Insider Data Theft¶
Scenario 1: Insider Data Theft¶
Let's assume a disgruntled employee was not promoted recently because of poor performance. He has been seen making attempts to access sensitive files, and it is doubtful that he may be sending confidential company documents to a competitor using communication apps.
Keeping this scenario in mind, we will frame the following forensic questions to be asked/looked for on his confiscated device.
Forensic Questions to Frame
- Who had access to the WhatsApp account on the device?
- What documents or files were shared through the app?
- When were the messages sent and received?
- Which contacts were involved in the communication?
- Was WhatsApp used exclusively, or were other communication apps like Telegram or Signal involved?
- Were screenshots or screen recordings taken of sensitive information?
- Is there any indication of deleted messages or use of "disappearing messages"?
Where to Find These Questions?
To find the answers to these questions, we will extract and examine the following evidence:
- WhatsApp db
- Other communication apps
- Evidence of deleted messages
- Chat logs
- Evidence of presence / deleted communication apps, etc