It is often difficult to understand how digital forensics might relate to you, your firm or your case; therefore we have provided a number of anonymous case studies to enable you to draw comparisons and provide context to the services that CCL-Forensics can provide.
Select a case study to read from the lists below:
Mobile Phone Analysis – Drugs Importation »
Following a major police operation, a man was arrested on suspicion of importing class A drugs, worth over £100K.
As part of the investigation, a mobile phone belonging to the suspect was sent to CCL Forensics, with the instruction to attempt a retrieval of deleted SMS and call logs from the phone.
The phone was due to arrive at CCL on Friday with a request for an analysis and a full report to be completed by Monday.
One of CCL-Forensics highly trained analysts was able to retrieve all the information the Office In Case needed and a full report was sent back on Monday.
The man was later sentenced to 10 years imprisonment.
Computer Analysis - Internet History »
Some members of a large local authority's IT department were under suspicion due to lack of productivity. Managers suspected that they were wasting time by visiting social networking and internet auction sites during working hours.
CCL-Forensics was called in to investigate the computers of the three suspects, paying particular interest to internet history and chat logs.
The results of the investigation were even more damning than the council expected and gave a clear picture of the activities of the suspects. The report outlined that the employees had been using both online auction sites and their own websites to sell not only personal items but also goods belonging to the council, such as unused laptops, electrical cables and CDs.
This evidence backed up the testimony of witnesses within the department and gave the council everything it needed to suspend the employees pending a further enquiry. The local authority asked CCL-Forensics to investigate all other computers within the department to determine exactly which members of staff took part in - or helped to cover up - the misuse.
The three original suspects were eventually permanently dismissed with one junior member of staff receiving a warning for failing to inform management of the situation.
Computer Analysis - Terrorism »
A man suspected of being involved in terrorist activity was identified by Police and subsequently arrested.
His home computer was examined by the digital forensics team and incriminating evidence was found. This included a number of emails as well as internet history which showed that the accused had visited a number of extreme religious and terrorism websites.
His defence team decided to examine this evidence for themselves, by arranging for an independent digital forensics company to assess the evidence presented by the prosecution. This involved a full analysis of the computer with a review of the report submitted by the Police.
Computer Analysis - Drugs »
A man was arrested under suspicion of possession and supply of Class A drugs. His mobile phone was seized by Police and sent to be analysed.
A number of incriminating text messages were recovered from his mobile phone as well as some phone book entries which linked him to other suspects.
CCL-Forensics was employed by the defence team to investigate the claims made by the prosecution and to identify any further information which may be relevant to the case. CCL's analyst was able to find deleted text messages within the suspect's inbox which indicated that the drugs had been purchased for personal use, therefore the suspect received a reduced sentence.
E-discovery - Confidential file searching »
CCL-Forensics was called in by a large "top-20' legal firm to help them investigate a case which involved searching for documents and emails within a vast amount of electronic information.
The case was urgent and highly confidential and required an analyst to attend the scene as soon as possible.
As CCL-Forensics is constantly prepared to carry out round-the-clock work at very short notice, an on-call analyst was able to arrive at the solicitors offices in Central London - along with the necessary specialised equipment - within two hours.
The first task was to take a forensically sound exact copy of the suspect hard drive which had already been seized by the legal team. The drive was particularly large, and contained hundreds of gigabytes of data in various formats. Once this ‘imaging process' had been set up, the analyst met the legal team to discuss in detail the requirements of the case which centred on a number of crucial emails.
Having identified a number of important keywords and specific search terms, the analyst was able to index the data to home in on the most crucial files. The specialised tools used by CCL-Forensics meant this could be done in a fraction of the time of conventional search techniques saving time and ultimately money.
Crucially, it also meant that the legal team had instant access to deleted files, and those protected by passwords, meaning they had access to a wealth of data that they wouldn't ordinarily be able to view. The legal team were then presented with the indexed files in an easily searchable e-discovery format, enabling them to search for the messages and other information most relevant to the case.
All this was completed within 24 hours of the legal firm contacting CCL-Forensics and enabled them to take the necessary steps to continue with this urgent case.
E-Discovery - Internal fraud »
A well established clothing manufacturer, with a number of sites around the UK suspected insider dealing among one or more of its staff, after a number of major contracts with high-street stores were not being renewed. Concerns were heightened when it emerged the long-standing contracts were going to newly formed businesses.
An anonymous tip-off suggested detailed confidential information was being leaked from the company to these new competitors, with those responsible being paid for that information - although no names were mentioned.
The department which negotiated these contracts was large and spread across three sites, and the firm had little or no suspicion as to who, if anyone, was responsible for leaking the figures.
CCL-Forensics securely imaged terabytes of data from the company's servers, as well as collecting dozens of backup tapes and a number of filing cabinets full of printed documentation dating back several years.
This was carried out using covert techniques so as not to arouse suspicion, and with strict adherence to ACPO guidelines. This meant that should the company discover any suspicious activity, it could pursue legal action if it wished.
Using an e-discovery tool and techniques, CCL-Forensics was able to process this data (having first scanned in the paper documents and retrieved the data from the backup tapes), and cull any data that was not relevant. The documents were then categorised and presented in an easy-to-use format by the client company.
