All posts tagged Data Theft

The danger of ‘deleted’ data

data theft, deletion

What computer forensics experts talk about when they talk about deletion

As computer forensics specialists, we are often asked about deleted data. Is something truly deleted? Can deleted data be recovered? What should we do with old laptops? We thought the best way to answer these questions would be to conduct an experiment to show that in computer science, deletion is more of a spectrum than a binary state. The experiment also demonstrates the importance of protecting data, even when the device is no longer in use.

Introducing Project Gumtree

Armed with just £20, we responded to an advert on community selling portal, Gumtree and purchased four ostensibly clean hard drives from the seller, who had advertised them as coming from old family laptops.  After payment and collection, we handed over the drives to our forensics team.

The first step of any forensics investigation is undertaking a procedure called ‘imaging’. Forensic imaging involves creating an exact copy of the hard disk, enabling investigations to be conducted without endangering or tampering with the original data held on the disk. Once we had imaged the Gumtree drives, the real investigation could begin.

Upon initial inspection, three of the hard drives appeared to be blank, as promised by the seller. The fourth simply showed the Windows base installation menu.  For the average domestic user, the seller’s privacy would have been protected but the first rule of forensics is deleted does not always mean deleted and we anticipated that we would be able to extract data from the seemingly blank disks.

Lost and found

Once we examined the imaged drives closely, we uncovered an incredible amount of information. Below is an overview of exactly what we found on each disk:

Data recovered from Disk 1

  • 1400 PDFs
  • 500 Excel Files
  • 200 Word Docs
  • 8 Powerpoint Presentations
  • 40,000 picture files

Although the seller had originally described the disks as coming from family machines, the information recovered suggested otherwise, with numerous documents detailing expenditure in excess of £120,000 on roof lights and £170,000 on installing cladding on a bridge walkway.  The drive also contained other invoices for tens of thousands of pounds as well as a cache of foreign language documents, all which suggested the disk was not used in a domestic context.

Data recovered from Disk 2

Disk 2 was the drive which had a visible base windows installation but nothing else.  However, once again we were able to recover a lot of data, the majority of which consisted of confidential documents taken from the internal file sharing system, Sharepoint. Files held on Sharepoint are for internal viewing only and therefore should not have been saved on the laptop, providing furher evidence that the seller of the drives had perhaps obtained them via dubious means.

Data recovered from Disk 3

Disk 3 also yielded some interesting data. We found 3,800 Google search terms that provided a great deal of insight into the life of the previous owner. For example, we saw that the owner had searched for Patisserie Valerie bakeries, swiftly followed by a search for gyms in a particular area. More intriguingly and perhaps disturbingly, hidden amongst quotidian work documents was a raft of files relating to philosophy and the occult.

Data recovered from Disk 4

Of all the data recovered from the drives, Disk 4 contained the most sensitive information. Unfortunately, our in-house counsel has advised that we cannot go into detail about the contents of the drives as they contain data related to the UK government as well as CCTV footage.

By the end of the exercise, it was clear that the drives were not from family computers. In total, we recovered around 10,000 official documents and there is evidence that they come from the same government department. Kroll Ontrack is currently taking steps to return the data and the disks to that department so they can conduct their own investigations as to how the data was stolen.

How to disappear completely

The difficulty of truly deleting data from devices is something of a double-edged sword. On the one hand, if data appears to be lost, chances are that with the assistance of an experienced forensics technician, the data can be recovered. Yet, if a company disposing of devices capable of storing data (which comprises of a surprisingly long list including satellite navigation systems, mobile phones, USB sticks and more), the information stored on there could potentially be accessed by a third party unless actions are taken to forensically delete date the data.

We would recommend that companies disposing of devices capable of storing data should contact a forensics provider to ensure all confidential data is unrecoverable by third parties.

If you would like to find out more about how computer forensics can help you support and secure your business, please join us for a breakfast seminar in Central London on 6th April.  The seminar is specifically designed for those working in human resources or employment law.  Please click here to register your place.

Only write the novel when you can solve the crime

A forensic mystery at Churchill War Rooms

When I first started as a Trainee Computer Forensic Analyst the sage advice I received from my manager was (as best as I can remember) “There are two types of people in this business: those that sit around figuring out how to commit a crime and the others that actually do it”.

When Tracey Stretton first suggested that my ‘creative’ imagination ought to be used for a “CF Murder Mystery” event I reeled.  Where do you start? How can I make it believable? What details are necessary for a mystery story?

