Case type: Criminal and civil law

Client: Financial services company

Parties involved: Company v. Former IT analyst

Mandate given to Firme H2E:

Document unauthorized access to systems and confidential databases

Duration: 20 business days

Context

A Quebec City financial services firm discovered that a former IT analyst had continued accessing its internal systems for several weeks after his termination. The company had neglected to revoke certain VPN access, and client database credentials had not been deactivated.

The former employee was suspected of viewing wealthy client files and downloading personal and financial information. The company feared a breach of privacy legislation and needed to document the extent of the intrusion for regulatory obligations and potential criminal prosecution.

The legal department retained Firme H2E to analyze system logs, reconstruct the former employee’s actions, and produce a court-admissible report.

Firme H2E Intervention

Step 1

Log Collection and Preservation

  • Acquired VPN, Active Directory, firewall, and database server logs
  • Created forensic images of involved servers
  • Documented chain of custody for each data source
Step 2

Access Analysis and Chronological Reconstruction

  • Correlated VPN connections with the former employee’s residential IP address
  • Analyzed SQL queries executed on client databases
  • Identified 312 client files accessed without authorization over a 23-day period
  • Detected mass downloads (CSV exports) of personal data
Step 3

Expert Report and Visualization

  • Produced a detailed technical report with visual intrusion timeline
  • Mapped accessed data: names, social insurance numbers, account balances
  • Calculated impact: over 4,500 potentially affected clients
  • Provided recommendations for mandatory notifications under privacy legislation
Result

Firme H2E’s report was used to file a criminal complaint for unauthorized access to a computer system (s. 342.1 of the Criminal Code).

The forensic evidence also served as the basis for a civil damages lawsuit.

The company was able to demonstrate to regulatory authorities that it had acted diligently by quickly documenting the incident. The former employee was charged and pleaded guilty to reduced charges, receiving probation and a ban from working in the financial sector.

Key Takeaways
  • Immediate access revocation upon departure is critical for security
  • System logs are valuable forensic evidence when properly preserved
  • Rigorous incident documentation facilitates regulatory compliance and legal recourse
Tools Used
  • Splunk (log analysis and correlation)
  • Magnet AXIOM (server forensic acquisition)
  • Microsoft Log Parser (Active Directory analysis)
  • Custom visual timeline (Firme H2E)
  • SHA-256 for log integrity validation

Have a case?

Submit it securely through our platform.

No emails. No delays. Use our dedicated submission system to get expert help fast.

Submit Your Case

Your information stays confidential and is reviewed by certified experts.