The data was hosted on secure servers in the UK, with instant access available by the client at any time. The client was able to prove that there was a leak of information from within its staff and took the appropriate action.
Computer Analysis - Indecent Images »
The suspect had already stated that they had an alibi for a certain period of time as they had lent their computer to a friend. The investigation therefore focused on dates surrounding this period so that any evidence could be linked to that particular suspect.
CCL analysts found that the source of the printed pictures discovered in the office could have actually been when the computer was used the previous year (outside the period that the suspect had an alibi). Our analysts also discovered that software had been used to try to erase the images, however, string text and partial images were discovered in unallocated space. This evidence was enough to charge the suspect with the possession of indecent images.
Computer Analysis - Theft »
The Police seized two laptops in a raid and needed to establish the whereabouts of the owners as the laptops were believed to have been stolen.
CCL-Forensics’ analysts examined each laptop. The first owner’s details were found relatively quickly as our analyst discovered a number of word documents containing all of their details.
The other was much more problematic but our analyst was still able to find the owner’s name.
The client was pleased that all possibilities had been exhausted and proceeded to charge the suspect with theft and handling stolen goods.
Computer Analysis - Employee Misuse »
A multi-national company secured the services of CCL-Forensics Ltd to assist in an employee disciplinary hearing. It was alleged that the employee, had been downloading extreme pornography onto his workstation. He insisted that he was not responsible, however, the Company decided to suspend him pending further investigation.
CCL analysts secured his workstation and began a detailed analysis of the device, starting by taking a forensic digital copy of the workstation’s hard drive. On investigation, CCL uncovered from the device a number of extreme pornographic images, however, it was also established that the images had been downloaded at a time when a temporary worker also had access to the workstation. CCL-Forensics produced a technical report and witness statement to that fact.
Computer Analysis - Illegal Firearms »
A suspect had been arrested under suspicion of purchasing illegal firearms and importing them into the UK.
The firearms were seized by the Police in transit and during a subsequent search of the suspect’s house, however, further evidence was needed to link the suspect with the items seized and to identify if additional purchases had been made.
Analysis of the hard drive exhibit resulted in evidence of four transactions made during a period of one year.
Computer Analysis - Operation Ore »
The US Postal Service raided an address in America which was found to be the base of a world-wide Internet based child pornography site. The investigations in the US identified numerous UK subscribers to the paedophile site. This information led to a nationwide UK police operation named Operation Ore. CCL-Forensics have conducted in excess of 50 Operation Ore cases for a number of Police Forces. The below case studies are typical:
As part of this operation, a suspect was identified as having downloaded indecent images of children from the website during 1998/99. The suspect was traced by the personal details, credit card and email address he had registered on the website server.
The suspect was arrested for possession of indecent images of children. A search warrant was executed under Section 4 of the Protection of Children Act 1974 and various items, including a computer and removable media, were seized from his premises.
CCL-Forensics Ltd was asked to examine the computer’s hard drive and removable media for any indecent images of children and also to identify any evidence of the suspect having made or distributed indecent images.
The hard drive and the removable media were imaged using a forensic imaging tool. The image files taken of these exhibits were then interrogated for any such graphic files. The user’s email accounts and internet history were also examined to determine if any evidence of distribution existed on the computer.
A forensic report was produced outlining our findings, which was to be presented as an exhibit during the court hearing. As a result of our report the Defendant changed their plea to guilty and court attendance was not required.
Computer Analysis - Rape »
The victim reported a serious incident to the Police alleging that she was raped on several occasions by the suspect, both as a child and as an adult. During interview, the victim recalled that the suspect had, on at least one occasion, loaded images of her taken after the assault onto his computer. However, she could not recall if these images were saved or what format they were in. Police arrested the suspect and seized the computer and removable media from his premises.
CCL-Forensics was asked to forensically examine the removable media, in this case a number of floppy disks, to identify if any indecent images of children existed and if any of these were the victim.
The floppy disks were imaged and the imaged files subsequently examined. Several notable graphic files were found. These were extracted and recorded to CD. The CD was then sealed and securely returned, together with a forensic report, to the investigating authority for review.
Computer Analysis - Stolen Vehicles »
One such container was intercepted at a UK port by HM Customs and the Police were informed. The Police traced the syndicate to a freight shipping company which also ran a legitimate business operation. The premises were raided and computer equipment and paperwork was seized. Two shipments already in transit were intercepted and searched whereupon Customs discovered further motor vehicles within the containers. The ships were ordered to return to port.
CCL-Forensics was asked to forensically examine the computer and removable media (a number of CDs and floppy disks) taken from the premises to identify any shipping documentation which could be connected to this criminal activity.
The computer’s hard drive and removable media were imaged and the imaged files subsequently examined. Several electronic documents were found which would substantiate the Prosecution’s claim against the defendants. These files were printed and formed the appendix to a forensic report which was submitted as an exhibit to the court. CCL-Forensics was then requested to provide the investigating authority with further documentation which was submitted to the Crown Prosecution Service.
