Who Watches the Watchers?

“Wow, You Must See Some Interesting Things…”

Almost without fail, when someone hears that we do digital forensic investigations, the first thing they say is, “Wow, you must see a lot of really interesting things.”

Truth is, most day-to-day investigations aren’t exactly riveting in the way people imagine. Sure, we regularly uncover actionable artifacts that make or break cases: everything from incriminating spreadsheets to emails that should never have been sent. We also come across more than our share of graphic images (some fascinating, some downright cringe-worthy). But those true “you’ve-got-to-hear-this” moments are rare.

Every so often, though, a case lands on our desk that hooks us with all its twists and turns. And they often start the same way: with someone else trying to solve the problem first, and failing.


A Case of False Alarms and Foul Play

A few years back, we were called in by a refinery. They were facing repeated false alarms in their access control system. Now, for most businesses, an occasional alarm is a nuisance. At a refinery, it’s a very different story. Each alarm event was shutting down a critical part of their operation, causing ripple effects that quickly turned costly.

The usual troubleshooting had already been done. Sensors were tested, doors checked, malfunctions ruled out. Still, the alarms kept coming. The facility’s internal security team was stumped.

Notably, their contract with an outside security guard firm was up for renewal. The client had already decided not to renew because of generally lackluster service: just good enough to avoid the contract’s breach clauses, but far from satisfactory. Ironically, one of the guards’ remaining duties was to help figure out these alarm issues before they wrapped up.


Enter Digital Forensics

Looking for an out-of-the-box approach, we decided to see what the computers might reveal. There were two client-owned machines routinely used in the office staffed by the contract guards. We forensically imaged both and began combing through them.

At first? Nothing. No smoking-gun emails, no obvious ties to the alarms. But we weren’t done.

Digging deeper, we found remnants of a program called Evidence Eliminator, an old anti-forensics utility designed to wipe traces of user activity from a computer. That was intriguing, but still not a direct connection to the alarms.

We kept at it. Zeroing in on the date of the last alarm, we ran targeted keyword searches for that date, written out in the various formats a log or URL might use, across the unallocated space of the drive. That’s when we finally struck gold: buried logging information that pointed to visits on that exact day to a little-known website tied to the alarm monitoring system.
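The kind of search described above, as an added example and not the original post’s or the firm’s own tooling: given one calendar date, it generates the common textual forms of that date, encodes each as ASCII and as UTF-16LE (Windows registry and MRU strings are usually wide), and scans raw bytes for them, reporting offset, encoding and surrounding context. It also shows the chunked reading a real image needs, with an overlap so a hit straddling two chunks is not missed. The “unallocated space” blob, the hostname and the log lines in it are constructed for the example.

```python
"""Keyword search for one calendar date, in its common textual forms and in
both ASCII and UTF-16LE, across raw (unallocated) disk bytes. Added example."""
import io
from datetime import date

MONTHS = ("January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")


def date_variants(d: date) -> list[str]:
    """Common renderings of one date as they turn up in logs, URLs, filenames
    and registry/MRU strings, longest first."""
    y, m, dd = d.year, d.month, d.day
    mon = MONTHS[m - 1]
    forms = {
        f"{y:04d}-{m:02d}-{dd:02d}",        # 2019-03-14   ISO 8601 / most logs
        f"{y:04d}{m:02d}{dd:02d}",          # 20190314     compact, filenames
        f"{m:02d}/{dd:02d}/{y:04d}",        # 03/14/2019   US, padded
        f"{m}/{dd}/{y:04d}",                # 3/14/2019    US, unpadded
        f"{m:02d}/{dd:02d}/{y % 100:02d}",  # 03/14/19     US, two-digit year
        f"{dd:02d}/{m:02d}/{y:04d}",        # 14/03/2019   day-first
        f"{dd:02d}.{m:02d}.{y:04d}",        # 14.03.2019   dotted
        f"{mon[:3]} {dd}, {y:04d}",         # Mar 14, 2019
        f"{dd} {mon[:3]} {y:04d}",          # 14 Mar 2019
        f"{dd}-{mon[:3]}-{y:04d}",          # 14-Mar-2019
        f"{mon} {dd}, {y:04d}",             # March 14, 2019
    }
    return sorted(forms, key=len, reverse=True)


def _raw_hits(blob: bytes, variants, base: int = 0, context: int = 24):
    """Every occurrence of every variant, in ASCII and UTF-16LE. Offsets are
    shifted by `base`, the absolute position of blob[0] in the image."""
    for text in variants:
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            i = blob.find(needle)
            while i != -1:
                ctx = blob[max(0, i - context): i + len(needle) + context]
                yield {"offset": base + i, "length": len(needle), "pattern": text,
                       "encoding": enc, "context": ctx}
                i = blob.find(needle, i + 1)


def _dedupe(hits) -> list[dict]:
    """Sort by offset and drop any hit that lies inside an earlier, longer hit
    (e.g. '3/14/2019' inside '03/14/2019') or is an exact duplicate."""
    kept, max_end = [], -1
    for h in sorted(hits, key=lambda h: (h["offset"], -h["length"])):
        end = h["offset"] + h["length"]
        if end > max_end:  # every kept hit starts at or before h, so this is containment
            kept.append(h)
            max_end = end
    return kept


def search_date(blob: bytes, d: date) -> list[dict]:
    """Search an in-memory byte blob, e.g. extracted unallocated clusters."""
    return _dedupe(_raw_hits(blob, date_variants(d)))


def search_stream(f, d: date, chunk_size: int = 64 * 1024 * 1024) -> list[dict]:
    """Search a raw image in chunks. Each chunk is prefixed with the tail of the
    previous one (as long as the longest needle), so a match straddling a chunk
    boundary is still seen; duplicates from the overlap are removed."""
    variants = date_variants(d)
    overlap = max(len(v.encode("utf-16-le")) for v in variants)
    hits, tail, pos = [], b"", 0
    while True:
        data = f.read(chunk_size)
        if not data:
            break
        buf = tail + data
        hits.extend(_raw_hits(buf, variants, base=pos - len(tail)))
        pos += len(data)
        tail = buf[-overlap:]
    return _dedupe(hits)


def search_file(path: str, d: date) -> list[dict]:
    with open(path, "rb") as f:
        return search_stream(f, d)


def search_chunked(blob: bytes, d: date, chunk_size: int) -> list[dict]:
    """search_date driven through the chunked reader, to exercise the overlap."""
    return search_stream(io.BytesIO(blob), d, chunk_size)


def render(h: dict) -> str:
    """One-line summary; non-printable context bytes are shown as '.'."""
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in h["context"])
    return f'0x{h["offset"]:08x} {h["encoding"]:9} {h["pattern"]!r:18} {printable}'


# Constructed sample of "unallocated space": filler bytes with a few log
# fragments buried in them. Not a real image; the hostname is made up.
TARGET_DATE = date(2019, 3, 14)
SAMPLE_UNALLOCATED = (
    b"\x00" * 64
    + b"GET http://alarm-test.example/trip?zone=7 HTTP/1.0\r\n"
    + b"\xff" * 40
    + b"[2019-03-14 22:40:58] dial-up connection established\r\n"
    + b"\x00" * 32
    + b"Mar 14, 2019 22:41:07 zone 7 trip acknowledged\r\n"
    + b"\xde\xad" * 16
    + "03/14/2019 alarm-test.example".encode("utf-16-le") + b"\x00\x00"  # wide MRU-style string
    + b"\x00" * 32
    + b"2019-03-13 09:00:00 shift change\r\n"  # the day before: must not match
)

if __name__ == "__main__":
    for hit in search_date(SAMPLE_UNALLOCATED, TARGET_DATE):
        print(render(hit))
```

Against a real case the input would be the unallocated space carved out of the image (for instance with The Sleuth Kit’s `blkls`) passed to `search_file`, and the output is a list of leads, not proof: a date string near a URL fragment still has to be corroborated by other artifacts, which is what the rest of this investigation did. Note that a date alone does not identify the site; the URL or hostname in the surrounding context does, which is why each hit carries its context bytes.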


The Hidden Back Door

Turns out, this was a rudimentary, beta-stage website with the ability to “trip” alarms remotely for testing. Hardly anyone outside the alarm station knew it even existed. Unfortunately for our client, one of the contract guards not only knew about it, he was friends with someone at the station.

Even more interesting, the client’s network proxy logs showed no record of the computer ever visiting this site. That’s because the guard had installed a modem in the computer. The machine was still fully connected to the client’s secure network via Ethernet, but for these visits he was dialing out through a completely separate ISP, so the traffic never passed through the proxy or any other internal control. A host with two network paths is only as monitored as its least-monitored path.


Evidence Eliminator? Not Quite.

Further forensic work confirmed the guard used dial-up to reach the site, trigger alarms, and avoid detection. And while the Evidence Eliminator software tried its best to cover his tracks, it couldn’t erase everything. There were still enough artifacts left to piece the story together.

Armed with our findings, the client confronted the guard company. They couldn’t refute the evidence. The contract was terminated on the spot. The client was also compensated for the investigation’s costs, and spared future headaches.


Why It Matters

It’s worth mentioning: although Evidence Eliminator itself is now defunct, plenty of similar tools exist today, such as CCleaner or BleachBit. They’re marketed as a way to “clean up” a system, and they do remove the well-known artifact locations they were written to target. What they don’t reliably remove is everything else: fragments left in unallocated and slack space (free-space wiping is an optional, slow extra step that is often skipped), copies held in logs on other systems (the proxy logs in this case were clean only because the traffic bypassed them), backups, and the traces the cleaning tool itself leaves behind, which are often the first sign that someone had something to hide. As we’ve shown time and again, even when someone tries hard to scrub away incriminating evidence, it’s awfully difficult to truly wipe a drive clean.


As always, we’ve left out names and unnecessary details to protect our client’s confidentiality.

About Swailes Computer Forensics

Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.

If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.