Author: Bradley J. Bartram, Vice President of Information Technology & CTO
Sometimes engagements require more than the standard level of service and expertise. It is no secret that anyone with sufficient room on a credit card can purchase forensic software and a computer to drive it. Unfortunately, it takes more than a suite of software or a high-powered computer to satisfy some situations. More often than not, seeing results depends heavily on experience with a broad range of software and hardware configurations and on the cleverness an examiner develops over years of experience.
Take, for example, the case of a client who dismissed a senior executive. This company allowed senior management users to use issued devices with very little oversight. In this case, the executive was using an Apple Macintosh laptop. The company had been watching various activities of this executive for a while, as they appeared to be suspicious and cause for concern. When the executive caught wind of the investigation, he began taking advantage of the Macintosh operating system’s built-in encryption and encrypted his entire home directory, along with all records of his activities on the company-owned laptop computer.
After the executive was terminated, the company decided to retain the services of a forensic consultant (not DIGITS), who promptly scanned the laptop’s hard drive with a standard forensic suite and obtained only one result. The examiner was not fluent in Macintosh computers, but recognized the encrypted directory and informed the company that no further results were possible.
The company decided the answer provided by their forensic consultant was not good enough and hired DIGITS. We were able to leverage our knowledge of the operating system to get enough relevant information on the software versions running on the laptop to realize some data might be available. Through much research on the algorithms used and sifting through raw, unstructured data, DIGITS was able to recover over 81,000 items from the encrypted drive including Microsoft Word documents, Excel spreadsheets, PDF files, Internet History and Cache data, and two complete non-company related email boxes being used for communication with the company’s direct competitors.
In the end, the company was pleased to be able to take action against their employee with proof in their possession provided by DIGITS. Ultimately, it was our experience and training that allowed DIGITS to be successful in recovering data from a piece of evidence that a user had taken affirmative steps to render unrecoverable.
Other forensic examiner – 1; DIGITS – 81,000