Case Studies and Assignments – What we do
Having provided expert witness testimony, relating to computer forensic examinations for over two thousand five hundred criminal cases.
We have also undertaken digital investigations together with a number of complimentary services for both civil and corporate clients.
Either to assist with, resolution, recovery or litigation support.
A small sample of which are detailed below:
Note:
- Due to the confidential nature of assignments, information which lead to the identity of clients has been removed.
- A small number of anonymised reports, providing greater detail of our capabilities, are available upon request.
Investigations
Murder & Blackmail - Eastern Europe - Finance Sector
Background
The finance director of an East European branch of a UK company was found dead in his car. With a single shot to the head. The car having been discovered in a forested area, some distance from where he lived and worked. Local police had investigated the matter and classified it as suicide. Despite their being no suicide note, the car being locked, and no firearm being found in or around the car!
CCC were tasked with attempting to establish the real reason for the individual’s death. Including, whether any work-related matters could have a bearing.
Investigation
Having arrived at the regional offices, it soon became apparent that local management were, extremely economical with the truth. Neither would they allow access to the victim’s workstation. Stating that it had been re-allocated, his laptop and mobile phone having disappeared. Obtaining any kind of information was proving more than a little difficult.
The only way of getting access to the workstation was to visit the premises overnight when unoccupied and covertly obtain a forensic copy of the data stored on the workstation. Which head office agreed too and were able to provide alarm codes. Then without the knowledge of others, we were able to obtain a spare set of keys for the premises. The exercise was undertaken, and a forensic image of the hard drive obtained.
Forensic Examination
An analysis of the contents identified:
- A number of deleted files including spreadsheets
- Partial elements of false invoices.
- Details of the location of where the victim had been found
These were believed to be within a communication the victim had with others
The information demonstrated that:
- The victim was being blackmailed
- He had been creating documents and records to cover the fact that he had been using company monies to make the pay-offs.
- The location in the forest appeared to be their meeting place.
Further analysis of the false invoices created showed that the monies amounted to close £750,000.
Further investigation into the background of the victim and his lifestyle. Suggested that those involved with the blackmail, were likely to be associated with a local organised crime syndicate. And, having either refused or been unable to make any further payments. He was murdered to prevent him from possibly identifying those responsible for the extortion. Which also potentially explained, the police’s classification of the death.
Note: Due to the classification of the case and other company specific risk factors. No further action was taken, and neither was the matter ever reported on by the media.
Blackmail - Personal - Europe
Background
One of our clients received an SMS message, threatening blackmail, by placing compromising information into the public domain. They were asking for several million euros.
The client wanted those responsible, identified and dealt with without bringing the matter into the public domain.
Investigation
Enquiries in relation to the phone number associated with the messages. Only identified, the likely service provider, country of origin and that the number was from a range associated with ‘pay as you go’ services.
The blackmailers were told that the client would not deal with them directly and they would have to go through an intermediary. A confidant of the client’s would act on his behalf, which they agreed too.
As a consequence, an e-mail account with an appropriate name and mobile communications were set-up. That if searched for, would appear to be located in another country.
After a number of SMS communications, some seeking proof of material. The blackmailers agreed to communicate via e-mail, sending attachments they were unable to send via the phone. This provided an IP address, that was traced to an Internet cafe they were using.
Physical surveillance, at the café, timed to coincide with a phone call identified four individuals responsible.
Local legislation allowed for an ex parte order to be obtained, which in turn meant that all copies of potentially damaging information could be acquired, along with all electronic storage devices.
The blackmailers were also required to sign confidentiality agreements or risk the prospect of a lengthy term of imprisonment.
Asset ownership dispute - Off-shore tax havens
Background
This case is one of a number of cases that CCC have been involved, which have certain similarities. Due to the nature of this type of case, it has been running for a number of years and relates to:
Identifying the ultimate beneficial owner of a controlling interest in shares of an off-shore Company, the assets of which have a significant value.
The true identity of the owner having been shrouded in secrecy, with public records showing the owner and directors to be nominees. Using a number of off-shore nominee companies and trusts, located various well know tax havens around the world.
As with the other cases, this came about with the death of an individual and the subsequent disclosure of their will. In which, the company and its assets were to be distributed to heirs, leading to a number of legal challenges being made by various individuals with various proceeding staking place in two jurisdictions. In essence, the concealment had provided an opportunity for others to make an opportunistic claim, which if successful would have resulted in rightful beneficiary losing out.
The estimated value of assets in the region of $75,000,000 USD.
The dispute had been running for some years, with others having tried, without success to establish the truth.
Investigation
Having received instructions, we were able to gain access to the data held on two very old, non-working computers and an old mobile phone. We were also given access to some 45,000 pages of hard copy documentation, some faded and handwritten, relating to various companies and other entities, some dating back to the 1970’s.
