The NIST CFReDS Data Leakage Investigation
A corporate employee was suspected of systematically leaking confidential company data to a competitor. Over a three-day period, the suspect conducted a carefully planned operation that involved research, data exfiltration across multiple media, and active anti-forensic measures to hide their tracks.
Despite these countermeasures, investigators were able to reconstruct the full chain of events using digital artefacts that remained on the system — including file-system metadata, browser history, email artefacts, cloud logs, removable media traces, and Windows Search data.
This case is based on the NIST CFReDS Data Leakage scenario and illustrates how the five stages of digital forensics (Identification, Preservation, Analysis, Documentation, Presentation) apply to a real investigation.
| Forensic Stage | Suspect Tools | Investigator Tools |
|---|---|---|
| Identification | IE, Chrome, Google, Bing, Outlook | Write blockers |
| Preservation | — | FTK Imager 3.4.0.1, EnCase Imager |
| Analysis | Windows Search, USB RM#1 | PhotoRec |
| Exfiltration | Outlook, Google Drive, USB RM#2, CD-R | FTK Imager, EnCase |
| Anti-Forensics | CCleaner, Eraser | FTK Imager (artefact traces) |
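Reconstructing the chain of events means merging artefacts whose timestamps are stored in different units. The script below is an added illustration (not part of the CFReDS scenario materials) that normalises constructed sample artefacts into a single UTC timeline; the NTFS, Chrome and event-log values are made up, and the conversion rules (FILETIME and WebKit both count from 1601-01-01 UTC) are the only facts it relies on.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME (NTFS $MFT timestamps) and Chrome/WebKit history timestamps
# both count from 1601-01-01 00:00:00 UTC; only the unit differs.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def webkit_to_utc(webkit_us: int) -> datetime:
    """Chrome/WebKit timestamp: microseconds since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=webkit_us)


def unix_to_utc(seconds: int) -> datetime:
    """POSIX time: seconds since 1970-01-01 UTC (as written by many tool exports)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


CONVERTERS = {
    "filetime": filetime_to_utc,
    "webkit": webkit_to_utc,
    "unix": unix_to_utc,
}

# Constructed sample artefacts (hypothetical values, not from the CFReDS image):
# each carries the raw timestamp exactly as read from its source.
SAMPLE_ARTEFACTS = [
    {"source": "Chrome History", "format": "webkit", "raw": 13071680710000000,
     "event": "visited search results page for 'file copying'"},
    {"source": "Windows Event Log", "format": "unix", "raw": 1427207310,
     "event": "removable device (USB RM#2) connected"},
    {"source": "NTFS $MFT (USB RM#2)", "format": "filetime", "raw": 130716810000000000,
     "event": "secret_project.docx created on removable volume"},
    {"source": "Prefetch", "format": "unix", "raw": 1427209500,
     "event": "ERASER.EXE last executed"},
]


def build_timeline(artefacts):
    """Normalise every artefact to an aware UTC datetime and sort chronologically."""
    rows = []
    for a in artefacts:
        ts = CONVERTERS[a["format"]](a["raw"])
        rows.append((ts, a["source"], a["event"]))
    rows.sort(key=lambda r: r[0])
    return rows


def render(timeline):
    """One line per event, oldest first, for inclusion in the report."""
    return "\n".join(f"{ts.isoformat()}  {src:<22}  {ev}" for ts, src, ev in timeline)


if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_ARTEFACTS)))
```

Sorting only works once every source is in the same zone, which is why each converter returns an aware UTC datetime rather than the examiner's local time; a mixed timeline is the most common way an anti-forensic wipe ends up appearing to precede the copy it was meant to hide.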
📊 Case Study 01 — Results
Digital Evidence Classification & Data Acquisition
A company reports that confidential files were stolen from its office. Investigators arrive on scene and must classify the evidence they find, choose appropriate acquisition methods, and ensure that every piece of evidence is properly preserved for court.
| Evidence Found | Classification |
|---|---|
| A damaged office door | Physical Evidence |
| The employee's laptop (powered on) | Real Evidence + Volatile Data |
| An email warning about suspicious activity | Documentary Evidence |
| Login logs, CCTV footage, file access records | Digital Evidence |
| CCTV showing employee entering at midnight | Direct Evidence |
| Browser history — searches on file copying | Indirect/Circumstantial Evidence |
This case study covers the full data acquisition process: how investigators image drives (physical, logical, file-system, and live acquisition), why write blockers are essential, how hash values prove integrity, and what the order of volatility means for live systems. Understanding these principles is critical to producing court-admissible evidence.
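How hash values prove integrity is easiest to see in code. The following is an added example (not material from the case study) that hashes an image in fixed chunks, records the acquisition digests alongside an evidence ID, and then re-verifies a copy, showing that a single flipped bit fails verification. The image bytes, evidence ID and examiner name are constructed placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

# Published SHA-256 / MD5 digests of the string "abc", used to self-check the hasher.
KNOWN_VECTORS = {
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "md5": "900150983cd24fb0d6963f7d28e17f72",
}

# Constructed stand-in for a disk image: a fake 512-byte boot sector (0x55AA
# signature at offset 510) followed by one data sector. Not a real acquisition.
SAMPLE_IMAGE = (
    b"\x00" * 446 + b"\x80" + b"\x00" * 63 + b"\x55\xAA"
    + b"SECRET PROJECT - CONSTRUCTED SAMPLE".ljust(512, b"\x00")
)


def hash_stream(fp, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file-like object in fixed chunks so a multi-gigabyte image never sits in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, **kwargs):
    """Convenience wrapper for in-memory data (tests and small samples)."""
    return hash_stream(io.BytesIO(data), **kwargs)


def acquisition_record(evidence_id: str, examiner: str, image: bytes):
    """Chain-of-custody entry: who hashed what, when, and the resulting digests."""
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size_bytes": len(image),
        "hashes": hash_bytes(image),
    }


def verify_image(image: bytes, expected: dict) -> bool:
    """Re-hash a copy and require every recorded digest to match (verification hash)."""
    actual = hash_bytes(image, algorithms=tuple(expected))
    return all(actual[name] == digest for name, digest in expected.items())


if __name__ == "__main__":
    assert hash_bytes(b"abc") == KNOWN_VECTORS, "hasher self-check failed"
    record = acquisition_record("E-001", "examiner (placeholder)", SAMPLE_IMAGE)
    print("acquisition:", record)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[0] ^= 0x01  # flip one bit in the first byte
    print("pristine copy verifies:", verify_image(SAMPLE_IMAGE, record["hashes"]))
    print("tampered copy verifies:", verify_image(bytes(tampered), record["hashes"]))
```

Two digests are recorded because MD5 alone is no longer collision resistant; the SHA-256 value is the one that carries the integrity claim, while MD5 is kept only for compatibility with tools and older reports that still list it.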
📊 Case Study 02 — Results
Operation DataBreach — NovaTech Solutions Pty Ltd
NovaTech Solutions Pty Ltd is a Brisbane-based software company with 120 employees. On 10 March 2026, the Head of IT Security flagged a DLP alert: user account jthompson had accessed 847 files on the file server between 22:00 and 23:45 — outside business hours.
James Thompson, a Senior Software Engineer serving his notice period, was suspected of exfiltrating proprietary source code before resigning. CyberTrace Forensics was engaged to conduct an independent investigation across nine structured phases.
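The DLP alert that started this investigation is, in essence, an after-hours burst detector. Below is an added example (not NovaTech's or CyberTrace's tooling) that runs that logic over constructed file-server access log lines: it parses each line, keeps only events outside business hours, counts distinct files per user per day and reports users over a threshold. The log format, host name and threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access log (hypothetical format and values).
SAMPLE_LOG = """\
2026-03-10T09:14:02 NOVA-FS-01 user=amiller action=READ path=eng/README.md
2026-03-10T22:01:47 NOVA-FS-01 user=jthompson action=READ path=eng/src/core/auth.py
2026-03-10T22:01:49 NOVA-FS-01 user=jthompson action=READ path=eng/src/core/session.py
2026-03-10T22:02:03 NOVA-FS-01 user=jthompson action=READ path=eng/src/core/auth.py
2026-03-10T22:05:11 NOVA-FS-01 user=jthompson action=READ path=eng/src/api/handlers.py
2026-03-10T23:40:30 NOVA-FS-01 user=jthompson action=READ path=eng/src/api/models.py
2026-03-10T23:44:58 NOVA-FS-01 user=jthompson action=READ path=eng/docs/design.docx
2026-03-10T23:50:00 NOVA-FS-01 user=svc_backup action=READ path=eng/src/core/auth.py
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_log(text: str):
    """Turn raw lines into event dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_after_hours(ts: datetime, start=time(7, 0), end=time(18, 0)) -> bool:
    """Business hours are [start, end); anything else counts as after hours."""
    return not (start <= ts.time() < end)


def detect_after_hours_bursts(events, threshold=5, allowlist=("svc_backup",)):
    """Report users who touched >= threshold distinct files after hours on one calendar day.

    Grouping by calendar day keeps the example short; a production rule would key
    on the shift window so a burst that straddles midnight is not split in two.
    """
    buckets = defaultdict(lambda: {"files": set(), "first": None, "last": None})
    for ev in events:
        if ev["user"] in allowlist or not is_after_hours(ev["ts"]):
            continue
        b = buckets[(ev["user"], ev["ts"].date())]
        b["files"].add(ev["path"])
        b["first"] = ev["ts"] if b["first"] is None else min(b["first"], ev["ts"])
        b["last"] = ev["ts"] if b["last"] is None else max(b["last"], ev["ts"])

    findings = []
    for (user, day), b in sorted(buckets.items()):
        if len(b["files"]) >= threshold:
            findings.append({
                "user": user,
                "date": day.isoformat(),
                "distinct_files": len(b["files"]),
                "first": b["first"],
                "last": b["last"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_after_hours_bursts(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}: {f['distinct_files']} distinct files after hours on "
              f"{f['date']} ({f['first'].time()} to {f['last'].time()})")
```

Counting distinct paths rather than raw events matters: repeated reads of one file inflate an event count but say little about scope, whereas the number of different files touched is what the 847-file figure in the alert actually measures. The allowlist keeps scheduled service accounts from tripping the rule every night.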
| Evidence Item | Description | Location |
|---|---|---|
| E-001 | Desktop PC — Dell OptiPlex 7090 | Desk 14, powered off |
| E-002 | Laptop — Lenovo ThinkPad T490 | Lid closed, possibly in sleep |
| E-003 | 32 GB SanDisk USB drive | Desk drawer, unlabelled |
| E-004 | DLP system alert logs | Server NOVA-DLP-01 |
| E-005 | Active Directory / Windows Event Logs | Domain controller NOVA-DC-01 |