Computer hacking

Where there are computers, there are potentially hackers. The threat to organisations from hacking by insiders has always been far more serious than the threat from outside, and the potential for damage from this threat is, if anything, higher today than it ever was in the past.

The problem
Our client, a large industrial company, found that a number of key financial records were missing from their network. Our client was convinced that the records in question could not have been deleted accidentally. To make things worse, the records were required urgently for presentation to a Revenue Commissioners audit team. We were asked to find out if they had been deleted, and by whom. We were also asked, if possible, to retrieve as many of the financial records as might still exist on the computers.

The solution
We used specialised network search tools to determine whether or not the key documents were still present on the network. We also searched a number of retired computers still held in storage by our client. We found all but two of the key files stored on an e-mail computer which had been retired a few weeks before. We also took a forensic copy of the company’s financial file server. From this we were able to retrieve deleted versions of the final two files.

Once the files had been recovered, we investigated who had moved them in the first place. Through a close examination of system logs, file and directory access times and other data, we were able to determine that the files had been moved by a system administrator in the hours before they submitted their resignation to the company. The removal of the files was done as a form of “retribution” against their employer.

The files were forwarded to the Revenue Commissioners. Our client is now considering implementing an up-to-date document management system.

Please click here to download Grant Thornton’s guide to dealing with hacking incidents.