Agent 001 – What really happens during a “mock” dawn raid

06 October 2014 by Adrienn Toth

Have you ever wondered what really happens during a mock dawn raid? I have had the opportunity to assist my forensic colleagues from Kroll Ontrack on several mock dawn raids in Europe so I will share with you what is actually going on behind the glamour and the mystery…

At dawn my four colleagues, who are forensic experts, and I are waiting incognito in a taxi a few hundred metres away from the premises that we are about to raid, in an industrial and somewhat unfriendly location. No one apart from the CEO and Compliance Team of the company is aware of our presence and upcoming actions. My cell phone rings and we obtain the “go ahead” to enter the premises. Accompanied by external lawyers, we all enter the premises through a back door and register at a “pseudo reception” to obtain visitor passes. Then we are shown to a conference room which is where we will set up our IT and forensic equipment.

One of my IT colleagues lets out a deep sigh of despair after he realizes that we only have a single low-speed network cable at our disposal and two power plugs to connect around 15 external hard drives and laptops from employees that are yet to come. But don’t panic: we brought several extension cables with us in case this should happen.

However, the single low-speed network cable means that we will not be able to copy the server data from the conference room itself since that would take much too long; we have to be granted access to the central server room to connect directly to the server and copy server data rapidly. But we do not know where the server is located… is it onsite or somewhere else entirely?

We have to urgently speak to the local IT Manager to find out where exactly the server is located. We are informed it is 25 km away from the current premises, and apparently it is up in the mountains so “it will take a while” to get there. I decide to go together with a forensic colleague to the offsite server location; we arrive there in 45 minutes after a hasty ride, to a very small and chilly room with a few server racks and many LED lights flashing intermittently. We start copying the data from the server but suddenly the server shuts down since it has detected an intrusion/hacker attack in an “Armageddon” atmosphere. Luckily, we manage to bypass the security breach in about half an hour and copy the relevant data in a couple of hours more.

In the meantime, my other forensic colleagues at the company premises have finally managed to obtain the necessary administrative rights and access from the local IT Manager. These codes will enable our forensic experts to start taking live images of the laptops from the company employees who have been selected as priority custodians (because of their role and position they are considered to be more likely to commit infringements or be exposed to competitors).

It is a race against the clock… As employees come into our conference room in groups of two, we take their laptops, ask the employees to enter their passwords, sign our chain of custody form and we then run our forensic software to start the live image copying process of the laptop… all of this in just under 5 minutes per employee.

If everything goes according to plan, we manage to copy data from 15 laptops in just under 5 hours. The server data located up in the mountains has also been copied in about 5 hours. Finally my forensic colleagues run a program, which looks very impressive with plenty of zeros and ones, to check the integrity of the data and to ensure that all necessary data has been copied with nothing lost on the way. All the data has been copied successfully: mission accomplished!

These exercises can be used by corporations to test their incident response plans as part of a proactive approach to compliance, as part of an internal audit to make sure that no wrongdoing is taking place, or just to familiarize the staff with the process of a dawn raid so that nobody panics in the event of a real one. Whatever the reason for them, we try to make it as realistic a process as possible to provide the best training.