How It Started: Not Your Typical Digital Case
This week brings another story from our archives. Unlike most of our digital investigations, this one began with a traditional business investigation.
Our client needed help looking into an employee’s claim of a personal injury that allegedly happened on company property during work hours. The employee insisted they were properly using a piece of equipment when it suddenly failed, blaming “faulty equipment” and pointing to the company as responsible.
What stood out to our client was that there were no witnesses, despite this employee typically working alongside several others. Naturally, they checked the CCTV footage, but found nothing to support the claim. Still, something about the digital video recording (DVR) system didn’t sit right with them.
Digging Deeper: A Look Inside the DVR
The client wanted to exhaust all avenues, so we were brought in to examine the DVR itself. Many DVRs are essentially specialized computers with large-capacity hard drives to store video. This one was no different.
We forensically imaged the device, using a write-blocker to protect the original data, and then indexed and rebuilt its file tables, carving the drive to look for any video files beyond what the DVR interface showed.
Unfortunately, we quickly discovered the timeframe of the alleged incident was just outside the DVR’s retention window. The DVR was set up to overwrite itself at roughly 40 days, and we were too late for the footage. Or so it seemed.
A New Trail: Connection Logs Tell a Story
While combing through the DVR, we found something else: logs showing computers that had connected to the DVR, and these logs extended beyond the 40-day overwrite limit.
Roughly half a dozen machines (actually seven) had remotely connected to it. The catch? All connections were made under the same generic admin account (literally named “Admin”). So, we couldn’t see what was done or by whom.
Tracking Down the Machines (Without Raising Suspicion)
The only clues we had were IP addresses. So we carefully audited computers in the business to figure out who typically used which machine.
To avoid alerting anyone, just in case an employee was involved, we worked discreetly and in concentric circles, checking different computers in waves so it didn’t disrupt operations or tip off anyone we might later need to question.
Management’s gut feeling helped us narrow the focus to two computers worth a deeper look. We created forensic images of both.
What We Found on the Computers
Computer 1
This machine had definitely connected to the DVR. We found a substantial amount of video content downloaded from it, but none of it covered the date in question, nor did it reveal anything useful for the investigation.
Computer 2
This machine was suspiciously clean. No DVR video, no internet history at all. That’s usually a red flag. Digging further, we discovered the computer had recently been “cleaned” with CCleaner, a tool that deletes cache files, logs, and browser history.
The good news? It hadn’t been used to overwrite or wipe files. That meant we still had a chance to carve unallocated space and look for leftover data.
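To show what carving for video in unallocated space involves, here is an added example (not code or tooling from this case) that scans a raw image for video container signatures and reports whether each hit is a whole file or a fragment. The MP4 and AVI formats, the box allow-list, and the sample bytes are assumptions; the post does not name the DVR's video format.

```python
import re
import struct

# Signatures for two container formats (assumed; the page does not name the DVR's format).
SIG = re.compile(rb"(?P<avi>RIFF.{4}AVI )|(?P<mp4>.{4}ftyp)", re.DOTALL)
# Top-level MP4 box types accepted while walking a candidate (assumed allow-list).
MP4_BOXES = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"moof", b"uuid"}

def mp4_extent(buf, start):
    """Walk top-level boxes from an ftyp box; return (end_offset, complete)."""
    pos, seen = start, set()
    while pos + 8 <= len(buf):
        size, kind = struct.unpack_from(">I4s", buf, pos)
        if kind not in MP4_BOXES or size < 8:   # also stops on 64-bit/open-ended sizes
            break
        if pos + size > len(buf):               # box runs past the image: truncated
            return len(buf), False
        seen.add(kind)
        pos += size
    return pos, {b"moov", b"mdat"} <= seen      # playable only with index and media

def avi_extent(buf, start):
    """Trust the RIFF length field; complete only if that many bytes exist."""
    end = start + 8 + struct.unpack_from("<I", buf, start + 4)[0]
    return min(end, len(buf)), end <= len(buf)

def carve(buf):
    """Return (kind, start, end, complete) for each candidate video in a raw image."""
    hits, last_end = [], 0
    for m in SIG.finditer(buf):
        start = m.start()
        if start < last_end:                    # signature inside an earlier carve
            continue
        extent = avi_extent if m.lastgroup == "avi" else mp4_extent
        end, complete = extent(buf, start)
        if end - start >= 16:                   # drop bare signature false positives
            hits.append((m.lastgroup, start, end, complete))
            last_end = end
    return hits

def box(kind, payload=b""):
    """Build one MP4 box: 4-byte big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def sample_image():
    """Constructed stand-in for unallocated space: one whole MP4, one overwritten tail."""
    ftyp = box(b"ftyp", b"isom\x00\x00\x00\x00")
    whole = ftyp + box(b"moov", b"M" * 32) + box(b"mdat", b"V" * 64)
    frag = ftyp + struct.pack(">I4s", 4096, b"mdat") + b"V" * 40
    return b"\x00" * 100 + whole + b"\xff" * 50 + frag
```

Hits flagged as incomplete are the fragment case: a header survives but part of the file has been overwritten or was never contiguous, which is typical of pagefile and unallocated-space recoveries.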
The Breakthrough: Finding the Smoking Gun
We turned to carving the drive, especially its pagefile and unallocated space, looking for video files. We uncovered hundreds of video fragments. About two-thirds through the review, we hit the jackpot:
Video showing the employee jumping up and down on the equipment after hours, clearly misusing it in a way that led to damage. Shortly after, another video showed the same employee, apparently after the incident, with no one else around.
This was exactly what our client needed.
The Conclusion: Technology Always Leaves a Trail
With the evidence in hand, management interviewed the employee and got the real story. The worker had planned to damage the equipment so they wouldn’t have to work, hoping to still get paid. But in the process, they slipped and actually hurt themselves. Seeing a bigger opportunity, they decided to try for a bigger payout by claiming the equipment was faulty.
Fearing the cameras had captured the stunt, they worked with a friend who had DVR access to delete the footage. What they didn’t realize was that simply viewing the video on another computer left enough artifacts behind for us to recover it.
In the end, the employee’s claim was denied, and both individuals were terminated.
A Last Word: Why We Love Digital Evidence
This case perfectly illustrates how technology intertwines with nearly everything we do, and how many people don’t understand the depth of the footprints they leave behind.
Fortunately for our clients, there’s almost always digital evidence somewhere, often invisible to the person trying to cover their tracks. And that’s why we love what we do.
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.
If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.