Data Exfiltration

ID: S1001

Description: An employee is suspected of unauthorized copying of sensitive data (code, trade secrets, etc.) from internal systems to systems outside of the company's control.

Are there any indications of anti-forensic efforts? F1007

Are there signs of staging data for future exfiltration? F1008

"Staging" refers to the collection of data of interest onto a local system, as a precursor step for future exfiltration of that data. When reviewing data from Questions in this Facet, look for unusual volumes of results (number or size of files downloaded or sent, for example).

  • Q1001  What files were downloaded using a web browser?
  • Q1004  What screenshots were taken on a computer?
  • Q1005  What files have ever been on a computer?
  • Q1006  What files are present on a computer?
  • Q1017  Were any files collected into a container?
  • Q1034  Was content copied from a file?
  • Q1035  Were any copies made of sensitive files?
  • Q1077  Were there bulk downloads from Google Drive?

Was any sensitive data sent externally via email? F1009

  • Q1016  What files were sent externally via email attachments?
  • Q1075  Is the recipient account controlled by the sender?
  • Q1076  Were the files screenshots?
  • Q1078  Were the files copies?
  • Q1079  Is there a history of communication with the recipients?
  • Q1080  How many external recipients does the email have?

Was any sensitive data exfiltrated via a physical medium? F1010

  • Q1003  What files were copied from a computer to a USB device?
  • Q1010  What was printed from a computer?

Was any sensitive data exfiltrated via a web service? F1011

  • Q1007  What files were synced or backed up to external services?
  • Q1009  What interactions with external cloud storage sites did the actor have using their web browser?
  • Q1011  What files were sent or received by a chat application?
  • Q1025  What external accounts has the actor used in their web browser?
  • Q1038  Were any files sent via CLI utilities?
  • Q1084  What data was uploaded to a website via a web browser?

System Information F1012

  • Q1008  What programs are installed on a computer?
  • Q1081  Does the user have a recently provisioned host?

Were any files sent via other network media? F1026

  • Q1082  Were any files sent via AirDrop?
  • Q1083  Were any files sent via Bluetooth?