All posts tagged Digital Forensics

New Frontiers in Ediscovery

We are very excited to be launching the inaugural edition of our report entitled ‘New Frontiers: An Insight into the global expansion of ediscovery.’ The report contains a compendium of 15 articles focusing on how ediscovery is being carried out in various countries around the world. We have also included a series of feature articles examining:

  • how ediscovery technology is being used to detect cartels
  • what uses are being found for ediscovery technology in the financial services sector
  • the latest trends in computer forensics
  • new technologies in ediscovery.

Ediscovery has evolved from its origins as a legal procedure used primarily in the USA and UK in litigation matters. Kroll Ontrack’s global expansion over the past ten years has shown there is demand across Europe and Asia for ediscovery technology to search for and review electronic evidence, particularly for competition matters and internal investigations. Download the full report here >>

What does ediscovery look like in 2015?

We asked our global network of legal consultants to report in depth on the state of ediscovery in their respective countries, providing insight into global trends around ediscovery adoption, uses and advances in technology.

The New Frontiers report documents how ediscovery is becoming an important element of the business landscape, even for countries that do not have an obligation to provide ediscovery as part of their legal framework. The important drivers for these countries, including Germany, France, the Netherlands, China and Singapore are more likely to be related to increased scrutiny by regulators, the transparency and compliance agenda, the need to manage mountains of big data and the overriding requirement to reduce legal cost.

Tim Phillips, Managing Director of Kroll Ontrack International Legal Technologies, commented:

“As a leader in the global industry, we believe it is important to document these changes and to highlight ediscovery’s rapid growth as a problem-solver for everything from regulatory compliance to dealing with dawn raids, and from unbundling legal services to forensic investigations.”

The New Frontiers report is available in full here.

No Video Evidence? No problem.

Computer forensics as a technical specialism is logical, precise and rigorous. The majority of cases we handle are very specific and clear cut, for example, proving a former employee has stolen data. Sometimes, however, clients come to us because of a feeling that something isn’t quite right in their businesses and we are asked to perform a more general forensic analysis. In both cases, Kroll Ontrack’s forensic examination can reveal surprising insights into the activities of a company’s employees that would not have been discovered were it not for forensic analysis.

A recent case handled by the CF team shows how a thorough forensic examination can not only prove client suspicions but also expose larger and previously undetected wrongdoing.

Meet our client

Our client runs a chain of ten retail stores. It is an established family business, with key roles usually filled by family members and trusted friends. Our client spoke warmly of the close-knit working environment within the stores and at the head office. However, after years of consistent growth, they noticed a slump in turnover from a couple of their stores.

Anecdotally, cashiers had assured management that the stores seemed just as busy as before, so management were perplexed by the decreased income. But till rolls don’t lie.

Our client, despite being faced with till records showing that takings were down, had faith in the accounts given by his cashiers. He decided to visit the stores to see if he could get to the bottom of the missing funds.

On his tour of the shops, he visited one on a Saturday. Just as the cashiers had said, the shop was incredibly busy with plenty of paying customers. Yet when the evening came and the till was balanced, the numbers didn’t add up.

Increasingly suspicious, our client decided to check the EPOS (electronic point of sale) system and discovered that many records had been deleted. This was something a cashier would not have been able to do, so our client knew the culprit was someone with technical knowledge and access to the EPOS system. Next he checked the CCTV to see if he could identify cash being removed from the tills. However, the CCTV had been switched off for days at a time, with the only footage being of an IT contractor entering and leaving the room.

Time to call in the experts

The client came to us initially asking us to investigate EPOS records and submitted the laptop used by the IT contractor for forensic imaging.

Our team of forensic experts uncovered 500 logins to the EPOS system over a six-week period. During these login sessions transactions had been remotely deleted.

Digging deeper

The contractor’s laptop was further examined by Kroll Ontrack’s forensic team who uncovered some surprising evidence that not only confirmed the guilt of the contractor but also revealed even bigger crimes.

Like many overconfident or perhaps ill-informed crooks, the contractor had used the laptop to back up his personal mobile. Armed with this potential source of evidence our team got to work examining the mobile phone’s Internet history, emails and WhatsApp messages.

Using key word searches such as ‘cash’, ‘borrowing’ and ‘lend’, we uncovered messages showing that the contractor was having financial problems and as well as stealing money from the till he had been engaging in fraudulent activities.

Messages revealed he had set up a fake company, complete with a logo designed by a friend, using an account number and sort code that matched his wife’s bank account. This company had invoiced our client for thousands of pounds, processed and approved by a woman in finance who, tellingly, had sent photographs of an adult nature to the contractor.

The value of digital forensics

Without computer forensics, our client might still have been able to prove the theft of cash from the till via eyewitness testimony or additional CCTV footage, but it is unlikely that the invoicing scam would have been uncovered as quickly, potentially costing our client thousands more pounds.

This case is now going through the Courts and our client will hopefully be able to recoup some of his losses. But perhaps most importantly, the client’s business is running back to normal and thanks to the power of digital forensics, the fraudulent acts were uncovered quickly enough to minimise extended loss of income.

The Life Of A Computer Forensics Consultant

To those who don’t work in the industry, computer forensics has an aura of mystery. Portrayals on film depict a secretive world inhabited by maverick hackers and all-powerful government organisations, both of whom have the capability to quickly and easily access and obtain data from any computer in the world.

Of course, whilst computer forensics is a very exciting field, we thought we’d give an insight into what it’s really like to be a computer forensics consultant by getting one of our experts to write about it.

Aaron Watson, one of our computer forensics consultants, kindly agreed. Read his account of life in the world of computer forensics below:

Can you tell us about your job in a nutshell?

As a CF consultant my role involves the collection and investigation of electronic data. Both have their challenges and can be as complex and rewarding as each other. Having been at Kroll Ontrack for 4 years I have travelled to many countries, worked on hundreds of projects and collected many thousands of gigabytes of data. The role often involves responding to complex time critical situations, coming up with effective solutions to get the required results, be it collecting data in a very small time frame with a number of technical complexities or investigating unauthorised access to electronic data.

So what does a typical day as a Computer Forensic consultant look like?

I don’t think there is one to be honest! No day is ever the same and every day includes a challenge or three. At any one point in time I can be involved in a number of investigations across a number of countries working with various clients. Investigations can develop and change at a rapid pace, each having their own challenges and complexities, who knows where in the world I could be tomorrow! Mondays for the most part have some regularity in that we aim to have a team meeting to discuss on-going projects, availability and any issues. This gives us a chance to go over current projects and their requirements, but this thankfully is where the regularity ends and the fun begins.

What does a computer forensic investigation involve?

Within the computer forensic team we often have clients coming to us with a situation which requires our investigation capabilities; some simple, some complex and on occasion, some very bizarre! The first port of call for a client is our sales team who then come to us with the general background information and requirement. An example of one of the more bizarre requests was received by my colleague, Joanna Ward. A dog owner whose third dog had died wanted to prove that the dog was ill before he purchased the dog and requested that we help to prove that the post mortem report had been electronically tampered with as it did not read in his favour. Unfortunately for him, we did not take the case due to the fact that he only had a copy of a copy of the document.

Most CF investigations conducted by Kroll Ontrack relate to employee investigations; be it intellectual property theft, access to inappropriate material or outright fraud. In most cases the investigation will lead to employee dismissal or prosecution but on the rare occasion we may act in the defence of the employee.

Forensic data collections and dawn raids

This is an area of the role I particularly enjoy and fortunately for me is the role which takes up most of my time. Clients often have a disclosure order whereby they have to disclose any and all electronic data relating to a matter. This data is often across a number of systems and depending on what country you are collecting the data from can come with local privacy regulations which can cause a number of difficulties. A data collection can start out in one of two ways, in an organised manner with time for scoping and planning, or we find ourselves in a last minute “we needed you in Romania yesterday” type of project. Let’s go with the first, a client calls our sales team requiring a data collection with a disclosure deadline three months away.

The first step for us is to have a scoping call with the client which often includes a CF consultant, a lawyer from the law firm which approached us, possibly the end client and if we are really lucky someone from the end client’s IT department. The call allows us to get an understanding of the requirement, including the number of custodians (people who have access to the data), the type of devices they have and systems they have access to. We also look to discuss logistics including the site location/s, dates/times and availability of custodians. All of this information will make for a much more efficient data collection which means less time required onsite and as a result less cost to the client.

Ultimately we do have a lot of last minute “client panicking” type data collections. We often have to take a quick assessment of the situation and make an educated guess as to what kit we need to take and how much data storage media we may require. We then get onsite and scope the job on the ground, working closely with IT, which, if they know their IT systems well, will make for a much more efficient collection. In some cases we have had no IT support available at all (in one case they had all walked out), which meant we had to scope the complete IT infrastructure in order to determine all data storage sources and fulfil the disclosure requirement. All of this makes for great technical challenges which for me are a great part of the job.

Perks and pains of the job

Thankfully there are far more perks than pains. The biggest perk for me is the variety of work and the lack of similar days. Closely in second place is the sheer number of interesting people we meet and places we get to visit, even if only to work in an office or a data centre for the most part. As a fan of travelling, I am generally a very willing volunteer and if it’s a particularly interesting case you’ve got me! As far as pains go I think pain would be a strong word but at times we can be dealing with quite repetitive processes which can involve playing the waiting game… This isn’t Spooks; we can’t image a hard disk drive or clone a phone in a matter of seconds!

Aaron’s FAQs

What exactly is it that you do?

Hopefully I have covered that bit.

If I delete my files can you recover them?

Well, that would depend on how you have deleted them and how long ago. For the most part, yes we can recover all, if not fragments of deleted files. As a general rule, if the files haven’t been overwritten there is a good chance they can be recovered.

Have you had to go to court?

As yet I haven’t but some might say if your findings and report are sufficient they shouldn’t need defending in court…

When travelling for work do you have any free time to explore?

For the most part no but sometimes yes. Ultimately it depends on a number of factors including the volume of work, the client and surprisingly the location. For example, the Spanish love to finish earlier in the day than us Brits. When I have some free time it’s usually in the evenings. I like to make the most of this free time and explore the local city/area with my camera in hand. On one occasion I was fortunate enough to have a free weekend when in the Ukraine. I think I made the most of this as I visited Chernobyl which I would recommend to anyone!

How did you get into the field of computer forensics?

From a young age I have had a passionate interest in computing and have always been inquisitive, some might say nosey. After finishing my A Levels I wasn’t particularly keen on University but found a Digital Forensics course which sounded like something I wanted to get into. This led me to Teesside University where I studied Digital Forensics which luckily for me got me an internship with Revenue and Customs for 12 months as a Computer Forensic Technician. This was an absolutely fantastic kick-start to my career and from there I went on to work for Kroll Ontrack and here I am!

Do you like your job? Would you recommend it as a career?

I absolutely love the job but you have to have a certain mind-set and put in the hours when required to be successful. The challenges and interesting cases certainly outweigh the sometimes long hours and rare frustrations.

About Aaron Watson

Aaron Watson joined Kroll Ontrack in April 2011 and currently serves as a Computer Forensic Consultant in the London office. Aaron is involved, as part of a team or as lead consultant, in forensic data collections both large and small in the UK and abroad in relation to discovery exercises and corporate and private investigations. Aaron has worked on large-scale disclosure exercises and corporate investigations, often for high-profile clients or large corporations. These have ranged from investigations into intellectual property theft, computer misuse, fraud, deception and corruption.

Agent 001 – What really happens during a “mock” dawn raid


Have you ever wondered what really happens during a mock dawn raid? I have had the opportunity to assist my forensic colleagues from Kroll Ontrack on several mock dawn raids in Europe so I will share with you what is actually going on behind the glamour and the mystery…

At dawn my four colleagues, who are forensic experts, and I are waiting incognito in a taxi a few hundred metres away from the premises that we are about to raid in an industrial and somewhat unfriendly location. No one apart from the CEO and Compliance Team of the company is aware of our presence and upcoming actions. My cell phone rings and we obtain the “go ahead” to enter the premises. Accompanied by external lawyers, we all enter the premises through a back door and register at a “pseudo reception” to obtain visitor passes. Then we are shown to a conference room which is where we will set up our IT and forensic equipment.

One of my IT colleagues lets out a deep sigh of despair after he realizes that we only have a single low speed network cable at our disposal and two power plugs to connect around 15 external hard drives and laptops from employees that are yet to come, but don’t panic, we brought several extension cables with us in case this should happen.

However, the single low speed network cable means that we will not be able to copy the server data from the conference room itself since that would take much too long; we have to be granted access to the central server room to connect directly to the server and copy server data rapidly. But we do not know where the server is located…is it onsite or somewhere else entirely?

We have to urgently speak to the local IT Manager, to find out where exactly the server is located. We are informed it is 25 km away from the current premises, and apparently it is up in the mountains so “it will take a while” to get there. I decide to go together with a forensic colleague to the offsite server location; we arrive there in 45 minutes after a hasty ride, to a very small and chilly room with a few server racks and many LED lights flashing intermittently. We start copying the data from the server but suddenly the server shuts down since it has detected an intrusion/hacker attack in an “Armageddon” atmosphere. Luckily, we manage to bypass the security breach in about half an hour and copy the relevant data in a couple of hours more.

In the meantime, my other forensic colleagues at the company premises have finally managed to obtain the necessary administrative rights and access from the local IT Manager. These codes will enable our forensic experts to start taking live images of the laptops from the company employees who have been selected as priority custodians (because of their role and position they are considered to be more likely to commit infringements or be exposed to competitors).

It is a race against the clock…as employees come into our conference room in groups of two by two we take their laptops, ask the employees to enter their passwords, sign our chain of custody form and we then run our forensic software to start the live image copying process of the laptop…all of this in just under 5 minutes per employee.

If everything goes according to plan we manage to copy data from 15 laptops in just less than 5 hours. The server data located up in the mountains has also been copied in about 5 hours. Finally my forensic colleagues run a program, which looks very impressive with plenty of zeros and ones, to check the integrity of the data and to ensure that all necessary data has been copied with nothing lost on the way. All the data has been copied successfully: mission accomplished!

These exercises can be used by corporations to test their incident response plans as part of a proactive approach to compliance, as part of an internal audit to make sure that no wrongdoing is taking place, or just to familiarize the staff with the process of a dawn raid so that nobody panics in the event of a real one. Whatever the reason for them, we try to make it as realistic a process as possible to provide the best training.

About Thomas Cavro Dupont

Thomas Cavro Dupont is a Discovery Services Consultant at Kroll Ontrack in the EMEA region and is based in Germany. He advises lawyers around Europe and their clients on how to effectively manage electronically stored documents in matters such as competition, litigation and internal or regulatory investigations. Before joining Kroll Ontrack in 2014, he worked as an Associate in leading international law firms in Brussels, Paris and Madrid advising clients on competition law issues. Thomas also worked as a Project Manager for a major ediscovery provider in London specialising in ediscovery projects in the antitrust and finance areas. Thomas, who is legally qualified in Spain and France, obtained his Law Degree from the Universidad Pontificia Comillas in Madrid and received an LL.M. in European Legal Studies from the College of Europe in 2009. His native languages are Spanish and French and he is fluent in German and English.

Forensic Mythbusting: Luke ‘CF Guru’ Aaron explores some truths and myths about Digital Forensics.


I get asked a small number of questions a lot of times, so I thought it useful to explore some of them in an exposé of the main capabilities and myths of the forensics industry, as well as a few helpful hints.

  1. Can you recover deleted data?

The answer is “yes, usually”. When a file is deleted, its contents remain on the drive; what is removed is the file system’s reference to it (the directory entry and the allocation record), so the operating system no longer knows where to look. A good analogy is a lazy librarian who, on being instructed to remove an unwanted book, simply removes the index card and leaves the book on the shelf: the book is still there, but nobody has any way of knowing where to look. At some point a new book is needed to fill “the space” where the old book sits, and the librarian simply pushes the old book to the back of the shelf. It is now slightly harder to find, as a new book stands in front of it, but it is still lurking there if you know where to look.

Of course computers, like shelves, do not have infinite storage, and eventually new data will overwrite old data. This is where the analogy breaks down slightly: new data written to the same location replaces the old bytes rather than hiding them, so only the part of a deleted file that has not yet been reused can still be recovered, which is why what comes back is sometimes a fragment rather than a whole file. The amount of usage since deletion and how much free space is available on the drive are therefore the key factors when advising on the likelihood of data having been overwritten.

  2. Is it possible to forensically wipe a drive so nothing can be recovered?

Unfortunately yes, it is possible to wipe a drive so that no data is recoverable. When used correctly, there are products available that overwrite every sector of a hard drive with zeros or a random pattern of “0”s and “1”s, leaving nothing for recovery tools to find. Some wiping tools will even try to self-delete and hide the fact that they have been run. By looking at a timeline of the usage on the device since the date of the deletion, we may still be able to draw some conclusions as to the type of tool used and the date of deletion. Two caveats: a wipe is only as good as its coverage, so reading every sector back afterwards and confirming it holds the pattern is part of doing it correctly; and on a solid-state drive the controller’s wear levelling and TRIM mean blocks can be relocated or discarded without any tool having been run, so both recovery and wiping are less predictable than on a spinning disk. All of this shows why it is key to have robust policies on what can be installed on a device and how data is backed up and stored.
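To make the librarian analogy concrete, here is an added example (not code from the original post or any Kroll Ontrack tool) of signature carving: the file system index is ignored altogether and the raw image is scanned for known file headers and footers. The disk image, the JPEG and PNG payloads and their offsets are constructed for the example; the magic bytes are the real ones. It also shows what an overwrite does to recovery: clobber the header and the file vanishes from the carver’s view, clobber the tail and only a fragment is reported, overwrite everything (as a wiping tool would) and nothing is found.

```python
# Constructed disk image: a "deleted" JPEG and PNG sit in unallocated space with no
# directory entry pointing at them. Headers/footers are the real magic bytes; the
# payloads between them are filler, not real pictures.
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
PNG_SIG, PNG_END = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"

SIGNATURES = {
    "jpeg": (JPEG_SOI, JPEG_EOI),
    "png": (PNG_SIG, PNG_END),
}


def build_sample_image():
    """Return a small raw image: zeros, a JPEG at offset 512, zeros, a PNG, zeros."""
    jpeg = JPEG_SOI + b"\xe0" + b"J" * 200 + JPEG_EOI   # 206 bytes
    png = PNG_SIG + b"P" * 120 + PNG_END                 # 136 bytes
    return b"\x00" * 512 + jpeg + b"\x00" * 300 + png + b"\x00" * 256


def carve(image, max_size=10 * 1024 * 1024):
    """Signature-based carving: find each header, then the matching footer within
    max_size bytes. A header without a footer is reported as an incomplete fragment,
    which is what a partially overwritten file looks like."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h < 0:
                break
            f = image.find(footer, h + len(header), h + max_size)
            if f < 0:
                found.append({"type": kind, "offset": h, "size": None, "complete": False})
                start = h + len(header)
                continue
            end = f + len(footer)
            found.append({"type": kind, "offset": h, "size": end - h, "complete": True})
            start = end
    return sorted(found, key=lambda r: r["offset"])


def overwrite(image, offset, length, pattern=b"\x00"):
    """Simulate new data (or a wiping tool) landing on part of the image: the old
    bytes are replaced in place, not hidden behind the new ones."""
    fill = (pattern * (length // len(pattern) + 1))[:length]
    return image[:offset] + fill + image[offset + length:]


if __name__ == "__main__":
    img = build_sample_image()
    print("intact:", carve(img))
    print("header overwritten:", carve(overwrite(img, 512, 50)))
    print("tail overwritten:", carve(overwrite(img, 662, 100)))
    print("fully wiped:", carve(overwrite(img, 0, len(img))))
```

Real carvers (PhotoRec, Scalpel and the like) add per-format validation, because a footer search alone will happily pair a JPEG header with the end marker of a different JPEG that happens to follow it; the structure above is the same.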

  3. Can you extract data from a mobile phone?

Whether we can recover data off a mobile phone depends almost solely on the make and model. The forensic industry is constantly playing catch up with new operating systems and proprietary file storage systems on mobile devices. We use a range of tools and techniques to increase the likelihood of extracting the relevant data, however a good initial guide of whether your handset is supported for extraction is freely available at .

  4. Can you crack passwords?

The ability to crack a password depends almost entirely on the password, and on how it was stored: a fast unsalted hash can be attacked billions of times a second, a slow key-derivation function far more slowly. We use rainbow tables (which only help where the hash is unsalted), dictionary attacks and forensic tools to attempt to overcome passwords. However, a sufficiently strong password is exceedingly difficult to crack in a reasonable time frame. In the password world, length is key. There are only 10 digits and approximately 20 symbols on a keyboard, so adding one to the end of a basic password does little; trying those suffixes is the first rule any cracking tool applies. If a phrase that combines words, such as “THEMERRYWIVESOFWINDSOR”, or a series of unconnected words, such as “HORSESTAPLEBATTERYGOAL”, has been used, it may take hundreds of years of brute-force processing to crack. The one caveat is that a passphrase built from a handful of words in a small list of common words is exposed to a combinator attack that guesses word combinations rather than characters, so the words need to come from a large list, or there need to be more of them.
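The point about suffixes and length can be shown with a toy dictionary attack, added here as an example (not code from the original post or any Kroll Ontrack tool). The wordlist, the mangling rules and the target hashes are constructed; the 1e10 guesses per second used in the estimates is an assumed figure for a GPU rig against an unsalted fast hash and is not from the page.

```python
import hashlib

# Constructed mini wordlist; a real attack uses a leaked-password list of millions
# of entries, so the ratios shown here are what matter, not the absolute counts.
WORDLIST = ["welcome", "password", "letmein", "dragon", "monkey", "windsor"]
SUFFIXES = "0123456789!@#$%^&*?"   # the digits and common symbols the post mentions
SECONDS_PER_YEAR = 365 * 24 * 3600


def hash_password(plaintext, algo="sha1"):
    """Unsalted fast hash, as found in many legacy applications."""
    return hashlib.new(algo, plaintext.encode()).hexdigest()


def rule_candidates(word):
    """Yield mangled variants of one base word in the order a cracker tries them:
    case variants first, then a single appended character, then two digits."""
    bases = (word, word.capitalize(), word.upper())
    yield from bases
    for b in bases:
        for s in SUFFIXES:
            yield b + s
    for b in bases:
        for n in range(10, 100):
            yield b + str(n)


def dictionary_attack(target_hex, algo="sha1", words=WORDLIST, max_guesses=1_000_000):
    """Return (plaintext, guesses) on a hit, or (None, guesses) when the wordlist
    or the guess budget is exhausted without a match."""
    guesses = 0
    for word in words:
        for cand in rule_candidates(word):
            guesses += 1
            if hash_password(cand, algo) == target_hex:
                return cand, guesses
            if guesses >= max_guesses:
                return None, guesses
    return None, guesses


def brute_force_years(length, alphabet_size, guesses_per_second=1e10):
    """Years to exhaust every string of the given length over the alphabet.
    guesses_per_second is an assumed GPU rate against an unsalted fast hash."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def combinator_years(word_count, dictionary_size, guesses_per_second=1e10):
    """Years to exhaust every concatenation of word_count words from a dictionary
    of dictionary_size entries: the attack aimed at word-based passphrases."""
    return dictionary_size ** word_count / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(dictionary_attack(hash_password("Password1")))
    print(dictionary_attack(hash_password("HORSESTAPLEBATTERYGOAL")))
    print("9 alphanumerics:", brute_force_years(9, 36), "years")
    print("22 capitals:", brute_force_years(22, 26), "years")
    print("4 words of 10,000:", combinator_years(4, 10_000), "years")
```

Against the mini list, “Password1” falls inside the first few hundred guesses because capitalisation and an appended digit are the first rules any cracker applies, while the same attack never produces “HORSESTAPLEBATTERYGOAL”. The estimates show the flip side: brute-forcing 22 upper-case letters is hopeless, but four words drawn from a 10,000-word list is only 10^16 combinations, hours to days for a fast hash, which is why the words in a passphrase should come from a large list or there should be more of them.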

  5. Can you crack encryption and is Truecrypt still safe to use?

The short answer is no. The major encryption algorithms in use today cannot be broken by attacking the algorithm itself with any feasible amount of computing power. Most successful attacks are instead against the system surrounding the encryption: how the key is derived from a password, how it is exchanged or stored, whether it is still held in memory on a running machine, and bugs in the implementation.

Having undertaken research on the so-called “demise” of Truecrypt, in our opinion there is no basis to believe that it is suddenly unsafe to use for the transport of data. Scare stories and hearsay aside, there is no reason to suspect that a product used safely and securely for many years since the previous update would become redundant and insecure overnight. The developers, whose identity remains a mystery, clearly have their reasons for not wishing to continue with the development of Truecrypt and not wishing to pass the baton to a company or the wider internet, but that does not diminish their previous good work, which makes Truecrypt still the most viable encryption solution for the transport of data.

  6. Can you forensically image a hard drive in 5 minutes, using a mobile phone, you know, like Jack Bauer does?

“No, no, no.” My message to Jack Bauer, Chloe O’Brian, the rest of the staff at CTU (all 24), Gil Grissom (CSI) and Sir Harry Pearce KBE (Spooks) is to stop making us real forensic folk look bad.

Forensic imaging and investigation take time. A forensic image is an exact, sector-by-sector replica of the drive, so the fact that a drive only holds 50 GB of active data is irrelevant: the image also captures all of the unallocated space, which is where “our lazy librarian” (see point 1) has left the deleted data. The time taken depends on the size of the drive and the speed of the connection. For reference, we would expect to image at roughly 80 GB per hour, so a 1 TB drive could take up to 13 hours. The image is only relied upon once a hash of the source drive and a hash of the image file have been computed and shown to match. Investigations are conducted in accordance with ACPO guidelines and adhere to a strict chain of custody and contemporaneous notes protocol; this ensures that any evidence uncovered can be used in court.
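Below is an added example (not the author’s or Kroll Ontrack’s imaging software) of the two steps that make an image evidentially sound: copy every byte while hashing the source, then re-hash the written image and store both values with the acquisition details so the image can be re-verified later, which is the integrity check the mock dawn raid post describes at the end of the day. The “device” is a constructed random file in a temporary directory, and the examiner name and case reference are placeholders. Real acquisitions go through a write blocker and usually into a container format such as E01 rather than a raw copy; the verification logic is the same.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024   # read/write size; real tools use larger blocks, same idea


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source_path, image_path, examiner, case_ref):
    """Copy source to image byte for byte, hashing the source on the way through,
    then hash the written image independently and write an acquisition record
    next to it. Returns the record (a dict) so the caller can check 'verified'."""
    src_hash = hashlib.sha256()
    bytes_copied = 0
    started = datetime.now(timezone.utc)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            bytes_copied += len(chunk)
    record = {
        "case": case_ref,                      # placeholder values in the demo
        "examiner": examiner,
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "bytes": bytes_copied,
        "started": started.isoformat(),
        "finished": datetime.now(timezone.utc).isoformat(),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_of_file(image_path),   # re-read from disk, not reused
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(image_path + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path):
    """Later check (before analysis, or when challenged in court): does the image
    still hash to the value recorded at acquisition time?"""
    with open(image_path + ".json") as f:
        record = json.load(f)
    return sha256_of_file(image_path) == record["image_sha256"]


def demo():
    """Self-contained run on a constructed 3 MB 'device'. Returns
    (verified at acquisition, verified afterwards, verified after tampering)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "sdb.raw")
    img = os.path.join(tmp, "sdb.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))   # odd size: the last chunk is short
    record = image_device(src, img, examiner="A. Examiner", case_ref="CASE-0001")
    ok_before = verify_image(img)
    with open(img, "r+b") as f:                # flip one byte of the image
        f.seek(1000)
        original = f.read(1)
        f.seek(1000)
        f.write(b"\x00" if original != b"\x00" else b"\x01")
    return record["verified"], ok_before, verify_image(img)


if __name__ == "__main__":
    print(demo())
```

Hashing the source as it is read and hashing the image file as a separate pass is deliberate: it catches a write that silently failed or a storage medium that corrupted a block, which reusing the source hash for the image would not.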

  7. Can you tell me who sent a specific email?

If the email came from a webmail account (Gmail, Hotmail etc.), then almost certainly not. The originating address in the message headers will merely refer back to the provider’s server (Google or Microsoft, for example), and the providers will almost never give up account holder details without a court order. If the email was sent through a corporate mail system, the Received headers may record the source IP address of the sending machine, but it is pretty rare that this is the position.

  8. Can you tell me when a specific email was sent or received?

Generally a received email contains metadata from which provenance can be determined. Each mail server that handles the message on its way from the sender’s server to yours adds a “Received” header carrying its own timestamp, and that chain can be analysed. The copy in a sender’s Sent Items folder, by contrast, is written locally before the message ever reaches a server, so it carries none of those server-added times and dates; the only timestamp on it comes from the sender’s own clock. So, in the absence of a read receipt, the sender’s own copy cannot prove that the email was delivered or read; for that you need the receiving side’s copy or the mail server logs.
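An added example (not from the original post) of what the Received chain looks like to an analyst, using Python’s standard email module. Both messages are constructed: one as it arrived in the recipient’s mailbox with two Received headers, and the same message as the sender’s Sent Items copy, which has none. Host names and addresses use documentation ranges, not real servers.

```python
import email
import re
from email.utils import parsedate_to_datetime

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message as it sits in the recipient's mailbox. Real headers are
# longer; the shape (newest hop at the top) is what matters.
RECEIVED_MESSAGE = """\
Received: from mx.corp.example (mx.corp.example [198.51.100.7])
 by mailstore.corp.example with ESMTP id k9XyZ
 for <alice@corp.example>; Mon, 02 Mar 2015 09:14:25 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.5])
 by mx.corp.example with ESMTPS id 7abc;
 Mon, 02 Mar 2015 09:14:22 +0000
From: Bob <bob@sender.example>
To: alice@corp.example
Date: Mon, 02 Mar 2015 09:14:20 +0000
Subject: Invoice 4471

Please find the invoice attached.
"""

# The same message as the sender's Sent Items copy: client-set Date only, no hops.
SENT_ITEMS_COPY = """\
From: Bob <bob@sender.example>
To: alice@corp.example
Date: Mon, 02 Mar 2015 09:14:20 +0000
Subject: Invoice 4471

Please find the invoice attached.
"""


def received_timeline(raw):
    """Parse every Received header into {by, from_ip, time}, oldest first.
    Servers prepend their header, so on the wire the list is newest-first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())            # unfold continuation lines
        header, _, stamp = value.rpartition(";")   # the timestamp follows the last ';'
        by = re.search(r"\bby\s+(\S+)", header)
        ip = IP_RE.search(header)
        hops.append({
            "by": by.group(1) if by else None,
            "from_ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return list(reversed(hops))


def origin_ip(raw):
    """Address recorded by the first server that accepted the message. For webmail
    this is the provider's outbound server, not the person at the keyboard."""
    hops = received_timeline(raw)
    return hops[0]["from_ip"] if hops else None


def transit_seconds(raw):
    """Seconds between the first and last server-recorded timestamps, or None
    when the message carries fewer than two hops (e.g. a Sent Items copy)."""
    hops = received_timeline(raw)
    if len(hops) < 2:
        return None
    return (hops[-1]["time"] - hops[0]["time"]).total_seconds()


if __name__ == "__main__":
    for hop in received_timeline(RECEIVED_MESSAGE):
        print(hop["time"].isoformat(), hop["from_ip"], "->", hop["by"])
    print("origin:", origin_ip(RECEIVED_MESSAGE), "transit:", transit_seconds(RECEIVED_MESSAGE))
    print("sent items copy hops:", received_timeline(SENT_ITEMS_COPY))
```

Only the Received header added by your own server (the top one) is trustworthy; the ones beneath it were written by other people’s servers and can be forged by a sender who controls the first hop, so the chain is read from the top down and each hop is checked against the one above it.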

  9. Can you tell me who I should call and when?

Yes, absolutely. You should call us straight away. All of our pre-consultancy services are free of charge, so we will be able to tell you what can be done and how we can help, quickly and at no cost. Simply call 0207 549 9600 and ask to speak with a member of the forensics team.

Only write the novel when you can solve the crime

A forensic mystery at Churchill War Rooms

When I first started as a Trainee Computer Forensic Analyst the sage advice I received from my manager was (as best as I can remember) “There are two types of people in this business: those that sit around figuring out how to commit a crime and the others that actually do it”.

When Tracey Stretton first suggested that my ‘creative’ imagination ought to be used for a “CF Murder Mystery” event I reeled.  Where do you start? How can I make it believable? What details are necessary for a mystery story?

By far the quote I found most helpful was from Andrew Hixson, of the James Bond short stories.

“I only write the novel when I can solve the crime”.

After the initial shock had worn off I quickly realised that I had been given a free ticket.  Without any billable time pressures I could finally, once and for all, take the time to work out from start to finish all aspects of a full ‘crime’.

The core of the plot came about in our first brainstorming session.  The event was to be limited both in time and, as alcohol was likely to be involved, complexity.  We needed a Goldilocks computer security incident which was ‘just right’.

The simplest story is often the most believable, so it’s no surprise that we went with good old fashioned larceny.  After all, barring the consequences, we all can think of a way to steal data.

Between myself, Julian Sheppard and Tony Dearsley we collectively had enough stories about thieves and experience with thefts to provide a whole mini-series, not just one evening.

One of the more entertaining ideas we came up with was the discovery of a USB key found in the Channel Tunnel, equally laid on a rail across the Anglo-Franco border (The Discovery).  Unfortunately Sky Atlantic beat us to it and unveiled The Tunnel.  I still maintain that they took my idea and filmed an entire series in two weeks, just to throw me off!

Writing up the suspects and their backstory caused the most concern.  Each time I mentioned the name of an obscure fictional British or American spy there would be worried looks between colleagues.  “Is he day dreaming again?”, “What has this got to do with The War Rooms?”, “Why aren’t you on billable work?” was often asked.

Working out the details was easy once we had realistic characters.  Ultimately, for each of our suspects we laid out their motives and opportunities so as to leave a trail of clues to be picked out by our guests.  The plot becomes something far more interesting when we cheat and use the imagination of others to fill in the gaps.

In the words of Tolkien “Good stories deserve embellishment”, so it was decided that in order to describe a unique story we would need a unique visual guide.  This was Dial D for Data Theft, not Death by Powerpoint!

With judicious use of motion sickness inducing Prezi we were able to develop an interesting, if quirky, set of ‘slides’.

And then suddenly it was time for us to set out to the Cabinet War Rooms!

What a night it was! A perfect combination of story, location and audience.  Indeed the audience participation was, as I expected, the most inventive part of the presentation.

When asked why they thought a particular culprit was guilty, some of the answers were not exactly scientific:

“Shifty Eyes”
“He owns a Porsche.”
“She reminds me of my ex-wife”

However, my favourite quote of the night goes to the guest who wrote on his guessing card:

“It was Felix [because] his shirt is far too tight and he’s a liar!  There’s no way he’s 6’10”! 5’11” at MOST“.

Then, with a bottle of something nice to the winning entry from our audience (none of the above were winners, sadly) we wrapped up the evening with an exciting dénouement and final farewell.

Mrs. Brown with the USB drive in the HR Office

Have you ever wondered what the life of a Computer Forensic Consultant is like? What am I saying, of course you have, who hasn’t?

But set aside the fast cars, glamorous women and shaken beverages for the moment, and think about the work they perform. What is it to think like a Forensic Investigator, to seek out digital evidence and uncover the truth?

Well today (or Thursday 24th April to be more accurate) is your lucky day. Come and join us at the historic Churchill War Rooms for food, drinks and general conviviality, plus a chance to help conduct a true to life computer forensic investigation. Successfully pick out the shady perpetrator and enter the prize draw.

But bear in mind, as Sherlock Holmes once said, ‘There is nothing more deceptive than an obvious fact’ so be sure to look closely to figure out what is relevant and dodge the red herrings.

If you would like to come to the event then please sign up here:

We very much look forward to seeing you on the evening.

Is there a nephologist in the building?

Cloud computing

Nephologist  (nɪˈfɒlədʒɪst)
-noun (rare)
(meteorology) an expert or specialist in the study of clouds

The advent of cloud computing and cloud storage has undoubtedly had a huge impact on the business and forensic stratosphere. An increasingly common answer to the question “where is your data stored?” is a shrug of the shoulders and a point to the sky.

This can have a serious impact on the security of an organisation’s data and on any subsequent forensic investigation. No longer is the dishonest employee required to employ cloak and dagger tactics to smuggle hardware from the premises. No longer are we called upon to investigate physical items that can be removed to a secure lab and, as such, Computer Forensic investigators are becoming nephologists.

Data can be transferred, synced and/or downloaded outside the firewall in minutes, so it is more important than ever to know what data is vital to your business and who can access it. We recently undertook an investigation where an employee in a data-sensitive industry had installed a well-known cloud storage service, transferred thousands of files to it and then Googled “how to uninstall [cloud storage facility]”. The elapsed time from install to uninstall was a little more than four minutes, and if the internet history for the device had not been available, the outcome of that matter could have been very different.
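To show how a window like that four minutes is actually pinned down, here is an added example that is not part of the original post or Kroll Ontrack’s tooling. It reads the History database of a Chromium-family browser (Chrome, Edge), which stores visit times as WebKit timestamps (microseconds since 1601-01-01 UTC), and lists the ‘uninstall’ searches that follow a known install time. The install time, the history rows and the product name ‘cloudbox’ are all constructed placeholders, since the real service was redacted above:

```python
"""Pin down the 'install, copy, then search how to uninstall' window from
browser history. Added example, not part of the original post.

Assumes a Chromium-family browser (Chrome, Edge), whose History SQLite file
stores visit times as WebKit timestamps: microseconds since 1601-01-01 UTC.
Only the `urls` table is used; the `visits` table records every visit if
you need more than the last one. All timestamps and rows below are
constructed sample data; 'cloudbox' is a placeholder product name.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(ts: int) -> datetime:
    """Chrome's last_visit_time / visit_time -> timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def search_query(url: str) -> Optional[str]:
    """Search terms from a Google/Bing-style URL (the 'q' parameter), else None."""
    terms = parse_qs(urlparse(url).query).get("q")
    return terms[0] if terms else None


def load_history(conn: sqlite3.Connection) -> List[Tuple[datetime, str, str]]:
    rows = conn.execute("SELECT last_visit_time, url, title FROM urls").fetchall()
    return [(webkit_to_datetime(ts), url, title) for ts, url, title in rows]


def uninstall_searches(history, installed_at: datetime,
                       window: timedelta = timedelta(minutes=30)):
    """Searches containing 'uninstall' made within `window` after the install.

    Returns (visit time, query, elapsed since install) tuples, oldest first.
    """
    hits = []
    for when, url, _title in history:
        if not installed_at <= when <= installed_at + window:
            continue
        query = search_query(url)
        if query and "uninstall" in query.lower():
            hits.append((when, query, when - installed_at))
    return sorted(hits)


# Constructed: on a real machine the install time comes from the installer's
# log, the Prefetch entry or the uninstall registry key.
INSTALLED_AT = datetime(2014, 3, 3, 10, 0, tzinfo=timezone.utc)


def build_sample_history() -> sqlite3.Connection:
    """In-memory copy of the relevant columns of Chrome's urls table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)"
    )
    sample = [
        (INSTALLED_AT - timedelta(hours=2), "https://intranet.corp.example/hr/reports", "HR reports"),
        (INSTALLED_AT + timedelta(minutes=4, seconds=12),
         "https://www.google.com/search?q=how+to+uninstall+cloudbox", "how to uninstall cloudbox"),
        (INSTALLED_AT + timedelta(days=1), "https://www.google.com/search?q=weather+london", "weather london"),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, 1, 0, ?, 0)",
        [(url, title, datetime_to_webkit(when)) for when, url, title in sample],
    )
    return conn


def demo():
    return uninstall_searches(load_history(build_sample_history()), INSTALLED_AT)


if __name__ == "__main__":
    for when, query, elapsed in demo():
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  +{elapsed.total_seconds() / 60:.1f} min  {query!r}")
```

Against a real machine, point sqlite3.connect at a copy of the user’s History file (the browser holds a lock on the live one) and replace build_sample_history. The timestamp conversion is the part people get wrong: Chrome’s epoch is 1601, not 1970, and the unit is microseconds, so a value treated as a Unix time will land centuries out.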

There are clearly huge business advantages to the cloud. However, bearing in mind the strapline of one leading provider’s cloud service, “your stuff, anywhere”, the prudent business owner must exercise caution when choosing a cloud service for business-sensitive data.

If you do fancy a bit of atmospheric storage, Kroll Ontrack’s team of experienced ‘techno-nephologists’ are able to assist you in implementing a bespoke Forensic Readiness Plan to ensure that you are perfectly placed to prevent the loss of key data, and also on hand to help uncover key evidence if an incident does occur.

Into the Shadows

Some time ago, we received a request for digital forensic work. The scope of the enquiry was “a network administrator is under investigation and has deleted all of their email from the Exchange server, destroyed the backups, purged the dumpster, deleted their localised Outlook email content and then wiped all of the free space on their laptop. Can you find their email please?” Impossible?  Well, maybe not, because if you look in the darkest recesses of a computer you might get lucky; some data might be lurking in the ‘shadows’.

The Volume Shadow Copy Service (VSS) has shipped with Windows since XP and Server 2003, and on Windows Vista and Windows 7 it is ‘on’ by default, surfacing to the user as the ‘Previous Versions’ tab. It keeps point-in-time snapshots of the volume on the local drive, which Windows has ‘conveniently’ taken so that the user can restore previous versions of files or roll back a complete configuration through System Restore. In Windows 8 the service is still present and System Restore still relies on it, but the Previous Versions tab was dropped from the client interface in favour of the separate File History feature, so the snapshots are less visible but not gone.

Whilst these ‘shadows’ are invisible to a normal walk of the live file system, they can be enumerated with vssadmin list shadows and exposed as a directory, or read straight from the snapshot store with forensic tools, and they can include Internet history, pictures, documents and complete email containers (OSTs) that have since been deleted from the ‘live’ files of a user. Consequently, it was time to get out the forensic toolkit!

After a few hours of analysis, we recovered the network administrator’s complete OST email container, 2.5GB in size and holding over 3,000 emails spanning two years. It included the incriminating evidence that the client wanted (and the administrator had tried to hide), showing that the administrator had been accessing other people’s email accounts without authorisation and collating sensitive HR material within their own email account.
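The two steps above, finding the shadows and then searching inside them, as an added example that is not the investigators’ own tooling. It parses the output of vssadmin list shadows (run from an elevated prompt on the live machine, or on a forensic image booted in a Windows VM), builds the mklink command that exposes a snapshot as an ordinary directory, and walks it for OST and PST files. The vssadmin output, hostname, GUIDs and the user profile it searches are constructed sample data:

```python
"""Enumerate Volume Shadow Copies and hunt for mail containers inside them.
Added example, not the original investigators' code.

Windows exposes each snapshot as a device path under \\?\GLOBALROOT; a
directory symlink to that path (trailing backslash required) lets ordinary
tools read the snapshot. The vssadmin output below is a constructed sample.
"""
import os
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 14/01/2014 09:12:01
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{0f0f0f0f-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WKSTN-ADMIN01
         Service Machine: WKSTN-ADMIN01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {66666666-7777-8888-9999-000000000000}
   Contained 1 shadow copies at creation time: 21/01/2014 18:40:33
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Original Volume: (C:)\\?\Volume{0f0f0f0f-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WKSTN-ADMIN01
         Service Machine: WKSTN-ADMIN01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""


@dataclass
class ShadowCopy:
    id: str
    created: Optional[str]   # as printed by vssadmin, in the machine's locale
    volume: str
    device: str              # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN


def parse_vssadmin(text: str) -> List[ShadowCopy]:
    """Line-oriented parse of `vssadmin list shadows`; a set may hold several copies."""
    copies, created, current = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contained "):
            created = line.split("creation time:", 1)[1].strip()
        elif line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "created": created}
        elif line.startswith("Original Volume:"):
            current["volume"] = line.split(":", 1)[1].strip()
        elif line.startswith("Shadow Copy Volume:"):
            current["device"] = line.split(":", 1)[1].strip()
            copies.append(ShadowCopy(**current))
            current = {}
    return copies


def mount_command(copy: ShadowCopy, mount_point: str) -> List[str]:
    """cmd.exe command that exposes the snapshot as a directory.

    The trailing backslash on the device path is mandatory: without it the
    link is created but cannot be traversed.
    """
    return ["cmd", "/c", "mklink", "/d", mount_point, copy.device + "\\"]


def mount(copy: ShadowCopy, mount_point: str) -> None:
    """Needs an elevated prompt on Windows; no-op on other platforms for this demo."""
    subprocess.run(mount_command(copy, mount_point), check=True)


def find_mail_containers(root: str, suffixes=(".ost", ".pst")) -> List[Path]:
    """Walk a (mounted) snapshot for Outlook mail containers, case-insensitively."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                found.append(Path(dirpath, name))
    return sorted(found)


def run_demo() -> List[str]:
    """Constructed stand-in for a mounted snapshot: a fake profile with two containers."""
    with tempfile.TemporaryDirectory() as snapshot:
        outlook = Path(snapshot, "Users", "netadmin", "AppData", "Local", "Microsoft", "Outlook")
        outlook.mkdir(parents=True)
        # OST/PST files start with the magic bytes '!BDN'; header padded for realism
        (outlook / "netadmin@corp.example.ost").write_bytes(b"!BDN" + b"\0" * 28)
        (outlook / "Outlook.sharing.xml").write_text("<sharing/>")
        docs = Path(snapshot, "Users", "netadmin", "Documents")
        docs.mkdir(parents=True)
        (docs / "archive2012.PST").write_bytes(b"!BDN" + b"\0" * 28)
        return [p.name for p in find_mail_containers(snapshot)]


if __name__ == "__main__":
    for copy in parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT):
        print(copy.created, copy.device, " ".join(mount_command(copy, r"C:\shadow")))
    print(run_demo())
```

On a live system the sequence is: parse the real vssadmin output, call mount() for each copy in turn, run find_mail_containers over the mount point, then rmdir the link. Working from a disk image rather than a live machine, the libvshadow tools expose the same snapshots offline without booting Windows.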

In conclusion, when all else fails and you think there is no hope, have someone train a light on the shadows, you might be in luck.

About Julian Sheppard

Julian has extensive experience with a broad spectrum of criminal and data breach investigations, computer security compliance and auditing. With a counter-intelligence background specialising in information systems and document security, he is trained and certified in digital forensic examination techniques by various government, local and international law enforcement agencies. Prior to joining Kroll Ontrack, Julian spent 22 years in the Royal Air Force Police, serving within the SIB Computer Forensics Unit on military and civilian police investigations. Since leaving the military, Julian has worked as a digital forensic specialist on several high-profile criminal cases for law enforcement and on civil cases. Julian has experience presenting in court as an expert witness and is an EnCase Certified Examiner (EnCE).

E-Discovery and E-Investigations Forum 2013

Visits to countless hotels with their endless Las Vegas-style psychedelic carpets, exchanging a metric ton of business cards with sales folk in shiny suits, shinier badges and yet shinier teeth, and a veritable bounty of canapés and food on sticks that so epically fails to satiate one’s hunger. All of the above can only mean one thing: conference season is well and truly upon us.


Rob and Luke at AKJ

It is that time of year when the legal technology industry crams a quarter’s worth of conferences into a three-week period, so that everyone can feel slightly more comfortable with the fact that everyone will be mentally checked out from mid-November until we are safely into 2014 and our New Year’s resolutions require us to work harder.

But the season isn’t all pretentious canapés and teeth whitening; it can’t all be fun and games! Occasionally, as a subject matter “expert” in one’s field, you are asked to share your knowledge with a room full of strangers, and that is precisely what I was asked to do when chairing a panel discussion entitled “Protecting data in business and in investigations”. I was joined by Martin Pratt, Head of the Employment Group at Gordon Dadds Solicitors in Mayfair, and E.J. Hilbert, Head of Cyber Security at Kroll Advisory Solutions and regular creator of audible gasps as he tells people of his eight years spent as an FBI Special Agent countering international hacking (no PRISM jokes please).


Luke at AKJ

The discussion was incredibly well received and the feedback has been overwhelmingly positive. Huge thanks for this must go to the two gentlemen mentioned above, whom I, in a Dimblebyesque way, merely pointed in what I hoped was an interesting direction before letting their vast experience and expertise come across to the audience. I know from feedback that some even took helpful hints back to the office with them that day. I can hear you all thinking: “Luke, helpful takeaways from a conference seminar? Such a thing does not exist; I just go for the chicken ballotine with quince jelly.”

At a high level, the points are basic. For external threats, it’s all about educating staff. The identity of the external threats may have shifted, but their methods are repeated ad nauseam. As long as people use their dog’s name or favourite football team as a password, attackers will guess it. As long as people follow links, even those that appear to come from a trusted source, the attacker’s ‘email to click’ ratio will remain high and phishing remains viable. So swap your obvious password for a phrase: you won’t forget a long phrase in a hurry, and every extra word multiplies the work a brute-force attack has to do. Just avoid famous quotations such as “tobeornottobe”, which sit in every attacker’s wordlist, and string together words that don’t belong together instead. And instead of clicking the link you’ve been sent, Google the organisation’s name, find the genuine site and then decide whether to trust that email or not.
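The ‘appears to come from a trusted source’ trick usually lives in the link itself: the visible text names a domain you know, the href goes somewhere else. As an added example that is not from the original post, here is a check over an HTML email body that flags exactly that mismatch, plus hosts that merely contain a trusted domain name (trusted-bank.example.secure-login.example). The message and the TRUSTED_DOMAINS allow-list are constructed, using reserved .example domains:

```python
"""Flag links in an HTML email whose visible text points somewhere other than
the real destination. Added example, not part of the original post.

Assumes the email body has already been extracted as HTML. SAMPLE_EMAIL is
constructed; TRUSTED_DOMAINS is a hypothetical allow-list to be replaced
with your own organisation's domains.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"trusted-bank.example", "corp.example"}  # hypothetical allow-list

SAMPLE_EMAIL = """\
<html><body>
<p>Dear customer,</p>
<p>Your statement is ready: <a href="https://www.trusted-bank.example/statements">trusted-bank.example</a></p>
<p>We noticed unusual activity. Please verify your account at
<a href="http://trusted-bank.example.secure-login.example/verify"><b>https://www.trusted-bank.example/verify</b></a></p>
<p><a href="https://mail.corp.example/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element, including nested markup."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> Optional[str]:
    """Lower-cased hostname if `text` is a URL or bare host name, else None."""
    if not text or " " in text.strip():
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def registered_under(host: str, domain: str) -> bool:
    """True if host is `domain` itself or a subdomain of it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str) -> List[Tuple[str, str, List[str]]]:
    """Return (href, text, reasons) for each link that misrepresents its destination."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        target = host_of(href)
        if target is None:            # mailto:, relative links etc. are out of scope here
            continue
        reasons = []
        shown = host_of(text)
        # Rule 1: the text shows a host, and the link goes to a different one
        if shown and shown != target and not registered_under(target, shown):
            reasons.append(f"text shows {shown} but link goes to {target}")
        # Rule 2: the real host contains a trusted name without being under it
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted in target and not registered_under(target, trusted):
                reasons.append(f"{target} imitates {trusted}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Only the second link is flagged, for both reasons; the legitimate statement link passes because www.trusted-bank.example is a genuine subdomain of the shown host, and “Unsubscribe” shows no host at all so only the look-alike rule applies to it. A plain-text ‘click here’ link is deliberately not flagged by this check alone, which is why the advice above is still to find the original source yourself.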

For internal threats the message is more important than ever: control who can access data. Categorise it so that staff can reach the data their job requires and nothing else, and ensure that your employment contracts are fit for the modern workplace and regularly updated.

We have been asked to present further on this topic of data theft and loss in business, both at the E-Crime forum in Amsterdam on 28th November 2013 and as the final part of our current webinar series, which is set to broadcast in early December. They promise to be excellent discussions and, if at all possible, I strongly urge people to register and listen in.

Until then, look after yourself and each other.