Using a combination of computer forensics, eDiscovery processes, combined with traditional investigation techniques. We were able to trace the history of the assets, and their purchase original purchase by a nominee company, using a solicitor, which we came to know was used by the deceased. From that point we found a correspondence address in U.S. that the solicitor and other parties had used as a forwarding address for the deceased during the 1980’s. Enquiries at the accommodation address revealed that the correspondence was forwarded to another solicitor based in Paris.
Searches of the data recovered from the computer revealed that two firms of solicitors resided at the address. One had been used occasionally for known business activities. Whilst the other, had been used by the deceased as a document store. Two of which were relevant to the investigation:
- One of the documents being a ‘letter of wishes’ relating a to a discretionary trust, the assets of which were the shares of the company owning the assets.
- The other a letter relating to the original purchase of assets for just over $150,000 USD
Through further investigation, we were also able to show that those challenging the will had also potentially committed a number of criminal offences, which if proceeded with…
Say no more, job done.
Intellectual Property Theft – Oil & Gas Sector - UK
Background
A new client involved in the development of innovative technologies relating to identification and extraction of other sources of energy had become concerned that they were being targeted by as a result of a break-in at one of the executive’s homes.
Investigation
Having been provided with rudimentary details of the client’s network. CCC deployed a black box and began to monitor the network for unusual activity. After a short while, activity was found whereby the client’s mail server and back-up, were being specifically targeted.
CCC were also able to identify the source of the attack as emanating from a legitimate third-party connection.
Further investigation established that specific the email accounts being targeted belonged to members of staff primarily responsible for the drafting and submission of patent applications on behalf of the client, effectively acting as a central point where information was collated.
Our client trusted the third-party and with their co-operation we were able identify a wireless access point close to a busy external area that had been compromised. Making it impossible to specifically identify those responsible for the attack.
The systems were secured, and additional recommendations were made to further protect communications and data.
Industrial Espionage – Consumer Sector - North America
Background
As part of a bi-annual internal security audit that had been undertaken. We were asked to confirm the findings of an examination of router logs which had not identified any abnormal activity.
One anomaly was found, where on the same three days of the week, for the previous four weeks, a workstation had come to life at 3 am, broadcasting packets of data. The audit team had deemed that this was as a result of a poorly configured scheduled command and did not warrant further investigation.
Investigation
CCC were asked to double check, by monitoring the activity and collecting more data than the router was able to do. From the examination of the additional data we were able to determine that following the schedule command further human activity was evident.
The workstation in question was found to be physically located in one of the few areas of a site, that it was possible to gain access to without passing CCTV cameras that were located at the main doors and majority of walkways.
As a result of further monitoring and a review of the activity already acquired that the user was targeting systems that specifically related to research and development systems. It was also possible to determine that an authorised user’s credentials had been obtained. Allowing a level of access to the network.
A combination of electronic monitoring and traditional surveillance established that:
A research scientist, having been dismissed was looking for employment. He’d been made aware that a competitor of our client, would look favourably on a person with useful information. As a consequence, he had identified the cleaning company responsible for the client’s premises and got a job with them. Having obtained legitimate access to the premises. He had been able to find a person’s user credentials. He had also been able to increase his privileges to administrative status and gaining unrestricted access to the sensitive research data, by sniffing a small segment of the network.
The subsequent physical surveillance of the suspect made it possible to identify the potential recipient of the research data. Allowing for legal proceedings to be initiated, preventing the use of the data by others for a significant period of time, leaving the ‘cleaner’ without a job!
Fraud Investigation (Covert) – Finance Sector – Balkans
Background
The head office of a global company became suspicious after unusually and unexpectedly low figures had been received from one of the regional offices. With little or no explanation as to the reasons for this and CCC were asked to investigate the matter, without the regional office becoming suspicious.
At the time the offices were in the process of having a new payroll system deployed, which presented an opportunity to visit the regional offices on the premise of assisting with installation and setup and local roll-out, while undertaking a covert internal investigation.
Investigation
As a result of gaining access to data, evidence was found showing that a number of the management team were in the process of setting up a rival company and had diverted client funds in order to do so. Some of which had been covered up, by falsifying internal accounts, reducing sales and increasing purchases.
A forensic examination of one of the suspects workstations also found evidence of false invoices being created that purportedly came from Suppliers. Information recovered from jump lists, also found references to other correspondence relating to the new Company, which had been created using the workstation, having been stored on a USB Key.
With the details of the new company known, other enquiries were made which further confirmed ownership.
During the course of setting up the company we were able to establish that a minimum of £5m had been diverted and used to purchase assets for the new company. The majority of those assets being recovered.
The result of which was that our client, went through a restricting process, would prevent this type of activity being undertaken on such a scale without detection.
Note: The new payroll system was successfully deployed!
Other Assignments
Security Review, Audit & Penetration Testing – Transport - UK
This project was conducted over an eight-month period for a FTSE 100 with more than one hundred locations in the UK.
Background
At the time the main entity had been in the process of taking over a number of other companies, some of which would have been considered ‘hostile’.
