"We were asked to analyze an engineer's laptop computer and desktop computer and his PDA," he said. "We were able to show where he had been taking trade secrets out of the country, actually, and selling them to China."
Potrafka said he sees a lot of trade secret theft. Such cases, he said, often involve fired or departing employees who take contact lists, price lists, or plans when they leave. He said he works closely with clients to encourage them to preserve their data, because bringing in new employees to work on the same computer as someone who just left the company overwrites what the former user of the computer was doing.
The blurring of boundaries between work and home life poses a problem for forensic investigations, Potrafka said. While data can be recovered from any computer, corporate IT departments have far less control over what happens on personal computer equipment that's used for work. "When the sales manager leaves and he has been working at home, it's not so easy for IT to go and look at his home computer," he said.
The ideal scenario from an IT perspective, Potrafka said, is for companies to provide and own the equipment that workers use at home.
Investigating Windows machines is the easiest, said Potrafka, because more tools have been developed for Windows forensics. "When you're getting into the Apple Macintosh world and the Linux world, the investigations become more complex," he said.
Major forensic software packages include EnCase Forensic (Windows, Linux, AIX, OS X, Solaris), Forensic ToolKit (Windows), MacForensicLab (Mac OS X, Linux, Windows), and Blackbag Technologies (Mac OS X), to name a few.
So what should you do if you think your company's security has been breached? InformationWeek has published an independent analysis on the topic. Download the report here (registration required).