By far the quote I found most helpful was from Andrew Hixson, of the James Bond short stories.

“I only write the novel when I can solve the crime”.

After the initial shock had worn off I quickly realised that I had been given a free ticket.  Without any billable time pressures I could finally, once and for all, take the time to work out from start to finish all aspects of a full ‘crime’.

The core of the plot came about in our first brainstorming session.  The event was to be limited both in time and, as alcohol was likely to be involved, complexity.  We needed a goldilocks computer security incident which was ‘just right’.

The simplest story is often the most believable, so it’s no surprise that we went with good old fashioned larceny.  After all, barring the consequences, we all can think of a way to steal data.

Between myself, Julian Sheppard and Tony Dearsley we collectively had enough stories about thieves and experience with thefts to provide a whole mini-series, not just one evening.

One of the more entertaining ideas we came up with was the discovery of a USB key found in the Channel Tunnel, equally laid on a rail across the Anglo-Franco border (The Discovery).  Unfortunately Sky Atlantic beat us to it and unveiled The Tunnel.  I still maintain that they took my idea and filmed an entire series in two weeks, just to throw me off!

Writing up the suspects and their backstory caused the most concern.  Each time I mentioned the name of an obscure fictional British or American spy there would be worried looks between colleagues.  “Is he day dreaming again?”, “What has this got to do with The War Rooms?”, “Why aren’t you on billable work?” was often asked.

Working out the details was easy once we had realistic characters.  Ultimately, for each of our suspects we laid out their motives and opportunities so as to leave a trail of clues to be picked out by our guests.  The plot becomes something far more interesting when we cheat and use the imagination of others to fill in the gaps.

In the words of Tolkien “Good stories deserve embellishment”, so it was decided that in order to describe a unique story we would need a unique visual guide.  This was Dial D for Data Theft, not Death by Powerpoint!

With judicious use of motion sickness inducing Prezi we were able to develop an interesting, if quirky, set of ‘slides’.

And then suddenly it was time for us to set out to the Cabinet War Rooms!

What a night it was! A perfect combination of story, location and audience.  Indeed the audience participation was, as I expected, the most inventive part of the presentation.

When asked why they thought a particular culprit was guilty, some of the answers were not exactly scientific:

Shifty Eyes”
“He owns a Porsche.”
“She reminds me of my ex-wife”

However, my favourite quote of the night goes to the guest who wrote on his guessing card:

“It was Felix [because] his shirt is far too tight and he’s a liar!  There’s no way he’s 6’10”! 5’11” at MOST“.

Then, with a bottle of something nice to the winning entry from our audience (none of the above were winners, sadly) we wrapped up the evening with an exciting dénouement and final farewell.

Is there a nephologist in the building?

Cloud computing

Nephologist  (nɪˈfɒlədʒɪst)
-noun (rare)
(meteorology) an expert or specialist in the study of clouds

The advent of cloud computing and cloud storage has undoubtedly had a huge impact on the business and forensic stratosphere. An increasingly common answer to the question “where is your data stored?” is a shrug of the shoulders and a point to the sky.

This can have a serious impact on the security of an organisation’s data and on any subsequent forensic investigation. No longer is the dishonest employee required to employ cloak and dagger tactics to smuggle hardware from the premises. No longer are we called upon to investigate physical items that can be removed to a secure lab and, as such, Computer Forensic investigators are becoming nephologists.

Data can be transferred, synced and/or downloaded outside the firewall in minutes, so it is more important than ever to know what data is vital to your business and who can access it. We recently undertook an investigation where an employee in a data sensitive industry had installed a well-known cloud storage facility, transferred thousands of files and then Google searched “how to uninstall [cloud storage facility]”. The elapsed time from install to uninstall was a little more than 4 minutes, and if the internet history for the device had not been available, the outcome of that matter could have been very different.

There are clearly huge business advantages associated with the cloud, however, bearing in mind the strapline for the cloud service of a leading provider: “your stuff, anywhere”, the prudent business owner must exercise caution when choosing the right cloud service for business sensitive data.

If you do fancy a bit of atmospheric storage, Kroll Ontrack’s team of experienced ‘techno-nephologists’ are able to assist you in implementing a bespoke Forensic Readiness Plan to ensure that you are perfectly placed to prevent the loss of key data, and also on hand to help uncover key evidence if an incident does occur.

