We were contacted by the Chief Security Officer of a defense contractor who stated that the company's Chief Information Officer might be unlawfully accessing and reading both the CEO's and the COO's emails. He also stated that the emails the CIO was allegedly reading were extremely sensitive. Furthermore, the investigation had to be conducted with the utmost sensitivity, as the CIO was a very valuable member of the organization and was also related to the company's founder and the CEO. The CSO had received the tip from an anonymous informant.


This case posed a variety of challenges to the team. First was the nature of the business the company was involved in. Second, the suspect was the CIO. Third, he was related to the CEO. Fourth, he had a laptop computer that he took home. Fifth, accessing the Exchange logs [if there were any] without his knowledge would be almost impossible, since he controlled the systems that held them. In addition, the company wanted the investigation to be conducted in a totally covert fashion and without the knowledge of the suspect.


Any time we have a case involving suspected misconduct by IT personnel, we call it a "special case." It is rather challenging to covertly investigate a member of the IT team, because the people you would normally rely on for access to systems and logs are the people under suspicion. We had to think outside the box about how to accomplish our task, and we eventually came up with a plan we felt would work. The CSO was a retired FBI agent and still had ties to the bureau. We told him that it would not be unusual for him to receive a call warning him about the potential compromise of their network or of the laptops of the executive staff [who had traveled overseas recently]. We would pretend to be private contractors working for a certain government agency investigating an undisclosed cyber threat. Because of who we were supposed to be and what the agency did, we would pretend that we could not share the details of our investigation with him. According to the plan, we would show up at the location while our suspect was at work and had his laptop with him.

Following this strategy, we went into the CSO's office, called the CIO, and carried out an Oscar-worthy performance convincing him of who we were and what we were there to do. The CSO confirmed who we were and told the suspect that he had received the call and knew we were coming. The suspect was initially upset that the CSO had not shared any of this with him prior to our arrival, but we convinced him that the CSO had been instructed not to share the information with anyone pending our arrival. We asked the CIO and his staff to help gather all laptops belonging to executives who had traveled overseas during the last three months, knowing full well that he was one of them. We forensically imaged a total of twelve laptops as part of the scenario. Carved internet artifacts recovered from the CIO's image showed that he was in fact using a web-based interface to log into the CEO's and other executives' email accounts, among many other things the executives were not aware of.
Once we had recovered the proof from his laptop, we returned to the client's location and confronted the CIO with the evidence recovered from his computer. When he saw the printouts, he admitted to every instance of misconduct we had discovered.