New Frontiers in Ediscovery

We are very excited to be launching the inaugural edition of our report entitled: ‘New Frontiers: An Insight into the global expansion of ediscovery.’ The report contains a compendium of 15 articles focusing on how ediscovery is being carried out in various countries around the world. We have also included a series of feature articles examining:

  • how ediscovery technology is being used to detect cartels
  • what uses are being found for ediscovery technology in the financial services sector
  • the latest trends in computer forensics
  • new technologies in ediscovery.

Ediscovery has evolved from its origins as a legal procedure used primarily in the USA and UK in litigation matters. Kroll Ontrack’s global expansion over the past ten years has shown there is demand across Europe and Asia for ediscovery technology to search for and review electronic evidence, particularly for competition matters and internal investigations. Download the full report here.

What does ediscovery look like in 2015?

We asked our global network of legal consultants to report in depth on the state of ediscovery in their respective countries, providing insight into global trends around ediscovery adoption, uses and advances in technology.

The New Frontiers report documents how ediscovery is becoming an important element of the business landscape, even for countries that do not have an obligation to provide ediscovery as part of their legal framework. The important drivers for these countries, including Germany, France, the Netherlands, China and Singapore are more likely to be related to increased scrutiny by regulators, the transparency and compliance agenda, the need to manage mountains of big data and the overriding requirement to reduce legal cost.

Tim Phillips, Managing Director of Kroll Ontrack International Legal Technologies, commented:

“As a leader in the global industry, we believe it is important to document these changes and to highlight ediscovery’s rapid growth as a problem-solver for everything from regulatory compliance to dealing with dawn raids, and from unbundling legal services to forensic investigations.”

The New Frontiers report is available in full here.

No Video Evidence? No problem.

Computer forensics as a technical specialism is logical, precise and rigorous. The majority of cases we handle are very specific and clear cut, for example, proving a former employee has stolen data. Sometimes, however, clients come to us because of a feeling that something isn’t quite right in their businesses and we are asked to perform a more general forensic analysis. In both cases, Kroll Ontrack’s forensic examination can reveal surprising insights into the activities of a company’s employees that would not have been discovered were it not for forensic analysis.

A recent case handled by the CF team shows how a thorough forensic examination can not only prove client suspicions but also expose larger and previously undetected wrongdoing.

Meet our client

Our client runs a chain of ten retail stores. It is an established family business, with key roles usually filled by family members and trusted friends. Our client spoke warmly of the close-knit working environment within the stores and at the head office. However, after years of consistent growth, they noticed a slump in turnover from a couple of their stores.

Anecdotally, cashiers had assured management that the stores seemed just as busy as before, and so were perplexed by the decreased income. But till rolls don’t lie?

Our client, despite being faced with hard evidence that takings were down, had faith in the accounts given by his cashiers over the hard evidence from till records. He decided to visit the stores to see if he could get to the bottom of the missing funds.

On his tour of the shops, he visited one on a Saturday. Just as the cashiers had said, the shop was incredibly busy with plenty of paying customers. Yet when the evening came and the till was balanced, the numbers didn’t add up.

Increasingly suspicious, our client decided to check the EPOS (electronic point of sale) system and discovered that many records had been deleted. This was something that a cashier would not be able to do, and so our client knew that the culprit was someone with technological knowledge and access to the EPOS system. Next he decided to check the CCTV to see if he could identify cash being removed from the tills. However, the CCTV had been switched off for days at a time, with the only footage being of an IT contractor entering and leaving the room.

Time to call in the experts

The client came to us initially asking us to investigate EPOS records and submitted the laptop used by the IT contractor for forensic imaging.

Our team of forensics experts was able to uncover 500 logins to the EPOS systems over a six-week period. During these login periods, transactions had been remotely deleted.

Digging deeper

The contractor’s laptop was further examined by Kroll Ontrack’s forensic team who uncovered some surprising evidence that not only confirmed the guilt of the contractor but also revealed even bigger crimes.

