IT forensics cases

The reality of business in any jurisdiction is that the errant or dishonest employee will happen. Likewise, the incidence of unethical management practices or the passing of key, unauthorized information to competitors for personal gain is simply never going to disappear.

As opposed to many consultancies, Corporate Due Diligence and Investigation does NOT typically recommend an immediate IT forensic or financial forensics audit when such suspicions arise. The turbulence created by such audits cannot always be undone, and an audit that does not reveal true, admissible evidence may often create disastrous legal controversy, especially in the face of the very pro-employee labor laws on the books throughout the CIS and CEE.

That said, there is a time and place for forensics audits. Usually, such audits are recommended following discreet external and internal OSINT and HUMINT phases to determine the true nature of the alleged infractions. Once the likelihood of such infractions is at least partially confirmed, and once the true issues of an investigation have been narrowed down to achievable goals, our financial and IT forensics teams step in.

Such a conservative approach protects you in the following fashion:

  • It guards you from perceived wrongful accusations that, whether true or not, may still be used against you in employment court or civil litigation.
  • It enables deeper knowledge of the purported infractions prior to expensive IT and financial forensics audits, thus allowing the creation of strategies ranging from legal prosecution to pre-emptive defense to negotiation and crisis PR.
  • The deep and discreet investigations prior to forensics enable you to avoid taking on too much risk with regard to data protection law.
  • In the end, narrowing down the final targets for internal forensics audits saves you money.

In practice, CDDI typically gets many types of requests. These include the following:

Scenario 1: Accounts and money have been diverted from the company. Although most assume that criminals have simply "hacked into the system," often there is someone inside the company who has leaked information. Based on such information, criminals then (much more effectively) hack into the company's IT system using very specific details that enable a true social engineering scam, i.e. the diversion of funds.

The following is a typical investigator approach to such a scenario (please keep in mind that all such scenarios differ, and approaches must be appropriately tailored to address the specific crime). Such an approach is often recommended after an external inquiry/detective investigation.

1a. Analysis of the security level of the computers and servers (mail server, VPN access, the network, etc.) is undertaken.

1b. Identification of people with access to the computers and servers. Investigative activities then target the behavior of those people over longer periods (not limited to the incident itself).

1c. Identification of persons with access to services, such as email accounts, VPN, etc. Follow-up IT surveillance is also undertaken to characterize the behavior of these individuals.

1d. Forensics unit investigations are then undertaken, which typically include:

    A. Making a 1 to 1 copy of computer hard drives (cloning)
    B. Making a 1 to 1 copy of server hard disks (cloning)
    C. Making a 1 to 1 copy of backup disks (cloning)
    D. Sealing computers
    E. Investigative activities performed on running systems (depending on the situation)
    F. Investigative activities carried out in the investigating laboratory

1e. At this point, investigators are prepared to produce the report, which covers:

    A. Preparations for the attack (incident description)
    B. Persons involved in the incident (company personnel, hacker, or both)
    C. How the attack was undertaken
    D. Evidence submission
    E. A proposal to counter similar situations

Scenario 2: A company president, vice president or director is sending sensitive information to a competitor (and getting paid or being promised a job). In such a situation the client often wants scans of emails, laptops, etc.

Here the primary investigative activities are conducted on the computer used by the person involved in the incident. Nevertheless, the mail server and all services provided by the company that are used to transmit information from or to the company must also be checked. Actions generally apply to a single unit and server and roughly represent the following:

2a. Identification of persons with access to said computer or server. Investigative activities are thus undertaken to determine the behavior of a person over a long period of time (not limited to the incident itself).

2b. Identification of persons with access to certain IT services present in the company, including email accounts and services that can be used to send information out of the company domain. Investigative activities here focus on illustrating a person's behavior over a longer period of time (not limited to the incident itself).

2c. Forensics unit investigations include the following:

    A. Creating a 1 to 1 forensic copy of the computer hard drive (cloning)
    B. Copying the server disk 1 to 1 (cloning)
    C. Creating a 1 to 1 copy of the backup disk (cloning)
    D. Sealing computers
    E. Investigative activities, which are then carried out in the investigating laboratory

2d. Once the above information is gathered, investigators produce the report, which covers:

    A. Proceedings (history of the incident)
    B. Evidence submission
    C. Proposals to counteract similar scenarios
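The 1 to 1 cloning steps in both scenarios only support the later evidence submission if the copy can be shown to be bit-for-bit identical to the original. The following is an added example, not CDDI's own tooling: it images a source device file in one pass, hashes the source stream and the written image independently, and appends the result to a chain-of-custody log. The device path and the patterned sample data are constructed for illustration.

```python
# Added example (not CDDI tooling): bit-for-bit image of a source device file,
# with SHA-256 of source stream and written image compared (verified 1-to-1 clone).
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB blocks, as with dd bs=1M

def image_device(src_path, img_path, chunk=CHUNK):
    """Copy src_path byte-for-byte to img_path and return an evidence record.
    The source is hashed in the same pass that reads it, then the image is
    re-read and hashed independently; 'verified' is False on any mismatch."""
    src_hash, size = hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            img.write(block)
            size += len(block)
        img.flush()
        os.fsync(img.fileno())  # image on stable storage before re-hashing
    img_hash = hashlib.sha256()
    with open(img_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            img_hash.update(block)
    return {
        "source": src_path, "image": img_path, "bytes": size,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }

def write_custody_entry(record, log_path):
    """Append the record as one JSON line to the chain-of-custody log."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")

def demo(mib=3):
    """Image a constructed stand-in 'device' (patterned bytes in a temp dir);
    return the record and an independently computed SHA-256 of the data."""
    data = bytes(range(256)) * (mib * 1024 * 1024 // 256)
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "sdb")  # hypothetical source device path
        with open(dev, "wb") as f:
            f.write(data)
        rec = image_device(dev, os.path.join(tmp, "sdb.dd"))
        write_custody_entry(rec, os.path.join(tmp, "custody.log"))
    return rec, hashlib.sha256(data).hexdigest()
```

On a real acquisition the source drive is attached through a hardware write-blocker so that reading it cannot alter the original, and the recorded hashes are what later lets the image be presented as evidence.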