After a two week trial in which CCL-Forensics was asked to give evidence, the jury found the company directors and their associate guilty. The fourth defendant was found not guilty, owing to their marginal involvement.
Covert - Procurement Fraud »
Anomalies were noticed and following advice from the Police, the Authority called in CCL-Forensics Ltd to investigate. After a covert operation to image (produce a forensic copy of all of the data on the media) the computer of the suspected employee, the copy was transported back to CCL-Forensics’ laboratory for analysis.
After an initial investigation, CCL analysts found evidence of funds moving to the suspect’s account. The analysts were able to provide evidence that the alleged suspect was not only moving funds from the Authority, but also from a number of other companies with which it had an association. The Police were informed and the employee was suspended pending further investigation.
Mobile Phone Analysis - Video retrieval »
CCL-Forensics Ltd was asked to analyse a mobile phone in relation to a serious assault case. It was alleged that a young boy had conducted a serious assault on another child while his friend took pictures on his mobile phone. The young boy initially denied all knowledge of the incident, until the Police were informed that there was evidence on the mobile phone.
Using a wide range of specialist software, our analysts recovered the pictures in question in a forensically sound manner following ACPO guidelines. They also recovered a deleted multimedia text message sent to another child with one of the pictures attached to it.
Covert - Fraud Investigation »
The report showed that the suspect had been putting transactions through to their own account and there were traces of such actions on the hard drive. The Police were informed, the company dismissed the employee and criminal proceedings commenced.
Mobile Phone Analysis - Child Disclosure »
CCL-Forensics were approached by a Police client who were in the possession of a mobile phone which had been used by a child to make a video disclosure concerning sexual abuse.
The child had refused to use Police video equipment and would only make the disclosure on her own mobile phone, which was unfortunately not easy to analyse. CCL-Forensics were able to retrieve several snaps of video footage, with sound, which were then downloaded onto CD and passed to the Forces Child Protection Unit.
Computer Analysis - Intellectual Property Theft »
A large manufacturing company became suspicious that one of its former sales staff had been stealing the company's intellectual property, after noticing a drop in sales following his departure.
The employee in question had left the company several months ago and made no secret among his workmates that he was planning to start work at a rival organisation. The subsequent lack of business led his former bosses to suspect that he had stolen their customer database for use at his new company.
CCL-Forensics was engaged by the company's legal team to investigate the former employee's workstation and found that a removable hard drive had been used to remove data from the server on the day he left the company.
This new information meant that the courts were then able to order the former employee's home computer be seized. An examination of this machine then revealed that the database had indeed been copied from an external hard drive and viewed on a number of occasions.
During this examination, a number of further incriminating files were recovered from the hard drive of the suspect's home computer, including emails to his prospective new boss giving details of his plans to boost sales at his new company.
Throughout this period, both CCL's Account Manager and the analyst working on the case remained on-call and worked evenings and weekends to ensure that the demands of the court were met.
The case was taken to the civil courts, with the suspect being charged with theft of intellectual property.
Mobile Phone Analysis - Deception »
It was alleged that a number of people were taking part in a large deception, which involved the importing of stolen goods. Following a covert operation by the police, several suspects were arrested with a large number of mobile devices being seized.
CCL-Forensics was instructed by the law enforcement agency to forensically examine the mobile phones to ascertain whether there were any calls made to, and received from, a specific number.
The mobile phones were analysed using a number of different tools and several call records relating to the specified telephone number were found. This information was extracted and a report was produced. The phones were then sealed and securely returned, together with the forensic reports, to the investigating authority for review.
Mobile Phone Analysis - Harassment »
An allegation of harassment was made whereby the victim was apparently receiving telephone calls and SMS messages thought to originate from an ex-partner. The suspect was arrested his mobile phone was seized and forwarded to CCL-Forensics.
CCL-Forensics was asked to examine the mobile phone to ascertain whether there had been any SMS messages and calls made from the suspect's handset to the victim within a specified time frame.
The mobile phone was analyzed and several SMS messages and call records were found which would incriminate the suspect. A full report was provided to the prosecution and the CCL-Forensics analyst who worked on the case was called as an Expert Witness in the trial.
Digital Analysis - Sexual Harassment »
A male Finance Director of a large organisation had been accused by several female employees of acting inappropriately and harassing them verbally, by email and text message.
Following a series of complaints, the HR department contacted CCL-Forensics based on a recommendation from a lawyer. To avoid arousing suspicion, CCL suggested its Analysts undertook a covert operation involving attending the office out-of-hours to take a forensic copy of the suspect's computer. Because much of the evidence was thought to be contained within emails, the server was also imaged to capture the details of any correspondence.
In addition, the organisation confiscated the suspect's company mobile phone.
This evidence was taken to CCL-Forensics' secure laboratories and our specialised computer and mobile phone analysts set to work. A number of emails and text messages were discovered which had been sent by the suspect to his female colleagues over a period of six months. It was also revealed that he had been using his PC to download pornography, a practice strictly prohibited by the company's acceptable use policy.
A detailed report was provided to the client, who suspended the employee immediately. They are now making the decision as to how to proceed.