Investigation of Insider Attacks With Computer Forensics

Cyber-attacks do not always originate from outside of the target organisation. Around twenty-five percent of all data breaches originate from the inside, from employees or trusted individuals within the organisation (TechBeacon, 2018).

Employees who have access to internal records, intellectual property or trade secrets need to be watched as closely as any external party or connection.

Why employees are a risk

Employees can trigger internal cyber-attacks, steal intellectual property or even publicly release internal affairs and private information for a number of reasons, which could include:

  • Bad experiences during their time with the organisation, leading them to seek payback or transparency.
  • A desire for revenge following something that occurred at the organisation.
  • Disagreement with internal organisational values.
  • A belief that some private information should be made public.
  • Mistakenly sharing private information without knowing they have done so.
  • Acting maliciously on their knowledge of internal systems, in order to benefit themselves or others, or to bring chaos to the organisation.

Organisations must always control the flow of data both in and out of a workplace and for all connected devices on the network (Khoury, 2015), as well as anything within range of networked devices such as laptops, file servers, email exchanges, networked printers, data-centre resources or digital conference facilities.

What needs to be locked down

All devices would ideally have optical drives removed where possible and USB ports should only be able to read data, not write it.

Emails should pass through a marshalling service that protects against viruses and also scans for private information being sent out or suspicious communications in either direction.

Web access must go through an internal proxy that allows only white-listed domains, in order to prevent data from being uploaded to file-sharing sites and to stop users from falling victim to online scams and other loopholes.

Where additional loopholes exist

Depending on the operating system on each device, there is a range of forensic techniques for investigating individual machines (Duquette, 2016), such as registry scans to show what activity took place on the machine, what files were accessed and how applications were used.

The Event Viewer (system logs) is of particular interest when following a trail of activity, alongside evidence that can lead to further substantiation of a case.

Real-time scans

It is very important that all of these scans, and more, are undertaken in real time across the network and on all devices, so that activity becomes known as it happens rather than after the fact, when the attack or theft may already have had wider-reaching consequences.

With access to system logs and registry locations, a cybercriminal could simply remove these points of evidence so that nothing is found later (Mak, 2012). Bypassing proxies by connecting through tethered connections is another loophole that should be closed down immediately.
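The point above is exactly why logs must be collected centrally as they are written: a user who clears the local Event Viewer logs leaves a "log cleared" event behind, and the copy already forwarded to the collector is out of their reach. The following is an added example, not code from the original article, showing how a collector could flag such clearing and raise the severity when it closely follows audited access to a sensitive file; the host names, user names and JSON record layout are constructed assumptions.

```python
"""Flag evidence destruction in centrally collected Windows event logs.
Added example (not the article's code): assumes every device forwards its
event logs in real time to a collector as one JSON record per line."""
import json
from datetime import datetime, timedelta

# Event IDs that record a log being cleared; the clearing itself is logged,
# and the copy already forwarded to the collector survives.
LOG_CLEARED = {("Security", 1102): "Security audit log cleared",
               ("System", 104): "event log cleared (Eventlog service)"}
FILE_ACCESS = ("Security", 4663)  # "An attempt was made to access an object"

# Constructed sample records, not captured from a real system.
SAMPLE_LOG = """\
{"host": "WS-017", "log": "Security", "event_id": 4624, "user": "jdoe", "time": "2018-10-06T08:02:11"}
{"host": "WS-017", "log": "Security", "event_id": 4663, "user": "jdoe", "time": "2018-10-06T08:40:27", "object": "Finance/payroll.xlsx"}
{"host": "WS-017", "log": "Security", "event_id": 1102, "user": "jdoe", "time": "2018-10-06T08:41:03"}
{"host": "WS-017", "log": "System", "event_id": 104, "user": "jdoe", "time": "2018-10-06T08:41:05"}
{"host": "WS-022", "log": "Security", "event_id": 4624, "user": "asmith", "time": "2018-10-06T09:00:00"}
{"host": "WS-022", "log": "System", "event_id": 104, "user": "asmith", "time": "2018-10-06T12:15:00"}
"""

def find_evidence_destruction(records, window=timedelta(minutes=30)):
    """Return one alert dict per log-clearing event. Severity is 'high' when
    the same user on the same host opened an audited file within `window`
    beforehand, i.e. the clearing looks like an attempt to hide that access."""
    recent_access = {}  # (host, user) -> [(time, object)] from 4663 events
    alerts = []
    for rec in records:
        t = datetime.fromisoformat(rec["time"])
        key = (rec["host"], rec["user"])
        if (rec["log"], rec["event_id"]) == FILE_ACCESS:
            recent_access.setdefault(key, []).append((t, rec.get("object", "?")))
            continue
        reason = LOG_CLEARED.get((rec["log"], rec["event_id"]))
        if reason is None:
            continue
        touched = [o for ta, o in recent_access.get(key, []) if t - ta <= window]
        alerts.append({"host": rec["host"], "user": rec["user"], "time": rec["time"],
                       "reason": reason, "severity": "high" if touched else "medium",
                       "preceded_by": touched})
    return alerts

def analyse(text):  # newline-delimited JSON text -> list of alerts
    return find_evidence_destruction(
        [json.loads(line) for line in text.splitlines() if line.strip()])

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a["severity"].upper(), a["time"], a["host"], a["user"], a["reason"], a["preceded_by"])
```

On the sample data the two clearings on WS-017 are rated high because they follow the payroll file access by under a minute, while the one on WS-022 is rated medium.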

All traffic must pass through an organisational resource for it to be fully monitored.

In Summary

Without a high level of automated monitoring and fine-grained permissions, individuals can bypass and circumvent security controls and clear their traces, so that cyber forensics is unable to build a pertinent and relevant case.


TechBeacon (2018) The 30 cybersecurity stats that matter most [Online], Available from: (Accessed on 6th October 2018)

Khoury, M. (2015) Investigation of insider attacks with computer forensics [Online], Available from: (Accessed on 6th October 2018)

Duquette, R. (2016) Using digital forensics to prevent intellectual property theft [Online], Available from: (Accessed on 6th October 2018)

Mak (2012) How Cyber Criminals Cover Their Tracks [Online], Available from: (Accessed on 6th October 2018)