Background

As part of a bi-annual internal security audit. We were asked to review the findings of a report stating that no abnormal activity had been found by staff analysing various firewall and router logs.

During our review, one anomaly warranted further investigation. For the past month at 3am, on the same three days of the week the same workstation came to life. The initial review had attributed the activity to a poorly configured 'at' command and did not warrant further investigation.

Investigation

It transpired that the workstation in question was in one of the few areas it was possible to access without passing CCTV cameras covering the main entrances and walkways within the facility.

CCC was asked to monitor activity emanating from the workstation, as well as reviewing historical data. An examination of historical data determined that similar activity had not previously occurred. Electronic monitoring identified the activity as human as opposed to an automated command.

Further monitoring identified the activity being aimed at targeting systems relating to the research and development of new products. It was also possible to determine that an authorised user's of those systems credentials was being used to gain access to restricted areas of the network.

Following a combination of electronic monitoring and traditional surveillance, the person identified as being responsible for accessing the computer was found to be a cleaner employed by a contracted third party. It further transpired that 'the cleaner' was in fact an out of work research scientist who had been dismissed for what was described as 'inappropriate activity.'

Now looking for work, he was looking to either sell or use the information as a bargaining chip to gain employment a competitor of the client's. His knowledge of computer systems, had allowed him to identify a vulnerability in the system which he’d used to increase his privileges to administrative status, giving him unfettered access to all areas of the research network.

Surveillance also found him visiting a competitor of the client. However, action was taken to ensure the client's research would remain proprietary for a significant period and the 'cleaner' still looking for better employment.

For more information regarding any of the services associated with this assignment, please email:

[email protected]

Background

A long-standing client working in the Oil and Gas industry who was at the forefront of developing innovative technologies relating to identifying new sources of ocean borne energy had become concerned they were being targeted because of a break-in at an executive’s home where there was evidence of documents being examined but little taken. Our examination also found that items had been moved in an area where the telephone lines and routers that provided intra and internet services entered the property.

Investigation

Having been provided with rudimentary details of the client’s business and home networks, CCC deployed black boxes to monitor activity. Within days we found that their mail server and back-up servers were being targeted. With the source of the attack initially being identified as an existing legitimate third-party connection.

Further investigation found the email accounts being targeted belonged to members of staff working on the patent applications for the new technologies.

As the client trusted the third-party, and with their co-operation, we were able to identify a wireless access point of theirs which had been compromised. After a very short period of monitoring and on advisement our client took the view securing their systems was a more prudent approach, which they were.

For more information regarding any of the services associated with this assignment, please email:

[email protected]

Background

This is one of several cases which CCC has undertaken where there are similarities. A case that had already been running for a number of years before CCC became involved. That relates to identifying the ultimate beneficial owner of shares in an off-shore company. A company which at the time controlled significant assets. Where the true identity of the owner had been shrouded in secrecy. With public records recording layers of nominee companies or directors as having control. With off-shore nominee companies and quasi trusts located in various tax havens around the world being used for that purpose.

As with other cases, this came about because of an individual’s death and subsequent disclosure of their will. Which stated they were the ultimate beneficiary of the assets held by the company. The disclosure led to a number of legal challenges being made by various individuals with proceedings taking place in different jurisdictions.

The concealment of the ultimate beneficial owner had provided opportunities for others to make claims that, if successful, would have resulted in the rightful beneficiary losing out.

The estimated value of assets held being in the region of $45,000,000 USD.

As mentioned, the dispute had already been running for some years with several other unsuccessful investigations having taken place. With some clearly aimed at causing those named significant hardship, with their assets being frozen as they now fell within one of those claims they were close to destitution.

Investigation

Having received instructions, we were eventually given access to the data held on two ancient, non-working computers and an outdated mobile phone. We were also given access to more than 45,000 pages of hard copy documentation. Consisting of copied bundles of the same documentation and a small number of faded facsimiles, telex messages and handwritten notes dating from the 1970’s.

Using a combination of computer forensics, eDiscovery processes, combined with traditional investigation techniques. We were able to trace the history of the assets and recover documents which confirmed the purchase of the assets by the deceased through another nominee company formed prior to the existence of the companies that had been at the centre of this investigation.

From this point we were able to identify additional correspondence between the deceased and other parties in the USA and France using accommodation addresses during the 1980s. From which it was possible to identify a solicitor based in Paris who had acted on behalf of the deceased.

Searches of the data recovered from the computers identified two more firms of solicitors who at the time of interest had shared the same address. Both had been instructed by the deceased, one had been used for business activities, with the other being used as a document store, from which two further relevant documents were identified.

