All posts in Case Studies & War Stories

The danger of ‘deleted’ data


What computer forensics experts talk about when they talk about deletion

As computer forensics specialists, we are often asked about deleted data. Is something truly deleted? Can deleted data be recovered? What should we do with old laptops? We thought the best way to answer these questions would be to conduct an experiment to show that in computer science, deletion is more of a spectrum than a binary state. The experiment also demonstrates the importance of protecting data, even when the device is no longer in use.

Introducing Project Gumtree

Armed with just £20, we responded to an advert on the community selling portal Gumtree and purchased four ostensibly clean hard drives from the seller, who had advertised them as coming from old family laptops. After payment and collection, we handed the drives over to our forensics team.

The first step of any forensics investigation is undertaking a procedure called ‘imaging’. Forensic imaging involves creating an exact copy of the hard disk, enabling investigations to be conducted without endangering or tampering with the original data held on the disk. Once we had imaged the Gumtree drives, the real investigation could begin.

Upon initial inspection, three of the hard drives appeared to be blank, as promised by the seller. The fourth simply showed the Windows base installation menu. For the average domestic user, the seller’s privacy would have been protected, but the first rule of forensics is that deleted does not always mean deleted, and we anticipated that we would be able to extract data from the seemingly blank disks.

Lost and found

Once we examined the imaged drives closely, we uncovered an incredible amount of information. Below is an overview of exactly what we found on each disk:

Data recovered from Disk 1

  • 1400 PDFs
  • 500 Excel Files
  • 200 Word Docs
  • 8 PowerPoint Presentations
  • 40,000 picture files

Although the seller had originally described the disks as coming from family machines, the information recovered suggested otherwise, with numerous documents detailing expenditure in excess of £120,000 on roof lights and £170,000 on installing cladding on a bridge walkway. The drive also contained other invoices for tens of thousands of pounds as well as a cache of foreign language documents, all of which suggested the disk was not used in a domestic context.

Data recovered from Disk 2

Disk 2 was the drive which had a visible base Windows installation but nothing else. However, once again we were able to recover a lot of data, the majority of which consisted of confidential documents taken from the internal file sharing system, SharePoint. Files held on SharePoint are for internal viewing only and therefore should not have been saved on the laptop, providing further evidence that the seller of the drives had perhaps obtained them via dubious means.

Data recovered from Disk 3

Disk 3 also yielded some interesting data. We found 3,800 Google search terms that provided a great deal of insight into the life of the previous owner. For example, we saw that the owner had searched for Patisserie Valerie bakeries, swiftly followed by a search for gyms in a particular area. More intriguingly and perhaps disturbingly, hidden amongst quotidian work documents was a raft of files relating to philosophy and the occult.

Data recovered from Disk 4

Of all the data recovered from the drives, Disk 4 contained the most sensitive information. Unfortunately, our in-house counsel has advised that we cannot go into detail about the contents of the drives as they contain data related to the UK government as well as CCTV footage.

By the end of the exercise, it was clear that the drives were not from family computers. In total, we recovered around 10,000 official documents and there is evidence that they come from the same government department. Kroll Ontrack is currently taking steps to return the data and the disks to that department so they can conduct their own investigations as to how the data was stolen.

How to disappear completely

The difficulty of truly deleting data from devices is something of a double-edged sword. On the one hand, if data appears to be lost, chances are that with the assistance of an experienced forensics technician, the data can be recovered. On the other hand, if a company is disposing of devices capable of storing data (a surprisingly long list that includes satellite navigation systems, mobile phones, USB sticks and more), the information stored on them could potentially be accessed by a third party unless action is taken to forensically delete the data.

We would recommend that companies disposing of devices capable of storing data should contact a forensics provider to ensure all confidential data is unrecoverable by third parties.

If you would like to find out more about how computer forensics can help you support and secure your business, please join us for a breakfast seminar in Central London on 6th April.  The seminar is specifically designed for those working in human resources or employment law.  Please click here to register your place.

Is it time for banks to take greater control of their legal spend?

Legal fees incurred by banks can have a huge impact on profits. Deutsche Bank provides a prime example of this; according to data from Bloomberg, they have spent more than any other European financial institution due to a combination of regulatory fines and litigation costs.  Around 1.2 billion euros were earmarked for litigation. These legal costs have, in part, led to the bank reporting a  2.1 billion euro loss in the fourth quarter with the bank’s stock falling to the lowest value since 2009. In contrast, Bank of America’s profits rose by 10%, in part due to a reduction in spending on legal fees.

This leaves in-house lawyers in an awkward position when regulatory scrutiny and in-progress litigation cases are unavoidable but they are facing more pressure to cut costs.

The first port of call for any in-house counsel managing regulatory investigations is usually a trusted law firm. Yet, with the culture of billable hours being so prevalent, are law firms in the best position to provide the improved efficiencies and reduced costs in-house counsel are seeking?

Indeed, such is the concern about spiralling legal costs that the Competition and Markets Authority, an organisation more associated with causing legal fees, recently announced plans to investigate law firms in light of the following concerns:

  • Whether clients can drive effective competition by making informed purchasing decisions;
  • Whether clients are adequately protected from potential harm or can obtain satisfactory redress if legal services go wrong;
  • How regulation and the regulatory framework impact on competition for the supply of legal services.

Kroll Ontrack is hosting a seminar discussing this difficult topic, with speakers from leading banks (Lloyds, Barclays) and top law firms (Dentons and Humphries Kerstetter). In what will no doubt be a fiery debate, the panel will discuss:

  • How recent ‘big ticket’ regulatory investigations have affected the banking world
  • Using new technology to reduce expenditure
  • Leveraging buying power when using law firms and other professional service providers
  • Discussing the relative merits of fixed fee vs billable hour pricing structures
  • Examining the pros and cons of unbundling legal services

To register for the event, please click here.




The Life Of A Computer Forensics Consultant

To those who don’t work in the industry, computer forensics has an aura of mystery. Portrayals on film depict a secretive world inhabited by maverick hackers and all powerful government organisations, both of whom have the capability to quickly and easily access and obtain data from any computer in the world.

Of course, whilst computer forensics is a very exciting field, we thought we’d give insight into what it’s really like to be a computer forensics consultant by getting one of our experts to write about it.

Aaron Watson, one of our computer forensics consultants, kindly agreed. Read his account of life in the world of computer forensics below:

Can you tell us about your job in a nutshell?

As a CF consultant my role involves the collection and investigation of electronic data. Both have their challenges and can be as complex and rewarding as each other. Having been at Kroll Ontrack for 4 years I have travelled to many countries, worked on hundreds of projects and collected many thousands of gigabytes of data. The role often involves responding to complex time critical situations, coming up with effective solutions to get the required results, be it collecting data in a very small time frame with a number of technical complexities or investigating unauthorised access to electronic data.

So what does a typical day as a Computer Forensic consultant look like?

I don’t think there is one to be honest! No day is ever the same and every day includes a challenge or three. At any one point in time I can be involved in a number of investigations across a number of countries working with various clients. Investigations can develop and change at a rapid pace, each having their own challenges and complexities, who knows where in the world I could be tomorrow! Mondays for the most part have some regularity in that we aim to have a team meeting to discuss on-going projects, availability and any issues. This gives us a chance to go over current projects and their requirements, but this thankfully is where the regularity ends and the fun begins.

What does a computer forensic investigation involve?

Within the computer forensic team we often have clients coming to us with a situation which requires our investigation capabilities; some simple, some complex and on occasion, some very bizarre! The first port of call for a client is our sales team who then come to us with the general background information and requirement. An example of one of the more bizarre requests was received by my colleague, Joanna Ward. A dog owner whose third dog had died wanted to prove that the dog was ill before he purchased the dog and requested that we help to prove that the post mortem report had been electronically tampered with as it did not read in his favour. Unfortunately for him, we did not take the case due to the fact that he only had a copy of a copy of the document.

Most CF investigations conducted by Kroll Ontrack relate to employee investigations; be it intellectual property theft, access to inappropriate material or outright fraud. In most cases the investigation will lead to employee dismissal or prosecution but on the rare occasion we may act in the defence of the employee.

Forensic data collections and dawn raids

This is an area of the role I particularly enjoy and fortunately for me is the role which takes up most of my time. Clients often have a disclosure order whereby they have to disclose any and all electronic data relating to a matter. This data is often across a number of systems and depending on what country you are collecting the data from can come with local privacy regulations which can cause a number of difficulties. A data collection can start out in one of two ways, in an organised manner with time for scoping and planning or we find ourselves in a last minute “we needed you in Romania yesterday” type of project. Let’s go with the first, a client calls our sales team requiring a data collection with a disclosure deadline three months away.

The first step for us is to have a scoping call with the client which often includes a CF consultant, a lawyer from the law firm which approached us, possibly the end client and if we are really lucky someone from the end client’s IT department. The call allows us to get an understanding of the requirement, including the number of custodians (people who have access to the data), the type of devices they have and systems they have access to. We also look to discuss logistics including the site location/s, dates/times and availability of custodians. All of this information will make for a much more efficient data collection which means less time required onsite and as a result less cost to the client.

Ultimately we do have a lot of last minute “client panicking” type of data collections. We often have to take a quick assessment of the situation and have an educated guess as to what kit we need to take and how much data storage media we may require. We then get onsite and scope the job on the ground working closely with IT which, if they know their IT systems well, will make for a much more efficient collection. In some cases we have had no IT support available at all (in one case they had all walked out) which meant we had to scope the complete IT infrastructure in order to determine all data storage sources in order to fulfil the requirements of the disclosure requirement. All of this makes for great technical challenges which for me are a great part of the job.

Perks and pains of the job

Thankfully there are far more perks than pains. The biggest perk for me is the variety of work and the lack of similar days. Closely in second place is the sheer number of interesting people we meet and places we get to visit, even if only to work in an office or a data centre for the most part. As a fan of travelling, I am generally a very willing volunteer and if it’s a particularly interesting case you’ve got me! As far as pains go I think pain would be a strong word but at times we can be dealing with quite repetitive processes which can involve playing the waiting game… This isn’t Spooks; we can’t image a hard disk drive or clone a phone in a matter of seconds!

Aaron’s FAQs

What exactly is it that you do?

Hopefully I have covered that bit.

If I delete my files can you recover them?

Well, that would depend on how you have deleted them and how long ago. For the most part, yes we can recover all, if not fragments of deleted files. As a general rule, if the files haven’t been overwritten there is a good chance they can be recovered.

Have you had to go to court?

As yet I haven’t but some might say if your findings and report are sufficient they shouldn’t need defending in court…

When travelling for work do you have any free time to explore?

For the most part no but sometimes yes. Ultimately it depends on a number of factors including the volume of work, the client and surprisingly the location. For example, the Spanish love to finish earlier in the day than us Brits. When I have some free time it’s usually in the evenings. I like to make the most of this free time and explore the local city/area with my camera in hand. On one occasion I was fortunate enough to have a free weekend when in the Ukraine. I think I made the most of this as I visited Chernobyl which I would recommend to anyone!

How did you get into the field of computer forensics?

From a young age I have had a passionate interest in computing and have always been inquisitive, some might say nosey. After finishing my A Levels I wasn’t particularly keen on University but found a Digital Forensics course which sounded like something I wanted to get into. This led me to Teesside University where I studied Digital Forensics which luckily for me got me an internship with Revenue and Customs for 12 months as a Computer Forensic Technician. This was an absolutely fantastic kick-start to my career and from there I went on to work for Kroll Ontrack and here I am!

Do you like your job? Would you recommend it as a career?

I absolutely love the job but you have to have a certain mind-set and put in the hours when required to be successful. The challenges and interesting cases certainly outweigh the sometimes long hours and rare frustrations.

About Aaron Watson

Aaron Watson joined Kroll Ontrack in April 2011 and currently serves as a Computer Forensic Consultant in the London office. Aaron is involved as part of a team or as a lead consultant in forensic data collections both large and small in the UK and abroad in relation to discovery exercises and corporate and private investigations. Aaron has worked on large-scale disclosure exercises and corporate investigations, often for high profile clients or large corporations. These have ranged from investigations into Intellectual Property Theft, Computer Misuse, Fraud, Deception and corruption.

Agent 001 – What really happens during a “mock” dawn raid


Have you ever wondered what really happens during a mock dawn raid? I have had the opportunity to assist my forensic colleagues from Kroll Ontrack on several mock dawn raids in Europe so I will share with you what is actually going on behind the glamour and the mystery…

At dawn my four colleagues, who are forensic experts, and myself, are waiting incognito in a taxi a few hundred metres away from the premises that we are about to raid in an industrial and somewhat unfriendly location. No one apart from the CEO and Compliance Team of the company are aware of our presence and upcoming actions. My cell phone rings and we obtain the “go ahead” to enter the premises. Accompanied by external lawyers, we all enter the premises through a back door and register at a “pseudo reception” to obtain visitor passes. Then we are shown to a conference room which is where we will set up our IT and forensic equipment.

One of my IT colleagues lets out a deep sigh of despair after he realizes that we only have a single low speed network cable at our disposal and two power plugs to connect around 15 external hard drives and laptops from employees that are yet to come, but don’t panic, we brought several extension cables with us in case this should happen.

However, the single low speed network cable means that we will not be able to copy the server data from the conference room itself since that would take much too long; we have to be granted access to the central server room to connect directly to the server and copy server data rapidly. But we do not know where the server is located…is it onsite or somewhere else entirely?

We have to urgently speak to the local IT Manager, to find out where exactly the server is located. We are informed it is 25 km away from the current premises, and apparently it is up in the mountains so “it will take a while” to get there. I decide to go together with a forensic colleague to the offsite server location; we arrive there in 45 minutes after a hasty ride, to a very small and chilly room with a few server racks and many LED lights flashing intermittently. We start copying the data from the server but suddenly the server shuts down since it has detected an intrusion/hacker attack in an “Armageddon” atmosphere. Luckily, we manage to bypass the security breach in about half an hour and copy the relevant data in a couple of hours more.

In the meantime, my other forensic colleagues at the company premises have finally managed to obtain the necessary administrative rights and access from the local IT Manager. These codes will enable our forensic experts to start taking live images of the laptops from the company employees who have been selected as priority custodians (because of their role and position they are considered to be more likely to commit infringements or be exposed to competitors).

It is a race against the clock…as employees come into our conference room in groups of two by two we take their laptops, ask the employees to enter their passwords, sign our chain of custody form and we then run our forensic software to start the live image copying process of the laptop…all of this in just under 5 minutes per employee.

If everything goes according to plan we manage to copy data from 15 laptops in just less than 5 hours. The server data located up in the mountains has also been copied in about 5 hours. Finally my forensic colleagues run a program, which looks very impressive with plenty of zeros and ones, to check the integrity of the data and to ensure that all necessary data has been copied with nothing lost on the way. All the data has been copied successfully: mission accomplished!

These exercises can be used by corporations to test their incident response plans as part of a proactive approach to compliance, as part of an internal audit to make sure that no wrongdoing is taking place, or just to familiarize the staff with the process of a dawn raid so that nobody panics in the event of a real one. Whatever the reason for them, we try to make it as realistic a process as possible to provide the best training.

About Thomas Cavro Dupont

Thomas Cavro Dupont is a Discovery Services Consultant at Kroll Ontrack in the EMEA region and is based in Germany. He advises lawyers around Europe and their clients on how to effectively manage electronically stored documents in matters such as competition, litigation and internal or regulatory investigations. Before joining Kroll Ontrack in 2014, he worked as an Associate in leading international law firms in Brussels, Paris and Madrid advising clients on competition law issues. Thomas also worked as a Project Manager for a major ediscovery provider in London specialising in ediscovery projects in the antitrust and finance areas. Thomas, who is legally qualified in Spain and France, obtained his Law Degree from the Universidad Pontificia Comillas in Madrid and received an LL.M. in European Legal Studies from the College of Europe in 2009. His native languages are Spanish and French and he is fluent in German and English.

Forensic Mythbusting: Luke ‘CF Guru’ Aaron explores some truths and myths about Digital Forensics.


I get asked a small number of questions a lot of times, so I thought it useful to explore some of those questions in an expose of the main capabilities and myths of the forensics industry, as well as a few helpful hints.

  1. Can you recover deleted data?

The answer is “yes, usually”. When data is deleted it remains on the drive, but is no longer traceable by the file registry. A good analogy is a lazy librarian who, upon being instructed to remove an unwanted book, simply removes the index card but leaves the book on the shelf. The book is still there, but no one has any way of knowing where to look. At some point in the future a new book is required to fill “the space” where the old book resides, and the librarian simply pushes the old book to the back of the shelf. It is now slightly harder to find (as it has a new book in front of it), but it is still lurking there on the shelf if you know where to look.

Of course computers, like shelves, do not have an infinite amount of storage and eventually new data will overwrite old data. So the amount of usage since deletion and how much free space is available on the hard drive are key factors when advising on the likelihood of data being overwritten.
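The librarian analogy in code, as an added example that is not part of the original post: a minimal signature carver in Python that ignores any file index and scans raw bytes for file headers and footers, then shows that overwriting is what actually destroys the data. The disk image, its contents and all function names are constructed for illustration.

```python
"""Signature-based file carving over a raw image (added illustration)."""

SECTOR = 512
MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer after 16 MiB

# (header, footer) byte signatures for a few common formats.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB\x60\x82"),
}


def carve(image, max_size=MAX_CARVE):
    """Return [(kind, offset, data)] for every header/footer pair in the image.

    No file table is consulted: the "index card" is gone, so we walk the shelf.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header but no footer in range: the tail was overwritten
                # or the file is fragmented. Skip it and keep scanning.
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, bytes(image[start:end])))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def build_sample_image():
    """Constructed 64 KiB volume that looks blank: zero-filled, no file table,
    but with remnants of 'deleted' files left in unallocated sectors."""
    image = bytearray(128 * SECTOR)
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    partial = b"%PDF-1.7\nfooter already overwritten by newer data"
    image[10 * SECTOR:10 * SECTOR + len(pdf)] = pdf
    image[40 * SECTOR:40 * SECTOR + len(jpg)] = jpg
    image[90 * SECTOR:90 * SECTOR + len(partial)] = partial
    return image, pdf, jpg


def overwrite(image, offset, length):
    """Simulate new data (here zeros) being written over old sectors."""
    image[offset:offset + length] = b"\x00" * length


if __name__ == "__main__":
    disk, pdf, jpg = build_sample_image()
    for kind, offset, data in carve(disk):
        print(f"recovered {kind} at sector {offset // SECTOR}, {len(data)} bytes")
    overwrite(disk, 10 * SECTOR, len(pdf))
    print("after overwrite:", [kind for kind, _, _ in carve(disk)])
```

The partial PDF at sector 90 is skipped because its footer is gone, which is the fragment-only outcome that heavy use after deletion produces.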

  2. Is it possible to forensically wipe a drive so nothing can be recovered?

Unfortunately yes, it is possible to forensically wipe a drive so that no data is recoverable. When used correctly, there are products available that will completely fill a Hard Drive with a random pattern of “0’s” and “1’s” thus stifling any efforts to recover data. Some wiping tools will even try to self-delete and hide the fact they have been run. By looking at a timeline of the usage on the device since the date of the deletion, we may be able to draw some conclusions as to the type of tool used and the date of deletion. However this shows why it is key to have robust policies on what can be downloaded to a device and how data is backed up and stored.

  3. Can you extract data from a mobile phone?

Whether we can recover data off a mobile phone depends almost solely on the make and model. The forensic industry is constantly playing catch up with new operating systems and proprietary file storage systems on mobile devices. We use a range of tools and techniques to increase the likelihood of extracting the relevant data, however a good initial guide of whether your handset is supported for extraction is freely available at .

  4. Can you crack passwords?

The ability to crack a password depends almost entirely on the password. We can use “Rainbow Tables”, “Dictionary Attacks” and forensic tools to attempt to overcome passwords. However a sufficiently strong password is exceedingly difficult to crack in a reasonable time frame. In the password world, length is key. There are only 10 numerical values and approx. 20 symbols on a keyboard, so adding one to the end of a basic password does little. If a phrase that combines words such as “THEMERRYWIVESOFWINDSOR” or a series of unconnected words “HORSESTAPLEBATTERYGOAL” has been used, it may take hundreds of years of “brute force” processing to crack.

  5. Can you crack encryption and is Truecrypt still safe to use?

The short answer is no. The major encryption algorithms in use today are not possible to crack of themselves. However, most successful attacks are against the security protocol surrounding the encryption (how you exchange or store the encryption key for example).

Having undertaken research on the so-called “demise” of Truecrypt, in our opinion there is no basis to believe that it is suddenly unsafe to use for the transport of data. Scare stories and hearsay aside, there is no reason to suspect that a product used safely and securely for many years since the previous update would become redundant and unsecure overnight. The developers, whose identity remains a mystery, clearly have their reasons for not wishing to continue with the development of Truecrypt and not wishing to pass the baton to a company or the wider internet, but that does not diminish from their previous good work which makes Truecrypt still the most viable encryption solution for the transport of data.

  6. Can you forensically image a hard drive in 5 minutes, using a mobile phone, you know, like Jack Bauer does?

“No, no, no” My message to Jack Bauer, Chloe O’Brien, the rest of the staff at CTU (all 24), Gil Grissom (CSI) and Sir Harry Pearce KBE (Spooks) is to stop making us real forensic folk look bad.

Forensic Imaging and investigation takes time. A forensic image creates an exact replica of the drive, so the fact the drive only has 50GBs of active data is irrelevant, the image captures all the unallocated spaces of the drive as this is where “our lazy librarian” (see point 1) has hidden the deleted data. The amount of time taken to create a forensic image depends on the size of the Hard Drive and the speed of the connection. For reference purposes we would expect to image at a rate of approximately 80GB per hour, so a 1TB Hard Drive could take up to 13 hours to forensically image. Investigations are conducted in accordance with ACPO guidelines and adhere to a strict chain of custody with contemporaneous notes protocol; this ensures that any evidence uncovered can be used in court.
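What imaging involves, as an added Python sketch (not Kroll Ontrack's tooling and not code from the original post): every byte of the source is copied and hashed during acquisition, the image is re-hashed afterwards, and a single changed bit makes verification fail. The file names, the constructed 3 MiB "device" and the function names are assumptions; the 80GB per hour rate is the figure quoted above.

```python
"""Bit-for-bit acquisition with hash verification (added illustration)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large device never sits in memory


def acquire(source_path, image_path, chunk_size=CHUNK):
    """Copy every byte of the source, allocated or not, hashing as we go.

    Returns (bytes_copied, sha256_hex). A real acquisition would read the
    source through a write blocker; here it is simply opened read-only.
    """
    digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            dst.write(block)
            digest.update(block)
            copied += len(block)
    return copied, digest.hexdigest()


def sha256_file(path, chunk_size=CHUNK):
    """Hash a file in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify(image_path, acquisition_hash):
    """True only if the image still matches the hash recorded at acquisition."""
    return sha256_file(image_path) == acquisition_hash


def imaging_hours(capacity_gb, rate_gb_per_hour=80):
    """Time depends on device capacity, not on how much active data it holds."""
    return capacity_gb / rate_gb_per_hour


def demo():
    """Image a constructed 'device', verify it, then show tampering is caught."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "device.raw")
        image = os.path.join(work, "evidence.img")
        # Constructed device: 1 KiB of active data, the rest unallocated zeros.
        with open(source, "wb") as fh:
            fh.write(b"ACTIVE FILE DATA" * 64)
            fh.write(b"\x00" * (3 * CHUNK + 100 - 1024))
        copied, acquisition_hash = acquire(source, image)
        intact = verify(image, acquisition_hash)
        # Flip one bit in the middle of the image.
        with open(image, "r+b") as fh:
            fh.seek(2 * CHUNK)
            original = fh.read(1)
            fh.seek(2 * CHUNK)
            fh.write(bytes([original[0] ^ 0x01]))
        tampered_ok = verify(image, acquisition_hash)
        return copied, os.path.getsize(source), intact, tampered_ok


if __name__ == "__main__":
    print(demo())
    print(f"1TB at 80GB/hour: {imaging_hours(1000)} hours")
```

The hash recorded at acquisition belongs in the contemporaneous notes, so that anyone handling the image later can repeat the check.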

  7. Can you tell me who sent a specific email?

If the email came from an anonymised webmail account (Gmail, Hotmail etc), then almost certainly not. The IP address will merely refer back to the host server (e.g. Google or Microsoft), and the hosts will almost never give up account holder details without a court order. If the email is a corporate email, then it may be possible to trace the source IP address, but it’s pretty rare that this is the position.

  8. Can you tell me when a specific email was sent or received?

Generally a received email will contain some metadata from which we can determine provenance. The email has left the sender’s email server, bounced around the internet and landed in your email server, this path leaves data inside the email that may be analysed. A sent email goes straight from your outbox to your sent items folder, it doesn’t touch any servers and therefore there are no external times/dates that attach to it. So in the absence of a read receipt you will not be able to provide evidence that the email was sent, received or read.
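The path data a received email carries, shown as an added Python example that is not from the original post: each server that handles the message prepends a Received header with its own timestamp, so reading them bottom-up gives the route and timing, which can be compared with the Date header set by the sender's own machine. The message, host names and addresses are constructed (reserved .example names and documentation IP ranges), and the function names are illustrative.

```python
"""Reconstruct a message's server-stamped route from Received headers."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; newest Received header is at the top.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.20])
\tby mailstore.recipient.example with LMTP id abc123;
\tTue, 14 May 2013 09:15:07 +0100
Received: from out.sender.example (out.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS id def456;
\tTue, 14 May 2013 08:15:05 +0000
Received: from laptop (unknown [192.0.2.77])
\tby out.sender.example with ESMTPSA id ghi789;
\tTue, 14 May 2013 08:15:02 +0000
Date: Mon, 13 May 2013 17:30:00 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_hops(raw):
    """Return hops in chronological order as dicts with from, by and time."""
    msg = message_from_string(raw)
    hops = []
    # Servers prepend their header, so reverse to get oldest first.
    for value in reversed(msg.get_all("Received", [])):
        path, _, stamp = value.rpartition(";")
        match = HOP_RE.search(path)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None  # malformed or missing timestamp
        hops.append({
            "from": match.group(1) if match else None,
            "by": match.group(2) if match else None,
            "time": when,
        })
    return hops


def transit_seconds(hops):
    """Seconds between the first and last server timestamps."""
    stamped = [hop["time"] for hop in hops if hop["time"] is not None]
    return (stamped[-1] - stamped[0]).total_seconds() if len(stamped) > 1 else 0.0


def date_header_gap_seconds(raw):
    """Seconds between the sender-set Date header and the first server stamp.

    A large gap means the sending machine's clock (or the header) does not
    agree with what the mail servers recorded.
    """
    claimed = parsedate_to_datetime(message_from_string(raw)["Date"])
    first = next(h["time"] for h in received_hops(raw) if h["time"] is not None)
    return (first - claimed).total_seconds()


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop["time"].isoformat(), hop["from"], "->", hop["by"])
    print("transit:", transit_seconds(received_hops(SAMPLE)), "s")
    print("Date header vs first hop:", date_header_gap_seconds(SAMPLE), "s")
```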

  9. Can you tell me who I should call and when?

Yes, absolutely. You should call us straight away. All of our pre-consultancy services are free of charge, so we will be able to tell you what can be done and how we can help, quickly and at no cost. Simply call 0207 549 9600 and ask to speak with a member of the forensics team.

Is there a nephologist in the building?


Nephologist  (nɪˈfɒlədʒɪst)
-noun (rare)
(meteorology) an expert or specialist in the study of clouds

The advent of cloud computing and cloud storage has undoubtedly had a huge impact on the business and forensic stratosphere. An increasingly common answer to the question “where is your data stored?” is a shrug of the shoulders and a point to the sky.

This can have a serious impact on the security of an organisation’s data and on any subsequent forensic investigation. No longer is the dishonest employee required to employ cloak and dagger tactics to smuggle hardware from the premises. No longer are we called upon to investigate physical items that can be removed to a secure lab and, as such, Computer Forensic investigators are becoming nephologists.

Data can be transferred, synced and/or downloaded outside the firewall in minutes, so it is more important than ever to know what data is vital to your business and who can access it. We recently undertook an investigation where an employee in a data sensitive industry had installed a well-known cloud storage facility, transferred thousands of files and then Google searched “how to uninstall [cloud storage facility]”. The elapsed time from install to uninstall was a little more than 4 minutes, and if the internet history for the device had not been available, the outcome of that matter could have been very different.

There are clearly huge business advantages associated with the cloud, however, bearing in mind the strapline for the cloud service of a leading provider: “your stuff, anywhere”, the prudent business owner must exercise caution when choosing the right cloud service for business sensitive data.

If you do fancy a bit of atmospheric storage, Kroll Ontrack’s team of experienced ‘techno-nephologists’ are able to assist you in implementing a bespoke Forensic Readiness Plan to ensure that you are perfectly placed to prevent the loss of key data, and also on hand to help uncover key evidence if an incident does occur.

Into the Shadows


Some time ago, we received a request for digital forensic work. The scope of the enquiry was “a network administrator is under investigation and has deleted all of their email from the Exchange server, destroyed the backups, purged the dumpster, deleted their localised Outlook email content and then wiped all of the free space on their laptop. Can you find their email please?” Impossible?  Well, maybe not, because if you look in the darkest recesses of a computer you might get lucky; some data might be lurking in the ‘shadows’.

The Volume Shadow Copy service on Windows based computers (available in Windows Vista through to Windows 7) is ‘on’ by default. It ultimately offers the user the ability to restore previous versions of files or carry out complete restoration of previous configurations that the Windows OS has ‘conveniently’ backed up on the local drive. In Windows 8 this service is still present but is now called ‘File History’.

Whilst these ‘shadows’ are not accessible via normal analysis tools they can be accessed using forensic tools and can include Internet history, pictures, documents and complete email containers (OST’s) that may have been since deleted from the ‘live’ files of a user. Consequently, it was time to get out the forensic toolkit!

After a few hours of analysis, we recovered the complete OST email container of the network administrator that totaled 2.5GB in capacity and held over 3,000 emails that ranged over 2 years. It included the incriminating evidence that the client wanted (and the administrator had tried to hide) which showed that the administrator had been accessing other people’s email accounts in an unauthorized manner, and collating sensitive HR material within their own email account.

In conclusion, when all else fails and you think there is no hope, have someone train a light on the shadows; you might be in luck.

About Julian Sheppard

Julian has extensive experience with a broad spectrum of criminal and data breach investigations, computer security compliance and auditing. With a counter-intelligence background specialising in information systems and document security, he is trained and certified in digital forensic examination techniques by various government, local and international law enforcement agencies. Prior to joining Kroll Ontrack, Julian spent 22 years as a member of the Royal Air Force Police, serving within the SIB Computer Forensics Unit dealing with indigenous military and civilian police investigations. Since leaving the military, Julian has worked as a digital forensic specialist on several high-profile criminal cases for law enforcement and on civil cases. Julian has experience presenting in court as an expert witness and is an EnCase Certified Examiner (EnCE).

Dawn Raids this week: be prepared

The London offices of BP and Shell were raided on Tuesday by the European Commission. Statoil ASA in Norway also confirmed that they had been raided and were under investigation. At the same time, our own panel of legal and technical experts was gathering to discuss the second in our series of webinars concerning electronic evidence in Europe, entitled ‘Dawn Raid Survival’. The topic and timing for this discussion could not, indeed, have been more appropriate. If you did miss this session, there is a summary below.

Next webinar: Given the success of our last two sessions, I urge you to join us for our third webinar in this series on the 28 May at 14:00 CET: “Electronic Discovery: A Foreign Concept in Europe?”.

We will be joined by Claire Bernier (partner at Altana, Paris), Santiago Gomez Sancha (Director of Information Services, Uria Menendez, Madrid), and Tina Shah (Electronic Evidence Consultant, Kroll Ontrack, London).

Dawn raid survival

In Tuesday’s raids the Commission had concerns that the companies involved may have colluded in reporting distorted prices to a Price Reporting Agency in order to manipulate the published prices for oil and bio-fuel products. For any suspected activity which negatively impacts on competition within the European marketplace, both the Commission and National regulatory authorities have power to intervene directly and ‘raid’ companies for evidence of the activity.

How raided companies should respond in such volatile and high-stress situations, and what practical steps they should take was discussed by our panel which included: Dr Helmut Janssen (partner at Luther in Brussels and Dusseldorf), Julie Catala Marty (partner at Bird & Bird, Paris), and Rainer Ziener (Computer Forensic Consultant at Kroll Ontrack, Stuttgart).

Some of the main themes discussed were as follows:

Whilst the powers of the European Commission and National Authorities are broadly the same, important differences exist.  Helmut and Julie compared notes on the specifics of both the French and German authorities as compared to the Commission’s practices.  For example, Helmut pointed out that whilst the EU Competition authorities are authorized to enter premises to copy relevant information, German competition authorities have the right to physically remove property from the premises (including hard drives, phones and computers) for later analysis at the authorities’ office.  Companies should therefore take local legal advice as to how to respond in each case.

Julie provided a list of essential and practical tips companies should follow in the event of a dawn raid:

  1. Contacting a legal representative is the first thing to do, and the company should request that the investigation is not commenced before an advisor is present. Mr Dirk van Erps (Head of Forensic IT Group, Cartel Directorate of DG Comp), who was in attendance at our webinar, clarified that the Commission would generally wait up to 20 minutes for a representative to arrive at the raided premises before commencing the investigation, but not longer.
  2. Legal advisers should check the scope of the investigation, in particular for details of the products concerned, the type of behavior and the time period under investigation.
  3. The company must keep track of the information the authorities are taking so they can collect their own copy and the legal teams can start reviewing it and organising their defence as soon as possible once the authorities have left.
  4. Informing the staff of what is going on is of paramount importance.  They should stay calm, not answer questions beyond the scope of the investigation or comment outside the company.  They must not destroy or delete documents and must remember that the company is under a duty to cooperate fully.
  5. It is also important to keep the business running, and Julie suggested the authorities could be asked if it is possible to use equipment needed to continue basic operations.

The panelists also discussed the difficulties that arise when legally privileged information falls into the hands of the authorities and how to handle the restitution of this information.

In terms of the IT aspects of raids, Rainer Ziener of Kroll Ontrack emphasized that different types of data storage media and IT architecture make the job of extracting information quickly quite challenging. Being prepared ahead of a raid by having a data map and inventory of hardware was strongly recommended. This both ensures that cooperation with the authorities can take place and facilitates the rapid formulation of a legal strategy and defence once the authorities have left. It could take significantly more time to assist a company after a dawn raid if it does not have a detailed knowledge of the firm’s IT infrastructure.

Julie emphasized that Mock Dawn Raids help reduce the risk of mistakes during an actual raid (which can be extremely costly). They test the reflexes of the business and help assess the risk of the company infringing the law.

About James Farnell

Qualified solicitor (commercial and intellectual property law) with four years international business development experience following four years of legal practice. Experienced in analysis and research of new business opportunities and developing new business strategy. Excellent project and people management skills. Successful record in developing new business products and revenue streams within the legal sector.