Like many overconfident or perhaps ill-informed crooks, the contractor had used the laptop to back up his personal mobile. Armed with this potential source of evidence our team got to work examining the mobile phone’s Internet history, emails and WhatsApp messages.

Using keyword searches such as ‘cash’, ‘borrowing’ and ‘lend’, we uncovered messages showing that the contractor was having financial problems and that, as well as stealing money from the till, he had been engaging in fraudulent activities.

Messages revealed he had set up a fake company, complete with a logo designed by a friend, using an account number and sort code that matched his wife’s bank account. This company had invoiced our client for thousands of pounds, processed and approved by a woman in finance who, tellingly, had sent photographs of an adult nature to the contractor.

The value of digital forensics

Without computer forensics, our client might have been able to prove the theft of cash from the till via eyewitness testimony or additional CCTV footage, but it is unlikely that the invoicing scam would have been uncovered as quickly, potentially costing our client thousands more pounds.

This case is now going through the Courts and our client will hopefully be able to recoup some of his losses. But perhaps most importantly, the client’s business is back to running as normal and, thanks to the power of digital forensics, the fraudulent acts were uncovered quickly enough to minimise extended loss of income.

The Life Of A Computer Forensics Consultant

To those who don’t work in the industry, computer forensics has an aura of mystery. Portrayals on film depict a secretive world inhabited by maverick hackers and all powerful government organisations, both of whom have the capability to quickly and easily access and obtain data from any computer in the world.

Of course, whilst computer forensics is a very exciting field, we thought we’d give insight into what it’s really like to be a computer forensics consultant by getting one of our experts to write about it.

Aaron Watson, one of our computer forensics consultants, kindly agreed. Read his account of life in the world of computer forensics below:

Can you tell us about your job in a nutshell?

As a CF consultant my role involves the collection and investigation of electronic data. Both have their challenges and can be as complex and rewarding as each other. Having been at Kroll Ontrack for 4 years I have travelled to many countries, worked on hundreds of projects and collected many thousands of gigabytes of data. The role often involves responding to complex time critical situations, coming up with effective solutions to get the required results, be it collecting data in a very small time frame with a number of technical complexities or investigating unauthorised access to electronic data.

So what does a typical day as a Computer Forensic consultant look like?

I don’t think there is one to be honest! No day is ever the same and every day includes a challenge or three. At any one point in time I can be involved in a number of investigations across a number of countries working with various clients. Investigations can develop and change at a rapid pace, each having their own challenges and complexities; who knows where in the world I could be tomorrow! Mondays for the most part have some regularity in that we aim to have a team meeting to discuss on-going projects, availability and any issues. This gives us a chance to go over current projects and their requirements, but this thankfully is where the regularity ends and the fun begins.

What does a computer forensic investigation involve?

Within the computer forensic team we often have clients coming to us with a situation which requires our investigation capabilities; some simple, some complex and on occasion, some very bizarre! The first port of call for a client is our sales team who then come to us with the general background information and requirement. An example of one of the more bizarre requests was received by my colleague, Joanna Ward. A dog owner whose third dog had died wanted to prove that the dog was ill before he purchased the dog and requested that we help to prove that the post mortem report had been electronically tampered with as it did not read in his favour. Unfortunately for him, we did not take the case due to the fact that he only had a copy of a copy of the document.

Most CF investigations conducted by Kroll Ontrack relate to employee investigations; be it intellectual property theft, access to inappropriate material or outright fraud. In most cases the investigation will lead to employee dismissal or prosecution but on the rare occasion we may act in the defence of the employee.

Forensic data collections and dawn raids

This is an area of the role I particularly enjoy and fortunately for me is the role which takes up most of my time. Clients often have a disclosure order whereby they have to disclose any and all electronic data relating to a matter. This data is often across a number of systems and depending on what country you are collecting the data from can come with local privacy regulations which can cause a number of difficulties. A data collection can start out in one of two ways: in an organised manner with time for scoping and planning, or we find ourselves in a last minute “we needed you in Romania yesterday” type of project. Let’s go with the first: a client calls our sales team requiring a data collection with a disclosure deadline three months away.

