
A Typical Week in Computer Forensics… Such a Thing?
Jérôme Torres Lozano is a Business Manager for Kroll Ontrack’s computer forensics service. He is responsible for managing a team of client managers and coordinating with consultants and investigators on nearly every engagement. He recently recorded highlights in a “typical” week and shares how there just may not be such a thing in the computer forensics world.
Monday - computer investigations
Another week begins and my commute to London is taking its toll. It is very early and already the e-mails are starting. Even before the sun has fully risen, I can tell this is going to be a week to remember!
By the time I arrive in the office an urgent meeting has been arranged with my team and the consultants to discuss the current projects we are handling and the need to potentially adjust the resource allocation.
Two urgent cases have just landed on our desks and the clock is ticking.
Agatha is already tied up with several cases this week: a court appearance for a legally aided case on the other side of the country and the other requiring an expert report, which must be completed by Thursday noon. A tall order, as there were 10 pieces of electronic media to investigate and a court date that was all too close. But nothing Agatha and the rest of the team haven’t seen before. Given all this, she is definitely not going to be able to help on the new jobs this week.
After some deliberation, a plan of attack is devised. Thomas is set to travel to the other side of the world to collect and filter highly confidential data in situ for an SEC enquiry - with his experience he is perfect for the job. His experience includes several high-profile collections and investigations for countless government regulators, law enforcement and national government agencies. His last trip, to a much less glamorous destination, yielded no postcards so we are definitely expecting something this time!
That was the easy part and now the fun really begins. Carol is urgently calling travel agents to arrange flights (window seat of course), transfers, accommodations and the necessary clearances for Thomas. Meanwhile, Thomas, who is going to be accompanied by Eugene, one of our new recruits, is busy packing all the equipment that will be needed on the mission. With so much kit to bring, Carol has to arrange for extra luggage allowances from the airline. So many boxes to tick and none of these details can be left to chance!
Tuesday - electronic evidence
Just as I see Thomas and Eugene off, I race back to the Board Room for an urgent meeting arranged at 9:30 last night. I have to meet two police officers from Wales who have come all the way to London to hand deliver two exhibits. The first is a CD believed to contain some images that they need retrieved. Only problem, it has been broken into two pieces! Given the sensitivity of the evidence on the CD, it heads directly to the clean room to the eagerly awaiting data recovery team. The other item they brought is a laptop found on the bank of a river not far away from the recovered body of a young man. Related or not, the data on that laptop drive needs to be recovered and thoroughly investigated.
With all the relevant paperwork completed, from chain-of-custody documents to tamperproof exhibit bags, the CD and water-damaged laptop drive are sent to our clean room technicians for data recovery. They like these types of recoveries, very rewarding when they are able to retrieve the data, they say.
Wednesday - data collection
My first order of business is to check in with Eugene and Thomas who have landed safely at their destination and already imaged eight hard drives before lunch! Next, I assign my colleague, Andrew, the Welsh Police projects and he checks in with the data recovery team and has some very favourable initial results! He’ll report back to the customer and give them a full status update.
With the recent jobs that came in and our consultants in various places around the world, I call a quick meeting with the department to have a status check on all active customer jobs. Fortunately, we were able to complete several reports and finalise investigations on a mobile phone and thumb drive for previous jobs in less time than anticipated so our resources are back on track. I’m spending the rest of my day with my team giving presentations to a law firm and a barrister’s chamber to help them understand the forensics process and even earn them some CPD points!
Thursday - IP theft investigation
Before I am even in the office, I am on the phone to another of our consultants. Vincent is briefing me on an intellectual property theft investigation he has been working on for the last week or so. He cannot contain his excitement because he has found the proverbial smoking gun! And I have to admit this one is too good to be true. Let me set the scene. The HR director of a large software company called us in a state of panic as ten senior members of staff had just resigned, leaving en masse. Naturally, suspicions were being raised that they planned to set up a business in direct competition. The client’s legal team needed evidence to get an injunction to prevent this happening. After clearly understanding the brief, our investigation ensued on the main suspect’s laptop. What Vincent uncovered was a series of little gems.
The first one was in the form of a business plan aptly entitled “Exit_Plan.doc”. Several versions of this document were found; although deleted, they were still present on the drive and contained the names of the employees that were going to leave and set up this new venture. This document was so detailed that it even included a timeline covering elements such as how part of our client’s customer database would be used and when the “group” were going to resign.
The icing on the cake proved to be records of an Internet site that had recently been used to register this new company website address! We are not always that lucky but these were rich pickings indeed. With the good news in tow, we arranged for an urgent meeting with the customer to present him with the findings. Needless to say, he was very grateful. Only a few hours later, we find out that the court date set for only a few weeks from now has been cancelled. Not surprisingly, the accused has settled and our testimony is no longer required.
Friday - forensic data recovery
As the week is winding to a close, I am informed that our clean room boys have done it again. In spite of the water damage and rust starting to form on the platters of the drive, they successfully recovered all the data. The CD recovery was trickier and not quite as successful but still some key files were retrieved and several partial files were recovered. All in all, both were considered a success and the Police were pleased to receive the call from Andrew.
Agatha reports in and says she presented that expert report on time despite her court appearance taking longer than expected. I call Thomas and Eugene and they were able to collect all the data from more than five different media formats, and still have time for a spot of shopping at the airport! They will be back late this evening and likely spending part of the weekend carefully filtering the data for a mid-week deadline.
I check my watch and notice the day is about over. I quickly decide to take one last look at my inbox before joining my colleagues at our usual Friday haunt. My attention is drawn to an email from my US counterpart: “Urgent Requirement – Computer analysis in Madrid”. I guess the usual Friday night haunt will have to wait this time!
Disclaimer
This document is neither designed nor intended to provide legal or other professional advice but is intended merely to be a starting point for research and information on the subject of legal technology. While every attempt has been made to ensure accuracy of this information, no responsibility can be accepted for errors or omissions. Recipients of information or services provided by Kroll Ontrack shall maintain full, professional, and direct responsibility to their clients for any information or services rendered by Kroll Ontrack.
Copyright 2007 Kroll Ontrack, Inc & Kroll Ontrack Legal Technologies Ltd.