by jgowdy 2741 days ago
As dguido posted below, the details are a bit different than the tiny pair of sentences you're basing your analysis on.

> On 12/12/2018 at approximately 10:30 a.m., Tan contacted his supervisor, advised he was resigning from Company A, and gave his two weeks' notice. Tan told his supervisor that he was returning to China to be with his family as he is the only child to aging parents. Tan told his supervisor that he did not currently have a job offer, but was negotiating with a few battery companies in China.

> Tan's resignation prompted Company A to revoke his access to company systems, and conduct a Systems Access review of Tan's computer activity.

> That review confirmed that Tan had accessed hundreds of files, including research reports. The reports included not only how to make Product A, which, according to Company A, is a complicated and technically difficult process, but also Company A's plans for marketing Product A in China and in cell phone and lithium-based battery systems. These files included information that Company A considers to be trade secrets and outside the scope of Tan's employment with Company A. The review revealed Tan downloaded restricted files to a personal thumb drive. In the course of his regular duties and responsibilities, Tan should have used his company issued laptop. Tan did not have authorization to use a thumb drive to download Company A files. Tan's supervisor confirmed that nothing in the downloaded files was within Tan's area of responsibility. Further Company A confirmed, through Tan's supervisor, Tan did not have a work related need to access or download the restricted files.

How does this actually work? Does Windows keep a log of files accessed or copied? Or does the company install additional security software that audits this?

Windows has some of this. But if you want crazy levels of granularity there are plenty of software vendors to choose from.

My company knows every file every person accesses, where it came from, and where it went. They lock down computers down to the individual USB port. If you put a thumb drive in the wrong port on a Windows machine, a guy from IT Security shows up within 30 minutes.

That was the day I found out that if I try to charge my hotspot at work, it shows up as a USB drive.

> 15. Later that day, on 12/12/2018 at approximately 4:00 p.m., Tan sent the following text message to his supervisor:

    ... [Another Company A supervisor] was asking if there is anything I have with me associated with company IP. I have a memory disk that contains lab data that I plan to write report on, and papers/reports I plan to read at home. Now that I have been exited from (COMPANY A), can you check what is the best way of handling the information and how sensitive they are? Can I still read the papers/reports from the memory disk?

> 16. After receiving the above text from Tan, Tan's supervisor asked him to return the flash drive (which Tan's text message referred to as a "memory disk") to Company A.

> 17. At approximately 5:15 pm on 12/12/18, Tan returned to the Research Technology Center at Company A where he provided a USB flash drive to his supervisor. The USB flash drive was Tan's personal property, which he was not authorized to utilize within Company A's space. There is no record of Company A having issued a USB flash drive to Tan.

You just turn on auditing features in Windows on your file servers. There are many third-party tools that can help you sift through and retain logs, but the basics can all be done with the vanilla Windows OS.
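
One way to do what the comment above describes with built-in tooling, as an added example that is not part of the original thread: enable the File System audit subcategory, put an audit entry (SACL) on a share, and count the distinct files each account touched from event 4663. The share path `D:\Shares\Research` and the 14-day window are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the file server.
# Assumed path of the share to audit (hypothetical, replace with your own).
$SharePath = 'D:\Shares\Research'

# 1. Enable the audit subcategory that emits object-access events for
#    files and folders that carry an audit entry.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) so successful reads under the share are
#    logged for every account, inherited by subfolders and files.
$acl      = Get-Acl -Path $SharePath -Audit
$ruleArgs = 'Everyone', 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Pull event 4663 ("An attempt was made to access an object") from the
#    Security log for the last 14 days.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

# 4. Flatten each event's named data fields, keep hits under the share,
#    and report distinct files per account, busiest accounts first.
$events | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time = $_.TimeCreated
        User = $data['SubjectUserName']
        File = $data['ObjectName']
    }
} | Where-Object { $_.File -like "$SharePath\*" } |
    Group-Object User |
    ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            User          = $_.Name
            DistinctFiles = @($_.Group.File | Sort-Object -Unique).Count
            FirstAccess   = $times[0]
            LastAccess    = $times[-1]
        }
    } | Sort-Object DistinctFiles -Descending
```
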
- SharePoint access logs (the server side)
- Corp IT has access to your machine, and can activate keyloggers to see what you are doing with the downloaded files. (the client side)

There are lots of things in play: system logging, storage/file share logging, network traffic logging, authentication logs, etc.

Thanks for the additional details. It was not present in the article, which is why I am glad I asked the question. It seems that the extent of the copying is greater than I had assumed from the original article's text.