Wen an employee deletes your files

Often, we only measure the value of things when its too late and we lost them. Today, we have a thought for your files and data without which your business would be compromised.

After several years of service, your employee has decided to leave you and is starting his notice period. Before leaving definitively, he will of course give back the computer and other equipments you had entrusted to him.

But what about the data?

Hardware is easy to assess, in terms of purchase or replacement cost. The unit is euro (often less than € 2,000) and your accountant can provide you with a more precise estimation of the value of these depreciable tangible fixed assets.

Free-Photos @ pixabay
Free-Photos @ pixabay

For data, it's more complicated. Their value can be estimated by the competitive advantage they give you. But also by the investment needed to produce them (and that we have since forgotten). It is usually when we lose this data that we measure the full value of these intangible assets.

From experience, they are very valuable. If you've lost them, call in an expert. If it's not too late, set up external (and journalized) storage and backups.

Little stories to scare yourself

With our forensic experts activity, we often get called when data is lost. Professional secrecy forbids us to reveal details so these stories are adapted (from real facts).

John, software craftsman

For 5 years, John has been developing web applications for his employer's clients. As these applications often look alike, he has managed to isolate the common code that allows him to focus on developing the modules that make the difference.

As he often anticipate the needs of their prospects, John has developed a few modules in advance so when one client ask for them, he just needs to integrate and adapt quickly. This considerably reduces the cost of services and helps win many customers.

Tama6 @ pixabay
Tama6 @ pixabay

Following a change in the management team, John is no longer in tune with his employer and his motivation has gone. After several heated discussions, the red line was crossed and the management decides to fire him.

Conscientious, he took the time to clean his workstation. To delete his few personal data, he cleaned everything, reinstalled the system as new, then brought back the source codes of the applications he was developing as well as the necessary tools. His colleagues will be able to take advantage of this very clean environment to continue working.

After a month's notice when he passed on his plans, he left the company.

Unfortunately, another month later, a customer follows up on a quote for a specific module because the price seems very attractive to him. The salesperson remembers that John had told him to have a module all ready but after having searched his computer, we will not find any trace of these modules of which he had the secret.

An estimate being equivalent to a contract, the service had to be carried out… at a loss.

Irene, commercial

Irene is a sales representative for an accounting firm. As she often visits clients, she was provided with a laptop computer that she uses when she travels extensively in the countryside. This is convenient, so she can access and update all data about customers and prospects.

Having family problems and no longer thriving in her job, she decides to quit her position and "resigns". Her employer would like her to transfer her contacts information to her colleagues but due to medical problems she will be on sick leave during her notice and after returning her laptop she will not come back.

analogicus @ pixabay
analogicus @ pixabay

After asking a computer friend for help, the laptop no longer contains any business data. Coincidence? many customers terminate their contracts on the same date and with the same letter. We also learn that Irene has found a new job with a competitor.

Sued for unfair competition (among other things), Irene defends herself... If the termination date is the same, it is because these are the classic closing dates for accounting years. If the letter is the same, it is because it is a model found on the Internet. If the computer is empty, it is because the employer deleted the data to make it bear the responsibility for the drop in activity and take revenge because Irene sued him at the labour court (because overtime payment).

In the meantime, the laptop has been reassigned to a former colleague. The few traces it might still contain have long been overwritten by its new user. No data and no digital evidence can be extracted.

Recovery plan

Very often, it is too late and there is a loss of data after the employee has left. More problematically, in the rush to save what can be saved, we commit blunders that can destroy traces, invalidate evidences or prevent future expertises.

If you are in this case, your employee has left and you have empty equipment, here are some advice from the arsouyes: do not touch anything and call a professional.

Don't touch anything

Even if you don't have legal action in mind (yet), it is still safer not to use the material and take the risk of crushing traces it may still contain.

geralt @ pixabay
geralt @ pixabay

Every time you use it, you are bound to write new data (if only temporary files and event logs). The more you use it, the more you will overwrite old data.

Whether you want to recover the data, or prove that areas have been intentionally deleted permanently, it is better to leave them alone and wait for professional intervention.

Call a professional

In a rush, it is tempting to ask the nearest goodwill for help, but it is rarely a good idea.

WikiImages @ pixabay
WikiImages @ pixabay

Geek friends usually do more damage than anything else because, without the necessary rigor and training, they can overwrite data, leave their own traces, and contaminate media. Their intervention will compromise any subsequent expertise.

Your IT staff is surely trained in recovery tools, but this time the problem is about conflict of interest. If it turns out that legal action is necessary, their findings may have no legal value (files recovered or no recoverable files), or worse, have contaminated the media, making it useless.

