
Monthly Archives: March 2010

From time to time we get called upon to work infidelity cases.  We recently worked on one involving a high profile celebrity.  We were retained by the celebrity when his security detail became suspicious that something was happening within the family.  Once we were given legal consent to search the computer, we forensically acquired the machine and started the analysis.

We began the investigation by reviewing the emails and internet history contained on the machine. We found a web-based email address used by the celebrity’s wife and conducted a keyword search of the entire drive for that address. After reviewing the results of the keyword search, we found that several emails had been exchanged between the celebrity’s wife and a member of her security team. These emails were sexual in nature and contained graphic language. The client asked us to produce all of the relevant emails for his review. He then provided us with several other email addresses, and we found additional incriminating emails on those addresses as well. We found evidence that the wife and the member of the security detail had been having an ongoing affair for several years.

Because we maintained the strictest confidentiality, the case has not made national news or even TMZ.

This case study is about a corporate fraud case where an ex-CFO was suing his old company for money from stocks he claimed he was owed. The ex-CFO claimed that when he was hired there was an agreed stock payout upon his departure from the company. This alleged stock payout was written in an email from the CEO to the ex-CFO. The ex-CFO was claiming that his payout was much less than what was agreed upon in the email from the CEO. The company was adamant that the payout that was agreed upon by all parties was correct and not what the ex-CFO was claiming.

In case depositions the ex-CFO claimed that he always had problems with the computers issued to him by the company. He stated that every time he had a problem, he would back his data up on an external hard drive before he took the computer in for repairs. However, at the time of the court case he claimed he couldn’t locate the external hard drive. He had six computers issued to him during his two-year employment at the company. Approximately a week after the suit was filed, he allegedly took his computer to Best Buy for repairs. He produced what appeared to be a Best Buy receipt to the court as evidence.

We examined the laptop he used during the last few months of his employment. We were ordered to locate the alleged email and/or any email communications between him and other executives at the company. We located a Microsoft Word document whose content appeared to be an email. It had some of the headers found in an email (To, From, Subject, etc.), but was missing other relevant information. When we viewed the file’s metadata (the data about the data), we found that the author was the ex-CFO and that the created, accessed, and modified dates and times were consistent with his employment date. We also found that the Total Edit Time of the document was in the millions of minutes. The Total Edit Time tracks how long a Microsoft Word document has been open, from the time it is opened until it is saved and closed. Our initial thought was that the document was backdated. Backdating a document means changing the computer clock to an earlier date and/or time, creating a document, and saving it. The document then carries a date and time stamp from that earlier date. The computer clock can then be reset to the current date and time to give the appearance that the document was created in the past. After extensive testing in the lab, and countless phone conversations with techs from Microsoft, we determined that the ex-CFO had set his computer clock to the date he began employment with the company. He then altered and copied the content of the stock payout email into a Microsoft Word document and saved it with the changed date. With the document still open, he reset the computer clock back to the current date. Converting the Total Edit Time in minutes back into elapsed time gave us the gap between the creation time recorded in the document and the actual local time on the computer. We also found logs on the computer showing that on a certain date and time he had changed the computer’s clock.
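To make the Total Edit Time check concrete, here is an added example; it is not PCI’s code or tooling. The post does not say which Word file format was involved, so this assumes a modern .docx, where the counter is stored in minutes as TotalTime in docProps/app.xml and the timestamps live in docProps/core.xml. The example builds a constructed sample document with made-up dates and author, reads the metadata, flags a Total Edit Time that could not fit between creation and last save (impossible if the clock ran honestly), and converts the counter back into the wall-clock time at which the editing session would have ended.

```python
"""Compare a .docx Total Edit Time with its created/modified stamps (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces used by the two OOXML property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def build_sample_docx(author, created, modified, total_edit_minutes):
    """Constructed stand-in for a .docx: only the two property parts matter here."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
        f"<dc:creator>{author}</dc:creator>"
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        "</cp:coreProperties>"
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
        f"<TotalTime>{total_edit_minutes}</TotalTime></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def read_properties(docx_bytes):
    """Pull author, created, modified and TotalTime (minutes) out of the package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))

    def stamp(element):
        # Word writes these timestamps in UTC with a trailing Z.
        return datetime.strptime(element.text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    return {
        "author": core.find("dc:creator", NS).text,
        "created": stamp(core.find("dcterms:created", NS)),
        "modified": stamp(core.find("dcterms:modified", NS)),
        "total_edit_minutes": int(app.find("ep:TotalTime", NS).text),
    }


def check_edit_time(props, slack_minutes=60):
    """Flag a Total Edit Time that cannot fit between creation and last save.

    The counter starts when the document is opened, so it can legitimately exceed
    the created..modified span by the editing done before the first save; the
    slack absorbs that. Anything far beyond it means the clock moved while the
    document was open, and created + TotalTime estimates when that session ended.
    """
    span_minutes = (props["modified"] - props["created"]).total_seconds() / 60
    excess_minutes = props["total_edit_minutes"] - span_minutes
    return {
        "span_minutes": span_minutes,
        "excess_minutes": excess_minutes,
        "suspicious": excess_minutes > slack_minutes,
        "estimated_session_end": props["created"] + timedelta(minutes=props["total_edit_minutes"]),
    }


def analyze_samples():
    """Run the check on one backdated-looking and one ordinary constructed document."""
    # Constructed values: a 30-minute created..modified window in both cases.
    backdated = build_sample_docx("sample author", "2006-03-01T09:00:00Z", "2006-03-01T09:30:00Z", 1_100_000)
    ordinary = build_sample_docx("sample author", "2006-03-01T09:00:00Z", "2006-03-01T09:30:00Z", 25)
    return check_edit_time(read_properties(backdated)), check_edit_time(read_properties(ordinary))


if __name__ == "__main__":
    for label, result in zip(("backdated", "ordinary"), analyze_samples()):
        print(label, result)
```

For the constructed backdated sample, 1,100,000 minutes is a little over two years, so the counter points to an editing session ending in April 2008 on a document whose stamps all say March 2006. A real examination would corroborate this with the system’s own clock-change log entries, as the post describes, rather than relying on the document alone.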

Once we presented this evidence to the lawyers, they requested through the court that the external hard drive be produced for a forensic examination as well. The ex-CFO again claimed he couldn’t find it, but after an order came from the judge he located it in his home office. We forensically examined the external drive and found the original email from the company detailing the stock payout option and found that the payout was different and much less than the one found on the ex-CFO’s computer. We also assisted the attorneys by working with the Best Buy corporate security team, and found that the receipt produced from Best Buy was fake and most likely created by the ex-CFO.

PCI President and Principal Forensic Examiner Douglas Vitale testified in United States District Court as an expert witness in the case. After the testimony, the judge ruled in favor of the company. As of this posting, a criminal case against the ex-CFO has been initiated.

Here is an amusing tale from my career in the computer forensic field:

I was retained as a third-party expert in a corporate embezzlement case. I arrived at the personal residence of the opposing party to image his computer, and luckily I brought along the two attorneys who had retained me. When we arrived, we were met by the opposing side’s two attorneys and their computer forensic expert. When I started taking apart the computer to remove the hard drive, the opposing party became irate and started screaming right in my face. I tried to explain to him that my method of acquiring drives is to physically remove the hard drive and connect it to a write-protect device. He wouldn’t listen and demanded that I put his computer back together and leave it alone. After a couple of minutes (which felt like hours), my attorneys stepped in, and then all four attorneys started screaming at each other and even became physically aggressive, pushing and shoving each other. While this was happening, I sat quietly in the corner and contemplated a career as a travel agent. After several minutes, one of the attorneys decided to call the judge to have the situation resolved. Whatever the judge said (he spoke to all four of them individually) worked, and I was finally allowed to start imaging the hard drive using my method.

An attorney who was representing a client that co-owned a business with his friend retained us to do forensic examination work.  The friend was responsible for the finances of the company.  One day the client decided to have a look at the finances, and discovered that his friend had been stealing millions of dollars from the business.   Since the relationship between the two parties turned hostile, the attorney requested that police officers accompany us when we conducted the forensic imaging on-site.

On the day of the forensic imaging, we, along with the police officers, first responded to one of the businesses and imaged three computers and a server.  We then went to the friend’s house and imaged two computers.  It was at the house where we were met with resistance from the friend and several of his family members.  He refused to turn over his computers, even after the police officers showed him the legal documentation.  He was irate and screaming at us for hours, until he spoke to his attorney who told him to calm down and let us do our work.

The first thing we reviewed on each of the computers was the financial files. There were some QuickBooks files and hundreds of Excel spreadsheets containing financial statements. We exported them and brought in a forensic accountant to review the statements. We then looked through the internet history and the cached internet files. We found several cached files from online banking sites. These files gave us bank names, account numbers, and other information that allowed us to create keywords to search for on the drive. After we ran the keyword search and reviewed the hits, we found several deleted financial statements and other files relating to the finances of the business.

After reviewing the evidence, we found that the friend was writing checks from the company to himself, but logging the checks as payment to bogus vendors.  Over the course of several years, the friend embezzled almost 2 million dollars from the company.  After interviewing the client, he stated to us that he trusted his friend and he had no reason to suspect that anything was going on.  He admitted that as co-owner he should have paid a little more attention to the finances.

The client obviously won the civil lawsuit and the friend was ordered to pay the money back to the company.  A criminal case against the friend is pending.

We were retained by a private investigation firm who was involved in a corporate investigation for a major pharmaceutical company. All we were told was that there was “something happening” within the company, but the private investigators couldn’t figure it out. After several meetings with the General Counsel of the company and the private investigators, it was decided that we would forensically examine the computers of the fifteen top executives of the company. All parties decided on a date when the forensic imaging would take place, and we formulated a game plan.

We arrived at the company on the specified date and were met by a heavy security presence that had been brought in to assist us in securing the employees’ computers. We went office to office accompanied by security personnel and told the employees to turn over their computers. We were met with a lot of resistance from some of the employees, but after a talk with the General Counsel, they reluctantly agreed to turn their computers over to us.

We started the forensic examinations of the computers by reviewing all of the employees’ emails and searching the hard drives for specific keywords provided by General Counsel and the private investigators. After reviewing the emails and keyword hits, we found some communications regarding a pharmacy not affiliated with the company. We then conducted a keyword search on all the hard drives for the outside pharmacy mentioned in the emails. We found evidence on seven of the hard drives showing that these executives were taking pills that had been deemed defective during the quality assurance process and selling them at the outside pharmacy they had all opened together. We notified the DEA and they took over the investigation.

We also found communications in one of the executives’ emails discussing the hiring practices of the company. After we conducted a further examination of his hard drive, we found that he was hiring his friends and family, and they were paying him a monthly fee for getting them the job.

At the conclusion of the investigation, eight of the executives were terminated and the company conducted an overhaul of its quality assurance and hiring policies and procedures.

We recently investigated a case of intellectual property theft at a graphic design company. We were retained by the President of the company who notified us that the week prior, four of his staff members unexpectedly quit and started their own competing company.

The President explained to us that the four employees who left were in charge of creating logos and graphics for customer advertisements. He explained that two of the employees were using company laptops and the other two were using their personal laptops. He also explained that whenever a logo was created, it was saved on an external hard drive that all of the employees had access to. The only data contained on the hard drive was client logos. The President also said that another employee had notified him that the four employees in question came into the office late one night and copied the data from the external drive onto the two personal laptops. The office is monitored 24/7 by a surveillance system installed on a server, but when the President tried to view the video from the night in question, the video had been erased.

We started our forensic examination on the two company laptops. We searched the emails and chats contained on the machine to see if there was any communication between the four employees about leaving the company and starting their own. We didn’t find any communication between the four, but we did find an email sent to one of the employees from a website domain company which contained a receipt for the domain name purchase of the competing company. We also found letterhead with the competing company’s address and contact information on it. The email and the letterhead were created two weeks prior to the employees leaving.

At this point we wanted to see if we could obtain the “smoking gun” evidence that these two employees had connected the external hard drive to their computers after hours. We were legally not able to conduct a forensic examination of the employees’ personal computers, so we decided to go back to the office and create a forensic image of the surveillance server to see if we could recover the deleted video.

The difficult part of the surveillance server examination was not only recovering the deleted data, but also making it viewable through the surveillance software. After a couple of days we recovered what appeared to be the deleted video files and began working with the tech support team from the surveillance software company to convert the deleted files into a viewable format. A day later we were successful, and when we viewed the video with the client and his attorney we saw that at about 1:00 AM the four ex-employees entered the office and connected the external hard drive to their computers. The attorney was satisfied with the findings and is currently pursuing civil and criminal charges against the four ex-employees.

We investigated a case where a female employee quit her job as an administrative assistant to the CEO and a couple of months later brought a sexual harassment lawsuit against the CEO and the company. The woman claimed that the CEO had been sending her sexually explicit emails, constantly pressing her in emails and voice mails to go out with him, and sending her pornographic images via email.

We started the investigation by examining the CEO’s computer. We wanted to review the CEO’s emails to find evidence of any emails of a sexual nature that were sent to the administrative assistant. After reviewing the emails on the CEO’s machine we found several pornographic emails sent between the CEO and the IT Director, but none that were sent to the administrative assistant. We did find business-related emails sent between the CEO and the administrative assistant, but nothing that suggested sexual harassment. We did find file wiping software that had been installed a couple of days after the company was made aware of the lawsuit. This file wiping software was designed to permanently delete and overwrite files and folders and the unallocated space of the hard drive. The unallocated space is the area where a file resides after it is deleted but before it is overwritten. A file can still be recovered as long as it resides in the unallocated space. We were not able to determine exactly which files had been overwritten. We also found emails between the CEO and the IT Director that talked about “taking care of this problem” and “covering our tracks”.
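An added illustration of the unallocated-space point above, not code from the post or from PCI: the “disk image” is a constructed byte buffer rather than a real file system, and the recovery method is simple signature carving (searching raw bytes for a JPEG’s start and end markers). It shows that a deleted file’s bytes are still carvable while they sit in free space, and that once a wiper has overwritten that space nothing comes back, which is why the post could only say that files had been overwritten, not which ones.

```python
"""Why a deleted file is recoverable until its sectors are overwritten (added example)."""
import re

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff\xe0"  # start-of-image marker followed by the APP0 segment id
JPEG_EOI = b"\xff\xd9"          # end-of-image marker


def make_sample_image():
    """Constructed disk-image stand-in: one allocated sector, then two unallocated
    sectors that still hold the bytes of a 'deleted' JPEG. Returns the image bytes
    and the offset at which unallocated space begins."""
    allocated = b"LIVE FILE DATA".ljust(SECTOR, b"\x00")
    deleted_jpeg = JPEG_SOI + b"\x00\x10JFIF\x00" + b"<constructed jpeg body>" + JPEG_EOI
    unallocated = deleted_jpeg.ljust(SECTOR * 2, b"\x00")
    return allocated + unallocated, len(allocated)


def carve_jpegs(image):
    """Signature carving: the file system's record of the file is gone, so scan the
    raw bytes for JPEG start..end marker pairs and return each candidate's bytes."""
    pattern = re.escape(JPEG_SOI) + b".*?" + re.escape(JPEG_EOI)
    return [m.group(0) for m in re.finditer(pattern, image, re.DOTALL)]


def wipe_unallocated(image, unallocated_start):
    """What the wiping software on the page does to free space: overwrite it,
    modelled here with a single pass of zeros."""
    return image[:unallocated_start] + b"\x00" * (len(image) - unallocated_start)


def demo():
    """Return (files carved before wiping, files carved after wiping)."""
    image, free_start = make_sample_image()
    before = carve_jpegs(image)
    after = carve_jpegs(wipe_unallocated(image, free_start))
    return len(before), len(after)


if __name__ == "__main__":
    print("carved before/after wipe:", demo())
```

Real carving tools validate the header structure and cope with fragmented files rather than trusting a marker pair, but the principle is the same: recovery depends on the bytes still being present, and a wiper’s whole purpose is to make sure they are not.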

We then examined the Administrative Assistant’s computer. We reviewed her emails and did not find any evidence of sexual harassment. We did, however, find that the same file wiping software had been installed on her machine as on the CEO’s, and it had been installed on the same date. When we questioned her about the software, she claimed she did not install it and had no idea who had access to her computer. We also found out that she used a program that records phone conversations on the computer as audio files. We reviewed these files and found four conversations between her and the CEO in which he tries to persuade her to go on a date with him and she repeatedly rebuffs his advances.

After reviewing the little evidence we had found, we decided to examine the IT Director’s computer. We found a wealth of evidence on his hard drive. Contained on his hard drive were all of the sexually explicit email communications between the CEO and the Administrative Assistant. After further investigation, we found out that the CEO had forwarded all of the relevant emails to the IT Director. The IT Director was the person who installed and ran the file wiping software on the CEO’s and Administrative Assistant’s computers in order to remove evidence of the relevant emails from both of their computers.

At the conclusion of this investigation, the IT Director was forced to resign and the Administrative Assistant won her lawsuit against the company.

In today’s tech-savvy world, more and more people are communicating via chat programs. These programs can provide a wealth of evidentiary value, but chats are among the most difficult evidence to recover. The most popular chat programs are Yahoo, Skype, AIM, and MSN. Some social networking sites like Facebook have a built-in chat function as well.

Chat conversations are difficult to recover because they are typically not logged to the hard drive. Unless the user has activated logging, all chat takes place in RAM (random access memory). Using our forensic software, we can attempt to recover the dates and times a user logged in to the chat program, the user’s contact list, and in some cases the actual chat.

The forensic community has just released a program that will now sort out and recover chats from Facebook.  We have used this program to find evidence of internet infidelity.

For more information on chat programs, contact Precision Computer Investigations (info@computerinvestigations.net).

Similar to file recovery, images and videos, both active and deleted, can play an important role in a digital forensics investigation. It can be as simple as retrieving old vacation pictures or as involved as investigating intentionally deleted pictures or movies.

Pictures and videos can come from a variety of sources. They can be downloaded from a digital camera or camcorder, a smartphone, an iPod, or any external storage media. When a user visits a website, the internet browser caches all of the images from that site. These images reside in the temporary internet files folder on the hard drive. Often the images and video are intentionally deleted by the user to hide their activity. Some users download indecent images and video from the internet, pass them along to other users, and then delete the files. Using our forensic software, we have the ability to recover deleted photos and videos from the hard drive.

We investigated a case in a corporate office where an offensive image was downloaded from the internet and set as a desktop background without the user’s knowledge. We were called in to investigate the source of the image and who could have committed the act. By viewing the image using our forensic software, we concluded that it had been downloaded from an internet website. By looking at the date and time stamp of the image, we found that it had been downloaded after normal working hours by someone outside of the company.

For more information contact Precision Computer Investigations (info@precisioninvestigations.net).
