All posts tagged Computer Forensics

The danger of ‘deleted’ data


What computer forensics experts talk about when they talk about deletion

As computer forensics specialists, we are often asked about deleted data. Is something truly deleted? Can deleted data be recovered? What should we do with old laptops? We thought the best way to answer these questions would be to conduct an experiment to show that in computer science, deletion is more of a spectrum than a binary state. The experiment also demonstrates the importance of protecting data, even when the device is no longer in use.

Introducing Project Gumtree

Armed with just £20, we responded to an advert on the community selling portal Gumtree and purchased four ostensibly clean hard drives from the seller, who had advertised them as coming from old family laptops. After payment and collection, we handed the drives over to our forensics team.

The first step of any forensics investigation is undertaking a procedure called ‘imaging’. Forensic imaging involves creating an exact copy of the hard disk, enabling investigations to be conducted without endangering or tampering with the original data held on the disk. Once we had imaged the Gumtree drives, the real investigation could begin.
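The imaging step described above, as an added example that is not Kroll Ontrack's tooling: a bit-for-bit copy of a source device with independent hash verification of both the source and the finished image, the two digests being what an examiner records so that the copy can later be shown to match the original. The "device" here is a constructed file (`sdb.raw`, a hypothetical name) so the script runs offline; on a real case the source would be a block device opened read-only behind a write blocker.

```python
"""Added example (not Kroll Ontrack's tooling): forensic imaging with hash
verification. The source 'drive' is a constructed file, not a real device.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB reads; real imagers use larger buffers


def image_device(src_path: str, dst_path: str) -> dict:
    """Copy src to dst byte for byte, hashing the source as it is read and
    the image as it is re-read from disk.

    'verified' is True only when the two SHA-256 digests agree, i.e. the
    image on disk is an exact copy of what was read from the source.
    """
    src_hash = hashlib.sha256()
    written = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            src_hash.update(block)
            dst.write(block)
            written += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk

    # Hash the image by re-reading it rather than reusing the in-memory
    # buffer, so a write error or a short write would be caught.
    dst_hash = hashlib.sha256()
    with open(dst_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            dst_hash.update(block)

    return {
        "bytes": written,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": dst_hash.hexdigest(),
        "verified": src_hash.hexdigest() == dst_hash.hexdigest(),
    }


def demo(data: bytes = None) -> dict:
    """Image a constructed 'drive' (1 MiB of random bytes unless data is given)
    into a temporary directory and return the verification record."""
    if data is None:
        data = os.urandom(1 << 20)
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "sdb.raw")  # stands in for /dev/sdb (hypothetical)
        dst = os.path.join(workdir, "sdb.dd")   # the forensic image
        with open(src, "wb") as f:
            f.write(data)
        return image_device(src, dst)


if __name__ == "__main__":
    record = demo()
    print(f"{record['bytes']} bytes imaged, verified={record['verified']}")
    print("source", record["source_sha256"])
    print("image ", record["image_sha256"])
```

The two digests are computed from separate reads on purpose: hashing the source while copying and then hashing the written image is what lets the examiner state that the image matches the original at the time of acquisition, rather than merely that the copy loop ran without raising an error.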

Upon initial inspection, three of the hard drives appeared to be blank, as promised by the seller. The fourth simply showed the Windows base installation menu. For the average domestic user, the seller's privacy would have seemed protected, but the first rule of forensics is that 'deleted' does not always mean deleted, and we anticipated that we would be able to extract data from the seemingly blank disks.
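Why a "blank" disk still gives up its contents, as an added example rather than the article's own tooling: a file-system-unaware signature carver run over a constructed raw image. The image holds three PDF-shaped payloads: one still listed by the file system, one whose directory entry was removed but whose bytes were left in place (what an ordinary delete does), and one that was overwritten with zeros before deletion. The carver recovers the first two and finds nothing of the third, which is the spectrum the article describes. File names, the tiny directory table and the PDF payloads are all constructed for the example.

```python
"""Added example, not code from the original article: signature carving
over a constructed raw image to show why 'deleted' is a spectrum.
"""
import random
import re

rng = random.Random(2014)  # seeded so the constructed image is reproducible

PDF_HEADER = b"%PDF-"
PDF_TRAILER = b"%%EOF"
# Header up to the nearest trailer; non-greedy so adjacent files are split.
PDF_PATTERN = re.compile(rb"%PDF-.*?%%EOF", re.DOTALL)
TITLE_PATTERN = re.compile(rb"/Title \(([^)]*)\)")


def noise(n: int) -> bytes:
    """Pseudo-random filler standing in for unrelated data on the disk."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_pdf(label: bytes) -> bytes:
    """Minimal PDF-shaped payload (constructed; not a valid document)."""
    return PDF_HEADER + b"1.4\n/Title (" + label + b")\n" + PDF_TRAILER


def build_image(sector: int = 512):
    """Lay three files into a sector-aligned image and return it together
    with the 'directory': the only name the file system still knows about."""
    def pad(blob: bytes) -> bytes:
        return blob + noise(-len(blob) % sector)  # slack space to sector end

    allocated = pad(make_pdf(b"invoice-2014.pdf"))   # normal, listed file
    deleted = pad(make_pdf(b"board-minutes.pdf"))    # entry removed, bytes intact
    wiped = bytes(len(pad(make_pdf(b"payroll.pdf"))))  # zero-filled before deletion
    gap = noise(sector * 4)
    image = gap + allocated + gap + deleted + gap + wiped + gap
    directory = {"invoice-2014.pdf": len(gap)}  # offset of the one listed file
    return image, directory


def carve_pdfs(image: bytes) -> list:
    """Scan the raw bytes for PDF header/trailer pairs, ignoring the file
    system entirely; return offset, size and embedded title of each hit."""
    found = []
    for m in PDF_PATTERN.finditer(image):
        title = TITLE_PATTERN.search(m.group(0))
        found.append({
            "offset": m.start(),
            "size": len(m.group(0)),
            "title": title.group(1).decode() if title else None,
        })
    return found


def demo() -> dict:
    """What the file system lists versus what the carver recovers."""
    image, directory = build_image()
    return {
        "listed_by_filesystem": sorted(directory),
        "recovered_by_carver": [hit["title"] for hit in carve_pdfs(image)],
    }


if __name__ == "__main__":
    image, directory = build_image()
    print("file system lists:", sorted(directory))
    for hit in carve_pdfs(image):
        print(f"carved at offset {hit['offset']:>5}, {hit['size']:>3} bytes: {hit['title']}")
    print("payroll.pdf was overwritten before deletion: nothing to carve")
```

The carver never consults the directory, which is exactly why a drive that looks empty to its owner still yields documents: an ordinary delete only removes the name, and the contents stay where they were until something overwrites them. The zero-filled file is the only one that is gone, which is the difference between deleting and forensically wiping.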

Lost and found

Once we examined the imaged drives closely, we uncovered an incredible amount of information. Below is an overview of exactly what we found on each disk:

Data recovered from Disk 1

  • 1400 PDFs
  • 500 Excel Files
  • 200 Word Docs
  • 8 Powerpoint Presentations
  • 40,000 picture files

Although the seller had originally described the disks as coming from family machines, the information recovered suggested otherwise, with numerous documents detailing expenditure in excess of £120,000 on roof lights and £170,000 on installing cladding on a bridge walkway. The drive also contained other invoices for tens of thousands of pounds as well as a cache of foreign-language documents, all of which suggested the disk had not been used in a domestic context.

Data recovered from Disk 2

Disk 2 was the drive which had a visible base Windows installation but nothing else. However, once again we were able to recover a lot of data, the majority of which consisted of confidential documents taken from the internal file sharing system, SharePoint. Files held on SharePoint are for internal viewing only and therefore should not have been saved on the laptop, providing further evidence that the seller of the drives had perhaps obtained them by dubious means.

Data recovered from Disk 3

Disk 3 also yielded some interesting data. We found 3,800 Google search terms that provided a great deal of insight into the life of the previous owner. For example, we saw that the owner had searched for Patisserie Valerie bakeries, swiftly followed by a search for gyms in a particular area. More intriguingly and perhaps disturbingly, hidden amongst quotidian work documents was a raft of files relating to philosophy and the occult.

Data recovered from Disk 4

Of all the data recovered from the drives, Disk 4 contained the most sensitive information. Unfortunately, our in-house counsel has advised that we cannot go into detail about the contents of the drives as they contain data related to the UK government as well as CCTV footage.

By the end of the exercise, it was clear that the drives were not from family computers. In total, we recovered around 10,000 official documents and there is evidence that they come from the same government department. Kroll Ontrack is currently taking steps to return the data and the disks to that department so they can conduct their own investigations as to how the data was stolen.

How to disappear completely

The difficulty of truly deleting data from devices is something of a double-edged sword. On the one hand, if data appears to be lost, chances are that with the assistance of an experienced forensics technician it can be recovered. On the other hand, if a company is disposing of devices capable of storing data (a surprisingly long list that includes satellite navigation systems, mobile phones, USB sticks and more), the information stored on them could potentially be accessed by a third party unless steps are taken to forensically delete the data.

We would recommend that companies disposing of devices capable of storing data should contact a forensics provider to ensure all confidential data is unrecoverable by third parties.

If you would like to find out more about how computer forensics can help you support and secure your business, please join us for a breakfast seminar in Central London on 6th April. The seminar is specifically designed for those working in human resources or employment law. Please click here to register your place.

New Frontiers in Ediscovery

We are very excited to be launching the inaugural edition of our report entitled 'New Frontiers: An Insight into the global expansion of ediscovery.' The report contains a compendium of 15 articles focusing on how ediscovery is being carried out in various countries around the world. We have also included a series of feature articles examining:

  • how ediscovery technology is being used to detect cartels
  • what uses are being found for ediscovery technology in the financial services sector
  • the latest trends in computer forensics
  • new technologies in ediscovery.

Ediscovery has evolved from its origins as a legal procedure used primarily in the USA and UK in litigation matters. Kroll Ontrack's global expansion over the past ten years has shown there is demand across Europe and Asia for ediscovery technology to search for and review electronic evidence, particularly for competition matters and internal investigations. Download the full report here.

What does ediscovery look like in 2015?

We asked our global network of legal consultants to report in depth on the state of ediscovery in their respective countries, providing insight into global trends around ediscovery adoption, uses and advances in technology.

The New Frontiers report documents how ediscovery is becoming an important element of the business landscape, even for countries that do not have an obligation to provide ediscovery as part of their legal framework. The important drivers for these countries, including Germany, France, the Netherlands, China and Singapore are more likely to be related to increased scrutiny by regulators, the transparency and compliance agenda, the need to manage mountains of big data and the overriding requirement to reduce legal cost.

Tim Phillips, Managing Director of Kroll Ontrack International Legal Technologies, commented:

“As a leader in the global industry, we believe it is important to document these changes and to highlight ediscovery’s rapid growth as a problem-solver for everything from regulatory compliance to dealing with dawn raids, and from unbundling legal services to forensic investigations.”

The New Frontiers report is available in full here.

No Video Evidence? No problem.

Computer forensics as a technical specialism is logical, precise and rigorous. The majority of cases we handle are very specific and clear cut, for example, proving a former employee has stolen data. Sometimes, however, clients come to us because of a feeling that something isn’t quite right in their businesses and we are asked to perform a more general forensic analysis. In both cases, Kroll Ontrack’s forensic examination can reveal surprising insights into the activities of a company’s employees that would not have been discovered were it not for forensic analysis.

A recent case handled by the CF team shows how a thorough forensic examination can not only prove client suspicions but also expose larger and previously undetected wrongdoing.

Meet our client

Our client runs a chain of ten retail stores. It is an established family business, with key roles usually filled by family members and trusted friends. Our client spoke warmly of the close-knit working environment within the stores and at the head office. However, after years of consistent growth, they noticed a slump in turnover from a couple of their stores.

Anecdotally, cashiers had assured management that the stores seemed just as busy as before and were perplexed by the decreased income. But till rolls don't lie.

Our client, despite being faced with hard evidence that takings were down, had faith in the accounts given by his cashiers over the hard evidence from till records. He decided to visit the stores to see if he could get to the bottom of the missing funds.

On his tour of the shops, he visited one on a Saturday. Just as the cashiers had said, the shop was incredibly busy with plenty of paying customers. Yet when the evening came and the till was balanced, the numbers didn’t add up.

Increasingly suspicious, our client decided to check the EPOS (electronic point of sale) system and discovered that many records had been deleted. This was something that a cashier would not be able to do, and so our client knew that the culprit was someone with technological knowledge and access to the EPOS system. Next he decided to check the CCTV to see if he could identify cash being removed from the tills. However, the CCTV had been switched off for days at a time, with the only footage being of an IT contractor entering and leaving the room.

Time to call in the experts

The client came to us initially asking us to investigate EPOS records and submitted the laptop used by the IT contractor for forensic imaging.

Our team of forensics experts was able to uncover 500 logins to the EPOS systems over a six-week period. During these login sessions, transactions had been remotely deleted.
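The kind of first-pass triage an examiner runs over EPOS audit logs before anything is pulled from a suspect's laptop, as an added example that is not part of the original case write-up: count logins per account, pull out transaction deletions performed from outside the store network, and flag activity outside trading hours. The log format, account names, addresses and transaction numbers are all constructed for this example; real EPOS systems each have their own audit format, so the regular expression is the part you would adapt.

```python
"""Added example, not from the original case: triage of constructed EPOS
audit-log lines for remote deletions and out-of-hours activity.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format: "<date> <time> user=<acct> src=<ip> action=<verb> [txn=<id>]"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
    r"(?: txn=(?P<txn>\d+))?$"
)
OPENING, CLOSING = 8, 20          # assumed store trading hours (08:00-20:00)
STORE_LAN = "192.168.10."         # assumed till subnet; anything else is remote

# Constructed sample: two tills trading normally and an IT account deleting
# sales from an outside address in the small hours.
SAMPLE_LOG = """\
2015-02-07 09:12:03 user=till2 src=192.168.10.12 action=login
2015-02-07 09:12:40 user=till2 src=192.168.10.12 action=sale txn=90117
2015-02-07 23:41:08 user=itsupport src=203.0.113.45 action=login
2015-02-07 23:42:15 user=itsupport src=203.0.113.45 action=delete_txn txn=90117
2015-02-07 23:42:59 user=itsupport src=203.0.113.45 action=delete_txn txn=90121
2015-02-08 01:05:30 user=itsupport src=203.0.113.45 action=login
2015-02-08 01:06:02 user=itsupport src=203.0.113.45 action=delete_txn txn=90140
2015-02-08 10:30:11 user=till1 src=192.168.10.11 action=login
"""


def parse(lines):
    """Yield one dict per well-formed line; lines that do not fit the format
    are skipped so a stray banner or blank line does not abort the run."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        yield rec


def triage(log_text: str) -> dict:
    """Summarise logins per account, remote deletions and out-of-hours events."""
    logins = Counter()
    remote_deletes = defaultdict(list)
    out_of_hours = Counter()
    for rec in parse(log_text.splitlines()):
        if rec["action"] == "login":
            logins[rec["user"]] += 1
        if rec["action"] == "delete_txn" and not rec["src"].startswith(STORE_LAN):
            remote_deletes[rec["user"]].append(rec["txn"])
        hour = rec["ts"].hour
        if hour < OPENING or hour >= CLOSING:
            out_of_hours[rec["user"]] += 1
    return {
        "logins": dict(logins),
        "remote_deletes": dict(remote_deletes),
        "out_of_hours": dict(out_of_hours),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for user, n in summary["logins"].items():
        print(f"{user}: {n} login(s)")
    for user, txns in summary["remote_deletes"].items():
        print(f"{user} deleted transactions from outside the store LAN: {', '.join(txns)}")
    for user, n in summary["out_of_hours"].items():
        print(f"{user}: {n} event(s) outside trading hours")
```

A summary like this is what justifies the next step in the article, imaging the contractor's laptop: it ties the deletions to one account, a remote source address and a time of day when no cashier was working, and it gives the transaction numbers whose sales the tills had originally recorded.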

Digging deeper

The contractor’s laptop was further examined by Kroll Ontrack’s forensic team who uncovered some surprising evidence that not only confirmed the guilt of the contractor but also revealed even bigger crimes.

Like many overconfident or perhaps ill-informed crooks, the contractor had used the laptop to back up his personal mobile. Armed with this potential source of evidence our team got to work examining the mobile phone’s Internet history, emails and WhatsApp messages.

Using keyword searches such as 'cash', 'borrowing' and 'lend', we uncovered messages showing that the contractor was having financial problems and that, as well as stealing money from the till, he had been engaging in fraudulent activities.

Messages revealed he had set up a fake company, complete with a logo designed by a friend, using an account number and sort code that matched his wife’s bank account. This company had invoiced our client for thousands of pounds, processed and approved by a woman in finance who, tellingly, had sent photographs of an adult nature to the contractor.

The value of digital forensics

Without computer forensics, our client might have been able to prove the theft of cash from the till via eyewitness testimony or additional CCTV footage, but it is unlikely that the invoicing scam would have been uncovered as quickly, potentially costing our client thousands more pounds.

This case is now going through the Courts and our client will hopefully be able to recoup some of his losses. But perhaps most importantly, the client’s business is running back to normal and thanks to the power of digital forensics, the fraudulent acts were uncovered quickly enough to minimise extended loss of income.

The Life Of A Computer Forensics Consultant

To those who don’t work in the industry, computer forensics has an aura of mystery. Portrayals on film depict a secretive world inhabited by maverick hackers and all powerful government organisations, both of whom have the capability to quickly and easily access and obtain data from any computer in the world.

Of course, whilst computer forensics is a very exciting field, we thought we'd give some insight into what it's really like to be a computer forensics consultant by getting one of our experts to write about it.

Aaron Watson, one of our computer forensics consultants, kindly agreed. Read his account of life in the world of computer forensics below:

Can you tell us about your job in a nutshell?

As a CF consultant my role involves the collection and investigation of electronic data. Both have their challenges and can be as complex and rewarding as each other. Having been at Kroll Ontrack for 4 years I have travelled to many countries, worked on hundreds of projects and collected many thousands of gigabytes of data. The role often involves responding to complex time critical situations, coming up with effective solutions to get the required results, be it collecting data in a very small time frame with a number of technical complexities or investigating unauthorised access to electronic data.

So what does a typical day as a Computer Forensic consultant look like?

I don't think there is one to be honest! No day is ever the same and every day includes a challenge or three. At any one point in time I can be involved in a number of investigations across a number of countries, working with various clients. Investigations can develop and change at a rapid pace, each having their own challenges and complexities; who knows where in the world I could be tomorrow! Mondays for the most part have some regularity in that we aim to have a team meeting to discuss on-going projects, availability and any issues. This gives us a chance to go over current projects and their requirements, but this thankfully is where the regularity ends and the fun begins.

What does a computer forensic investigation involve?

Within the computer forensic team we often have clients coming to us with a situation which requires our investigation capabilities; some simple, some complex and on occasion, some very bizarre! The first port of call for a client is our sales team who then come to us with the general background information and requirement. An example of one of the more bizarre requests was received by my colleague, Joanna Ward. A dog owner whose third dog had died wanted to prove that the dog was ill before he purchased the dog and requested that we help to prove that the post mortem report had been electronically tampered with as it did not read in his favour. Unfortunately for him, we did not take the case due to the fact that he only had a copy of a copy of the document.

Most CF investigations conducted by Kroll Ontrack relate to employee investigations; be it intellectual property theft, access to inappropriate material or outright fraud. In most cases the investigation will lead to employee dismissal or prosecution but on the rare occasion we may act in the defence of the employee.

Forensic data collections and dawn raids

This is an area of the role I particularly enjoy and fortunately for me is the role which takes up most of my time. Clients often have a disclosure order whereby they have to disclose any and all electronic data relating to a matter. This data is often across a number of systems and, depending on what country you are collecting the data from, can come with local privacy regulations which can cause a number of difficulties. A data collection can start out in one of two ways: in an organised manner with time for scoping and planning, or we find ourselves in a last minute "we needed you in Romania yesterday" type of project. Let's go with the first: a client calls our sales team requiring a data collection with a disclosure deadline three months away.

The first step for us is to have a scoping call with the client which often includes a CF consultant, a lawyer from the law firm which approached us, possibly the end client and if we are really lucky someone from the end client’s IT department. The call allows us to get an understanding of the requirement, including the number of custodians (people who have access to the data), the type of devices they have and systems they have access to. We also look to discuss logistics including the site location/s, dates/times and availability of custodians. All of this information will make for a much more efficient data collection which means less time required onsite and as a result less cost to the client.

Ultimately we do have a lot of last minute "client panicking" type of data collections. We often have to take a quick assessment of the situation and have an educated guess as to what kit we need to take and how much data storage media we may require. We then get onsite and scope the job on the ground, working closely with IT who, if they know their IT systems well, will make for a much more efficient collection. In some cases we have had no IT support available at all (in one case they had all walked out), which meant we had to scope the complete IT infrastructure in order to determine all data storage sources and fulfil the requirements of the disclosure. All of this makes for great technical challenges which for me are a great part of the job.

Perks and pains of the job

Thankfully there are far more perks than pains. The biggest perk for me is the variety of work and the lack of similar days. Closely in second place is the sheer number of interesting people we meet and places we get to visit, even if only to work in an office or a data centre for the most part. As a fan of travelling, I am generally a very willing volunteer and if it's a particularly interesting case you've got me! As far as pains go I think pain would be a strong word, but at times we can be dealing with quite repetitive processes which can involve playing the waiting game… This isn't Spooks; we can't image a hard disk drive or clone a phone in a matter of seconds!

Aaron’s FAQs

What exactly is it that you do?

Hopefully I have covered that bit.

If I delete my files can you recover them?

Well, that would depend on how you have deleted them and how long ago. For the most part, yes we can recover all, if not fragments of deleted files. As a general rule, if the files haven’t been overwritten there is a good chance they can be recovered.

Have you had to go to court?

As yet I haven’t but some might say if your findings and report are sufficient they shouldn’t need defending in court…

When travelling for work do you have any free time to explore?

For the most part no but sometimes yes. Ultimately it depends on a number of factors including the volume of work, the client and surprisingly the location. For example, the Spanish love to finish earlier in the day than us Brits. When I have some free time it’s usually in the evenings. I like to make the most of this free time and explore the local city/area with my camera in hand. On one occasion I was fortunate enough to have a free weekend when in the Ukraine. I think I made the most of this as I visited Chernobyl which I would recommend to anyone!

How did you get into the field of computer forensics?

From a young age I have had a passionate interest in computing and have always been inquisitive, some might say nosey. After finishing my A Levels I wasn't particularly keen on University but found a Digital Forensics course which sounded like something I wanted to get into. This led me to Teesside University where I studied Digital Forensics, which luckily for me got me an internship with Revenue and Customs for 12 months as a Computer Forensic Technician. This was an absolutely fantastic kick-start to my career and from there I went on to work for Kroll Ontrack and here I am!

Do you like your job? Would you recommend it as a career?

I absolutely love the job but you have to have a certain mind-set and put in the hours when required to be successful. The challenges and interesting cases certainly outweigh the sometimes long hours and rare frustrations.

About Aaron Watson

Aaron Watson joined Kroll Ontrack in April 2011 and currently serves as a Computer Forensic Consultant in the London office. Aaron is involved as part of a team or as a lead consultant in forensic data collections both large and small in the UK and abroad in relation to discovery exercises and corporate and private investigations. Aaron has worked on large-scale disclosure exercises and corporate investigations, often for high-profile clients or large corporations. These have ranged from investigations into Intellectual Property Theft and Computer Misuse to Fraud, Deception and corruption.