• One document being a ‘letter of wishes’ which related to a discretionary trust. The assets of which were the shares of the company owning the assets now valued at $45,000,000 USD.
• The other, a letter relating to the original purchase of those assets for just over $150,000 USD.

Through further investigation, we could also show that those challenging the will had also committed several criminal offences. Which if successfully proceeded with would not only invalidate their claim but also potentially bar them from continuing in practice within their current roles.

Say no more, job done!

For more information regarding any of the services associated with this assignment, please email:

[email protected]

The body of the finance director of an east European branch of a UK company had been found in his locked car. Having been discovered in a remote forested area favoured by lovers some distance from both his home and usual place of work. The cause of death, a single shot to the head. No firearm had been reported as being found either in or near the car and the local police had closed the case classifying it as suicide.

Having previously worked for the company on another matter, CCC were asked to assist with this investigation. The purpose of which was to establish the background surrounding the individual's death and whether any work-related matters had a bearing.

Investigation

Once at the regional offices, it soon became clear that most of the local management were either resentful of our presence or were being deliberately obstructive. Preventing access to the victim’s office, moving his workstation to another location and ‘losing’ his laptop and mobile phone having had them returned by the police without examination.

Effectively, the only way we were going to get unfettered access to the workstation and other potentially relevant information was to gain access overnight when the offices were closed and covertly obtain a forensic image of the data stored on the workstation. Which involved surreptitiously obtaining a spare set of office keys as well as the alarm codes from head office.

Having successfully obtained a forensic copy of the computer’s hard drive an analysis of the contents found that:

• On the day of our arrival, the workstation had been the subject of a lot of activity. With a large number of files being accessed and then deleted. Once recovered, these were found to be spreadsheets and other company trading documents.
• Found in the file slack were the remains of two false invoices created on the machine.
• Elements of communication between the victim and others which contained details of the location where the victim had been found.

Based on information found additional enquiries found:

• The victim to be the subject of blackmail.
• To service the extortion, he had been creating false records, including invoices, to cover the fact that he had been diverting company monies to make the pay-offs.
• The location where the body was found had been a regular meeting place for the exchange of monies.

Further analysis of the false invoices identified a loss close to £1 million.

An investigation into the victim’s background and lifestyle suggested that he had been involved with those responsible for blackmailing him for some time. And they in turn were associated with local organised crime. Having reached a point where he could no longer make payments, he was murdered. The association with the local Mafia it transpires was the reason for the Police’s early classification of the case as suicide.

Note:

Given the apparent collusion between local police and organised crime a corporate decision was made that no further action be taken.

For more information regarding any of the services associated with this assignment, please email:

[email protected]

Background

We were contacted by one of our clients who had received an SMS message from an unknown mobile phone number demanding the payment of several million euros. Non-payment would result in the publication of compromising information potentially resulting in greater loss.

The Client’s request was that:

• Those responsible be identified, and then dealt with in such a way that they were no longer a threat.
• That the investigation, findings and result remain confidential and did not find their way into the public domain.

Investigation

Through a series of communications with those making the demands limited information was provided in an effort to demonstrate their capability to fulfil their claims.

Enquiries in relation to the phone number associated with the messages. Only identified, the service provider, country of origin and that the number was from a range associated with ‘pay as you go’ services.

The blackmailers were then informed that the client had appointed an agent to act on their behalf who they would have to deal with using email, which they agreed too.

An e-mail account with an appropriate domain name, together with mobile communications, was set up. That if searched for, would appear to be associated with a country in which the client was well known.

A series of further SMS communications took place seeking further proof of the existence of compromising material, which the blackmailers reluctantly agreed to provide via an anonymized e-mail account. Sending a photograph as an attachment which they were unable to do via their phone. The information within the email provided sufficient information to trace the message as originating from an internet café in southern Europe.

Physical surveillance of the café was organised to coincide with the response and a call to being made to the blackmailers, which in turn led to identifying four individuals, one of whom was a former employee of the client.

Local legislation allowed for ex parte orders to be obtained, allowing for all copies of potentially damaging material and electronic storage devices to be seized and destroyed.

The blackmailers were also required to sign a form of NDA admitting their part in the crime which if not complied with would result in them serving a term of imprisonment.

Note:

When early copies of the ‘damaging material’ were forensically examined, they were found to be composites created using sophisticated technology. With copies of the originals used being found in an encrypted file on one of the blackmailer’s laptops.

For more information regarding any of the services associated with this assignment, please email:

[email protected]