Webinar: The Changing Face of Data Theft


This past week saw the long awaited, and therefore highly anticipated, final instalment of the Kroll Ontrack Autumn/Winter Webinar series, entitled “The Changing Face of Data Theft”.

If you a) didn’t manage to catch it or b) have always wondered what Dimbleby would sound like if he was Welsh, then fear not, for the recording can be found here…  Webinar Video

And just in case the pace of this action packed discussion is too much for you, here’s an overview of the headline topics that came up in the discussion. Synopsis

We were extremely fortunate to be joined by Dan Morrison of Grosvenor Law and E.J. Hilbert, Head of Cyber Investigations at Kroll Advisory Solutions, who both shared their vast experience of handling data loss incidents.

Dan stressed of the importance of having properly drafted (and signed) employment contracts. Ensuring that they are fit for the technology abundant in the modern workplace and ensuring that properly drafted post-termination covenants are both in place and enforceable.

E.J advises that the threats and technology being used is not new, but that organisations don’t fully understand the existing threats in the first place and that the biggest weakness in any company is the human. The curiosity to click on an obscure email from a friend or to simply click “yes” just to remove a pesky pop-up from their screen, remain significant threats to corporate data, and education is vital to ensure that your employees don’t put your data at risk.

And I…well I just did an introduction and asked a few questions (in addition to making many attendees weak at the knees with my “Dimblebyesque” moderation and dulcet Welsh tones).

All-in-all a well-attended and thoroughly engaging seminar and for that I must thank Dan and E.J.

Until next time…!


As we approach the end of 2013 it is only natural to look to the future and wonder what 2014 will bring.  Kroll Ontrack gathered together a panel of industry experts, supplied copious bubbly drinks (to help with the creative juices) and cajoled them into giving up their predictions for next year.  My personal favourite:

Kroll Ontrack will achieve ediscovery world domination!

On a less aggressive note, the predictions identify a number of themes that were also hot topics in 2013.  “Data Protection will be top of the agenda” from one law firm partner.  Hidden behind all the cross-border matters, data protection has always been a lingering issue for any lawyer. However, since the surreptitious release of NSA files, the day to day café discussion has been emotional and heated. This has led politicians, companies and law firms in EMEA, and other parts of the world, to review practices and procedures in relation to information provided to other countries, and especially to the US. An extensive overhaul of the EU’s data protection regulation is due in 2014 with fines of up to €100m and mandatory data protection officers.  This far-reaching data protection regulation is due to replace Europe’s 1995 Data Protection Directive, following a vote by the European Union.   This new regulation is likely to result in complex technological, process and governance challenges for organisations across Europe.

“A major law firm will suffer a cyber attack”.  This is not so much a new prediction for 2014, as a continuation of a theme from 2013.  A major city law firm successfully fought a ‘drive by’ or ‘watering hole’ attack in October 2013, but it has highlighted the vulnerabilities in the legal profession.  If you attack a corporation, you get one company’s information.  If you attack a law firm, you potentially get hundreds.  As corporations strive to keep their IT infrastructure airtight, one must ask whether their legal advisors are doing the same when handling sensitive and privileged data.

“Discovery of Twitter (private messages) and Facebook accounts”.  I think we can lump these in under the general heading of  “social media”.  Without the express co-operation of the account holder, what options are there for discovery?  Using talented forensic consultants there is a possibility of finding fragments of data previously accessed on a hard drive but unless you have the user name and password the only option to obtain a full data set is a court order to the service provider.

“The first request from a lawyer will be ‘can I use predictive coding on this matter’?”  Whilst predictive coding is on the rise, our first question would be how much data, how long do you have to review?  If the matter fits we will happily unleash our expertise on said lawyer, providing consultancy and guidance. Predictive coding is finally entering the mainstream, and as we see it being used more and more often as lawyers become familiar with the technology, I can see lawyers asking for its use, rather than it being suggested to them.

Finally, is there potential for a shift in the way ediscovery is approached? Perhaps ediscovery will start being considered as part of the integral process of litigation, competition cases and internal investigations and “In 2014 the worlds of law, technology and business will finally converge as they should!”

