Case study – tracking down an insider

XYZ Corporation, a medium-sized Government contractor, found that it had begun to lose business to a tiny competitor that seemed to know exactly what the sales team at XYZ Corp was planning.

The senior management suspected that an insider was leaking information to the competitor.

A network forensic 007 was called in to investigate the problem.

A preliminary information-gathering exercise was initiated and a list of keywords was compiled to help in identifying packets that contained information of interest. A list of possible suspects, who had access to the confidential information, was also compiled.

The specific network segment relating to the department in question was put under network surveillance. Wireshark was deployed to capture all the network traffic. Additional storage was made available to store the .pcap files generated by Wireshark.

The collected .pcap files were analyzed using NetworkMiner.
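The keyword-driven triage described above, as an added example that is not from the book: a small pure-Python reader for classic libpcap files that flags TCP payloads containing any of the investigators' keywords and reports the flow they travelled on. The keyword list, the IP addresses and the capture itself are constructed here for illustration; a real case would run the same scan over the Wireshark .pcap files.

```python
import struct
from typing import Iterable

# Constructed keyword list in the spirit of the case study (not the book's own list).
KEYWORDS = [b"tender", b"bid price", b"client list"]

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def _ipv4_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (no checksums; enough for offline parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames: Iterable[bytes]) -> bytes:
    """Serialise frames into a classic little-endian libpcap file (constructed sample capture)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def scan_pcap(data: bytes, keywords=KEYWORDS):
    """Walk a pcap and return (src, dst, dport, keyword) for every TCP payload that matches."""
    hits = []
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only little-endian classic pcap handled)")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # skip non-IPv4 / non-TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        dport = struct.unpack_from("!HH", tcp, 0)[1]
        payload = tcp[(tcp[12] >> 4) * 4:].lower()  # case-insensitive match
        hits.extend((src, dst, dport, kw.decode()) for kw in keywords if kw in payload)
    return hits

# Constructed capture: one upload carrying sensitive terms, one benign internal message.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("10.0.5.21", "203.0.113.10", 51000, 443, b"POST /upload ... Q3 tender bid price"),
    _ipv4_tcp_frame("10.0.5.22", "10.0.5.9", 51001, 445, b"weekly status, nothing special"),
])
```

Hits on a single external destination from one internal host are the kind of lead that the analyst then follows up in NetworkMiner (reassembled files, credentials, hostnames) rather than proof on their own.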

The following screenshot depicts Wireshark capturing traffic:


An in-depth analysis of network traffic produced the following findings:

  • An image showing the registration certificate of the company that was competing with XYZ Corp, providing the names of the directors
  • The address of the company in the registration certificate was the residential address of the sales manager of XYZ Corp
  • E-mail communications, over personal e-mail addresses, between the directors of the competing company and the senior sales manager of XYZ Corp
  • Further offline analysis showed that the sales manager's wife was related to the director of the competing company
  • It was also seen that the sales manager was connecting to the office Wi-Fi network using his Android phone
  • The sales manager was noted to be accessing cloud storage using his phone and transferring important files and contact lists
  • It was noted that the sales manager was also in close communication with a female employee in the accounts department and that the connection was intimate

The information collected so far was very indicative of the sales manager's involvement with competitors.

Based on the preceding network forensics exercise, it was recommended that a full-fledged digital forensic exercise be initiated, including examination of the suspect's assigned laptop and phone. It was also recommended that sufficient corroborating evidence be collected through log analysis, RAM analysis, and disk forensics before initiating legal/breach-of-trust action against the suspect(s).
