According to Potrafka, when insiders steal corporate data, they tend to do it via noncorporate e-mail accounts or using external storage media.
Potrafka spent four years as a Special Agent, Computer Forensic Examiner, and Internet Investigator in the High Tech Crime Unit in Michigan Attorney General's Office, and served as a law enforcement officer for 24 years. "Certainly, hacks take place. ... Those are the ones that makes the papers," he says. "But it's more common that it's insider-related and employee-related."
Nowadays, Potrafka tends to work for clients in civil actions, though he still works on the occasional criminal case. A lot of his work involves e-mail analysis and keyword searches.
"A few years ago, we did a case for a major banking corporation where the president of the corporation and the majority of the staff, all within a two-to-three day period, resigned and went to another bank," he said. "We got a call on a Saturday from IT at the bank asking us to come look at some computers at the bank on Monday. Rather than wait until Monday, we came in on Saturday night and started looking at them and by Monday morning, we had found out that the president plugged in an external hard drive to his computer two days before he resigned."
The bank's attorneys then filed a legal demand to see that hard drive, Potrafka said. When they received it, they found stolen files.
Encryption can be an issue, but it isn't a common problem. "If a file is truly encrypted, without the key, you're not looking at it," Potrafka said. "But very honestly, we don't see much of it."
Potrafka participated in a homicide investigation several years ago in which he was asked to construct a timeline that showed when a murder victim had been using her computer.
"It was a case where the husband came over and killed his ex-wife," he said. "She had been connected to America Online. And the America Online records showed she was online the entire time, from like 8:00 p.m. or 9:00 p.m. until 7:50 am the next morning, when her son found her deceased. We were asked to look at the computer and show when she was really using it. ...Working with Microsoft and America Online, we were able to show that she stopped using the computer about 10:50 p.m., which is about her estimated time of death. It kind of blew a hole in the husband's defense." Potrafka was also involved in an industrial espionage case involving the sale of trade secrets to China.
"We were asked to analyze an engineer's laptop computer and desktop computer and his PDA," he said. "We were able to show where he had been taking trade secrets out of the country, actually, and selling them to China."
Potrafka said he sees a lot of trade secret theft. Such cases, he said, often involve fired or departing employees who take contact lists, price lists, or plans when they leave. He said he works closely with clients to encourage them to preserve their data, because bringing in new employees to work on the same computer as someone who just left the company overwrites what the former user of the computer was doing.
The blurring of boundaries between work and home life poses a problem for forensic investigations, Potrafka said. While data can be recovered from any computer, corporate IT departments have far less control over what happens on personal computer equipment that's used for work. "When the sales manager leaves and he has been working at home, it's not so easy for IT to go and look at his home computer," he said.
The ideal scenario from an IT perspective, Potrafka said, is for companies to provide and own the equipment that workers use at home.
Investigating Windows machines is the easiest, said Potrafka, because more tools have been developed for Windows forensics. "When you're getting into the Apple Macintosh world and the Linux world, the investigations become more complex," he said.
Major forensic software packages include EnCase Forensic (Windows, Linux, AIX, OS X, Solaris), Forensic ToolKit (Windows), MacForensicLab (Mac OS X, Linux, Windows), and Blackbag Technologies (Mac OS X), to name a few.
So what should you do if you think your company's security has been breached? InformationWeek has published an independent analysis on the topic. Download the report here (registration required).