In conclusion, the most important predictions of the year ahead:

  •  “Warrington Wolves to win the rugby league super league”
  • “Royal Wedding – Harry and a posh blond”
  • And most importantly “We discover Sherlock can fly”

Amsterdam: The Layover – E-Crime congress 2013

Don't Panic: Responding to Data Theft

Day 1

4:00 pm – Nexus, Farringdon Street, London
Here’s some wise advice – never answer your phone when your train is leaving in 15 minutes. Robert Jones learned this the hard way and as a result he had to set a new track record Nexus – City Thameslink Station, in under 2 minutes. “Surely that can’t be done!” I hear you cry. Well thankfully Rob, like all Kroll Ontrack employees, is a finely tuned athlete and has been training for marathons, and so made it with seconds to spare. Robbie J, quite literally going the extra mile to keep his clients happy. So the three intrepid travellers – Luke Aaron, Robert Jones and myself – got the train on time and were on our way to Gatwick airport.

5:30 pm – Gatwick Airport, Departure Lounge
Dinner consisted of tortilla chips, guacamole sauce and some random roasted vegetables, eaten with one of those silly security knives, more handle than blade, hardly gourmet cuisine. “That’ll be £9.50 please sir” –“How much? For some crisps and a dip” so lighter in the pocket, but ‘heavy’ on food we headed to the plane. After the traditional security routine – put toiletries in small evidence bag, take off coat, jacket and belt, unpack laptop, put all small change in tray (not that we had much left after dinner), get tray jammed by eight others in machine, get patted down by male security guard, feel violated, put belt back on, lose passport and boarding card, panic, find passport and boarding card in pocket you didn’t know existed, re-pack entire contents of luggage – we boarded the plane. Without naming names, it was the orange and white budget one that sounds like Cheesypet, who have started to allocate seats nowadays, much to the consternation of familiar Cheesypet travellers who had prepared for the scrum to get a seat near the front of the plane. We finally took off and were on our way to Amsterdam.

10:00 pm – Hotel Okura, Amsterdam
An hour later we landed on Dutch soil with the final destination as the Okura hotel. A fine and opulent hotel, the pinnacle of which was the remote controlled blind between the bath and bedroom. Rob claims he overheard Luke getting at least half an hour of entertainment by continually sending it up and down.

Day 2

12:25 pm – Hotel Okura, Amsterdam
After building up the stand with extreme precision, it was Luke Aaron’s time to shine at his debut as a Kroll Ontrack speaker. His educational seminar was entitled ‘Don’t panic: Responding to data theft’. In the 35 minute slot Luke explained to around 25 captivated visitors, from a variety of backgrounds including banking, telecoms and software companies, what policies and procedures every company should embrace regarding to a possible data theft. The presentation was very well received and was for many an eye-opening introduction to the world of data theft response.

Luke Aaron on data theft

2:25 pm – Hotel Okura, Amsterdam
Now it was time for Robert Jones and his special guest, Misha lutje Beerenbroek, Head of EC Competition and Trade at Baker & McKenzie, Amsterdam to impress the crowd. This pairing, which some (Rob) have compared to the compliance world’s equivalent to Jimmy Page and Robert Plant*, rocked the conference with a talk centred around ‘Using innovative technology to audit for compliance’. With a very relaxed and open approach the duo riffed away on regulatory trends towards cross-border investigations and fines, the growth of a compliance culture and the benefits of building strong compliance programmes to be better prepared for the risk of regulatory intervention in relation to antitrust, corruption and other issues.  A particular topic which got the audience talking was the frank discussion of approaches taken by companies when weighing up the problem of carrying out an internal investigation to defend the company, versus the risk of infringing an employee’s personal rights and data privacy laws. It was clear this gave many visitors a new perspective on internal audits and some audience members were still humming away afterwards to the tune of ‘Communication Breakdown’ (or ‘email analytics’, as we like to call it).

*Of ‘Led Zeppelin’ fame – apparently some people have never heard of them.

7:00 pm – Schipol, Departure Lounge
After re-hashing over dinner we came to the conclusion that it was a productive day. With our data centre in Germany due to be operational in late January and our French data centre to come online shortly afterwards, hopefully congresses like this will help make more businesses aware of our continued commitment to providing solutions in Continental Europe.

About Jasper van Dooren

Jasper is part of the Electronic Evidence Consultancy team, which provides scoping consultancy and advice to potential clients in ediscovery or computer forensics matters. He also assists clients by providing demonstrations, presentations, documentation and advice before and during project engagements to ensure that expectations and legal requirements are being met. Jasper graduated from Utrecht University, Netherlands, with a Master’s degree in Private law before moving to London.