Scenario:

You are working for a Civil Digital Forensics firm and have been hired by the Buy n Large Aerospace firm to identify a threat actor who is leaking future project plans and concepts to a competitor.Over the last month, Buy n Large has suspected someone has gained access to their systems, and released their future development and other intellectual property documents to their biggest competitors.Although they are not certain, the Chief Executive Officer believes the perpetrator is a disgruntle employee, because the company recently began dumping large amounts of garbage and other toxins into landfills because it allowed them to reap a higher profit margin.The CEO notified you that 80 percent of the employees went on a week long strike when the decision was first made a little more than a month ago, and that the data leaks started right after the employees returned to work. Buy n Large does not have a sophisticated Cybersecurity team, and the only data they can provide is 48-hours worth of Network Router Logs.The few members of the Cybersecurity team which does exist, has recommended the company capture all network packets from all computers which are logged onto the network for a period of two weeks.Through questioning of the Cybersecurity team, you have learned that Buy n Large provides computers for all staff, and allows the staff to utilize their computers to conduct personal business.You also learned that the computers must connect to the internal network via VPN, in order to have access to an internet website.Therefore, if you conduct a network based packet collection, you will potentially collect information on any and everything the employees utilize their computers for.

I need help answering these questions:

1. Is there a potential Fourth Amendment Issue when collecting ALL of the packets on the Network?Why or why not?
2. Are there any recommendations for any specific filters on the type of traffic which is captured?(IE Specific Protocols, packets, etc) If yes, what information would you include/exclude from collection.
3. If looking for an Internal Threat Actor, what types of network traffic would you look for?What about an external Threat Actor?
4. Is there an alternative means to prove the identity of the threat actor, without completing a total network traffic collection?

I also need help finding sources. Thank you