CY4OR have had extensive experience implementing search and seize orders, and have been appointed by the court on a number of occasions. Once instructed, CY4OR executed a search and seize order on the suspect’s office and subsequently seized four personal computers for forensic analysis. The organisation requested that CY4OR provide information on how long the fraudulent business had been operating, its financial records, and who was supplying the suspect with medicine.
An examination of the Outlook email identified correspondence between the suspect and his web designers, which indicated that the business had been launched in September 2003. In order to confirm this, an internet query (known as a Whois query) of the suspect's trading website was conducted.
Whois is a lookup service for domain name registration records, which include the registrant's details and the date the domain was registered. The domain names relating to the suspect's business were all registered at around the same date as the correspondence with the web designer. This set-up date was further confirmed by business plans found on the personal computers.
The review of databases located on the computers successfully highlighted information on drug suppliers to the company. Furthermore, the associated metadata provided confirmation of the database's origin. Metadata is hidden information relating to a document; in this case the metadata contained information entered when the database program was installed. The metadata confirmed that the database had originated from the suspect's machine.
The financial information relating to the business appeared to have been deleted at some point. A common misconception is that file deletion completely removes the data from the media; this is not the case. When a user deletes a file, the area of disk that the file occupies is simply marked as being available for re-use. The operating system may later choose to overwrite that area, or a portion of it, with another file.
Although this information would not be recoverable by the average IT user, using advanced techniques it was possible to recover a deleted file, apparently containing relevant financial information. Again the metadata allowed CY4OR to review hidden information, this time on the document's history. It revealed the file's save history and showed that the company's accountant had been involved in the falsification of accounts.
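To make the deletion point concrete, here is an added illustration (not CY4OR's tooling or data): a toy disk image with a simple allocation table, where "deleting" a file only clears its in-use flag, the bytes can still be carved from unallocated blocks by their header, and a later write that reuses the freed block is what actually destroys them. The block size, the `ACCT` header and the ledger record are all constructed for the example.

```python
"""Toy disk image: deletion frees the allocation entry, not the bytes."""

BLOCK = 32          # constructed block size
N_BLOCKS = 8
MAGIC = b"ACCT"     # constructed header for a toy 'accounts' file format


def new_image():
    # raw image plus allocation table of [first_block, n_blocks, in_use]
    return bytearray(BLOCK * N_BLOCKS), []


def write_file(image, table, data):
    """Store data, reusing a freed extent when one fits (as a real FS may)."""
    n = -(-len(data) // BLOCK)                    # blocks needed, rounded up
    for i, (start, length, used) in enumerate(table):
        if not used and length >= n:
            table[i] = [start, n, True]           # reuse: old bytes get overwritten
            break
    else:
        start = max((s + l for s, l, _ in table), default=0)
        table.append([start, n, True])
        i = len(table) - 1
    off = start * BLOCK
    image[off:off + len(data)] = data
    return i


def delete_file(table, idx):
    """What 'delete' really does: flip the in-use flag; the data stays on disk."""
    table[idx][2] = False


def visible_files(image, table):
    """What an ordinary user sees: only entries still marked in use."""
    return [bytes(image[s * BLOCK:(s + l) * BLOCK]).rstrip(b"\0")
            for s, l, used in table if used]


def carve_unallocated(image, table):
    """Scan blocks no live entry claims for MAGIC and pull out each record."""
    live = {b for s, l, used in table if used for b in range(s, s + l)}
    hits = []
    for b in range(N_BLOCKS):
        off = b * BLOCK
        if b not in live and image[off:off + len(MAGIC)] == MAGIC:
            end = image.find(b"\0", off)
            hits.append(bytes(image[off:end if end != -1 else len(image)]))
    return hits


def demo():
    image, table = new_image()
    ledger = MAGIC + b" 2003-09 sales 12,400"     # constructed ledger record
    idx = write_file(image, table, ledger)
    delete_file(table, idx)
    before = (visible_files(image, table), carve_unallocated(image, table))
    write_file(image, table, b"MEMO new file reuses freed block")
    after = (visible_files(image, table), carve_unallocated(image, table))
    return before, after
```

`demo()` returns the visible and carved files first just after deletion (nothing visible, ledger carvable) and then after the freed block has been reused (memo visible, ledger gone), which is why imaging a seized disk before any further writes matters.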
The computer forensic investigation provided the organisation with sufficient information to approach the suspect and successfully prosecute. The information collected adhered to ACPO guidelines and was retrieved in a forensically sound manner, so that it was entirely admissible in court.