Sampling of e-forensics Cases

Hired by the Plaintiff to carry out a Court-ordered production request. The judge was not satisfied with the documents produced by the Defendant, and ordered a computer forensic specialist to search the Defendant’s systems for responsive documents related to insurance claims filed against the moving company.

E-forensics went onsite and assessed all environments where ESI resided and where responsive documents could possibly be located. Data was located on two insurance claims systems (the company is self-insured). One was an older commercial application on an AS/400 using a DB2 database, and the other was a proprietary system using SQL Server. An SQL Server data warehouse and a commercially available document management system were also searched. In order to locate new responsive claims which the company had not produced, we wrote and ran various SQL queries, used BusinessObjects to query and analyze the MS SQL Server data, and wrote scripts to tally and remove duplicate hits.

The work resulted in the production of additional responsive documents.

Engaged by the carrier’s outside counsel to design and implement a forensic ESI acquisition and evidence processing plan in support of anticipated e-discovery requests. E-forensics devised a plan to forensically acquire ESI from various locations using Logicube’s MD5 and Encase. Files were extracted from active space and carved from unallocated space, pagefile.sys and hiberfil.sys; these files were then provided to an e-discovery service provider, who in turn staged them in Clearwell. The carrier’s e-mail format was Groupwise, and due to Clearwell’s inability to natively process Groupwise, we converted the e-mail to Microsoft PSTs.

Engaged by the Superintendent of Banks (SIB) and one of the Big 5 auditing firms to provide advisory services with respect to identifying all electronically stored information (ESI), developing a strategy for forensically acquiring relevant ESI, and preparing it for staging into an e-discovery platform. We met with SIB government officials, local lawyers and U.S. lawyers to define the scope and budget for the acquisition phase.

Upon approval, E-forensics traveled to the country and put together a local team to assist in forensically acquiring ESI. Tools used in the acquisition and hash verification included Encase, Logicube’s MD5 and FTK Imager. ESI was gathered from workstations, servers with internal storage, SANs with logical RAIDs, and log files from networking and internetworking devices.

E-forensics’ role was to act as the computer forensic specialist for a Court-appointed receiver, which was a forensic accounting firm. E-forensics was on the scene when the operation was seized, and assessed the technical environment in order to disconnect all remote connectivity and preserve all of the electronic evidence. Thereafter, e-forensics supported the receiver and the FBI with general e-discovery and by providing forensic images and reporting from the AS/400 and various servers and workstations. The case involved a factoring company which borrowed funds from the bank; after it defaulted on the loans, a lawsuit was filed. The lawsuit alleged that the owners of the factoring company had siphoned funds to other companies owned by them.

Upon arrival, e-Forensics assessed the environment and disconnected routers and modems. Thereafter, servers and workstations were shut down and the imaging process began using Encase and FTK Imager. Upon completion, images were staged for viewing in Encase and we started providing ad-hoc reports. E-forensics mounted e-mail for viewing, ran various keyword searches and carved unallocated space for all relevant Microsoft compound documents. Encase images were provided to the FBI at their request, and to opposing counsel. Mr. Peña testified for the prosecution as an expert witness and the electronic evidence was introduced through his testimony.

Hired by the Plaintiff in this case, we were asked to carry out a court order and forensically image twenty-five computers from the Defendant’s operation. Thereafter, we were directed by Plaintiff’s counsel to determine whether the source-code of the Defendant’s reservation management system originated from, or had as its genesis, the Plaintiff’s reservation system. The lawsuit entailed allegations that a former computer programmer and a sales executive started up a competing company after the non-compete period lapsed, but used the Plaintiff’s reservation software system as the core of their system.

E-Forensics assisted counsel in drafting the motion for the forensic acquisition protocol, and carried it out on the twenty-five computers. Thereafter, e-Forensics staged the Plaintiff’s system and the Defendant’s SQL Server based system side-by-side for GUI comparison. Keyword searches were executed using Encase on Plaintiff’s servers and developer workstations to ascertain if Plaintiff source-code existed. E-Forensics then examined the data schema of the Defendant’s SQL tables, compared it to the Plaintiff’s data structures, and noted, from the order and the case (upper/lower) of the field names, that the Defendant’s tables had been created either from an import of the Plaintiff’s files or by simply typing the field names while viewing the Plaintiff’s files.

Defendants deposed Mr. Peña on all computer-related aspects of the case. Thereafter, e-forensics provided expert witness testimony in one hearing, where it successfully demonstrated that the developer had changed the date on his workstation to deceive the Plaintiff in this case. Furthermore, it was shown that the Defendant had burned a copy of the Plaintiff’s source-code to a CD just prior to handing the computer over for forensic imaging.

E-forensics’ role in the matter was to perform forensic analysis and provide expert witness testimony on behalf of the Defendant. The Plaintiff filed a complaint alleging that the Defendant was gaining unauthorized access to the Plaintiff’s computer network, and thus to e-mail and other proprietary and confidential materials located on the network, in violation of various statutes.

Forensic analysis was primarily focused on firewall forensics, which entailed analysis of firewall logs and identifying and classifying rejected packets to determine the nature of the rejections. Analysis was performed on electronic evidence provided by the Plaintiff, and the case involved a few hearings and ultimately went to trial.
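The kind of reject classification described above, as an added example that is not part of the original case write-up: the log format, the sample entries and the category labels are all constructed for this illustration, not taken from any vendor or from the matter itself.

```python
import re
from collections import defaultdict

# Constructed sample of firewall reject entries (not real log data).
# Format assumed for this example: "<time> DENY <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2010-03-01T09:00:01 DENY TCP 203.0.113.7:51234 -> 198.51.100.10:22
2010-03-01T09:00:02 DENY TCP 203.0.113.7:51235 -> 198.51.100.10:23
2010-03-01T09:00:02 DENY TCP 203.0.113.7:51236 -> 198.51.100.10:25
2010-03-01T09:00:03 DENY TCP 203.0.113.7:51237 -> 198.51.100.10:80
2010-03-01T09:00:03 DENY TCP 203.0.113.7:51238 -> 198.51.100.10:443
2010-03-01T09:00:04 DENY TCP 203.0.113.7:51239 -> 198.51.100.10:3389
2010-03-01T09:05:10 DENY TCP 192.0.2.44:40001 -> 198.51.100.10:143
2010-03-01T09:05:11 DENY TCP 192.0.2.44:40002 -> 198.51.100.10:143
2010-03-01T09:05:12 DENY TCP 192.0.2.44:40003 -> 198.51.100.10:143
2010-03-01T09:05:13 DENY TCP 192.0.2.44:40004 -> 198.51.100.10:143
2010-03-01T10:30:00 DENY UDP 192.0.2.9:137 -> 198.51.100.255:137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_rejects(text):
    """Parse reject lines into dicts; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out

def classify_sources(rejects, sweep_ports=5, repeat_hits=3):
    """Group rejects by source address and label the pattern each source shows.
    The labels are this example's own categories, not a vendor taxonomy."""
    by_src = defaultdict(list)
    for r in rejects:
        by_src[r["src"]].append(r)
    summary = {}
    for src, rs in by_src.items():
        ports = {r["dport"] for r in rs}
        if len(ports) >= sweep_ports:
            label = "port sweep"                      # many distinct services probed
        elif len(rs) >= repeat_hits and len(ports) == 1:
            label = "repeated single-service attempt"  # same service hit again and again
        elif len(rs) == 1 and rs[0]["proto"] == "UDP" and rs[0]["dst"].endswith(".255"):
            label = "broadcast noise"                 # e.g. NetBIOS name query to broadcast
        else:
            label = "isolated reject"
        summary[src] = {"hits": len(rs), "ports": sorted(ports), "label": label}
    return summary
```

Thresholds such as `sweep_ports` and `repeat_hits` are tuning knobs; in a real review they are set from the baseline traffic of the network under examination.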

Hired by a Court-appointed Receiver on behalf of the Federal Trade Commission to assist in the seizure of a web hosting company which hosted many pornographic sites. The Defendant was accused of processing stolen credit cards.

On the day of the seizure, we entered as the computer forensic specialist for the Receiver and shut down all remote connectivity. In addition, we obtained all login credentials and worked with FTC computer forensic specialists on the acquisition of workstations and the logical acquisition of MySQL-based tables containing billing information. We performed velocity analysis of billed credit cards to identify trends of frequently used cards, and calculated revenue for varying periods. In a support role for the FTC, we provided the results of the analysis and copies of the billing records for the FTC to stage on their systems.
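Velocity analysis of billing records and revenue by period, as an added example that is not part of the original case write-up: the records, the card tokens and the thresholds are constructed for this illustration, and the sliding-window rule is one common way of doing it rather than the method used in the matter.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed billing records (card identifiers are placeholder tokens, not real card numbers):
# (card_token, charge_timestamp, amount_usd)
BILLING = [
    ("tok_A", "2009-06-01 10:00", 29.95),
    ("tok_A", "2009-06-01 10:02", 29.95),
    ("tok_A", "2009-06-01 10:05", 49.95),
    ("tok_A", "2009-06-01 11:40", 29.95),
    ("tok_B", "2009-06-03 08:15", 19.95),
    ("tok_B", "2009-07-03 08:15", 19.95),  # ordinary monthly rebill, one month apart
    ("tok_C", "2009-07-20 23:59", 99.00),
    ("tok_C", "2009-07-21 00:10", 99.00),  # crosses midnight: a per-day bucket would miss it
    ("tok_C", "2009-07-21 00:20", 99.00),
]

def _parse(records):
    return [(tok, datetime.strptime(ts, "%Y-%m-%d %H:%M"), amt) for tok, ts, amt in records]

def velocity_flags(records, window=timedelta(hours=24), max_charges=2):
    """Return {card_token: peak number of charges inside any sliding window}
    for cards whose peak exceeds max_charges.  A monthly rebill never trips
    this rule; rapid reuse of the same card does, even across a date boundary."""
    by_card = defaultdict(list)
    for tok, ts, _ in _parse(records):
        by_card[tok].append(ts)
    flagged = {}
    for tok, times in by_card.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop charges that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_charges:
            flagged[tok] = peak
    return flagged

def revenue_by_period(records, fmt="%Y-%m"):
    """Sum charge amounts per calendar period (month by default; pass "%Y-%m-%d" for days)."""
    totals = defaultdict(float)
    for _, ts, amt in _parse(records):
        totals[ts.strftime(fmt)] += amt
    return {period: round(total, 2) for period, total in sorted(totals.items())}
```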

Engaged by the Plaintiff to determine whether a former account executive had breached his employment contract. We forensically imaged the Subject’s computer using Logicube’s MD5, then staged and analyzed the forensic images in Encase. Through basic registry analysis, log files and examination of file date and time stamps, we established that the user had in fact misappropriated sensitive client information by copying the data to a USB thumb-drive. The Windows shortcut (link) files revealed that the user had accessed the client contact information from the USB drive after it was copied.

Engaged by the plaintiff to image the computers of the former developer and a few other co-conspirators, and (through Court order) the competing web servers and other computers belonging to the defendants. PHP and HTML source-code reviews and comparisons were performed between the Plaintiff’s and the Defendant’s web sites, and we opined in a Court-filed affidavit on the apparent theft of the Plaintiff’s code. In addition, we identified and parsed out the developer’s iPhone text messages from an iPhone .mddata file (an iPhone content backup created by synchronization with a computer) on his iMac desktop. Many of the SMS messages proved to be key evidence in the matter, as they shed light on the players involved and the means by which the content was ported to the competing sites. Moreover, the messages were instrumental in establishing a timeline of events.

The IT Manager of a South Florida firm was fired, and the following day the former employee logged into the network, brought down the Metro-E link, erased the Active Directory and cleared the Cisco router configurations, resulting in major disruptions to the business that endangered lives because staff were unable to review patient records and coverage eligibility.

E-forensics was called in to head up the electronic investigation and assist local law enforcement. We provided advisory services on bringing the system back online immediately after the relevant systems (computers and logs) had been preserved. An analysis was performed to reconstruct what had occurred, which among other things revealed through the System event log that the former employee had logged in, initiated the deletion of users and shut down the Exchange Server. It was also learned that the employee had partially wiped a company laptop prior to returning the computer.

Findings and images were provided to the Assistant State Attorney’s computer forensics team, along with hash values and chain-of-custody documentation.

CONTACT

  • 800.967.7697
  • 305.667.4603
  • 305.667.4472
  • info@e-forensicsinc.com
  • 6262 Bird Rd. Suite 2B
  • Miami, Florida 33155