Background:


We were retained by a mid-west bank to examine five computers that belonged to a bankrupt construction company. The bank had made a $35 Million loan to a large construction company that subsequently declared bankruptcy. The bank wanted to try to recover some of its losses. The principals of the company claimed that they were mere employees of the now-bankrupt company. They proved to be uncooperative during the bankruptcy proceedings. Most of the heavy construction equipment, valued at over $30 Million [on which the bank had the first lien], were missing.

Challenge:


The bank's attorneys obtained a court order to examine the company computers in order to determine where the equipment was located. The subject company turned over five computers to comply with the order, after fighting it in court for three months. We quickly determined that the subject company could not have been operating with only these five computers. It was clear that the subject company had not complied with the judge's orders. Of the five computers that were turned over, two had no data and appeared to have been unused for at least three years, while the other two had very little data of any value and apparently belonged to low-level clerks. The last computer, however, was rather interesting and had apparently belonged to the network administrator. It had two identical drives and they appeared to be mirrored. The forensic evidence showed that before turning it over, the network administrator had run a wiping utility to erase the data on the drives.

Response:


Detailed forensic analysis revealed the wiping software had failed to recognize the RAID array and had consequently wiped only one of the two hard drives. As a result, the data on the second drive was fully intact. We had evidence of intentional spoliation as well as the missing data. Investigators focused their attention on this drive. One investigator was tasked with examining retrieved files from this computer to uncover evidence that the subject company was hiding evidence in violation of the court order, while the rest of the team concentrated on uncovering evidence of the whereabouts of the missing equipment. While conducting his investigation, the lone investigator discovered a word processing document that contained a list of twelve company executives who had high-speed DSL lines. The document showed their assigned IP Addresses, billing information, etc. We now knew that there were at least twelve additional computers that were never produced. This one document alone proved that the subject company was hiding additional computers and had not surrendered them, which violated the court order. We immediately notified the bank's legal team and provided documentation to them. Meanwhile, a forensic team at our lab had great success retrieving solid evidence about the existence and whereabouts of the missing equipment. Many encrypted files were recovered that gave a complete picture of the subject company from accounting, to contracts, to payroll. One encrypted document contained a complete list of the equipment and their storage locations. One file, protected with a very strong password, proved to be difficult to crack. The forensic team put the entire collective processing power of twelve networked workstations in the Cyber Diligence Forensic lab to work with a massive Brute Force Attack on the encrypted file. The password was retrieved after fifteen and a half hours, and the complete inventory of all equipment and construction materials including their values, storage locations, driver's names, etc. was obtained. Contents of this file were immediately forwarded to the bank's legal team and to the field Investigators. Within days, most of the equipment was recovered. Furthermore, our investigators performed a detailed background investigation of the officers of the firm and their immediate family members. We then performed detailed assessments of all and quickly discovered that they had routed most of the borrowed money for the purchase of expensive homes and real estate on their wives’ and children’s’ names.

Results:


Within a few days, a contempt of court hearing was held where the investigator, who recovered the document, testified. The judge informed the firm’s attorney that unless his clients started telling the truth and cooperating fully with the court appointed trustee, the proceedings would stop being civil and turn into a criminal case.

Back to Case Studies