Microsoft’s most up-to-date operating system, Windows 10, brings with it some quirks that business operators need to be aware of – particularly if their staff use computers equipped with solid state hard drives (SSDs).
One of the changes with Windows 10 is that by default it automatically discards a number of operating system artefacts after 30 days. Because SSDs are designed to automatically overwrite unused disk space, some key artefacts relied upon in forensic investigations are deleted and automatically overwritten.
This means that employers need to act quickly if they suspect departing employees may be stealing data or intellectual property. If you don’t move fast, key evidence could be deleted or compromised.
While the use of Windows 10 and SSDs isn't enough to prevent a comprehensive forensic examination from recovering evidence relating to the theft of business information, it can definitely hamper an investigation.
The best way to prevent this is to have systems in place to detect deceptive employee behaviour. You do this by deploying endpoint monitoring in employee computers so that information theft is picked up early, allowing the business to be alerted and ready to respond proactively.
Endpoint monitoring involves the deployment of a covert piece of software on employee computers which is configured to send alerts when confidential information is accessed, copied to USB or attached to email.
If you don’t have endpoint monitoring in place, the simple act of turning off the employee’s computer stops the internal clock ticking and could give your business time to make vital decisions about the need to analyse the employee’s computer.
Your first step should be to contact a forensic IT specialist who can get into the system before the critical deletions take place and preserve important evidence.
If you would like to know more about endpoint monitoring or what you should do to preserve evidence of employee crime, please give us a call.