Case Study 2: The Departing Engineer — An Insider Data-Theft Investigation

"The technical proof was easy. Making it hold up — chain of custody, legal hold, doing nothing that a defense attorney could call a fishing expedition — was the whole job." — Forensic lead, Aldridge Robotics (constructed)

Executive Summary

This case study deliberately differs in kind from the Meridian ransomware investigation. There, the adversary was external, the harm was loud (encrypted servers), and the work was detection and analysis — racing to reconstruct an intrusion from artifacts. Here, the setting is a different sector (advanced manufacturing, not banking), the adversary is an insider, the harm is quiet (data walking out the door), and the work is dominated by chain of custody, legal hold, and legal soundness — because the outcome is not a remediation but a legally contested dispute that may end in court. It is the same forensic toolkit, weighted toward the parts of §25.3 that an external-intrusion case can sometimes under-emphasize.

Aldridge Robotics, a mid-size firm whose value is its proprietary control-system designs, discovers that a senior engineer who resigned to join a competitor may have taken source code and design files on the way out. There is no ransomware, no alarm — just a resignation, a non-compete agreement, and a suspicion. The investigation must answer: did the engineer exfiltrate proprietary data, and can we prove it to a standard that survives an adversarial courtroom — without overstepping our authority or contaminating the evidence? The findings, drawn from $MFT, USB-history registry artifacts, and cloud and email logs, show a deliberate staging and copy of proprietary files to a personal USB drive and a personal cloud account in the engineer's final week. But the case turns as much on how the evidence was handled as on what it showed. The scenario, company, and all figures are constructed for teaching (Tier 3).

Skills applied: legal hold and evidence preservation under litigation; chain of custody to a courtroom standard; Windows USB-device and $MFT artifact analysis; cloud/email log correlation; timeline construction; distinguishing what the evidence shows from what an adversary will argue; the legal and authorization limits of a defensive investigation.

Background

Aldridge Robotics designs industrial robotic control systems; its competitive advantage is entirely in its intellectual property — control-loop algorithms, firmware, and CAD designs. It is not a bank and has no PCI scope, but it has something just as sensitive: trade secrets whose theft is an existential, not merely a financial, risk.

Marcus Webb (no relation to anyone at Meridian) is Aldridge's lone security engineer, who also serves as its incident and forensic responder. The trigger: a senior controls engineer, "R. Vance," resigns on a Friday to join a direct competitor. Vance's manager mentions, almost in passing, that in Vance's final two weeks he had been "tying up loose ends" and seemed to be spending unusual time in the design-file repository. Aldridge's general counsel, aware that Vance signed both a confidentiality agreement and a non-compete, asks a pointed question: Did he take anything?

This question changes everything about how Marcus must proceed, and the difference from the Meridian case is the lesson:

⚖️ Authorization & Ethics: The moment an investigation may lead to litigation — here, enforcing a non-compete or pursuing trade-secret misappropriation — it crosses from an operational matter into a legal one. Aldridge's counsel issues a legal hold: a directive to preserve all potentially relevant data (Vance's laptop, email, repository logs, building-access records, cloud-tenant logs) and to stop any routine deletion or reassignment of those assets. Marcus's first instruction is not "investigate" but "preserve and do not touch beyond what's needed to preserve," and to coordinate every subsequent step with counsel and HR. The defensive instinct to dig is subordinated to the discipline of building evidence that will survive an adversarial challenge.

The asset that matters most — Vance's company laptop — was returned at the exit interview and, critically, had not yet been wiped and reissued. (Aldridge's standard offboarding wipes returned laptops within days; the legal hold stopped that just in time. Had the laptop been re-imaged, the most important evidence would have been gone — the same "rebuild destroys the evidence" trap as the Meridian file server, here applied to an endpoint.)

The Investigation

Because this case was expected to be contested, preservation was performed to the strictest reading of §25.3 from the outset — the assumption being that every step would later be scrutinized by an opposing expert.

ALDRIDGE PRESERVATION — legal-hold posture (constructed)
  Scope of hold (set by counsel): Vance laptop; Vance mailbox (M365); repo access
    logs; building badge logs; cloud-tenant (M365/OneDrive) audit logs; VPN logs.
  Laptop handling:
    1. Do NOT boot the laptop into its normal OS (would alter timestamps, run
       startup tasks — change the evidence).
    2. Image via HARDWARE WRITE BLOCKER, powered-off disk -> Vance-laptop.img (bit-for-bit).
    3. Hash source + image (SHA-256) -> MATCH -> sound. (illustrative)
    4. Seal original; chain-of-custody from the exit-interview handoff forward.
  Cloud/email/repo logs: exported by the platform admin under counsel's direction,
    with export queries and timestamps documented (these are business records).

There is a quiet near-disaster embedded in this phase that deserves emphasis, because it is the same trap as the Meridian file server, transplanted to an endpoint and a routine business process. Aldridge's standard offboarding procedure wipes and reissues returned laptops within a few days — sensible IT hygiene that, on any ordinary departure, harms nothing. Vance's laptop sat in the reissue queue. Had the legal hold arrived a few days later, that perfectly reasonable process would have destroyed the single most important piece of evidence in the case — the USBSTOR history, the $MFT staging artifacts, the LNK references to the USB volume, all gone, overwritten by a fresh OS image. The investigation would have collapsed before it began, not through any malice or error, but because a normal process ran on its normal schedule. The legal hold's first and most urgent function was simply to stop the wipe. This is the chapter's forensic-readiness point in its sharpest form: the threats to evidence are not only the attacker's anti-forensics but your own organization's routine operations — log rotation, backup expiry, account deprovisioning, device reissue — each of which can erase evidence on a schedule, indifferent to an investigation no one has told it about. A forensically mature organization knows which routine processes destroy evidence and has a mechanism (the legal hold) to suspend them fast.

The chain of custody here was treated as the centerpiece, not an afterthought, because in a contested matter it is the first thing an opposing attorney attacks:

CHAIN-OF-CUSTODY — item AR-2025-09-02-LT01 (constructed)
  Item        : Laptop, Dell, asset-tag AR-4471, S/N XYZ789EXAMPLE  (R. Vance)
  Received    : Exit interview, 2025-09-02 16:00, by HR (J. Ortiz), witnessed.
  To forensics: 2025-09-02 16:20  M. Webb.  Stored: locked evidence cabinet.
  Imaged      : 2025-09-03 10:00  M. Webb.  Write blocker (S/N ...).
                Hash(SHA-256)=b4d2f0...EXAMPLE (illustrative). Image sealed copy x2.
  Handoffs    : every access (incl. counsel review) logged, dated, signed.
  Rule        : analysis on IMAGE only; original laptop sealed, never booted.

🛡️ Defender's Lens: Compare this to the Meridian case. There, speed under an active fire shaped the order of volatility (capture memory first). Here, the laptop was already off and the "incident" was over — there was no volatile state worth a live capture, and booting it would only damage the case. The order-of-volatility principle still governs (don't destroy more-fragile evidence first), but its application inverts: in a contested insider case, the safest action is often to never power the evidence on at all, imaging the disk cold. The discipline adapts to the situation.

Phase 2 — Windows artifacts: the USB story

Marcus analyzed the laptop image, focusing on the artifacts that answer "did data leave, and how?" The Windows registry records the history of attached USB storage devices (§25.4, USBSTOR), and the NTFS $MFT records timestamps for when files and folders were created, modified, and accessed:

VANCE LAPTOP ARTIFACTS (constructed, UTC)

  [Registry: USBSTOR + related keys]
    USB mass-storage device "SanDisk Ultra" first connected: 2025-08-28 19:42
       (personal device; not on Aldridge's asset inventory)
       last connected: 2025-08-29 20:15  (after hours, both times)

  [$MFT + LNK / jump lists]
    2025-08-28 19:50  C:\Repo\controls\loop_algo\*  ACCESSED (bulk)
    2025-08-28 19:58  staged folder C:\Users\rvance\Desktop\proj_archive\ CREATED
    2025-08-28 20:05  proj_archive.zip CREATED (1.7 GB)
    LNK/shortcut artifacts reference files opened from E:\ (the SanDisk volume)

  [Prefetch]
    7-ZIP.EXE ran 2025-08-28 20:03  (archive creation tool executed)

The on-laptop story: a personal USB drive (not company-issued, connected after hours) appeared on August 28; minutes later, bulk access to the proprietary control-loop repository, the creation of a staging folder, and a 1.7 GB archive built with 7-Zip; LNK artifacts showing files were opened from the USB volume. This is a classic insider-exfiltration pattern — stage, compress, copy to removable media.

A word on the artifacts themselves, because each one Marcus relied on is a standard Windows forensic source from §25.4, and the way they interlock is the lesson. The USBSTOR registry key records the first and last connection times of every USB mass-storage device the system has ever seen, along with identifying details (vendor, product, serial). That a SanDisk Ultra not on Aldridge's asset inventory appeared for the first time on August 28 at 19:42 — and only ever connected after hours — is a fact the registry preserved as a side effect of normal device handling, with no help from the user and no easy way for the user to alter it. The $MFT then timestamps the bulk access to the control-loop repository and the creation of the staging folder and the 1.7 GB archive, placing the file activity in the same narrow window. LNK (shortcut) and jump-list artifacts — created automatically when files are opened — reference files accessed from the E:\ volume, which is the SanDisk drive, tying the removable media to the specific proprietary files. And Prefetch proves that 7-Zip actually ran at 20:03, which is how the archive was built. No single one of these is the case; together, on one timeline, they show a device appearing, proprietary files being read and compressed, and the archive landing on that device — the textbook stage-compress-exfiltrate pattern, each step independently corroborated by an artifact the user did not create and cannot easily forge.

But Marcus was careful, and his care is the case study's point:

⚠️ Common Pitfall (the overreach): It is tempting to write "Vance stole the files" the moment the USB artifacts appear. Marcus did not. The artifacts prove a personal USB device was connected and that proprietary files were accessed, staged, and archived on the same evening — strong, but he bounded the claim. An opposing expert will argue alternatives (Was it really Vance at the keyboard? Could the archive contain only his own non-proprietary work? Is the USB connection coincidental?). A defensible report states what the artifacts show and corroborates with independent sources before asserting intent — exactly the multi-source discipline of §25.5. The difference between "Vance stole the files" and "the following artifacts show a personal USB device connected at 19:42, after which proprietary files X, Y, and Z were read in bulk, compressed, and an archive of matching size was written to that device" is the difference between an assertion a defense attorney can attack and a chain of facts an expert can defend.

Phase 3 — Corroboration: cloud, email, and badge logs

A single-source story is weak, especially in a contested matter. Marcus corroborated the laptop artifacts with independent, off-host records — the kind an attacker (or a departing insider) cannot easily alter because they live in systems the individual does not control:

CORROBORATING SOURCES (constructed, UTC)
  [M365 / OneDrive audit log]
    2025-08-29 20:40  FileUploaded: proj_archive.zip -> rvance_personal@example.com
       (personal OneDrive, NOT the Aldridge tenant) — 1.7 GB, matches the laptop archive
  [Email (M365)]
    2025-08-30 21:10  Vance emailed 3 design PDFs to rvance_personal@example.com
  [Badge access]
    2025-08-28 19:35 entry / 20:30 exit — Vance badged into the building after hours,
       bracketing the laptop USB activity (places him physically present)
  [Repo access logs]
    2025-08-28 19:48–20:02  user rvance: bulk read of loop_algo/ (matches $MFT)

Now the case had what a contested matter requires: multiple independent sources telling the same story on the same timeline. The badge logs place Vance physically present (answering "was it really him?"); the repository logs corroborate the bulk read; the OneDrive audit log shows the same 1.7 GB archive uploaded to a personal account; email shows additional design files sent out. No single source is conclusive; together, on one timeline, they are powerful precisely because they are independent and the insider controlled none of them.

The independence is the entire point, and it is worth making explicit why it matters so much more in a contested insider case than in the external-intrusion case of the companion study. In the Meridian ransomware investigation, the fact of an intrusion was never in dispute — the encrypted files announced it — and forensics existed to determine scope and root cause. Here, the central fact itself is contested: Vance and his new employer will deny wrongdoing, and every artifact will be challenged. So the strength of the case is not any single dramatic finding but the convergence of sources that the insider could not have coordinated. Vance controlled his own laptop, so in principle he could argue its artifacts were planted or misread; he did not control the badge system, the repository's server-side access logs, the corporate cloud tenant's audit trail, or the email server's logs. When four systems that Vance had no ability to manipulate all place the same activity in the same minutes, the alternative explanations collapse: a coincidental USB connection does not also produce a matching 1.7 GB upload to a personal account; a "someone else used his account" theory does not also put his badge in the building at exactly those times. The §25.5 principle — corroborate across independent sources — is not merely good practice here; it is the load-bearing structure of the entire case.

Marcus was also careful about the quality of the cloud and email evidence specifically. These were not artifacts he reconstructed from a disk; they were business records, exported from Aldridge's own M365 tenant by the platform administrator under counsel's direction. He documented the exact export queries, the date and time of each export, and who performed it — because in a contested matter, even the provenance of a log export can be questioned. An export with no record of how or when it was produced is weaker than one with a documented, repeatable query. The same repeatability discipline that governs disk analysis (§25.3) governs log collection.

Phase 4 — The unified timeline

Marcus merged the sources into one UTC timeline (§25.5), the artifact that tells the story at a glance and that counsel could put in front of a court:

UNIFIED TIMELINE — Aldridge insider matter (constructed, UTC, source-tagged)
┌──────────────────┬──────────┬────────────────────────────────────────────────┐
│ Time (UTC)       │ Source   │ Event                                          │
├──────────────────┼──────────┼────────────────────────────────────────────────┤
│ 2025-08-28 19:35 │ Badge    │ Vance enters building (after hours)            │
│ 2025-08-28 19:42 │ Registry │ Personal USB "SanDisk Ultra" connected         │
│ 2025-08-28 19:48 │ Repo log │ Bulk read of loop_algo/ (proprietary)          │
│ 2025-08-28 20:03 │ Prefetch │ 7-Zip executed                                 │
│ 2025-08-28 20:05 │ $MFT     │ proj_archive.zip created (1.7 GB)              │
│ 2025-08-28 20:30 │ Badge    │ Vance exits building                           │
│ 2025-08-29 20:40 │ Cloud    │ proj_archive.zip uploaded to PERSONAL OneDrive │
│ 2025-08-30 21:10 │ Email    │ 3 design PDFs emailed to personal address      │
└──────────────────┴──────────┴────────────────────────────────────────────────┘

The timeline's strength is that it is woven from sources in four different systems — the endpoint, the badge system, the repository, and the cloud tenant — that an insider could not coordinate or scrub. This is the §25.5 lesson applied to a contested case: corroboration across independent sources is what makes a narrative defensible, not just plausible.
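One way to build that source-tagged UTC timeline and run the corroboration checks the case leans on (badge bracketing, archive-size match), as an added example that is not the case study's or Aldridge's own tooling. The export formats, field layouts, and function names are assumptions; the record values are the constructed ones from the tables above.

```python
"""Added example: merge constructed exports from independent systems into one
UTC, source-tagged timeline, then run the corroboration checks the case turns
on. Every format, field name and value below is an assumption for teaching."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Event:
    when: datetime            # tz-aware UTC after normalisation
    source: str               # which independent system produced the record
    what: str
    size_gb: Optional[float] = None


# Constructed raw exports, each in its own system's native timestamp format.
BADGE_CSV = "08/28/2025 19:35Z,entry\n08/28/2025 20:30Z,exit\n"   # MM/DD/YYYY
USBSTOR = [("SanDisk Ultra", "2025-08-28T19:42:00Z")]              # ISO 8601
REPO_LOG = "1756410480 rvance READ loop_algo/ bulk\n"              # epoch seconds
PREFETCH = [("7-ZIP.EXE", "2025-08-28 20:03:00")]                  # naive, documented UTC
MFT = [("proj_archive.zip", "2025-08-28 20:05:00", 1.7)]           # naive, documented UTC
CLOUD_AUDIT = [("2025-08-29T20:40:00Z", "FileUploaded", "proj_archive.zip", 1.7)]
EMAIL = [("2025-08-30T21:10:00Z", "3 design PDFs emailed to personal address")]


def utc(s: str, fmt: str) -> datetime:
    """Parse and tag UTC explicitly: mixing naive and aware datetimes mis-orders timelines."""
    return datetime.strptime(s, fmt).replace(tzinfo=UTC)


def collect() -> List[Event]:
    ev: List[Event] = []
    for line in BADGE_CSV.splitlines():
        ts, direction = line.split(",")
        verb = {"entry": "enters", "exit": "exits"}[direction]
        ev.append(Event(utc(ts, "%m/%d/%Y %H:%MZ"), "Badge", f"Vance {verb} building"))
    for dev, ts in USBSTOR:
        ev.append(Event(utc(ts, "%Y-%m-%dT%H:%M:%SZ"), "Registry",
                        f'Personal USB "{dev}" connected'))
    for line in REPO_LOG.splitlines():
        epoch, user, _op, path, _ = line.split()
        ev.append(Event(datetime.fromtimestamp(int(epoch), UTC), "Repo log",
                        f"Bulk read of {path} by {user}"))
    for exe, ts in PREFETCH:
        ev.append(Event(utc(ts, "%Y-%m-%d %H:%M:%S"), "Prefetch", f"{exe} executed"))
    # $MFT creation time is used here; NTFS last-access updates are often disabled,
    # which is one reason the server-side repo log matters for the "read" step.
    for name, ts, gb in MFT:
        ev.append(Event(utc(ts, "%Y-%m-%d %H:%M:%S"), "$MFT", f"{name} created ({gb} GB)", gb))
    for ts, op, name, gb in CLOUD_AUDIT:
        ev.append(Event(utc(ts, "%Y-%m-%dT%H:%M:%SZ"), "Cloud",
                        f"{op}: {name} to PERSONAL OneDrive ({gb} GB)", gb))
    for ts, what in EMAIL:
        ev.append(Event(utc(ts, "%Y-%m-%dT%H:%M:%SZ"), "Email", what))
    return sorted(ev, key=lambda e: e.when)   # one clock, one order


def render(ev: List[Event]) -> List[str]:
    return [f"{e.when:%Y-%m-%d %H:%M} | {e.source:<8} | {e.what}" for e in ev]


def bracketed_by_badge(ev: List[Event]) -> bool:
    """Answers "was it really him?": every record that needed Vance's session
    (registry, repo, prefetch, $MFT) must fall inside a badge entry/exit pair."""
    entries = [e.when for e in ev if e.source == "Badge" and "enters" in e.what]
    exits = [e.when for e in ev if e.source == "Badge" and "exits" in e.what]
    session = [e for e in ev if e.source in ("Registry", "Repo log", "Prefetch", "$MFT")]
    return bool(session) and all(
        any(a <= e.when <= x for a in entries for x in exits if a < x) for e in session)


def archive_size_matches(ev: List[Event]) -> bool:
    """The archive the $MFT shows being created must match, in size and order, the
    upload the tenant audit log recorded; otherwise "same archive" is only asserted."""
    created = [e for e in ev if e.source == "$MFT" and e.size_gb is not None]
    uploaded = [e for e in ev if e.source == "Cloud" and e.size_gb is not None]
    return bool(created and uploaded) and all(
        c.size_gb == u.size_gb and c.when < u.when for c in created for u in uploaded)


if __name__ == "__main__":
    timeline = collect()
    print("\n".join(render(timeline)))
    print("bracketed:", bracketed_by_badge(timeline), "size match:", archive_size_matches(timeline))
```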

Phase 5 — Where it became "legally contested"

Aldridge's counsel took the report to Vance's new employer and, ultimately, toward litigation. This is where the investigation's handling — not its findings — was tested, and where the case earns its "legally contested" billing. The opposing arguments were predictable, and each was met (or not) by a specific forensic discipline:

CONTESTED POINTS — and what answered them (constructed)
  Opposing argument                         Forensic answer
  ----------------------------------------  --------------------------------------------
  "Evidence could have been altered after    Chain of custody: laptop sealed, never
   the laptop was returned."                  booted; SHA-256 hashes prove the image is
                                              unaltered; every access logged.
  "How do we know it was Vance, not someone   Badge logs place him physically present;
   else on his account?"                       activity bracketed by his entry/exit.
  "The archive might be only his own work."   Repo logs show the specific PROPRIETARY
                                              files read in bulk; content reviewed under
                                              counsel — matched proprietary designs.
  "You exceeded your authority investigating  Counsel-directed, legal-hold scoped to
   his personal cloud account."                Aldridge SYSTEMS and logs only; personal
                                              OneDrive evidence came from ALDRIDGE'S OWN
                                              tenant audit log of the upload event, not
                                              from accessing Vance's personal account.

That last row is the subtle, decisive one. Marcus never logged into Vance's personal cloud account — doing so would have been an unauthorized access, potentially a crime, and would have tainted the evidence. The proof that the archive went to a personal account came from Aldridge's own audit log of the file leaving its tenant — evidence Aldridge was fully authorized to collect. The distinction between "evidence we are authorized to gather from our own systems" and "evidence we'd have to overreach to get" is the line between a winning case and a contaminated one, and it is the §25.3 authorization principle made concrete.

The temptation to cross that line is real and worth naming, because a well-meaning investigator feels it acutely. Marcus could see, from Aldridge's tenant log, that a 1.7 GB archive had been uploaded to rvance_personal@example.com. The natural next thought — "let me just confirm what's actually in that personal account" — would require authenticating to a system Aldridge does not own and Vance did not authorize. Doing so could expose Marcus and Aldridge to liability under computer-misuse law, and worse, an opposing attorney could move to exclude all of Aldridge's evidence as the fruit of an unauthorized investigation, arguing the investigator's willingness to overstep taints his entire account. The disciplined move — and the one Marcus made — was to stop at the tenant boundary and let counsel pursue the contents of the personal account through legal process (a subpoena or discovery), which is the lawful mechanism for reaching data you are not authorized to access directly. The forensic investigator's job ended exactly where Aldridge's authority ended; the legal system's tools took over from there.

This is the deepest difference between this case and an external-intrusion investigation, and the reason the chapter places forensics so close to the law. When the adversary is an anonymous external attacker, no one is going to contest your evidence in a courtroom on the other side; you investigate to defend the network. When the adversary is a named individual with legal representation, how you obtained every fact becomes part of the case, and the investigation succeeds or fails as much on its restraint as on its findings. An investigator who understands forensics but not its legal boundaries is dangerous in exactly this setting — competent enough to find the evidence, and capable of destroying its value by reaching one system too far.

⚖️ Authorization & Ethics: The boundary Aldridge respected is not merely cautious lawyering; it is the §25.3 principle that authorization to collect is a precondition of admissibility and of legality. The right pattern, when evidence you need lives beyond your authority, is to preserve what you can lawfully reach, document precisely where the trail leads, and hand that to counsel — never to follow the attacker (or insider) onto systems you do not control. The instinct to be thorough must yield to the discipline of staying within authority.

🔗 Connection: This is the same boundary the chapter warns about in §25.3's Authorization & Ethics note: reaching onto a system you do not control — even to follow the trail — can itself be a crime and can taint your evidence. Aldridge won on the strength of evidence it was entitled to collect, handled to a courtroom standard. An investigator who had "just checked" Vance's personal account to be thorough could have lost the entire case on that single overreach.

Discussion Questions

  1. In the Meridian case, the order of volatility meant capture memory first; here, the safest action was to never boot the laptop. Are these contradictory, or two correct applications of the same principle? Explain what changed between the cases.
  2. The decisive evidence that the archive reached a personal cloud account came from Aldridge's own tenant audit log, not from accessing Vance's account. Why is this distinction legally and ethically load-bearing? What would have been at risk if Marcus had logged into the personal account "just to confirm"?
  3. A legal hold stopped Aldridge's routine laptop-wipe just in time. What does this imply about the relationship between standard IT processes (offboarding, log rotation) and forensic readiness? Where else might a routine process destroy evidence?
  4. Marcus repeatedly bounded his claims ("the artifacts show X" rather than "Vance stole the files"). Why is this restraint stronger, not weaker, in a contested matter? How does it differ from the bounded claim in the Meridian case (PII "reached but not accessed")?
  5. This investigation involved an employee's actions and, peripherally, his personal accounts and physical movements. What privacy and proportionality considerations should govern how far such an investigation reaches, even when authorized?

Your Turn

Design a constructed insider-investigation scenario in a sector of your choice (healthcare records, financial models, media pre-release content). On one page, produce: (1) the scope of a legal hold — which systems/logs you would preserve and which routine process you must stop; (2) a chain-of-custody line for the primary device, written to a contested-matter standard; (3) a list of at least four independent corroborating sources (across different systems) and what each proves; (4) a unified timeline of six to eight rows; and (5) one bounded conclusion plus one explicit statement of a line you would not cross (an overreach you refuse, and why). Mark any claim you cannot support "unknown — would require X."

Key Takeaways

  • The setting changes the weighting, not the toolkit. An insider, contested-matter investigation uses the same forensics as an external-intrusion case but leans hard on §25.3 — legal hold, chain of custody, and legal soundness — because the deliverable is evidence that must survive an adversarial courtroom.
  • Legal hold first, then investigate. Once litigation is anticipated, the priority is to preserve (and stop routine deletion/wiping) under counsel's direction; the defensive instinct to dig is subordinated to building defensible evidence.
  • The order-of-volatility principle adapts. With no live incident and a contested matter, the soundest action can be to never boot the evidence, imaging the disk cold — the same principle (don't destroy fragile evidence) applied to a different situation.
  • Corroborate across independent systems. USB-history registry artifacts and $MFT staging on the laptop were made defensible by independent badge, repository, email, and cloud-tenant logs the insider could not control — multi-source corroboration (§25.5) is what beats "it might have been someone else."
  • Authorization is the line between a case and a contamination. Aldridge proved exfiltration to a personal account using its own tenant audit log — never by accessing the personal account. Reaching onto systems you do not control can be a crime and can taint the evidence; bounded claims and respected boundaries are what make findings hold up.