Data Infiltration

ID: S1002

Description: An employee is suspected of taking confidential information or trade secrets from a prior employer and introducing it to internal systems.

  • Q1005  What files have ever been on a computer?
  • Q1006  What files are present on a computer?
  • Q1014  What files did the actor open on their computer?
  • Q1027  Are there any sudden changes in the number of files on a device?

Has the actor introduced any ExternalCompany files to Company assets via downloading? F1002

  • Q1001  What files were downloaded using a web browser?
  • Q1008  What programs are installed on a computer?
  • Q1009  What interactions with external cloud storage sites did the actor have using their web browser?
  • Q1015  What syncing activities did external "cloud storage" applications do on a computer?
  • Q1025  What external accounts has the actor used in their web browser?
  • Q1026  What files were downloaded from messaging apps?
  • Q1031  How much network traffic was there to/from a machine?

Has the actor introduced any ExternalCompany files to Company assets via removable storage devices? F1003

  • Q1002  What USB devices were attached to a computer?
  • Q1012  What files were copied from a USB device to a computer?
  • Q1013  What files are present on a USB device?