Home > Knowledge > Blog

When Employees Depart with Data: The Power of Triage

Nov 4, 2025

Digital Forensic Insights from David Greetham

 

Accessing confidential or proprietary data is easier than ever for the average employee, and one report shows they are nearly 70% more likely to take data right before leaving a company. What does this look like in practice? In a high-profile example from a few years ago, a Yahoo employee who left to work for a competitor allegedly moved 570,000 documents to two personal external storage devices 45 minutes after receiving the new job offer. Yahoo sued the employee for $5 million plus punitive damages.

In a perfect world with an unlimited budget, you would conduct a full forensic analysis on every departing employee’s device to prevent issues like this. But, in the real world, how can you manage this risk while still using your resources responsibly? 

One of the most common services we provide for clients, forensic triage, answers this question. Triage is an early-stage forensic collection and analysis process that can quickly reveal whether sensitive data was accessed, copied, or transferred prior to an employee’s departure—before costs spiral. 

Our forensic triage process focuses on three high-impact areas of data analysis that can provide a clear picture of information potentially taken after departure. The initial three areas we analyze are: 

  1. Email: Did this person send any information to a personal account like a Gmail, Hotmail, or Yahoo address?
  2. Internet history: Are there any suspicious searches—a real example I saw recently: “download tools to delete evidence”—or any links to cloud services like Dropbox or Google Drive that indicate data was copied?
  3. USB devices: Have thumb drives or external hard drives been plugged into the employee’s computer, and, if so, what specific data did they transfer and when did it happen?

There is an incredible amount of information you can learn from analyzing these three areas. Internet searches (like the one mentioned above) indicate the employee’s goals and intent. Thumb drives and cloud links show file names and reveal what was taken. And dates attached to these actions establish a narrative. 

On the other hand, you may find nothing suspicious, which is also good news. Instead of spending large sums analyzing devices and data on a hunch, you have a snapshot that can guide your strategic decision to either do more analysis or leave it alone. 

That ability to make a confident decision is ultimately what drives the power of forensic triage. It’s confidence in the results and your ability to make an informed decision, confidence in the cost and timing (we offer this service at a fixed rate, and it takes only a few days), and confidence in the integrity of your valuable data. In a world where data issues are getting exponentially more complex, having that kind of confidence feels like a superpower. 

If you’re interested in learning more about our forensic triage process, please reach out

Explore More
Close Modal

Our Framework

Understand.

During this phase, we work to step away from any assumptions and guesses about what our customers needs, and let our research findings inform our decision-making. We learn more about our customers, their problems, wants, and needs, and the environment or context in which they will use the solution we offer.

Our Framework

Define.

During the Define phase, we analyze our research findings from the Understand phase and determine what is the most important problem to solve — and why. This step defines the goal. Then we can give a clear problem statement, describing what our customers’ needs are that we are trying to solve, making sure that we heard and defined their problem correctly.

Our Framework

Solve.

This phase is an important part of the discipline in our process. People often settle for the first solution, but the most obvious solution is often not the right one. During the Solve phase, we brainstorm collaboratively with multiple stakeholders to generate many unique solutions. We then analyze our potential solutions and make choices about which are the best to pursue based on learnings in the Understand phase.

Our Framework

Build & Test.

This phase is critical in developing the right solution to our customers’ problem. An organized approach to testing can help avoid rework and create exceptional outcomes. Starting small and testing the solution, we iterate quickly, before deploying solutions across the entire project.

Our Framework

Act.

During this phase, the hard work of prior phases comes to life in our customers’ best solution. The research, collaboration, and testing performed prior to project kick-off ensure optimal results.

Our Framework

Feedback.

At the project completion, we convene all stakeholders to discuss what went well, what could have been better, and how we might improve going forward. We call these meetings “Retrospectives,” and we perform them internally as a project team, and with our external customers. The Retrospective is one of the most powerful, meaningful tools in our framework.

Next