THE INDEPENDENT MAGAZINE FOR LEGAL PROFESSIONALS

Computer Forensics Comes of Age

Extracting evidence from computers is, in judicial terms, a relatively new concept. When most of us think about computer evidence we tend to think about hackers or paedophiles or other high-profile criminal cases. This was certainly true during its infancy, but the field of computer forensics is maturing and we can now see its future role in civil litigation and corporate governance.

Earlier this year we were called in by a firm of lawyers who asked for our assistance in a particular corporate investigation. The investigation was neither particularly extraordinary nor high profile; it was no different from any other case that a lawyer may see every day of the week. What makes this case worthy of report is the strength and speed with which computer forensics produced tangible evidence where no evidence was thought to exist.

This case related to two companies, both of which provided a specific service to their customers on a project-by-project basis. Each project was potentially worth many hundreds of thousands of pounds. Certain facts and details have been changed for obvious reasons.

The CFO of a company that we shall call the Green Company had received a complaint from a customer who had just been presented with a proposal that was identical to one already offered by a competitor, which we shall call the White Company. The customer’s complaint seemed to be that the Green offer was far more expensive, and he implied that it was the Green Company that was guilty of plagiarism.

The CFO made some preliminary enquiries and discovered that two former employees of Green, who had left the company nearly a year earlier, had formed the White Company. In the hope and belief that his company would not have committed plagiarism, he set about establishing the truth. Reluctant to interview the two authors of the proposal document, whom we shall call Mr A and Mr B, without substantive evidence, he called his lawyers and so began our story. The CFO suspected that the former employees who set up the White Company still had some close friends within his company, and that it might have been one or more of these friends who were responsible for the plagiarism and not Messrs A and B. An enquiry with the accounts department relating to similar projects showed that, since the formation of the White Company, Green’s revenue for those projects had dropped by more than 50% against what was forecast.

The implications for Green were serious. Not only did it appear that Green had lost a great deal of revenue, they had apparently lost a number of significant customers and might also stand to be accused of plagiarism. Initial consideration was given to how to remedy the situation, but short of interviewing Mr A and Mr B there was concern that the main source of evidence would be inside the White Company, which would require a Civil Search Order to access.

Following some very astute detective work by the CFO it was established that Mr C was about to tender his resignation in favour of a job with the White Company. Although he was not part of the project team in question he did work in the same open-plan office. In this particular case the legal advisors were aware of what a computer forensic investigation could provide and so began our investigation.

As with any business environment, any evidence that might be available was going to be based on a computer. The material believed to have been plagiarised consisted of substantial documents containing details of the customer’s requirements and Green’s proposed solution and cost estimations. These documents were originally created by Mr A and Mr B and stored on their company laptop computers. In order to plagiarise such a document it would be necessary to copy the file, alter it, print it and present it as a White Company document.

Mr C’s laptop computer was examined and a forensic image of the computer was acquired. Such an image is a bit-by-bit copy of the original and includes all of the data held on it, even data that the user was unaware of or thought had long since been destroyed.

More than 500 documents and spreadsheets were found to reside on this computer. An examination of these revealed none that appeared to relate to the White Company or appeared to have been used in any illicit manner. A more detailed examination of the unused areas of the hard drive was then conducted. These are the areas where the best evidence can be found, as users generally do not know what may be contained in them, nor do they know how to access them.

 

Amongst other information we identified a large number of fragments that appeared to have originated from one single word processing document. These fragments contained a number of references to the Green Company, the White Company and two different legitimate customers of Green, including the original complainant. The majority of these fragments were reconstructed and found to originate from four temporary files created by a word processor. These temporary files, like any other, have time and date stamps relating to their creation as a temporary file. However when we extracted them as whole files we were able to examine their contents including additional time and date information that related to the file from which they originated.

The program creates these types of temporary files automatically while the original document is being written to or edited. Such files allow an automatic recovery of the work in progress should something go wrong, but frequently provide us with vital information about how, when and for what a computer program was being used. Our examination revealed the original name of the word processing document and the fact that it had resided on a floppy disk while the editing had occurred. We were also able to determine that the file was copied onto the floppy at about 17:28 hours on 28th January 2003. The document was again opened for editing at 19:54 hours the same day and it remained open for at least 50 minutes. By calculating the chronology behind the fragments we were able to determine that during this period the name “Green” was replaced with the name “White” along with some other minor changes to the wording.

Further examination of other date and time information associated with the remainder of files residing on the hard disk revealed factual evidence that demonstrated that Mr C’s laptop was closed down at 17:17 hours on 28th January and started up again at about 19:48 hours the same day.

From an investigation point of view this evidence demonstrated that Mr C’s laptop was closed down and 11 minutes later a floppy disk was placed into a computer and the proposal document copied onto it. Approximately two and a half hours later someone, using the same floppy disk and Mr C’s laptop, used his logon identity and password and opened the proposal file. The file was edited sequentially, changing the name of the Green Company to the White Company, during a 50-minute period. The edited file was then saved back to the floppy disk. At no time had the original file ever been saved onto the laptop hard drive. There was no evidence that either the original or the edited file had not been printed out.

Further analysis of the evidence relating to Internet activity on the laptop revealed that the user of the computer had set up a web-based email account purporting to be a representative of the White Company. This email account had been used to communicate with a large number of people and organisations, all of which appeared to be former customers of the Green Company. A significant number of these emails implicated two other current employees of the Green Company. These email messages dated back over a period of 14 months.

Further analysis showed that the user had also spent considerable time using the World Wide Web to search for high value domestic property and sports cars to purchase. There seemed to be good grounds to suspect that further investigation may reveal some tangible assets that may be the direct proceeds of Mr C’s illicit activity.

The computer forensic investigation was not only able to confirm Mr C’s involvement in plagiarism, breach of contract and possibly more but also to offer hard factual evidence implicating two additional conspirators. This evidence resided on a source readily available to the client and offered considerable support to the subsequent legal remedy.
This particular case was c It also demonstrates the requirement and value in adopting incident handling strategies that comply with Human Rights, Data Protection and Employment law. We all know what a computer can do for us as individuals; it is what you do not know it does that makes it an essential source of evidence in the corporate environment.

Computer forensics is not just about the grubby bedrooms of computer hackers; it has now matured into the offices and boardrooms of commerce and industry.

   