Background
Irish organisations face a litany of unprecedented challenges as they brace themselves for a tough 2009. Never before have we seen organisations as cautious, as guarded, or as vigilant. One unfortunate consequence of this economic environment is the loss of staff through redundancy. A less obvious consequence is the prospect of former staff setting up competing companies, which can shrink an organisation's existing market share still further.
Espion was recently engaged by a firm of solicitors to establish whether three former employees of their client, a software development company, had stolen valuable source code and client lists, and had used this information to develop a competing product and to approach the client's existing customers.
The triggers for these digital investigations are not confined to the cyber crime spectaculars that capture media attention. Far more common are relatively low-level events such as contractual and employment disputes and data theft, which, if not handled properly, can still cause considerable direct and indirect losses. Most organisations will experience at least one such event in any given year.
Forensic Examination of Laptop Computers
A number of laptop computers were identified as having been used by the former employees while they were employed at the software development company. Espion began by making a 'bit-stream' copy of each laptop's hard disk drive: a sector-by-sector copy that captures unallocated space and file slack as well as the live file system, rather than a copy of the visible files only.
In the vast majority of computer-related forensic investigations, if individuals are under any form of suspicion, the organisation will need to be able to seize their PCs and make a proper forensic "image": a precise snapshot of everything on the hard disks, including deleted material that examiners may be able to recover. The image is hashed at acquisition so that the copy can later be shown to be identical to the original. As such, it is critical that an investigator be intimately familiar with, and follow, an established set of best-practice guidelines that direct the technical, and indeed non-technical, aspects of an investigation.
The only area where there are well-developed procedures for seizing digital evidence is data on hard disks (disk forensics), where a number of organisations have published guides. Many of these are based on the UK Association of Chief Police Officers (ACPO) Good Practice Guide, which sets out some useful principles. Indeed, one member of Espion's forensic team is a former police officer who served in New Scotland Yard's computer forensic division.
To that end, Espion adheres strictly to the ACPO guidelines when performing computer-based forensic investigations, so that any evidence recovered is admissible in a civil or criminal trial if necessary.
It is essential to be able to show a court, objectively, both the continuity (chain of custody) and the integrity of the evidence. It is also necessary to document how the evidence was recovered, showing each process through which it was obtained. Evidence should be preserved so that an independent third party can repeat the same process and arrive at the same result as that presented to the court. Espion's approach and methodologies are always mindful of these requirements.
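As an added example, not code from Espion or from this page, the following Python shows the imaging discipline described above against a constructed in-memory "device" rather than a real disk: every sector is copied in order, an unreadable sector is zero-filled and logged rather than skipped (so later offsets stay aligned, as dd's conv=noerror,sync does), the hash is computed over the bytes actually written, and the stored image is re-hashed to confirm it is the one that was acquired. The FakeDevice class, the sector layout, the bad sector and the "deleted" data are all constructed for the demonstration.

```python
import hashlib
import io

SECTOR = 512  # bytes; the unit a raw device is read in


class FakeDevice:
    """Constructed stand-in for a raw disk (not a real block device).
    Sectors listed in `bad_sectors` raise OSError on read, as a failing
    drive would, so the imager's error handling can be exercised offline."""

    def __init__(self, data, bad_sectors=()):
        assert len(data) % SECTOR == 0, "device size must be whole sectors"
        self._data = data
        self._bad = set(bad_sectors)

    @property
    def sector_count(self):
        return len(self._data) // SECTOR

    def read_sector(self, n):
        if n in self._bad:
            raise OSError("I/O error reading sector %d" % n)
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def image_device(dev, out):
    """Bit-stream copy: every sector in order, allocated or not, so deleted
    material sitting in free space is preserved. An unreadable sector is
    zero-filled (keeping every later offset aligned) and logged rather than
    skipped. The SHA-256 is computed over exactly the bytes written, so it
    is the acquisition hash of the image. Returns (sha256_hex, bad_sectors)."""
    h = hashlib.sha256()
    bad = []
    for n in range(dev.sector_count):
        try:
            chunk = dev.read_sector(n)
        except OSError:
            bad.append(n)
            chunk = b"\x00" * SECTOR
        out.write(chunk)
        h.update(chunk)
    return h.hexdigest(), bad


def verify_image(image_bytes, acquisition_hash):
    """Re-hash the stored image and compare with the hash recorded at
    acquisition. This is the step an independent examiner repeats: same
    bytes, same hash, or the image is not the one that was acquired."""
    return hashlib.sha256(image_bytes).hexdigest() == acquisition_hash


def demo():
    """Constructed 16-sector disk with 'deleted' data left in free space
    (no directory entry points at it) and one bad sector. Image it twice
    and show the two acquisitions agree and the image verifies."""
    deleted = b"client list: ACME Ltd, Widgets plc\n"  # constructed sample
    disk = bytearray(16 * SECTOR)
    disk[9 * SECTOR:9 * SECTOR + len(deleted)] = deleted
    dev = FakeDevice(bytes(disk), bad_sectors={5})

    first, second = io.BytesIO(), io.BytesIO()
    hash1, bad1 = image_device(dev, first)
    hash2, bad2 = image_device(dev, second)
    img = first.getvalue()
    return {
        "repeatable": hash1 == hash2 and bad1 == bad2,
        "bad_sectors": bad1,
        "size_ok": len(img) == 16 * SECTOR,
        "deleted_data_present": deleted in img,
        "verifies": verify_image(img, hash1),
        "tamper_detected": not verify_image(img[:-1] + b"\x01", hash1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

The bad-sector list is part of the acquisition record: it explains why a run of zeros appears at that offset and lets a second examiner reproduce the same hash from the same drive.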
The Analysis & Findings
Espion deployed forensic tools, primarily Guidance Software EnCase and AccessData Forensic Toolkit (FTK), to interrogate the laptops' hard disk drives. It quickly became obvious that many sensitive files, including source code and Microsoft Excel spreadsheets containing client information, had been accessed in the days before the former employees' departure. This was a cause for concern. The analysis also established that many of the same files had been accessed on an external device attached to one of the laptops. Windows records each USB device it has enumerated in the registry, and an analysis of the computer's registry identified the Vendor ID (VID) and Product ID (PID) of the attached device. The registry also identified the date and time that this device was first attached to the computer, and this coincided with the date and time the files were being accessed on the internal server. Espion concluded that, in all likelihood, these files were copied from the server to this external device. Looking up the VID and PID taken from the registry identified the device as an Iomega external USB storage device.
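To show how registry artefacts of this kind are turned into a timeline, the following Python is an added example, not Espion's tooling and not from the page. It parses constructed registry key paths of the shape Windows uses under Enum\USB (VID_xxxx&PID_yyyy\serial) and Enum\USBSTOR (Disk&Ven_...&Prod_...), pairs them by serial number, and lists the server files accessed within a window after the storage device first appeared. The key paths, timestamps, file records, the PID 0030 and the small vendor table are constructed for illustration (059B is Iomega's and 046D Logitech's vendor ID in the public usb.ids list). Which artefact gives the true first-connection time varies by Windows version (key last-write times, setupapi.log), so in a real case the source of each timestamp must be documented.

```python
import re
from datetime import datetime, timedelta

# Constructed key paths and last-write times (ISO 8601). The real keys live
# under HKLM\SYSTEM\CurrentControlSet\Enum\USB and \USBSTOR.
REG_KEYS = [
    (r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_059B&PID_0030\0A1B2C3D",
     "2009-01-15T17:42:10"),
    (r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"
     r"\Disk&Ven_Iomega&Prod_External_HDD&Rev_1.00\0A1B2C3D&0",
     "2009-01-15T17:42:12"),
    (r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_046D&PID_C016\5&1a2b3c&0&2",
     "2008-11-02T09:05:00"),
]

# Constructed last-accessed times of files on the company file server.
FILE_ACCESS = [
    (r"\\fileserver\dev\src\billing\core.cs", "2009-01-15T17:51:03"),
    (r"\\fileserver\sales\clients.xls", "2009-01-15T18:09:40"),
    (r"\\fileserver\hr\handbook.doc", "2009-01-12T11:20:00"),
]

# Tiny vendor lookup for illustration; in practice match the VID against
# the public usb.ids list.
VENDORS = {"059B": "Iomega", "046D": "Logitech"}

USB_RE = re.compile(
    r"\\USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([^\\]+)$", re.I)
USBSTOR_RE = re.compile(
    r"\\USBSTOR\\Disk&Ven_([^&]+)&Prod_([^&]+)&Rev_[^\\]+\\([^\\&]+)", re.I)


def parse_usb_devices(reg_keys):
    """One record per VID_/PID_ instance key under Enum\\USB, enriched with
    the vendor/product strings of the matching USBSTOR key (joined on the
    device serial). A device with no USBSTOR key is not a storage device."""
    devices = {}
    storage = {}
    for path, last_write in reg_keys:
        m = USB_RE.search(path)
        if m:
            vid, pid, serial = m.group(1).upper(), m.group(2).upper(), m.group(3)
            devices[serial] = {
                "vid": vid, "pid": pid, "serial": serial,
                "vendor": VENDORS.get(vid, "unknown"),
                "product": None,
                "first_seen": datetime.fromisoformat(last_write),
            }
            continue
        m = USBSTOR_RE.search(path)
        if m:
            storage[m.group(3)] = (m.group(1), m.group(2))
    for serial, (ven, prod) in storage.items():
        if serial in devices:
            devices[serial]["product"] = prod
            if devices[serial]["vendor"] == "unknown":
                devices[serial]["vendor"] = ven
    return list(devices.values())


def correlate(devices, file_access, window=timedelta(hours=2)):
    """For each storage device, list server files whose access time falls
    between the device's first connection and `window` later: the timeline
    overlap the investigation above relied on. Returns (serial, path, time)."""
    hits = []
    for dev in devices:
        if dev["product"] is None:
            continue  # e.g. a mouse: enumerated under USB, never under USBSTOR
        start, end = dev["first_seen"], dev["first_seen"] + window
        for path, accessed in file_access:
            when = datetime.fromisoformat(accessed)
            if start <= when <= end:
                hits.append((dev["serial"], path, accessed))
    return hits


if __name__ == "__main__":
    devs = parse_usb_devices(REG_KEYS)
    for d in devs:
        print(d)
    for hit in correlate(devs, FILE_ACCESS):
        print("device %s <-> %s accessed %s" % hit)
```

The window is a choice the examiner has to justify; a two-hour window is used here only because the constructed records fall inside it, and a real report would state the window and the clock source (server versus laptop time, time zone) alongside each correlation.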
The solicitors wrote to the three former employees informing them of the organisation's concerns. After various communications, one of the former employees voluntarily produced an Iomega USB disk drive and gave the organisation permission to inspect it for any data relating to the issue at hand. Espion performed a forensic analysis of the drive and quickly ascertained that it had recently been formatted and contained no visible data of interest. However, a detailed forensic analysis using the specialised tools mentioned above allowed Espion to recover a large number of deleted files from the disk. A standard (quick) format does not erase the data on a disk: it rewrites the file system structures that record where files live, so the files are no longer visible to the Windows operating system, but the underlying clusters are left untouched until they are reused. Forensic tools recover this data by carving it from unallocated space using known file signatures. (A full format on Windows Vista and later does overwrite the volume with zeros, so recovery by these means is not guaranteed in every case.)
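To illustrate why a quick format leaves data recoverable, the following Python is an added example, not part of the page and not EnCase or FTK code. It builds a constructed 64-sector image containing a small ZIP archive (the container format of modern Excel files), "formats" it by zeroing the sectors where the file system's boot sector and allocation tables would sit, plants a stray ZIP signature as a decoy, and then carves the archive back out by its local-file header and end-of-central-directory (EOCD) record, rejecting candidates whose central-directory offsets do not line up with the supposed start. The file name, contents, offsets and decoy are all constructed.

```python
import io
import zipfile

SECTOR = 512
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # first bytes of every ZIP (and .xlsx/.docx)
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory: 22 bytes + comment


def build_formatted_image():
    """Constructed 64-sector 'disk': a small ZIP (stand-in for an .xlsx client
    list) is written into the data area at sector 20, a decoy signature at
    sector 12, and then the first 8 sectors, where the file system metadata
    would live, are wiped as a quick format does. The file's own clusters
    are untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("clients.csv", "ACME Ltd,Dublin\nWidgets plc,Cork\n")
        zf.comment = b"constructed sample"  # exercises the EOCD comment field
    payload = buf.getvalue()

    image = bytearray(64 * SECTOR)
    image[20 * SECTOR:20 * SECTOR + len(payload)] = payload
    image[12 * SECTOR:12 * SECTOR + 8] = b"PK\x03\x04junk"    # decoy header
    image[0:8 * SECTOR] = b"\x00" * (8 * SECTOR)              # the 'format'
    return bytes(image)


def carve_zips(image):
    """Signature carving: scan for ZIP local-file headers, bound each
    candidate by the next EOCD record (22 bytes plus the comment length at
    offset 20), check that the EOCD's central-directory offset and size land
    exactly on that EOCD when measured from the candidate start, and keep
    only candidates that parse and pass CRC checks. Returns (offset, bytes)."""
    found = []
    pos = 0
    while True:
        start = image.find(ZIP_LOCAL_HEADER, pos)
        if start < 0:
            break
        eocd = image.find(ZIP_EOCD, start)
        if eocd < 0:
            break
        cd_size = int.from_bytes(image[eocd + 12:eocd + 16], "little")
        cd_offset = int.from_bytes(image[eocd + 16:eocd + 20], "little")
        comment_len = int.from_bytes(image[eocd + 20:eocd + 22], "little")
        end = eocd + 22 + comment_len
        # If the central directory does not end exactly at this EOCD when
        # measured from `start`, then `start` is not the true beginning of
        # the archive (a stray signature or junk prefix): reject it.
        if start + cd_offset + cd_size == eocd:
            try:
                with zipfile.ZipFile(io.BytesIO(image[start:end])) as zf:
                    if zf.testzip() is None:
                        found.append((start, image[start:end]))
                        pos = end  # skip the local headers inside this archive
                        continue
            except zipfile.BadZipFile:
                pass
        pos = start + len(ZIP_LOCAL_HEADER)
    return found


def carved_entries(image):
    """Names of the files inside each carved archive: what an examiner
    compares against the list of files known to have left the server."""
    names = []
    for offset, data in carve_zips(image):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names.append((offset, zf.namelist()))
    return names


if __name__ == "__main__":
    img = build_formatted_image()
    for offset, entries in carved_entries(img):
        print("ZIP at sector %d: %s" % (offset // SECTOR, entries))
```

The offset consistency check matters in practice: Python's zipfile (like most ZIP readers) tolerates leading junk, so without it the decoy at sector 12 would be reported as the start of the archive and the carved file's offset, which is evidence in itself, would be wrong.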
The End-Game
Espion produced an 'Evidentiary Report' detailing its findings. The law firm quickly sent a stern letter to each of the former employees, notifying them of the findings and of the consequences of their actions. They quickly ceased trading and permitted further searches of their personal computer equipment, to provide assurance that they did not retain any additional data belonging to their former employer.
The Conclusion
Acting quickly and taking advantage of specialised forensic tools and techniques can provide insight into issues that would otherwise be very difficult to resolve. Computer forensics, performed by trained, experienced professionals, can offer compelling evidence that brings about a swift conclusion to the most threatening of situations.
Espion operates a dedicated computer forensic laboratory equipped with up-to-date forensic equipment. Espion's forensic laboratory is the only computer forensic laboratory in Ireland certified to the ISO/IEC 27001 standard for information security management, ensuring our clients' confidential data is secured to the highest possible standard.
Espion also operates a 'mobile' forensic laboratory. Many of our clients require forensic analysis to be performed on-site at their own premises, which keeps chain-of-custody handling to a minimum and allows confidentiality and non-disclosure agreements to be maintained, and verified, more easily.