The first step for us is to have a scoping call with the client which often includes a CF consultant, a lawyer from the law firm which approached us, possibly the end client and if we are really lucky someone from the end client’s IT department. The call allows us to get an understanding of the requirement, including the number of custodians (people who have access to the data), the type of devices they have and systems they have access to. We also look to discuss logistics including the site location/s, dates/times and availability of custodians. All of this information will make for a much more efficient data collection which means less time required onsite and as a result less cost to the client.

Ultimately we do have a lot of last minute “client panicking” type of data collections. We often have to take a quick assessment of the situation and have an educated guess as to what kit we need to take and how much data storage media we may require. We then get onsite and scope the job on the ground working closely with IT which, if they know their IT systems well, will make for a much more efficient collection. In some cases we have had no IT support available at all (in one case they had all walked out) which meant we had to scope the complete IT infrastructure in order to determine all data storage sources in order to fulfil the requirements of the disclosure requirement. All of this makes for great technical challenges which for me are a great part of the job.

Perks and pains of the job

Thankfully there are far more perks than pains. The biggest perk for me is the variety of work and the lack of similar days. Closely in second place is the sheer number of interesting people we meet and places we get to visit, even if only to work in an office or a data centre for the most part. As a fan of travelling, I am generally a very willing volunteer and if it’s a particularly interesting case you’ve got me! As far as pains go I think pain would be a strong word but at times we can be dealing with quite repetitive processes which can involve playing the waiting game… This isn’t Spooks; we can’t image a hard disk drive or clone a phone in a matter of seconds!

Aaron’s FAQs

What exactly is it that you do?

Hopefully I have covered that bit.

If I delete my files can you recover them?

Well, that would depend on how you have deleted them and how long ago. For the most part, yes we can recover all, if not fragments of deleted files. As a general rule, if the files haven’t been overwritten there is a good chance they can be recovered.

Have you had to go to court?

As yet I haven’t but some might say if your findings and report are sufficient they shouldn’t need defending in court…

When travelling for work do you have any free time to explore?

For the most part no but sometimes yes. Ultimately it depends on a number of factors including the volume of work, the client and surprisingly the location. For example, the Spanish love to finish earlier in the day than us Brits. When I have some free time it’s usually in the evenings. I like to make the most of this free time and explore the local city/area with my camera in hand. On one occasion I was fortunate enough to have a free weekend when in the Ukraine. I think I made the most of this as I visited Chernobyl which I would recommend to anyone!

How did you get into the field of computer forensics?

From a young age I have had a passionate interest in computing and have always been inquisitive, some might say nosey. After finishing my A Levels I wasn’t particularly keen on University but found a Digital Forensics course which sounded like something I wanted to get into. This led me to Teesside University where I studied Digital Forensics which luckily for me got me an internship with Revenue and Customs for 12 months as a Computer Forensic Technician. This was an absolutely fantastic kick-start to my career and from there I went on to work for Kroll Ontrack and here I am!

Do you like your job? Would you recommend it as a career?

I absolutely love the job but you have to have a certain mind-set and put in the hours when required to be successful. The challenges and interesting cases certainly outweigh the sometimes long hours and rare frustrations.

About Aaron Watson

Aaron Watson joined Kroll Ontrack in April 2011 and currently serves as a Computer Forensic Consultant in the London office. Aaron is involved as part of a team or as a lead consultant in forensic data collections both large and small in the UK and abroad in relation to discovery exercises and corporate and private investigations. Aaron has worked on large-scale disclosure exercises and corporate investigations, often for high profile clients or large corporations. These have ranged from investigations into Intellectual Property Theft, Computer Misuse, Fraud, Deception and corruption.