
So basically at the beginning of the year a database of intellectual property (IP) disappeared at the close of a falling out between some upper-level employees and the executive staff at my company. Why there was no backup, or why no one suspected anything foul is beyond me.

I did a little digging of my own in the database software logs and the $UsnJrnl (using JournalViewer) and discovered that the database management software has three distinct launch timestamps within the course of an hour. Within the span of those timestamps, the UsnJrnl shows basically every file on the database volume undergoing:

Security_Change

Security_Change; Close

File_Delete; Close

Is this reasonable evidence to suspect, considering the tensions, that an employee may have maliciously tampered with the database and deleted everything? The database software may only be accessed from a single desktop PC, by a generic company login. The database is housed on an onboard HDD on the same PC.

CKM
    With just the information you've given, all you can say is that someone or some process intentionally deleted everything. Do you have logs of where it was accessed from at those times? Or user IDs for the accesses? Can it only be accessed from internal systems? If not, you have no grounds to assume it was internal tampering, nor who / what did it. – Οurous Nov 08 '16 at 00:07
  • The database software may only be accessed from a single desktop PC, by a generic company login. The database is housed on an onboard HDD. – CKM Nov 08 '16 at 00:09
  • As far as I can tell, remote access is also disabled for this computer (admin privileges are disabled for accounts here as well). The best anyone can do is VPN to our local server housed on-site if they need locally shared files. But that wouldn't (to my knowledge) give them access to the database HDD housed on a separate desktop. – CKM Nov 08 '16 at 00:20
  • At least on those grounds I'm suspecting someone deleted company files internally! – CKM Nov 08 '16 at 00:22
  • That is a good assumption. I doubt you could prove anything just from the logs because it's a generic login, but there is enough correlation to be suspicious. – Οurous Nov 08 '16 at 01:52
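
One way to turn the observation in the question into a reproducible check, as an added example that is not code from the original post or from JournalViewer: decode the USN reason bitmasks the way the question lists them (Security_Change; Close, File_Delete; Close) and count how many files on the volume received a Security_Change followed by a File_Delete between the first and last launch of the database software. The USN_REASON_* bit values are the documented Windows constants from winioctl.h; the CSV export layout, file paths, file reference numbers and timestamps are constructed for the example and are not taken from the poster's system.

```python
"""Correlate $UsnJrnl reason codes with application launch timestamps.

Added example.  The USN_REASON_* bits are the Windows constants; the export
format, paths, file references and times below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# USN_REASON_* bits from winioctl.h (only the ones this analysis names).
USN_REASON = {
    0x00000100: "File_Create",
    0x00000200: "File_Delete",
    0x00000800: "Security_Change",
    0x00001000: "Rename_Old_Name",
    0x00002000: "Rename_New_Name",
    0x80000000: "Close",
}
FILE_DELETE, SECURITY_CHANGE, CLOSE = 0x00000200, 0x00000800, 0x80000000

# Constructed JournalViewer-style export: timestamp,file_ref,path,reason_hex
SAMPLE_EXPORT = r"""
2016-01-13 17:40:00,14,db\tmp\scratch.tmp,0x80000200
2016-01-14 08:30:00,15,db\records\part005.dat,0x00000100
2016-01-14 08:30:00,15,db\records\part005.dat,0x80000100
2016-01-14 09:22:01,10,db\records\part001.dat,0x00000800
2016-01-14 09:22:01,10,db\records\part001.dat,0x80000800
2016-01-14 09:22:02,10,db\records\part001.dat,0x80000200
2016-01-14 09:22:03,11,db\records\part002.dat,0x00000800
2016-01-14 09:22:03,11,db\records\part002.dat,0x80000800
2016-01-14 09:22:04,11,db\records\part002.dat,0x80000200
2016-01-14 09:22:05,12,db\records\part003.dat,0x00000800
2016-01-14 09:22:05,12,db\records\part003.dat,0x80000800
2016-01-14 09:22:06,12,db\records\part003.dat,0x80000200
2016-01-14 09:23:10,13,db\records\part004.dat,0x00000800
2016-01-14 09:23:10,13,db\records\part004.dat,0x80000800
"""

# Constructed: the three DBMS launch times taken from the application log.
LAUNCHES = [
    datetime(2016, 1, 14, 9, 0, 3),
    datetime(2016, 1, 14, 9, 21, 40),
    datetime(2016, 1, 14, 9, 55, 12),
]


def decode_reason(mask: int) -> str:
    """Render a reason bitmask as a tool would list it, e.g. 'File_Delete; Close'."""
    names = [name for bit, name in sorted(USN_REASON.items()) if mask & bit]
    rest = mask & ~sum(USN_REASON)
    if rest:  # bits this table does not name stay visible instead of vanishing
        names.append(f"0x{rest:08X}")
    return "; ".join(names)


def parse_export(text: str):
    """Parse the constructed 'timestamp,file_ref,path,reason_hex' export."""
    rows = []
    for line in text.strip().splitlines():
        ts, ref, path, reason = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     int(ref), path, int(reason, 16)))
    return rows


def analyze(rows, launches, pad=timedelta(minutes=5)):
    """Count files touched, ACL-changed and deleted between the first and last
    launch; `pad` allows for writes completing shortly after the last launch."""
    start, end = min(launches), max(launches) + pad
    in_window = lambda ts: start <= ts <= end
    by_ref = defaultdict(list)          # group records by NTFS file reference
    for ts, ref, path, reason in rows:
        by_ref[ref].append((ts, path, reason))

    report = {
        "window": (start, end),
        "launch_span": max(launches) - min(launches),
        "files_on_volume": len(by_ref),
        "files_touched_in_window": 0,
        "deleted_in_window": 0,
        "deleted_after_acl_change": 0,   # Security_Change preceded File_Delete
        "acl_changed_not_deleted": 0,
        "deleted_outside_window": 0,     # background noise, not attributed
        "deleted_paths": [],
    }
    for events in by_ref.values():
        events.sort()
        if any(r & FILE_DELETE for ts, _, r in events if not in_window(ts)):
            report["deleted_outside_window"] += 1
        inside = [e for e in events if in_window(e[0])]
        if not inside:
            continue
        report["files_touched_in_window"] += 1
        sec_at = next((ts for ts, _, r in inside if r & SECURITY_CHANGE), None)
        del_at = next((ts for ts, _, r in inside if r & FILE_DELETE), None)
        if del_at is not None:
            report["deleted_in_window"] += 1
            report["deleted_paths"].append(inside[-1][1])
            if sec_at is not None and sec_at <= del_at:
                report["deleted_after_acl_change"] += 1
        elif sec_at is not None:
            report["acl_changed_not_deleted"] += 1
    report["fraction_deleted"] = report["deleted_in_window"] / report["files_on_volume"]
    return report


if __name__ == "__main__":
    for key, value in analyze(parse_export(SAMPLE_EXPORT), LAUNCHES).items():
        print(f"{key}: {value}")
```

A high `fraction_deleted` where a Security_Change precedes every File_Delete inside the launch window, with little or no deletion outside it, is the kind of correlation the comments call suspicious: one process walking the volume rather than scattered user activity. Two caveats before relying on the numbers: $UsnJrnl timestamps come from the local system clock, so confirm the clock and time zone match the database software's own log before aligning the two, and the journal is a circular buffer that only covers changes since it was last created or reset, so records for files deleted earlier may simply be gone. As the comments note, none of this identifies who was behind the generic login.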

0 Answers