No Video Evidence? No problem.

22 June 2015 by Adrienn Toth

Computer forensics as a technical specialism is logical, precise and rigorous. The majority of cases we handle are very specific and clear cut, for example, proving a former employee has stolen data. Sometimes, however, clients come to us because of a feeling that something isn’t quite right in their businesses and we are asked to perform a more general forensic analysis. In both cases, Kroll Ontrack’s forensic examination can reveal surprising insights into the activities of a company’s employees that would not have been discovered were it not for forensic analysis.

A recent case handled by the CF team shows how a thorough forensic examination can not only prove client suspicions but also expose larger and previously undetected wrongdoing.

Meet our client

Our client runs a chain of ten retail stores. It is an established family business, with key roles usually filled by family members and trusted friends. Our client spoke warmly of the close-knit working environment within the stores and at the head office. However, after years of consistent growth, they noticed a slump in turnover from a couple of their stores.

Anecdotally, cashiers had assured management that the stores seemed just as busy as before and so were perplexed by the decreased income but till rolls don’t lie?

Our client, despite being faced with hard evidence that takings were down, had faith in the accounts given by his cashiers over the hard evidence from till records. He decided to visit the stores to see if he could get to the bottom of the missing funds.

On his tour of the shops, he visited one on a Saturday. Just as the cashiers had said, the shop was incredibly busy with plenty of paying customers. Yet when the evening came and the till was balanced, the numbers didn’t add up.

Increasingly suspicious, our client decided to check the EPOS (electric point of sales) system and discovered that many records had been deleted. This was something that a cashier would not be able to do and so our client knew that the culprit was someone with technological knowledge and access to the EPOS system. Next he decided to check to CCTV to see if he could identify cash being removed from the tills. However, the CCTV had been switched off for days at a time with the only footage being of an IT contractor entering and leaving the room.

Time to call in the experts

The client came to us initially asking us to investigate EPOS records and submitted the laptop used by the IT contractor for forensic imaging.

Our team of forensics experts was able to uncover 500 logins to the EPOS systems over a six week period. During these login periods transactions had been remotely deleted.

Digging deeper

The contractor’s laptop was further examined by Kroll Ontrack’s forensic team who uncovered some surprising evidence that not only confirmed the guilt of the contractor but also revealed even bigger crimes.

Like many overconfident or perhaps ill-informed crooks, the contractor had used the laptop to back up his personal mobile. Armed with this potential source of evidence our team got to work examining the mobile phone’s Internet history, emails and WhatsApp messages.

Using key word searches such as ‘cash’, ‘borrowing’ and ‘lend’, we uncovered messages showing that the contractor was having financial problems and as well as stealing money from the till he had been engaging in fraudulent activities.

Messages revealed he had set up a fake company, complete with a logo designed by a friend, using an account number and sort code that matched his wife’s bank account. This company had invoiced our client for thousands of pounds, processed and approved by a woman in finance who, tellingly, had sent photographs of an adult nature to the contractor.

The value of digital forensics

Without computer forensics, our client might have been able to prove the theft of cash from the till via eye witness testimony or additional CCTV footage but it is unlikely that the invoicing scam would have been uncovered as quickly potentially costing our client thousands more pounds.

This case is now going through the Courts and our client will hopefully be able to recoup some of his losses. But perhaps most importantly, the client’s business is running back to normal and thanks to the power of digital forensics, the fraudulent acts were uncovered quickly enough to minimise extended loss of income.