A huge amount of information was verified to be stolen by a third party forensic firm and the guy tells me no crime has been committed because I can't prove intent. What a fucking joke.
Ask for the detective's supervisor, or you can contact the AG, but they usually want you to deal with the police first.
Data theft is a crime last I looked, in almost every state.
 

deustroop

Golden Member
Dec 12, 2010
Can also sue for breach of trust, conversion (civil theft) and invasion of privacy, getting a quick injunction on any further movement of the "goods" to a third party. But do it now.
 