IT Group was instructed to forensically examine a laptop belonging to the Managing Director of a company after suspicions about his conduct with a supplier were raised following a noncompliance situation.
IT Group was asked to forensically examine the MD’s laptop to find evidence that would establish the nature of the relationship between the MD and the owners and employees of the supplier company, with instructions to focus on any reason that the business relationship was benefitting one side more than the other, or that there was any potential conflicts of interest in the relationship.
It was clear from the start of the interrogation of the laptop that efforts had been made to limit the findings of the investigation. The machine’s Documents, Desktop and Downloads had been emptied and software tools designed for formatting hard drives and deleting files were found installed on the machine. An examination of the internet history revealed that such tools had been searched for previously via Google. Incriminating files and data from the file system had, to an extent, been successfully removed.
IT Group was, however, able to carve data from unallocated sectors of the disk resulting in the successful recovery of evidence. Further to this, evidence locations that were simply not known to the MD of the company led to a successful case being built. The MD had plugged in - and backed up - two previous iPhone devices to the machine, which IT Group was able to extract and analyse alongside the laptop device.
Although a relatively thorough job of deleting evidence from the laptop had been completed, the iPhone backups held the majority of evidence that was recovered during the investigation. Emails, text messages and calendar entries led IT Group to the final conclusion and helped contextualise the relationship between the two parties.
Text messages of a personal nature were recovered and presented as evidence of a conflict of interest, and even led to the uncovering of aliases by matching these against the phonebook entries.
|Aaron Pickett is a Digital Forensic Examiner at IT Group specialising in Information Security, Computer Forensics and e-Disclosure. Aaron holds accreditation from Bond Solon Expert Witness Training, as well as UFED Cellbrite Mobile Phone Forensics, using both of these to assist IT Group to
stay at the vanguard of the Legal and Forensic Computing sectors.