The IT director noticed something odd on a Monday morning. An employee who’d given two weeks’ notice the previous Friday had accessed the company’s engineering shared drive over the weekend — twice, from the office building, after hours. Both accesses happened between 11 p.m. and 1 a.m. Badge records confirmed the employee had badged in both nights.

By Wednesday, the company’s outside counsel had called asking for a forensic examination. By Friday, we had the employee’s company-issued laptop and company phone in hand and authorization to proceed with acquisition.

This is a composite illustration based on patterns common to corporate trade secret investigations. The facts described are representative of how these matters typically unfold, not a specific client case.


The Scope of the Engagement

Counsel’s instruction was precise: determine what the departing employee accessed, copied, or transmitted from company systems in the 60 days prior to resignation. The relevant data categories were engineering specifications, customer lists, and pricing models — all clearly covered by the employment agreement’s confidentiality provisions.

Two devices in scope:

  1. Company-issued Windows laptop
  2. Company-issued Android smartphone

The shared drive access logs from the corporate network were already preserved by IT and would serve as corroboration. Our job was to examine the endpoints to determine what left the network and how.

A clear scope at the outset matters enormously. Corporate espionage examinations have a tendency to expand as you find things — every new lead wants to be followed. Without a written scope, you end up in a months-long examination covering years of data and generating evidence that’s legally and technically outside your authorization. Write the scope, get counsel’s sign-off, stick to it.


The Logical Acquisition Decision

Full forensic imaging of both devices would have been ideal from a completeness standpoint. But we had practical constraints.

The Android device was enrolled in the company’s MDM (mobile device management) system, and IT had not yet suspended the policy for this device. A physical acquisition, which means taking the device offline and out of a compliant state for the duration, risked triggering the policy’s remote-wipe action. We had two choices: wait for IT to suspend MDM and accept that the device would keep changing in the meantime, or proceed with a logical acquisition while the device stayed enrolled and document why.

We chose logical acquisition with full documentation of the rationale. Counsel was notified and agreed.

Logical acquisition captures the data visible to the operating system: files, messages, call logs, app data, media. It doesn’t capture deleted data in unallocated space, and it may not capture everything in encrypted containers. For this case, our primary interest was in what the employee had done recently — not in recovering long-deleted data. The logical acquisition scope fit the investigative question.

For the laptop, we imaged the drive using Magnet AXIOM after booting to a forensic environment. The laptop wasn’t encrypted, so we had full disk access. We ran both a logical acquisition (for timeline speed) and a full forensic image (for completeness and defensibility).


USB Artifact Analysis on the Company Laptop

The first significant finding came from the Windows registry.

Windows tracks connected USB storage devices in several registry locations. The primary ones:

  1. `SYSTEM\CurrentControlSet\Enum\USBSTOR`: one subkey per device model (vendor, product, revision), with an instance subkey per physical device named after the serial number the device reports. On Windows 10 the instance key’s `Properties` subkeys also hold first-install, last-arrival and last-removal timestamps.
  2. `SYSTEM\MountedDevices`: maps those devices to volume GUIDs and drive letters.
  3. `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2`: per user, the volume GUIDs that account has mounted, which ties a device to the user who plugged it in.

From `USBSTOR` and the sibling `Enum\USB` key (which records non-storage devices), we identified three external devices that had connected to the laptop. Two were long-term devices: a company-issued external drive used for backup (verified against IT inventory) and a USB hub, which appears under `Enum\USB` rather than `USBSTOR` because it holds no storage. The third was a Samsung T7 portable SSD whose reported serial number didn’t appear in the IT inventory. It first connected roughly 30 days before the employee’s resignation.

`MountPoints2` in the employee’s NTUSER.DAT confirmed that the T7’s volume had been mounted under that user’s account and gave the time of the most recent mount (the key’s last-write time), not a history of every connection. The individual connection times came from the Windows 10 device property values under the `USBSTOR` instance key (first install, last arrival, last removal) and from the `Microsoft-Windows-Partition/Diagnostic` event log, whose event ID 1006 records each arrival and removal of a disk together with its serial number. Together these showed the Samsung T7 connected on four separate occasions in the month before resignation.

This established that an unregistered external drive had connected to the laptop during a period of interest. Now we needed to know what was on it.
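The inventory comparison described above, as an added example (not code from the original article): it parses a `reg export` text dump of the USBSTOR key, pulls the reported serial and friendly name from each instance key, decodes the Windows 10 first-install and last-arrival FILETIME properties, and flags every device whose serial is missing from the IT inventory. The dump and the inventory set at the bottom are constructed for the example; the property GUID and indices are the standard Windows 10 device property keys, and the `hex(10):` encoding is the form `reg export` uses for them.

```python
r"""Triage USBSTOR entries from a `reg export` text dump against an IT inventory.

Added example, not code from the original article. Assumptions:
  - the input is the text written by
        reg export "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR" usbstor.reg
    (UTF-16LE on disk; open real exports with encoding="utf-16")
  - the Windows 10 device-property keys below each instance key,
        Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064  InstallDate
        ...\0065 FirstInstallDate   ...\0066 LastArrivalDate   ...\0067 LastRemovalDate
    whose default value reg export writes as hex(10): (little-endian FILETIME)
  - the dump and the inventory at the bottom are constructed for this example
"""
import re
from datetime import datetime, timedelta, timezone

DEVPROP_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
PROP_NAMES = {"0064": "install", "0065": "first_install",
              "0066": "last_arrival", "0067": "last_removal"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_reg_hex(dt):
    """Inverse of the above in reg-export syntax; used only to build the sample."""
    d = dt - EPOCH_1601
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return "hex(10):" + ",".join(f"{b:02x}" for b in ft.to_bytes(8, "little"))

def reg_hex_to_int(value):
    payload = value.split(":", 1)[1].replace(",", "")
    return int.from_bytes(bytes.fromhex(payload), "little")

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value_text}} for a .reg dump."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                # long hex values wrap with a backslash
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys

def triage_usbstor(reg_text, known_serials):
    """One record per USBSTOR instance, flagged when its serial is not in inventory."""
    devices = {}
    for path, values in parse_reg_export(reg_text).items():
        parts = path.split("\\")
        if "USBSTOR" not in parts:
            continue
        tail = parts[parts.index("USBSTOR") + 1:]
        if len(tail) < 2:
            continue                           # root key or device-model key only
        model, instance = tail[0], tail[1]
        dev = devices.setdefault(instance, {
            "instance": instance, "model": model, "friendly_name": None,
            # '&' as the second character means Windows generated the instance ID
            # because the device exposed no serial number of its own
            "serial": None if instance[1:2] == "&" else instance.split("&")[0]})
        if len(tail) == 2 and "FriendlyName" in values:
            dev["friendly_name"] = values["FriendlyName"].strip('"')
        elif (len(tail) == 5 and tail[2] == "Properties"
              and tail[3].lower() == DEVPROP_GUID and tail[4] in PROP_NAMES
              and "@" in values):
            dev[PROP_NAMES[tail[4]]] = filetime_to_dt(reg_hex_to_int(values["@"]))
    for dev in devices.values():
        m = re.search(r"Ven_([^&]+)&Prod_([^&]+)", dev["model"])
        dev["vendor"], dev["product"] = m.groups() if m else (None, None)
        dev["unregistered"] = dev["serial"] not in known_serials
    return sorted(devices.values(), key=lambda d: d.get("first_install", EPOCH_1601))

KNOWN_SERIALS = {"WXA1A12B3C4D"}               # constructed IT inventory
_T7_FIRST = datetime(2024, 2, 18, 19, 2, 44, tzinfo=timezone.utc)
_T7_LAST = datetime(2024, 3, 12, 22, 41, 7, tzinfo=timezone.utc)
_PFX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
_T7 = "Disk&Ven_Samsung&Prod_PSSD_T7&Rev_0\\S5TCNS0R123456Z&0"
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{_PFX}\\Disk&Ven_WD&Prod_My_Passport&Rev_1028\\WXA1A12B3C4D&0]
"FriendlyName"="WD My Passport 25E2 USB Device"

[{_PFX}\\{_T7}]
"FriendlyName"="Samsung PSSD T7 SCSI Disk Device"

[{_PFX}\\{_T7}\\Properties\\{DEVPROP_GUID}\\0065]
@={dt_to_reg_hex(_T7_FIRST)}

[{_PFX}\\{_T7}\\Properties\\{DEVPROP_GUID}\\0066]
@={dt_to_reg_hex(_T7_LAST)}
"""

if __name__ == "__main__":
    for d in triage_usbstor(SAMPLE_REG, KNOWN_SERIALS):
        flag = "UNREGISTERED" if d["unregistered"] else "inventory"
        print(flag, d["vendor"], d["product"], d["serial"], d.get("last_arrival"))
```

The generated-ID check matters in practice: cheap flash drives that report no serial get an instance ID like `7&1a2b3c4d&0`, which is unique to the machine and port, not to the device, so it cannot be matched against an inventory or against the same stick seen on another host.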


Reconstructing File Transfers

Windows doesn’t maintain a native log of every file copied to a USB drive. But it leaves considerable indirect evidence.

LNK files. Windows automatically creates shortcut files (.lnk) under the user’s Recent Items folder (`%APPDATA%\Microsoft\Windows\Recent\`) when files are opened through the shell. Each LNK records the target’s original path, its size and timestamps as they stood when the shortcut was written, and, critically, the serial number and label of the volume the target lived on. We parsed the LNK files in Recent Items with Eric Zimmerman’s LECmd and the jump lists in `Recent\AutomaticDestinations\` with its companion JLECmd, since each jump-list entry embeds the same LNK structure.

Two LNK files pointed to a volume with a serial number we hadn’t seen on any inventoried drive. Their targets: engineering specification documents with product names matching the company’s unreleased product line. One caveat matters here. The serial number in a LNK file is the file system’s volume serial (the value `vol` prints at a command prompt), not the USB hardware serial recorded in `USBSTOR`, and Windows does not store the pairing between the two directly. They are tied together by timing, and sometimes by the `EMDMgmt` key under `SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt`, whose subkey names end in the volume serial in decimal when ReadyBoost has evaluated the device. That is why the timeline correlation below carries the weight.
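The fields the paragraph above relies on, decoded by hand as an added example (not the article’s code, and not LECmd): a minimal MS-SHLLINK parser that reads the header, skips the shell item ID list, and pulls the drive type, volume serial, volume label, local base path and target timestamps out of the LinkInfo block. `build_lnk` constructs a sample shortcut so the parser can be exercised without an evidence file; the path, serial and label in `SAMPLE_LNK` are made up.

```python
"""Minimal MS-SHLLINK parser: volume serial, label, drive type, target path and
target timestamps from a .lnk file. Added example, not code from the original
article or from LECmd; handles the header, LinkTargetIDList (skipped) and
LinkInfo/VolumeID structures, which is what Recent Items shortcuts carry."""
import struct
from datetime import datetime, timedelta, timezone

SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x1, 0x2                   # LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1                                  # LinkInfoFlags bit
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def _cstr(buf, off):
    """NUL-terminated ANSI string at buf[off:]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def parse_lnk(data):
    (hdr_size, clsid, flags, _attrs, ctime, atime, wtime,
     size) = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"target_size": size,
            "target_created": filetime_to_dt(ctime),   # target's timestamps, copied
            "target_accessed": filetime_to_dt(atime),  # when the shortcut was written
            "target_modified": filetime_to_dt(wtime)}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size, = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size                          # shell item IDs, not decoded here
    if flags & HAS_LINK_INFO:
        li = off
        (_li_size, _li_hdr, li_flags, vol_off, lbp_off,
         _cnrl_off, _cps_off) = struct.unpack_from("<7I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            v = li + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", data, v)
            info.update({
                "drive_type": DRIVE_TYPES.get(dtype, str(dtype)),
                "volume_serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                "volume_label": _cstr(data, v + label_off),
                "local_base_path": _cstr(data, li + lbp_off)})
    return info

def build_lnk(path, serial, label, drive_type, modified):
    """Constructed sample: a shortcut with a LinkInfo block and no ID list."""
    vol_label = label.encode() + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(vol_label), drive_type, serial, 16) + vol_label
    base_path = path.encode() + b"\x00"
    suffix = b"\x00"                                    # empty CommonPathSuffix
    vol_off = 28                                        # LinkInfoHeaderSize, no unicode offsets
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(base_path)
    link_info = struct.pack("<7I", cps_off + len(suffix), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, cps_off) + volume_id + base_path + suffix
    header = struct.pack("<I16sIIQQQIIIH10s", 0x4C, SHELL_LINK_CLSID, HAS_LINK_INFO,
                         0x20, 0, 0, dt_to_filetime(modified), 4096, 0, 1, 0, b"\x00" * 10)
    return header + link_info

SAMPLE_MODIFIED = datetime(2024, 3, 12, 22, 58, 0, tzinfo=timezone.utc)
SAMPLE_LNK = build_lnk("E:\\Specs\\ProductX_spec_v3.docx", 0x1A2B3C4D, "T7", 2, SAMPLE_MODIFIED)

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:18} {v}")
```

On a real shortcut, `parse_lnk(open(p, "rb").read())` gives the same fields; LECmd additionally decodes the shell item ID list and the tracker data block (NetBIOS name and the MAC-derived object ID), which this example leaves out.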

Prefetch files. Windows Prefetch records application executions: each `.pf` file under `C:\Windows\Prefetch` holds the executable’s run count, its most recent run times (the last eight on Windows 8 and later), and the files and directories the process touched during its first seconds of startup. It is not a log of every document an application later opened, so it corroborates timing rather than content. Prefetch confirmed that the applications used to open the specification documents ran during the same windows as the USB connection timestamps.

VSS (Volume Shadow Copies). The laptop had automatic shadow copies enabled. Each shadow copy preserves the volume as it stood at the snapshot time, including the $MFT, so we could compare the specification files’ metadata and contents across snapshots taken before and during the USB connections and see which files were modified, moved or deleted between them. One caution: NTFS last-access timestamps are unreliable on modern Windows, where the update is disabled by default on most builds and only coarsely applied on the rest, so the comparison rests on modification and MFT-change times, not access times.

OneDrive sync logs. The employee had OneDrive for Business configured. The client keeps its sync state under `%LOCALAPPDATA%\Microsoft\OneDrive\settings\Business1\` (the `.dat` files and, in newer clients, `SyncEngineDatabase.db`, a SQLite database listing every file in the synced folder with its cloud identifiers) and writes its activity logs as binary `.odl` files under `%LOCALAPPDATA%\Microsoft\OneDrive\logs\`. Several of the engineering specification files appeared in the sync state with last-sync timestamps predating the resignation, meaning they had been placed in the employee’s synced OneDrive folder and therefore existed in the cloud tenant as well as on the local drive.

The combination: files opened (LNK files and jump lists), files opened from an unregistered drive (LNK volume serials lined up with the USB connection times), and files staged in a OneDrive-synced folder (sync state). The pattern was consistent across three independent artifact sources.



Smartphone Analysis: The Messaging Layer

The Android logical acquisition gave us access to the standard data categories: SMS, call logs, contacts, and third-party app data. How much app data a logical extraction returns depends on how far it reaches: the WhatsApp and Google Drive databases discussed below live in private app storage under `/data/data/`, which a basic content-provider extraction does not expose, so the method that reached them (a full file system extraction on a supported device) and its limits belong in the methodology section of the report.

The most significant findings came from two apps.

WhatsApp. WhatsApp on Android keeps its live message database in private app storage at `/data/data/com.whatsapp/databases/msgstore.db`, a plain SQLite file. The encrypted copies on shared storage (`WhatsApp/Databases/msgstore.db.crypt14` and similar, or under `Android/media/com.whatsapp/WhatsApp/Databases/` on newer installs) are backups: the crypt12 and crypt14 formats can be decrypted with the key file at `/data/data/com.whatsapp/files/key`, while crypt15 backups need the 64-digit end-to-end backup key the user set. Our extraction reached the private directory, so we parsed the live database directly and extracted the message history.

The employee had a WhatsApp conversation with a contact whose display name was a first name only — no company affiliation visible in the contact record. The conversation, in the 30 days before resignation, included several messages that couldn’t be misread: specific customer names and pricing terms that matched the company’s confidential customer list.

We documented the message content, the timestamps, and the phone number associated with the contact. We didn’t identify who that number belonged to; subscriber identification was outside our scope and would require legal process to the carrier. We noted the number and flagged it for counsel’s further investigation.
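The extraction described above, as an added example (not code from the original article): a query that pulls one contact’s conversation out of `msgstore.db`, converts WhatsApp’s millisecond timestamps to UTC, and marks the messages that mention names from the confidential customer list. The `message`, `chat` and `jid` tables are a subset of the schema WhatsApp for Android has used since its 2020 database migration; that the database under examination uses this schema rather than the legacy single `messages` table is an assumption, and the rows, numbers and customer names are constructed.

```python
"""One contact's WhatsApp conversation with a watchlist check. Added example,
not code from the original article; schema subset and rows are constructed."""
import sqlite3
from datetime import datetime, timezone

# Subset of WhatsApp's post-2020 msgstore.db schema (assumed; the columns named
# here exist in that schema, but the full tables carry many more).
SCHEMA = """
CREATE TABLE jid (_id INTEGER PRIMARY KEY, user TEXT, server TEXT, raw_string TEXT);
CREATE TABLE chat (_id INTEGER PRIMARY KEY, jid_row_id INTEGER, subject TEXT);
CREATE TABLE message (_id INTEGER PRIMARY KEY, chat_row_id INTEGER, from_me INTEGER,
                      key_id TEXT, timestamp INTEGER, text_data TEXT);
"""

def build_sample_db():
    """Constructed evidence stand-in: one ordinary chat and one first-name-only contact."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO jid VALUES (?,?,?,?)", [
        (1, "15550100123", "s.whatsapp.net", "15550100123@s.whatsapp.net"),
        (2, "447700900456", "s.whatsapp.net", "447700900456@s.whatsapp.net")])
    db.executemany("INSERT INTO chat VALUES (?,?,?)", [(1, 1, None), (2, 2, None)])
    base = 1709650000000                    # ms since epoch: 2024-03-05 14:46:40 UTC
    db.executemany("INSERT INTO message VALUES (?,?,?,?,?,?)", [
        (1, 1, 1, "A1", base, "Lunch tomorrow?"),
        (2, 2, 0, "B1", base + 3_600_000, "did you get the list"),
        (3, 2, 1, "B2", base + 3_900_000,
         "Acme Industrial renews in June at 14% below list, Northwind is month to month"),
        (4, 2, 0, "B3", base + 4_200_000, "perfect. send the spec when you can"),
        (5, 2, 1, "B4", base + 90_000_000, "uploaded to drive tonight")])
    return db

QUERY = """
SELECT m._id, m.from_me, m.timestamp, m.text_data
FROM message m
JOIN chat c ON m.chat_row_id = c._id
JOIN jid j ON c.jid_row_id = j._id
WHERE j.user = ? AND m.text_data IS NOT NULL
ORDER BY m.timestamp
"""

def conversation(db, phone, watchlist=()):
    """Messages exchanged with `phone`, timestamps as UTC, plus watchlist terms each mentions."""
    out = []
    for _id, from_me, ts, text in db.execute(QUERY, (phone,)):
        when = datetime.fromtimestamp(ts / 1000, tz=timezone.utc)  # WhatsApp stores milliseconds
        hits = [t for t in watchlist if t.lower() in text.lower()]
        out.append({"id": _id, "direction": "sent" if from_me else "received",
                    "utc": when, "text": text, "hits": hits})
    return out

CONFIDENTIAL_CUSTOMERS = ["Acme Industrial", "Northwind", "Contoso"]   # constructed list

if __name__ == "__main__":
    for m in conversation(build_sample_db(), "447700900456", CONFIDENTIAL_CUSTOMERS):
        flag = " <-- " + ", ".join(m["hits"]) if m["hits"] else ""
        print(m["utc"].isoformat(), m["direction"], repr(m["text"]), flag)
```

Against a real `msgstore.db`, replace `build_sample_db()` with `sqlite3.connect("file:msgstore.db?mode=ro", uri=True)` so the evidence copy is never opened for writing; the watchlist should come from the same customer list counsel has designated as a trade secret, so that every hit in the report maps to a named item.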

Google Drive app. The Google Drive app on Android keeps its local state in SQLite databases under `/data/data/com.google.android.apps.docs/databases/`, which record the files the app has listed, opened and uploaded. Those records showed the Drive app had opened and uploaded several files with names matching the engineering specifications from the laptop, under a personal Google account. The upload timestamps fell in the same period as the USB connections.

This was the key corroboration: the same documents that appeared in USB artifacts on the laptop also appeared in cloud upload logs on the phone, within the same time window.


Timeline Construction

Timeline construction is where the separate artifact streams come together into a coherent narrative.

We used a unified timeline approach: all timestamps from all artifact sources — USB connection records, LNK files, OneDrive sync logs, WhatsApp messages, Google Drive upload logs, and the network access logs provided by IT — were converted to UTC, exported to CSV and merged by timestamp. The conversion step is not optional. Registry, LNK and prefetch timestamps are stored as UTC FILETIMEs, WhatsApp stores Unix milliseconds, and badge and proxy logs are usually stamped in local time, so a timeline merged without normalizing them is off by the local offset at exactly the points where the correlation matters.

The resulting timeline, covering the 60 days before resignation, showed a clear escalating pattern:

Weeks 1-4: Normal activity. No USB connections from the unregistered drive. No unusual file access patterns.

Week 5 (roughly 30 days before resignation): First connection of the unregistered Samsung T7. Three engineering specification files opened within 20 minutes of the connection. OneDrive sync state shows the same files syncing to the corporate OneDrive shortly after.

Weeks 6-7: Recurring pattern. The unregistered drive connects on three further occasions over these weeks. File access artifacts show the employee opening specification documents, customer list exports, and pricing model spreadsheets — all identified as trade secrets in the company’s information security policy. WhatsApp messages to the unknown contact begin in this period.

Week 8 (the final week): Notice submitted on the Friday. The weekend badge-in accesses captured by IT follow that night and the next; the network logs from those sessions show access to the engineering shared drive and large transfers to a cloud storage URL associated with a personal account.

The timeline didn’t prove who the employee was sending files to, or whether a competitor was involved. What it proved — from independent, corroborating artifact sources — was that specific trade-secret-classified documents were accessed, copied to an unregistered external drive, uploaded to a personal cloud account, and discussed via encrypted messaging during a defined period before resignation.
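The merge step and the "three files within 20 minutes of the connection" correlation, as an added example (not code from the original article): each source’s native timestamp is normalized to UTC, the events are sorted and written to CSV, and a window query lists the file-open events that follow each USB arrival. The rows are constructed and deliberately use the encodings the real sources differ on (ISO UTC strings for the registry, LNK and OneDrive values, Unix milliseconds for WhatsApp, naive local time for badge and proxy logs); the office offset of UTC-5 and the source names are assumptions of the sample.

```python
"""Unified UTC timeline across artifact sources plus a USB-arrival window query.
Added example, not code from the original article; rows and offset are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

OFFICE_TZ = timezone(timedelta(hours=-5))     # assumed local zone of badge and proxy logs

def to_utc(value, source):
    """Normalize one source's native timestamp to an aware UTC datetime."""
    if source in ("usbstor", "lnk", "onedrive"):   # FILETIME-derived, already UTC, ISO 8601
        return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)
    if source == "whatsapp":                        # Unix epoch milliseconds
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    if source in ("badge", "proxy"):                # naive local time, no offset in the log
        return datetime.fromisoformat(value).replace(tzinfo=OFFICE_TZ).astimezone(timezone.utc)
    raise ValueError(f"unknown source {source!r}")

def build_timeline(rows):
    """rows: iterable of (source, native_timestamp, description) -> events sorted by UTC."""
    events = [{"utc": to_utc(ts, src), "source": src, "description": desc}
              for src, ts, desc in rows]
    return sorted(events, key=lambda e: e["utc"])

def to_csv(timeline):
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["utc", "source", "description"])
    for e in timeline:
        w.writerow([e["utc"].isoformat(), e["source"], e["description"]])
    return buf.getvalue()

def clusters_after(timeline, anchor_source, follow_source, window_minutes=20):
    """For each anchor event, the follow-source events within the window after it."""
    window = timedelta(minutes=window_minutes)
    out = []
    for anchor in (e for e in timeline if e["source"] == anchor_source):
        followers = [e for e in timeline if e["source"] == follow_source
                     and anchor["utc"] <= e["utc"] <= anchor["utc"] + window]
        out.append((anchor, followers))
    return out

# Constructed sample rows: (source, timestamp exactly as that source records it, description)
SAMPLE_ROWS = [
    ("badge",    "2024-03-12 17:41:00", "badge in, main entrance"),
    ("usbstor",  "2024-03-12T22:41:07", "last arrival, Samsung PSSD T7 S5TCNS0R123456Z"),
    ("lnk",      "2024-03-12T22:44:51", "E:\\Specs\\ProductX_spec_v3.docx opened (vol 1A2B-3C4D)"),
    ("lnk",      "2024-03-12T22:49:12", "E:\\Specs\\ProductX_test_plan.xlsx opened (vol 1A2B-3C4D)"),
    ("lnk",      "2024-03-12T22:57:30", "E:\\Specs\\ProductY_arch.pdf opened (vol 1A2B-3C4D)"),
    ("onedrive", "2024-03-12T23:05:02", "ProductX_spec_v3.docx synced"),
    ("whatsapp", "1710286020000",       "sent: uploaded to drive tonight"),
    ("lnk",      "2024-03-13T01:30:00", "C:\\Users\\jdoe\\Documents\\expenses.xlsx opened"),
    ("proxy",    "2024-03-12 18:08:43", "PUT drive.example 48 MB"),
]

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_ROWS)
    print(to_csv(tl))
    for anchor, followers in clusters_after(tl, "usbstor", "lnk"):
        print(anchor["utc"].isoformat(), anchor["description"])
        for f in followers:
            print("   +%4.0fs" % (f["utc"] - anchor["utc"]).total_seconds(), f["description"])
```

The badge row is the one to watch: recorded as 17:41 local, it lands a few seconds before the 22:41 UTC USB arrival once converted, which is the sequence the narrative depends on; merged without the conversion it would sit five hours earlier and the badge-to-USB relationship would be lost.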


Supporting the Civil Complaint

Our role ended with the delivery of our report and the raw evidence exports to counsel. What happens next in civil litigation is the attorney’s domain.

The report structure we used:

Executive summary. Two pages, no jargon. What did we examine, what did we find, what does it mean. Written for a judge who has never opened a forensic tool.

Methodology. What tools, what versions, what acquisition method, and why we made the choices we made. Every step documented with hash values for acquired images.

Findings by artifact type. USB analysis, file transfer reconstruction, smartphone analysis, timeline. Each section: what we found, where we found it, how we validated it.

Timeline exhibit. A clean, one-page visual timeline in the appendix. Color-coded by artifact source. This is the exhibit that works in a courtroom — not the 40-page detailed report.

Raw exports. All extracted files, databases, and tool outputs, hashed and provided on encrypted media.

In trade secret matters, the civil complaint typically needs to establish: what the trade secrets were, that the defendant had access and a duty to maintain confidentiality, that misappropriation occurred, and that the plaintiff suffered harm. The forensic report addresses the misappropriation element — it’s the “what actually happened to the files” evidence.

For examiners newer to civil litigation, the important thing to understand is that your report will be read by attorneys and eventually disclosed to opposing counsel. Write it with that in mind. Don’t editorialize, don’t speculate beyond what the evidence supports, and be precise about what each artifact type does and doesn’t prove.


Common Failure Points in These Investigations

Three things consistently undermine corporate espionage investigations before they get to a courtroom:

Delayed engagement. Companies often wait weeks or months before calling a forensic examiner. By then, the employee has returned their devices, IT has re-provisioned the laptop (overwriting data), and the window for volatile evidence has passed. Organizations should have an IR plan that includes forensic examination as an immediate step when trade secret misappropriation is suspected.

Device re-provisioning. The single most common evidence destruction event we encounter isn’t intentional — it’s IT wiping and re-imaging a departing employee’s laptop before legal hold is established. This should be addressed in every company’s offboarding procedure: devices from employees departing under disputed circumstances go to legal hold storage, not back to the IT pool.

Incomplete scope authorization. Examining a company-issued device is generally covered by company ownership and acceptable use policies. Examining a personal device — even one used for company business — requires either consent or a court order. Know where your authorization ends before you start acquiring.

For related case studies covering how similar artifact patterns appear in different contexts, see the [intellectual property theft browser history case](/ip-theft-browser-history-case/) and the [identity theft reconstruction study](/identity-theft-reconstruction-insurance/).


What This Type of Case Teaches

Corporate espionage investigations succeed when they’re methodical, corroborated, and honest about what the evidence proves.

No single artifact source is enough. USB connection records tell you a drive connected. LNK files tell you files were accessed. OneDrive logs tell you files were synced. WhatsApp tells you the content of conversations. The convergence of all four — pointing to the same files, the same time window, the same pattern — is what makes the finding defensible.

The examiner’s job is to follow the evidence, document everything, and present findings precisely. The conclusions lawyers and courts draw from that evidence are their job, not ours.

That discipline — staying in your lane, presenting findings cleanly, not overstating — is what makes forensic testimony credible. And credibility, in this work, is everything.