Unless you chose to make no legal action ever, I advise you to contact forensic experts. Not only are they used to this type of operation (retrieving files from mediums) but their oath makes their findings usable in court. With their experience, they can even advise you on your options and the best steps to take.

We would be happy if you

but, we promise, we won't blame you if you find a colleague on one of the lists of forensic experts.

Continuity plan

Of course, the best thing is to anticipate problems before they occur and thus avoid them. Simply. In this regard, our advice is rather simple:

Human resources

In all the cases we’ve seen, the origin of the problem has always been in the social relationship between employers and employees. Misunderstandings, poor consideration, work atmosphere, ... When an employee destroys data, it is to harm the employer (or obtain an advantage to his detriment, which amounts to the same thing).

Absolutevision @ pixabay
Absolutevision @ pixabay

Before even considering the IT resources to avoid these situations, it is important to manage people because to our knowledge, no employee who is well in his job poses a problem.

This subject alone deserves a article blog whole life to be treated and we leave a little of the editorial line of the arsouyes.

Local shares

If all your employees are present on site, you are probably already using file sharing. All workstations have a shared folder which is physically stored on a dedicated server. This is convenient because everyone can then work collaboratively on the documents.

If you are not using them, it may be the time to think about it because in addition to facilitating collaboration, they also facilitate backup, which is always good to gain...

Free-Photos @ pixabay
Free-Photos @ pixabay

No matter what system you use for sharing (there are lots of solutions), there are two things you should pay attention to:

The point of activating logging is to deter the smart ass who would like to delete files discreetly before leaving. Since the operation is recorded, it’s therefore anything but discreet.

Note that this logging involves personal data and is thus covered by the GDPR. you don't need consent but still need to communicate and secure. To find out more, you can turn to the dedicated page of the CNIL.

If you have a permanent sysadmin, he should be able to set up these mechanisms. If you do not have one, call a professional who can advise you and set up the appropriate configuration.

Limitations: As these shares are made on servers in your possession and over which you have all rights, a lawyer could question the validity of these event logs that you could have falsified. It will then be necessary for an expert to examine all the elements and all the traces to give his opinion on the probability of a fake (it happened to us, we will tell you about it another time).

Remote shares and clouds

While most system administrators love to have their servers at home (that is, on company premises), strictly from a digital proof perspective, outsourcing does bring benefits.

geralt @ pixabay
geralt @ pixabay

The provider, as a trusted third party, will have fewer conflict of interest problems and it will be much more difficult to question observations drawn from their systems and their logs. The constraints here are the same as before, being able to prohibit deletion in certain directories and having a log of file operations.

Again, your administrator will be able to handle all of this (he will probably be disappointed but will understand) and if you don't have one, a professional can advise you according to your needs. If some employees have deported positions (e.g. teleworking or itinerant), depending on your habits and IT skills, some solutions will be more suitable than others.

Limitations: even if it is a little suicidal for an employee to remove content under these conditions because he could be held responsible, it can still happen (if only by clumsiness, real or feigned) and above all, it will not bring back lost data...

Backups

The final stage is therefore to add a backup system. Automatic by the way. Then, whatever the reason, if something goes missing, you can recover it 🤩.

If you don't already have a backup system, it is the time to think about it.

analogicus @ pixabay
analogicus @ pixabay

The principle is to make a copy of your data, on another computer (good), in another building (better) or with a professional service provider (best). If anything happens to the original data, you can retrieve the files needed to fill the gap.

Since data can take up a lot of space, especially if you want daily backups over several months, the tools implement additional backup strategies:

  • Full Backup: As the name suggests, this is about backing up all data. To restore, all you have to do is retrieve the backup. It's simple, but it quickly takes up space.
  • Differential backup: Here, we will save what has changed since the last total backup. It saves network bandwidth and space on the server. To restore a data, you must use the total backup and apply the differential to it.
  • Incremental Backup: This time, we only back up what has changed since the last backup (total or not). We save a little more bandwidth and space. To restore, it is necessary to start from the total then apply all the increments to it.

The subtlety in our case is that we may not realize the loss until several days (weeks?) After its removal. No matter what backup solution you choose, you should be able to review time, more or less far depending on how long you plan to take to verify the data.

That being said, trust your system administrator, or your favorite professional, they know how to manage it all very well and can adapt to your constraints: amount of data, frequency of modification, bandwidth, duration, budget, ...

Limitations: here you don't risk much if it isn't handling errors when you have to restore the data, but if you do exercises regularly, that won't happen.

And next ?

Now you have a great working atmosphere, journalized file shares to work collaboratively, and backups. You don't lose anything, there are just a few small details to work out.

If you have a big doubt about the loyalty of an employee and have not yet set up logging or backup, it is still best to contact a lawyer and / or a legal expert who will be able to advise you on the best actions to take in your particular case.