Computer Forensics Inc. Electronic Evidence Experts
What's New? Tip of the Month Site Map
What's New? - Press Releases

Examples of Computer Forensics in Action

Don’t Jump to Conclusions…

A children’s education company had concerns that a management level employee was downloading web pages containing inappropriate adult images. While transferring files from the manager’s old laptop to a new laptop, an IT department employee noticed some images unsuitable for the workplace. The manager’s old laptop was immediately confiscated and sent to CFI for analysis. After a complete forensics analysis of the imaged hard drive, a small number of adult images were found on the manager’s laptop. Because they had been sent as email attachments, CFI was able to confirm that the management employee had not downloaded them from the Internet. CFI also confirmed there was no evidence of Internet browsing on inappropriate sites. Thanks to the unbiased and diligent examination by CFI’s forensic specialists, the management employee did not lose his job.

Link Files Link Evidence…

When a group of employees left one company to join a competitor, the former employer believed the employees had misappropriated its customer list. The former employees denied taking the list. The company hired CFI to examine the computers used by the former employees to see if there was evidence to the contrary. When the entire customer list was found on the former employees’ old computers, along with evidence that the customer list had been copied onto removable media, CFI examined the computers the employees were using at their new place of employment. The employees’ current computers contained a link file that indicated the customer list had been copied from removable media. CFI found the entire client list in the unallocated space on one of the hard drives. This evidence allowed the former employer to obtain an injunction prohibiting the former employees from contacting any of the names on the list on behalf of their new employer.

The Foiled Switcheroo…

Prior to departure, an employee of a sizeable agency was to return his company-issued laptop. The employee was leaving on good terms but when the day came to return the laptop the employee said it had been damaged and could not be produced. The agency wanted to make sure that none of its proprietary information had been copied from the laptop to removable media and contacted CFI to determine whether a forensics examination could be done on a damaged computer. After consultation with CFI, the agency required the employee to produce the damaged computer.
CFI’s forensics specialists were startled to discover that only one file remained on the allegedly damaged hard drive and the rest was wiped clean. To add to the mystery, the one remaining file was a resume for somebody unknown to the parties involved. Further examination of the hard drive’s unallocated space showed pricing and bidding information for an online buying service. It was eventually determined that the employee had copied proprietary files from his old drive, but bought a used hard drive on the Internet and switched it with the one in the laptop to hide his theft. Key to this finding was CFI’s discovery that the person whose name was on the resume was also the person who had been selling a used hard drive on the Internet.

What Lies Beneath…

The Defendant was suspected of making inappropriate postings to stock message boards, which then had a negative effect on a specific company stock. The victim company filed a lawsuit against the individual, in the belief that the defendant had used his company computer to make the suspected postings on the site. Plaintiffs requested Defendant's company's IT department create an evidentiary image copy of the hard drive.

CFI received five (5) CD-ROMs from the Defendant's company's IT department. Upon examination of the contents of the CD-ROMs, CFI determined the data was only a directory structure copy. A conference call with opposing counsel and their expert revealed that the expert had copied the directory structure to CD-ROMs and then installed Norton Utilities onto the Defendant's computer to search for any deleted data. Deleted files were placed into a "deleted items" folder on one of the CD-ROMs.

CFI explained to Plaintiff that CFI had only received 3 GB of data and there was probably 5 GB of unallocated space remaining to be searched on the hard drive. CFI explained to Plaintiffs that postings on a message board would be located on the Defendant's computer as an HTML file, most likely in the Temporary Internet Files directory or in unallocated space. Plaintiff agreed to take custody of the Defendant's computer, and to send it to CFI for an evidentiary image to be created. After evidentiary imaging and examination, CFI located 106 website postings that were sought by the Plaintiffs. All of the postings were located in unallocated space, and not the current file directory structure. None of the located postings were located on the CD-ROMs provided by the Defendant's expert.

And the High Bid Is…

A former employee was suspected of taking proprietary information with him when leaving a company and going to work for a competitor. CFI’s client believed the former employee's computer held important proprietary information, and requested that the hard drive be turned over for examination. The former employee turned over the hard drive to CFI’s Seattle laboratory. CFI created an evidentiary image of the hard drive and, upon initial review; it was determined to be a "clean" hard drive with a fresh installation of Windows OS. No files of the client existed on the hard drive; however, a few files related to Internet history were found. The files showed visits to Ebay auctions of computer hard drives.  After closer review of the Ebay web pages, CFI found the web page showing the former employee's name as the winner of the auction. There was also a photo of the hard drive matching the hard drive in CFI’s custody. CFI suggested that our client contact the former employee and requested the ‘real’ original hard drive.