Defensible Deletion
We are regularly brought in for situations where an executive hops from one company to another and takes data with them on the way out the door. Sometimes we conduct the internal investigation which uncovers the data theft (politely called data exfiltration); other times we assist with the clean-up.
Here is a story which, I hope, will illustrate how messy these clean-ups can be. If you are an employee thinking of leaving your firm, please leave the data behind. It’s not worth the hassle. In this instance, an executive departed their old institution and took their PST email archive with them, copied to a USB drive. They then copied the PST to their MacBook and opened it up, extracting files.
Their employer discovered the data copy and demanded that a third-party specialist execute a “verifiable deletion of any copies … in whole or in part, of the information contained on the USB (on … laptop, email account, or otherwise)”.
As you can see, this is an expansive demand which includes any data source where copies may have been transferred. We always take measured action with an eye to proportionality, so our recommendations and workplan were as follows:
Operations
(Bold items are easy to predict and budget; the italicized items are unknown, with best estimates given the available information):
Create a Forensic Image of the USB device (flat fee)
Create a Forensic Image of the MacBook (flat fee)
Download all email messages in the user’s Personal Email account(s) (per account)
Process the Forensic Image of the USB device, extracting the emails and attachments from the PST to identify the ‘problem set’ of documents (4 hours)
Process the Forensic Image of the MacBook (2 hours)
Search Forensic Image of the MacBook for instances of ‘problem set’ emails or their attachments (4 hours)
Also need to look for forensic evidence of transfer to personal accounts like Dropbox/Google Drive, etc. (~8 hours)
Process the Personal Email messages (2 hours)
Search Personal Email for instances of ‘problem set’ emails or their attachments (~6 hours)
Remediation: If any ‘problem set’ emails are found on either the MacBook or personal email accounts (unknown):
Forensically erase the live files
Remove any file-system snapshots which would allow the file(s) to be recovered
If the laptop shows evidence that it was backed up (to Apple Time Machine, or other online backup solution):
Either destroy the backup archive or determine some other mechanism to defensibly erase the data contained within
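One way to carry out the "search the image for 'problem set' attachments" step, as an added example rather than the firm's own tooling: it hashes the files extracted from the PST and looks for byte-identical copies under a read-only mount of the MacBook image. The directory names and sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large attachments never load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_problem_set(extracted_dir):
    """Map sha256 -> (name, size) for every file extracted from the PST."""
    return {sha256_file(p): (p.name, p.stat().st_size)
            for p in Path(extracted_dir).rglob("*") if p.is_file()}


def find_copies(problem_set, image_root):
    """Walk a read-only mount of the image; hash only size-matched files."""
    sizes = {size for _name, size in problem_set.values()}
    hits = []
    for dirpath, _dirs, files in os.walk(image_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) not in sizes:
                    continue
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable entry; a real run would log it for the report
            if digest in problem_set:
                hits.append((os.path.relpath(path, image_root), problem_set[digest][0]))
    return sorted(hits)


def demo():  # constructed sample data, not taken from the page
    with tempfile.TemporaryDirectory() as tmp:
        pst, img = Path(tmp, "pst_extract"), Path(tmp, "image/Users/exec/Documents")
        pst.mkdir()
        img.mkdir(parents=True)
        (pst / "forecast.xlsx").write_bytes(b"Q3 forecast (constructed)")
        (pst / "clients.csv").write_bytes(b"client list (constructed)")
        (img / "renamed.xlsx").write_bytes(b"Q3 forecast (constructed)")   # exact copy
        (img / "edited.csv").write_bytes(b"client list (construct3d)")    # same size, edited
        return find_copies(build_problem_set(pst), Path(tmp, "image"))
```

Exact hashing catches the renamed copy but not the edited one, so a demand covering copies "in whole or in part" also needs content or keyword searching on top of this pass.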
Dealing with the unknowns
There are many uncertainties here:
How many personal ‘cloud’ accounts were connected to the MacBook, and is there evidence that any data was copied to them?
How much data is contained within the PST?
This determines the size of the ‘problem set’, and the number of emails and attachments we must search for.
How much data is contained within the personal email account(s)?
This impacts how long it will take to download all messages and search their contents.
Are there any backup services/systems which also need to be addressed?
Budgeting
The expansive nature of the request means we can only provide a rough budget. The ‘easy-to-estimate’ items are the flat-rate captures and the preparation work, while any estimate for the steps affected by uncertainty must be wildly variable. We can make some simplifying assumptions, for example, that we do not find additional connected cloud accounts, but there is a high likelihood that the work expands. Searching can be estimated, but Remediation depends on what we find.
What’s Proportional?
These uncertainties raise a question of proportionality:
Sometimes it is more cost-effective, and still meets the needs of the demand, to simply forensically wipe and reset the devices, or to purchase new devices outright, and so avoid the cost of complex, targeted remediation.
Generally, personal email accounts cannot be ‘slash-and-burned’ to save remediation costs, but they more easily allow targeted deletions.
As always, happy to talk your team through this process. Defensible deletion is a complex and invasive process.