Banner background texture

ABI Case Study - How Employees Steal Data - Episode 1

White curve graphic
Friday 7th May, 2021 | Author: Jon Munsey [Member (F2110)] | Filed under: Case studies

This is the first in a series of real-world cases that I will be sharing with you.

I don't think many people realise what is possible when forensically examining a computer - hopefully, this series will change that and increase awareness.

The Quantum

Net losses were estimated at a staggering £1.2 million in sales over a two-month period.

The Back Story

The client was observing sales decreasing (read - nose diving!) in one of their most profitable divisions.

This division specialised in making components for the mobile telephone industry – they had other competitors in Europe – but their technology was a market leader.

The CEO instructed the Head of I.T to investigate the activities of two key employees that were suspected to be passing trade secrets and pricing information on to a competitor.

The internal investigation yielded no results, as like most organisations, the level of auditing/logging carried out by their infrastructure was set so low – it did not hold any record of user activity whatsoever! (We see this 99% of the time). In our experience internal investigations usually yield poor or incomplete results.

Time to Call the Expert

I was contacted and commissioned to analyse the two employees’ computers – our product the Device Activity Check (or DAC) was carried out and after a day of analysis, it was discovered that the employees had been passing valuable information to the said competitor!

What Caused the Loss?

The competitor was approaching our clients’ customers and offering them a 20% reduction on the price of supplied parts to many of our client's customers who were interested only in the bottom line - immediately switched to the competitor’s identical product.

How did They do it?

So how did they get the information out of the company?
Did we see records of relevant documents being opened in quick succession? - No.
Did we see project files being copied to USB memory sticks? - No.
Did we see uploads to One Drive or other cloud storage? – No.

The answer was rather ingenious – they used the “Print Screen” key on the keyboard, to take a screen grab of documents they were using as part of their daily work routine.

They then pasted these screen grabs, one after the other, over a period, into a single word document named “house plans.docx”.

They were also clever and used the built-in image compression feature of Word, so that the document did not appear overly large on the disk. (A Word document that is hundreds of megabytes in size is a dead giveaway!).

How Did They Hide It?

The employee was in the process of building a house and their corporate mailbox contained literally thousands of messages between builders, architects, suppliers, estate agents and his spouse over a long period of time.

The “houseplans.docx” word document was perfectly camouflaged as the employee sent it to his personal Gmail account as he had many other related documents

How Did I Find it?

I found it twice!


The document was first located during a keyword search - the client had provided us with relevant customer names.

Because our systems use OCR (Optical Character Recognition), the word document had been opened by our computer, automatically scanned and any text that appeared in images/photographs was added to the case index.

Luckily for the client, when the employee pressed the print screen key and captured the screen (as a digital image/photo) the customer’s name was onscreen at the time.

This was picked up by the computer and when the customer’s name was entered as a search keyword, that document was flagged as responsive (it contained the customer’s name).


We can see what documents a user opens. The list goes way back to when the computer was first used, so we saw the same “houseplans.docx” file being opened when the employee arrived for work each day – same time, like clockwork.
The document was then closed at the end of the day and the cycle repeated the next day, until he had collected enough information and sent the document out to his home email.

Why did They do it?

The two employees had been offered positions with the competitor, on higher salaries with a lump sum of £50,000 being paid to them for the information they had stolen.

What Happened in the end?

Neither employee received their new job...or the £50,000 payment.
They were immediately terminated from our client's employment and litigation commenced against the unscrupulous competitor who was forced into liquidation once the legal process concluded with a judge ordering substantial damages to our client.

Enjoyed the read? Look out for Episodes 2 & 3 to follow

Article submitted by Jon Munsey – Full member F2110. Jon is an ex-Police computer forensics expert and operates Computer Forensics Online Limited. For further information see or