The problem

D-Co. had been subject to a takeover and the new directors were not on good terms with the previous directors. In fact, the relationship had broken down to such an extent that the new directors decided to bring a private prosecution against the old directors, alleging various types of misconduct, fraud and other unpleasantness.

Our involvement

We were called in by the old directors' solicitors to carry out an independent examination of the company's critical database. This contained customer details, order records and financial data. The new directors were alleging that the data showed that the old directors had been running the company in a very peculiar way. The new directors had instructed a digital forensics firm to examine the database for them and had produced several entries from the database which appeared to back up their allegations.

Fortunately, the digital forensics firm instructed had followed good practice and taken a complete image of the hard disc, rather than just a copy of the database. As soon as we started to examine the hard disc filesystem that contained the database, we noticed some discrepancies in timestamps as well as multiple copies of the database in question.

It looked like something unusual had happened to the hard disc prior to our involvement, so we started asking questions.

Eventually it became clear what had happened. Shortly after the takeover, the "server" which held the database had become infected with malware (a nasty little virus). The new directors had called in their IT support company to clean it up - a process which took about a week and which resulted in every file on the hard disc having a changed timestamp. 

After the clean-up, one of the new directors had taken the server home for safety and held it there for a couple of weeks before handing it over to the digital forensics firm for examination.

Unfortunately, there was absolutely no record of what this new director had done with the server while it was in his custody, and the IT support company couldn't give a detailed history of their actions either.

The problem

(well, the problem for the new directors really).

Effectively, there was a three-week period where the history of the server was completely unknown. The director bringing the case had had access to the database during that time and nobody had a record of what had happened to the server while it was in his custody. It was entirely possible that he had modified the database to support his allegations before handing it over to the professionals for examination.

The only thing anyone could be sure of was that the data on the drive was present on the day it was handed over to the other digital forensics firm. Nobody could be sure where any of it had come from, or who had put it there, or when. The presence of multiple copies of the database, in different places on the drive, only served to add to the confusion as nobody could be absolutely sure which one was the real thing.

Our opinion

Given the possibility for tampering, and the lack of continuity/chain of evidence during the clean-up of the server and its sojourn in the new director's home, we believed that the data could not be relied upon. The judge agreed and dismissed the case against the old directors.

Cost to the client?

About 4 days of our time - but it saved their reputation and future careers.

The moral of the story

It doesn't matter how good your evidence looks: if you can't show how it came to exist, it's worthless.

Now would be a good time to read some of our guides on notes and continuity.

If you have a similar problem, please contact n-gate ltd. now.