Computer Forensics Case Examples
Theft of Intellectual Property
The President of a software development company and its lead programmer resign within a short period, each claiming that they had not found other jobs. A mirror image of these former employees' computer hard drives was made and searched. Deleted files showed that the President was working on a start-up budget and was negotiating a long-term software development contract. Recovered e-mails and attachments showed that the lead programmer was sending confidential files to his home computer. A preliminary injunction was obtained preventing the former employees from starting a competing business.
Employment Law: Wrongful Dismissal
An employee files a wrongful dismissal case due to age discrimination. The company claims that the employee was not performing adequately and submits performance appraisal reports from the employee’s supervisors discussing major mistakes that the employee had made. A computer forensics investigation uncovers that these performance appraisal reports were electronically modified after the employee had been fired. Further investigation of the company back-up tapes found earlier versions of the performance appraisal forms without any reference to the alleged mistakes. The company reaches an out-of-court settlement with the employee.
Family Law: Divorce
In a divorce case, a computer forensics examination was performed on the husband's home computer and discovered that the computer contained a second hard drive which had been temporarily disconnected. A mirror image of the hard drive was performed and password protected spreadsheets were located. Using password cracking capabilities, hidden assets, in the form of online stock purchases and financial records were discovered.
Due Diligence: Mergers & Acquisitions
After a purchaser company brought a suit against a vendor company regarding the sale of one of its subsidiaries, the purchaser, using computer forensics, discovered a deleted e-mail and spreadsheet attachment showing that at the time of the sale, the vendor knew its subsidiary was not a viable going concern contrary to the representations that had been made in the closing documents.
Fraud Investigation
Allegations were made that senior executives of an insurance company were involved in a procurement fraud through the use of inflated vendor contracts and kickbacks. Computer forensics was applied including data mining on the company's accounts payable files to identify specific vendors; the accounting system was interrogated for patterns in payments made to the specified vendors; intelligence gathering regarding vendors and its employees was obtained from public and proprietary databases; imaging hard drives of specific computers and identifying previously deleted documents. Based on findings, the senior executives of the insurance company were fired.
Construction Law
A construction company, throughout the course of a major project, had received and performed various additional requirements from a government agency who refused to pay for these overages at the end of the job indicating that they were part of the original bid. All electronic data residing on hard drives belonging to key employees as well as backup tapes was copied and searched. Evidence was located in the form of e-mails that this government agency had in fact, requested and approved the additional work.
Securities Fraud: Misrepresentations
A manufacturer announces that it has entered into a major supply contract and its stock price increases dramatically. Over the next several weeks, insiders sell a significant portion of their shares and the manufacturer completes a secondary offering. Shortly after, the manufacturer announces than the supply contract has not been as lucrative as expected due to the specification requirements. A computer forensics examination is undertaken which indicates that the insiders knew that the design specifications would severely impact the value of the contract from the outset.
Corporate Hacking Attempts
A company launches a new secure online service several weeks before its competitor. During the launch, the company notices a disproportionate number of hack attempts into its site. Computer forensic tools are utilized to track the hackers back to the competitors' internet address. A quick phone call is made to the competitor and all hacking attempts cease.