As a consequence, variety of problems were being encountered, that were beginning to have an adverse effect on business. These included being subjected to a number of malicious computer attacks. Including the introduction of viruses and other rogue programmes and the physical destruction of hard drives containing critical systems and data, by causing the systems to short circuit. By strategically placing a screwdriver across the positive and negative terminals.
Apart from this some of the ‘newco’s’ did not have any IT security policies or procedures in place. There was no commonality between systems. In short it was all a bit of a mess.
With IT security related incidents occurring in quick succession, putting at risk company assets and insufficient internal resources CCC were asked to:
- To provide I.T. with a long-term workable security solution across all networks, reducing incident and risk.
- Investigate recent incidents and provide a workable interim security solution for critical systems.
- Seek to identify any ‘habitual’ rogue employees.
The first two elements were accomplished in three phases:
- Review and establish the level of security within the networks, identifying vulnerabilities and associated risks.
- Make recommendations to remove or minimise the risks to an acceptable level.
- Deploy recommendations, including the development, testing and roll-out of common secure builds across all connected businesses.
The review comprised of:
- External and internal penetration testing
System audit:
- Access control
- Operating systems
- Data
- Auditing policy
- Policy implementation
- Physical server security
Architecture:
- Remote access points
- Firewalls/Routers
- Mail servers
- Servers, UNIX and Windows
- SAP applications, including, operating system and underlying databases
- Telephone switches
- Rogue Wi-Fi access point audit
Deployment:
Resulting in the following being developed and rolled-out:
Secure builds:
- Servers, both UNIX and Windows based
- Desktops
- Laptop builds, including email and disk encryption for key staff
- The provision of an IT Security Policy, compliant with ISO/IEC 17799:2005
Additional areas covered, included:
A review of physical security in respect of critical systems, with the provision of recommendations where applicable.
- Telephone switches, to prevent external unauthorised access and internal misuse.
- SAP Servers
- Wi-Fi Access points
- Removal of rogue access points
- Provision of a bespoke intrusion detection system, providing the client with additional pro-active monitor capabilities.
Rogue employees
Although it would appear that a number of ‘rogue employees had been responsible for some of the initial the incidents, only one was positively identified during the course of this project, with action being taken.
Dual Verification
The unusual circumstances surrounding the incidents and subsequent sequence of events, caused the client to seek confirmation from a direct competitor. Confirming the quality of the work undertaken by ourselves.
Their conclusions were that, the work undertaken was methodical, using a systematic approach producing good results.
Third Party Review- Finance Sector - UK
Background
In a review for a finance house, we were asked to undertake an out of hours visit to one of their trading departments.
As in the past, the purpose was to establish whether it was possible to access confidential data on systems or be able to monitor the network.
Findings
Having undertaken similar exercises for the client in other departments, we were aware that part of policy stated that workstations should be switched off, when the user was not at work.
At the outset of the review, with no one else in the office, computer fans could be heard running. Two computers were found to have been left on next to each other. On examination, it was found that the employees had also managed to bypass another control. Allowing them to create schedule commands, effectively preventing their connections to both trading accounts and a bank account from timing out. At the time bank account had a balance close to £3,000,000.
The two employees had also prevented the computers activity lights from being seen by others. One, had covered the LED’s with blu-tack and the other by removing the LED lights from the housing in the workstation.
When asked, the employees said, that as the systems took so long to boot-up and connect. Every time they switched them off, it would take twenty minutes to get back on-line. By which time, any possible trading advantages for the day, were likely to be gone, thereby costing the company money. Although they knew it was contrary to policy, they seemed oblivious to the associated risks.
At one point, one of the employees tried to suggest that, the reason for switching the machines off, was that it was part a power saving exercise. – A more robust measures were subsequently deployed, preventing any re-occurrence.
Security Review – Penetration Testing & Provision of ISO 7799:2005 Security Policy – Oil & Gas Sector – UAE
Requirements:
As part of a global security review our client sought to:
- Establish whether current security measures in place provided adequate protection, and
- Create and implement an I.T. Security Policy and procedures compliant with ISO 7799:2005.
Services provided:
- An assessment of the client’s current network, identifying any potential weaknesses.
- The preparation of an RFP’s, to potential suppliers of both hardware and software for possible solutions to needs identified.
- The evaluation of responses and proposed solutions received by potential vendors.
- The supervision of the implementation of identified acceptable solutions.
- An audit of the client network after the implementation of solutions.
- The provision of an IT security policy compliant with ISO 7799:2005
- The provision of training in relation to the maintenance and management of information security, within the environment.
Our expertise and experience, uniquely combines electronic forensic skills, with an understanding of corporate finance.
Asset Tracing – Audit – Computer Security – Digital Forensics – Due Diligence – eDiscovery – Fraud Investigation
Intelligence Gathering -Passwords Analysis – Penetration Testing – Wireless Security
Services underpinned with expertise and experience.