Forensic Case Studies

We have helped a wide range of organisations get evidence of illegal and inappropriate use of their company computers. The following scenarios are specific examples of the problems some of our clients have faced in the past. For reasons of client confidentiality and legal sensitivity, actual names have been changed.

Case Study 1:

X, the sales manager of Company A, gives 4 weeks' notice. Soon after he leaves, Company A receives advice from a number of clients that they received emails from an unknown Hotmail account containing defamatory information about Company A.

Computer Forensics NZ Ltd (CFNZ) is instructed to search for evidence on X’s PC that the emails originated from it.

During the briefing CFNZ suggests that the PC be examined for any evidence of any confidential data being copied to removable external media during the preceding 4 weeks.

Every bit and byte on the PC’s hard disk is acquired and preserved using rigorous procedures as employed by NZ Police, the Serious Fraud Office, NZ Customs etc. The data is then meticulously analysed and various data (deleted) and system files are recovered showing that email data was created at the date and time that X was known to be operating the PC.

Detailed analysis also shows that during the last 3 days of X’s employment 1 MYOB data file and 1 Microsoft Access file were copied to a USB drive. The files and detailed report are provided to Company A and appropriate discussions are held with the company’s legal advisors for recommended action.

Case Study 2:

It was noticed by her manager that C’s work output had been dropping over the previous 3 weeks, which coincided with the provision of broadband Internet to her department. It is visually established that she is spending many hours Internet ‘surfing’, which is specifically banned under her terms of employment.

She is cautioned appropriately but she continues with the unauthorised activity. Workmates also note that pornographic images are seen on her PC after the second caution.

The company subsequently dismisses her and within 14 days the company receives formal advice that it would be served with a charge of unjustified dismissal.

The manager convinces Management that all correct procedures were followed and that the Internet use was clearly beyond any amount or type that could be considered reasonable. Management decides to contest the action, especially as a significant amount of money is at risk, and instructs CFNZ to analyse her PC for evidence of excessive Internet activity and deliberate entry to pornographic sites.

Analysis of her PC by CFNZ shows that incontestable evidence exists proving conclusively that the company’s assertions were correct.

Finally, costs are awarded to the employer.

Case Study 3:

Employee M is discovered stealing product from the Finished Goods Store during lunch break. M is told to collect his personal effects from his office and report to the accountant in 30 minutes for final pay reconciliation.

The next day his company laptop is inspected and the PC is found to have been formatted. Unfortunately, M’s PC contained important time-sensitive company data that was in My Documents and not part of the regular network backup. CFNZ is contacted and briefed as to the types of files required and queried as to whether it would be possible to determine the actual time that the disk was formatted.

Within seven days CFNZ has successfully recovered the complete suite of data and has absolutely ascertained that the formatting took place when M was known to be in the office collecting personal items.

The company seeks legal advice regarding the appropriate action to take because of the malicious deletion activities.

Case Study 4:

Employee F suddenly resigns from company G and establishes a company in direct competition.

CFNZ conducts a detailed briefing session with management and legal counsel of company G. The PC previously used by employee F is delivered to CFNZ and an evidential copy of all data on the hard disk drive is made and preserved.

The deleted file area undergoes detailed analysis and evidence is found of Company G’s confidential marketing data sent as email attachments to a private email account. F’s deleted draft of a business plan for the new competing company is also recovered.

A full report is presented to management of company G and the ex-employee F makes appropriate reparation.

Case Study 5:

A major organisation was facing a crisis when a very senior member of staff was under suspicion of downloading thousands of pornographic images from the internet. He vehemently denied it all, but the case against him looked very serious.

Our detailed and sustained analysis of internet use and traffic pinpointed a clash of IP addresses on the system. The evidence started to point towards the organisation’s system administrator, but he denied it.

As we dug deeper, we proved that it was the administrator who’d been using his local desktop system to access numerous pornographic websites. Over three months, he had visited 1200 pornographic websites and downloaded over 15,000 images. To cover his tracks, and in an attempt to frame a senior manager, he had been altering his local system IP address so the trail led to his senior manager colleague.

Our expertise in computer forensics and incident response meant we were able to unravel the mystery. It saved an innocent person’s job and good name, and uncovered the real culprit. The senior manager was cleared of all involvement, and his reputation was restored.

Before our involvement, the system administrator had claimed he knew nothing at all about the downloading of pornography. But in the end he had to confess, confronted with the evidence we uncovered. He no longer works for the organisation.

Case Study 6:

After a local dairy was robbed at gunpoint, it was found that the media file located on the hard disk drive of the Digital Video Recorder linked to the store’s CCTV system was corrupted and provided authorities with no clue as to the identity of the perpetrators.

We were able to successfully recover the media file and repair it to a state where it could be replayed on an ordinary computer system. This helped with the identification of the offenders as well as providing incontestable evidence as to their involvement in the crime.

The pair is now serving a 12-year prison term.