Chapter 17. Close Quarters

JOHN P. GRANCARICH

Imagine that your company is conducting an internal investigation into an employee's alleged access to prohibited Internet Web sites. One worker has filed a sexual harassment claim against another, and counsel has instructed a computer forensics examiner to determine if the allegations are true. The examiner visits the company's office after business hours, creates a forensic image of the suspect's computer and performs an analysis back at the lab; he finds that the allegations are true and the suspect did access inappropriate and prohibited Internet Web sites over an extended period of time. The case seems open and shut — but is it?

The practice of computer forensics, a unique hybrid of legal knowledge and computer science, is undergoing remarkable growth and facing tremendous challenges. New software, new technologies and more creative attacks and intrusions often leave the computer forensics examiner one step behind, constantly playing catch up and having to perform research quickly to follow the particulars of the investigation in progress. If we also factor in that many computer examiners are not investigators or fraud examiners by training, we begin to understand the enormous burdens that this new breed of professional faces with endlessly creative fraudsters and criminals.

This leaves us with the question of what we should reasonably expect a computer forensics examiner, or any investigator for that matter, to achieve in a scenario such as the one outlined at the beginning of the chapter. Should we expect the investigator to confirm or refute the allegations at hand and do no more? Or is it his or her responsibility to exercise professional skepticism and question what he or she finds and press further, perhaps even attempting to disprove his or her case theory? Part of the answer to this question lies in what those findings are. And as we will see from this case, things are not necessarily what they seem when it comes to Internet-related investigations.

Polar Opposites

Alan Merseaux lived the good life. Born into privilege and an only child, he bounced around Europe as a young boy while his businessman father moved the family around, making his way up the corporate ranks in the financial services industry. It was a thrilling way to live for young Alan, and he was enamored with this seemingly random yet exciting way of life. He developed a reputation as a bon vivant when he hit his teenage years, fond of parties and indulging in an impulsive and aimless lifestyle. Living in Paris one year and Berlin the next, the possibilities seemed endless.

When Alan was in his early twenties his parents divorced. His father stayed in Europe while Alan and his mother moved to California to be closer to her family. The divorce was difficult on Alan and left him feeling like the rug had been pulled out from under him. What happened to the good life? California seemed boring compared to Europe, and he was not particularly fond of Americans to begin with. "So typical," he would think when his new countrymen would do something he didn't approve of. Nevertheless, he needed to find work and enjoyed tinkering with technology and electronics. With some experience in computers under his belt from his years at university and a connection made through his father, Merseaux landed a job as a computer systems analyst at Meridian Technologies. It was something to do and a way to make some money. Sharing office space with him at his new job was Eddie Walters.

In contrast to Alan, Eddie had lived a life of hardship and challenge. Eddie's father left the family when Eddie and his two younger brothers were young. Being the oldest child left Eddie in the man's role in their house. He started working early in life to help his mother make ends meet. A high-school teacher noticed Eddie's talent at taking things apart and putting them back together in shop class and suggested he learn about computer repair. He did just that, and over several years developed his skills in various technical jobs into a full-time position as a systems analyst at Meridian. He could help his family; he couldn't be happier with the turn his life had taken. Alan and Eddie came from two different worlds and neither could predict how their paths would cross and set off an unpredictable chain of events.

Meridian Technologies began as a two-employee computer-repair shop in Los Angeles in the 1980s. Started by college dropouts, Meridian had the good fortune to be in the right industry at the right time and it grew by leaps and bounds. It provided services ranging from systems administration and technology outsourcing to software development and programming. A few years later, Meridian had grown out of its original space on a nondescript street and moved to a larger and more prestigious location in the central business district of Los Angeles. It had 375 employees and counted as its clients many of LA's premier companies.

A Disturbing Claim

Jon Randall, Meridian's director of human resources, was sitting in his office the afternoon of June 18th poring over staffing reports when he heard a knock. Looking up, he saw Alan Merseaux standing at the door.

"Hey, Alan, what's going on?"

"I need to talk to you about something."

"Sure, come on in and have a seat. Close the door behind you." Randall had been in this position for several years and had a finely tuned antenna for when something was up.

After both of them were seated, Alan began talking. His speech was slow and deliberate.

"For the last several months, Eddie has been going to porn sites and watching these graphic videos in the office. He looks at pictures on these Web sites too. I've tried to ignore it, but it's really getting to me. I asked him to stop a bunch of times and he just continues. I sit in the same cube as him, back to back, in the locked server room so even though I can't always see it when he's doing it I can hear it. I can't sleep at night, I feel sick and nervous when I'm here and I can't concentrate on my work anymore."

Randall looked at him and thought there might be something more. "Alan, is there anything else you want to tell me?"

Alan sighed. "Two days ago he physically assaulted me in the office after I asked him again to stop. I feel very threatened, Jon."

Randall listened intently and then, with Alan still in the office, he called Tim Metzger, Meridian's in-house counsel. Metzger came in a few minutes later and joined the conversation. He asked difficult questions, sensitive questions, and heard what Alan had to say.

"Does anyone else work with the two of you in the server room? To your knowledge is anyone else aware of this?"

"No, it's just us, and I don't think anyone else knows about it. I didn't want to talk about it with anyone."

Metzger found the allegations extremely troubling — in addition to the physical and emotional toll these events were taking on Alan, if true, they would constitute harassment and potential liability for Meridian. In accordance with Meridian policy, Alan was immediately granted paid leave. After Merseaux left, Metzger and Randall were quiet for a few moments.

"We need to investigate this thoroughly," began Metzger. "If Eddie Walters is doing what Alan says he's doing we have a serious problem that needs to be addressed now. Who do we use to investigate a sensitive matter like this?"

Randall picked up the phone and began to dial.

Long-Distance Sleuthing

I was sitting in my office in New York late one afternoon when my phone started ringing. I looked at the display and saw it was Jon Randall. He only called me when there was a problem — as Meridian's resident corporate investigator, I was often tasked with conducting internal investigations and computer examinations. Randall explained the situation at Meridian's West Coast office, and I knew it was right up my alley. After getting the background on the situation I realized I had two immediate challenges: I needed to have Eddie's computer forensically imaged as soon as possible — it was getting late in the day — and the hard drive was 3,000 miles away.

After calling around a bit I found a trusted partner who could do the forensic imaging that night. I consulted with Randall and Metzger and decided to have Alan's computers forensically imaged, too. The reason is simple: When dealing with a claim such as Alan's, there was no way to determine at the beginning of an investigation what really happened. It was my job to preserve and gather the available evidence and reconstruct the events using that evidence.

While the forensic examiner was on-site imaging the computers, I worked with other internal resources at the company to preserve copies of server e-mails, e-mail backups, Internet proxy server logs and personal data on the network for further analysis. I was building my universe of information to work with.

The investigation was fast paced from the start, and too much for one person to do effectively. Plus the hard drives were on the other side of the country. The forensic examiner processed the image of Eddie's computer first while I developed an investigation methodology. I started by preparing the following for analysis: Eddie's Internet browsing history, cached images from his Internet activity and user-created folders in the event that he was saving files to his computer. It was a logical place to start and would relate directly to the claim.

I struck investigative gold right away. A review of images cached from the Internet revealed a substantial number of pornographic images viewed under Eddie's user account and of the type Alan had indicated in his complaint. There were also video files. On its face, the evidence supported Alan's allegations. But should I stop my investigation there? There were two ways to interpret these findings:

  1. Eddie downloaded prohibited images and videos to his computer.

  2. There were prohibited images and videos on Eddie's computer, but we did not have enough information to determine who put them there.

Role Reversal?

How can the second option be plausible if the information was located in Eddie's user account? I stepped outside of the digital realm for a moment and considered the physical layout of the work area and recalled that there were only two employees in a secured area — Alan and Eddie. Before coming to Randall about it, Merseaux alleged that Walters had been viewing prohibited material for several months. I thought about this point carefully; the time frame seemed too long to me. Why didn't he come forward at three months? Or at one month? If Alan felt harassed several months in, wouldn't he have felt harassed much earlier and come to Randall? Something didn't add up. I discovered another odd fact: Dozens of Alan's personal Yahoo! e-mails were cached on Eddie's hard drive. Eddie had also reimaged his own computer on the same day that Alan made the claim against him.

By then it was the next morning, and a long first night of work was behind me. I sat in my office and thought about what had happened up to that point. How did Alan's e-mails get on Eddie's computer? Was Alan using Eddie's computer to download the illicit materials? How credible was Alan? The pieces weren't fitting together yet and, after consulting with Randall and Metzger, we decided to examine Alan's computer as well. I continued to dig into Eddie's data while I readied myself for the results from Merseaux's. I didn't know what to expect.

The West Coast examiner called me later that day with some preliminary information. Given the serious nature of Alan's allegations against Eddie, I was more than a little surprised to hear the examiner tell me three very important and troubling pieces of information:

  1. Alan's Internet browsing history indicated that Alan himself had visited various pornographic Web sites over a period of several months.

  2. His hard drive had also been reimaged on the day he made the claim against Eddie.

  3. A keystroke logger was installed on Alan's computer.

Things had just become a lot more complicated. I needed to assess what evidence I had and synthesize it into a chronology to move the investigation forward. The challenge was that the evidence I had at that point — all of it electronic — left me with gaping holes as to what was really occurring and I couldn't build a story without filling in some of those blanks. Alan's claim did have some merit, but now his credibility was questionable too. There were too many important concerns unanswered. I needed to broaden the scope of the investigation and put the key players in place and time. I continued to picture the physical area they both worked in, with access restricted to just the two of them, and my mind raced with the possibilities.

A Fruitful Harvest

My next step was to circle back to the recovery and harvesting phase of the investigation to identify and pull together various sources of evidence to build my case. For this second round I focused on the following:

  • Domain controller logs, which would tell me who was logged into each computer and when

  • Video of the public areas in the company that would help me track Alan's and Eddie's movements

  • Floor plans of the office to help me get a sense of what the space looked like

  • Access key records to various floors, offices and secure areas

  • Interviews of Randall and Metzger

The ultimate goal was to separate what we knew and could prove from what we did not know. Once I had the second round of evidence in hand, the pieces began to fall into place more quickly. I started with the physical security access logs to determine where each person was at various times and what doors they passed through during the day. In his discussion with Randall and Metzger, Alan stated that Eddie physically assaulted him in the server room for nearly 30 minutes, between 5:00 and 5:30 PM. My analysis of the physical access logs, however, showed that while Alan was in the server room from 5:00 to 5:30 PM, Walters was only there for five minutes.

I next looked at the domain controller logs for Alan's computer for the day of the alleged assault. When a computer is part of a Windows domain, the domain controller's logs yield a chronology of logins for that particular computer. (A Windows domain is a group of computers running the Windows operating system that authenticate against a central directory database. This directory contains the user accounts and security information for the members of the domain. In a domain, the directory resides on a computer that is configured as a "domain controller," a server that responds to security authentication requests. Each request it answers is written to the domain controller's security event log together with the account name and the workstation the request came from, so filtering those events by workstation shows who logged on to that machine and when. Logons with purely local accounts never reach a domain controller and must be read from the workstation's own event log instead.) The records on Alan's log showed that Eddie logged into Alan's computer twice on the day of the alleged assault. What was he doing? To find this out I merged data from the physical access logs, domain controller logs and the Internet history to show that Eddie had logged in to Alan's computer using his own account, run various searches for and installed keylogging software and then logged off Alan's computer. The keylogging software would capture Alan's keystrokes and save them to a file that Eddie could access later.
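The merge described above, as an added example that is not part of the original chapter or the author's tooling: it folds badge-reader records, domain controller logon events and browser history into one sorted timeline and then runs the two checks this case turned on, how many minutes two people were in the same secured zone at once, and which logons were made by an account that is not the workstation's assigned owner. A third check flags logons by an account whose holder was not badged into the zone at the time. All records, account names, workstation names and the owner map are constructed sample data (loosely patterned on the narrative, not the case's actual logs), and the code assumes that badge-holder IDs match domain account names.

```python
"""Unified timeline from physical-access, domain-controller and browser records.

All data below is constructed sample data for illustration, not evidence from
the case. Assumption: badge holder IDs are the same strings as domain accounts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(order=True)
class Event:
    ts: datetime
    source: str   # "badge", "dc" or "web"
    actor: str    # badge holder, domain account or browser profile
    detail: str


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


# Constructed badge-reader records: (timestamp, holder, zone, direction)
BADGE = [
    ("2007-06-16 17:00", "amerseaux", "server_room", "in"),
    ("2007-06-16 17:10", "ewalters",  "server_room", "in"),
    ("2007-06-16 17:15", "ewalters",  "server_room", "out"),
    ("2007-06-16 17:30", "amerseaux", "server_room", "out"),
]
# Constructed domain controller logon/logoff events (what the DC security log
# records per authentication request): (timestamp, account, workstation, kind)
DC = [
    ("2007-06-16 17:11", "ewalters",  "WS-AMERSEAUX", "logon"),
    ("2007-06-16 17:14", "ewalters",  "WS-AMERSEAUX", "logoff"),
    ("2007-06-16 17:16", "amerseaux", "WS-AMERSEAUX", "logon"),
    ("2007-06-16 18:05", "ewalters",  "WS-EWALTERS",  "logon"),  # no badge entry
]
# Constructed browser-history rows: (timestamp, workstation, profile, entry)
WEB = [
    ("2007-06-16 17:12", "WS-AMERSEAUX", "ewalters", "search: keylogger download"),
]
# Assumed asset inventory: which account each workstation is assigned to
OWNER = {"WS-AMERSEAUX": "amerseaux", "WS-EWALTERS": "ewalters"}


def build_timeline(badge, dc, web):
    """Normalise the three sources into Event objects sorted by time."""
    events = [Event(parse(t), "badge", who, f"{zone} {d}") for t, who, zone, d in badge]
    events += [Event(parse(t), "dc", acct, f"{kind} {ws}") for t, acct, ws, kind in dc]
    events += [Event(parse(t), "web", prof, f"{ws}: {what}") for t, ws, prof, what in web]
    return sorted(events)


def presence_intervals(badge, zone, holder):
    """Pair each 'in' swipe with the next 'out' swipe for one holder in one zone."""
    intervals, start = [], None
    for ts, who, z, d in sorted(badge):          # ISO timestamps sort lexically
        if who != holder or z != zone:
            continue
        if d == "in":
            start = parse(ts)
        elif d == "out" and start is not None:
            intervals.append((start, parse(ts)))
            start = None
    return intervals


def copresence_minutes(badge, zone, a, b):
    """Whole minutes during which holders a and b were both inside zone."""
    total = timedelta()
    for a0, a1 in presence_intervals(badge, zone, a):
        for b0, b1 in presence_intervals(badge, zone, b):
            lo, hi = max(a0, b0), min(a1, b1)
            if hi > lo:
                total += hi - lo
    return int(total.total_seconds() // 60)


def foreign_logons(dc, owner):
    """Logons where the account is not the workstation's assigned owner."""
    return [(ts, acct, ws) for ts, acct, ws, kind in dc
            if kind == "logon" and owner.get(ws) != acct]


def logons_without_badge(dc, badge, zone):
    """Logons whose account holder had no badge presence in zone at that moment."""
    flagged = []
    for ts, acct, ws, kind in dc:
        if kind != "logon":
            continue
        t = parse(ts)
        if not any(s <= t <= e for s, e in presence_intervals(badge, zone, acct)):
            flagged.append((ts, acct, ws))
    return flagged


if __name__ == "__main__":
    for ev in build_timeline(BADGE, DC, WEB):
        print(ev.ts.strftime("%H:%M"), ev.source.ljust(5), ev.actor.ljust(10), ev.detail)
    print("co-presence (min):", copresence_minutes(BADGE, "server_room", "amerseaux", "ewalters"))
    print("foreign logons:", foreign_logons(DC, OWNER))
    print("logons w/o badge:", logons_without_badge(DC, BADGE, "server_room"))
```

On the constructed data the two holders overlap in the server room for five minutes, the 17:11 logon to WS-AMERSEAUX by ewalters is flagged as a foreign logon, and the 18:05 logon on WS-EWALTERS is flagged because no badge swipe places its holder in the room. Real badge systems drop swipes (tailgating, held doors), so an "in" with no matching "out" is common; the pairing above silently discards such open intervals, and a production version should report them rather than hide them.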

What about the reimaging of Eddie Walters's computer? A subsequent follow-up call to Randall established that just after Alan Merseaux made his initial claim in Randall's office, Alan, Randall and Metzger went to a conference room on the 14th floor to discuss the matter in detail from 2:00 to 5:00 PM. Eddie's computer revealed that he had reimaged his hard drive during that same time frame. Was this a coincidence, or did Eddie learn about the meeting somehow? A look at the access logs for the 14th floor showed that Eddie visited the floor during Alan's meeting and left via a different exit. He would have passed by the conference room and could easily have seen the meeting in progress.

Regarding Alan's personal e-mails that were found cached on Eddie's computer, it appeared that the keylogging software likely accounted for this. It provided Eddie with access to Alan's Yahoo! e-mail user name and password. Alan's screen name was unique and could be easily searched for online — I thought maybe given his questionable credibility I might find some Internet social-networking activity for him. And I did. Lots of it. He appeared on Web sites such as MySpace, Facebook and multiple dating Web sites. I even found one nude photo of him. I created an account on the Web site and preserved this significant piece of evidence.

His MySpace account was particularly revealing. It was a public profile that anyone could find by browsing through his posted information. I spent some time each morning for the next few weeks monitoring Alan's Internet activity and building a profile of him. Although he claimed physical and emotional distress when he made his complaint to HR, I found comments on his MySpace page that directly contradicted that:

  • "Are you ready to party?"

  • "So where will you be tonight? ... I am your new stalker."

  • "Thank you so much for the wonderful experience of last Saturday night."

  • "We should go and have a blast tonight."

  • "I had a blast with you guys! Where is the next party?"

Photo Finish

Then there was Photobucket.com. It is a Web site that allows users to upload, organize and label their pictures. Users can make their accounts public or private. Again, Alan had created a public site for anyone to see using his Yahoo! e-mail address as the profile name. After he made his claim to HR, he was immediately granted paid leave, and in subsequent follow-up calls Alan reported severe emotional and physical distress caused by the events in the workplace. He had also retained an attorney and was considering filing a claim against Meridian. But his Photobucket page told a different story: It contained a picture of Alan partying at a trendy hotel in New York City a week after his initial complaint, a period during which he was supposed to be in extreme distress.

I compiled the facts against both Alan and Eddie and set up a conference with Randall and Metzger. The evidence made sense and flowed chronologically to me, but I wanted to make sure I could explain any technical jargon in layman's terms. Before presenting a report for review, I asked myself, "If I had no prior experience in this field would I be able to understand this?" I also prepared a timeline that displayed the evidence in chronological order.

What I ultimately presented Randall and Metzger with was a story of two bad apples who, over a period of several months, both viewed prohibited pornographic images and videos from the Internet at the office. Then, for reasons unknown, they became involved in a workplace confrontation that escalated into Walters spying on Alan, and Merseaux filing a fraudulent claim for workplace harassment.

Randall and Metzger interviewed Eddie about what had transpired. The evidence of his Internet activity and his installation of the spyware on Alan's computer was shown to him piece by piece, and he was asked questions about each. (A standard investigative technique is to show evidence to a suspect one piece at a time instead of altogether; this builds psychological pressure.) But Eddie refused to answer any questions in the interview and was let go from Meridian.

Alan ultimately filed his threatened claim against Meridian, asking for several hundred thousand dollars. Meridian responded by showing Alan's attorney what we had gathered: the prohibited Internet usage, the MySpace posts and the picture at the hotel. The evidence clearly refuted his claims of physical ailments and emotional distress. To make the whole sordid episode go away, Meridian made a very low settlement offer to Alan, which he quickly accepted.

Some weeks later Randall was flying coach from Los Angeles to New York. Looking toward the front of the plane he observed a young, stylishly dressed man in first class having drinks and chatting up the other passengers. It was none other than Alan Merseaux, likely spending what was left of his modest settlement on a first-class flight to New York.

So typical.

Lessons Learned

The goal of any investigation is to discover and present the truth, regardless of which side it favors. If the evidence you discover appears sufficient to build your case, would you try to dig further or would you accept your findings at face value? The answer may be, "it depends." This case began as a harassment matter that evolved into a fraud investigation based on Internet use, and both the claimant and respondent turned out to be at fault. Certain characteristics of the case (the several-month period of prohibited Internet use Alan alleged of Eddie, and their close quarters in the server room) were enough for me to question the evidence and conduct further investigation. The investigator's job is to fit the pieces together, to make a whole out of the parts. To do that we cannot jump to conclusions; we must assemble as many facts as we can find into a cohesive story. We need to follow each investigation through to its end, even when we are not sure where the evidence is leading us.

About the Author

John P. Grancarich, CFE, is the Practice Support Manager of Electronic Discovery Consulting at Paul Hastings Janofsky & Walker LLP. He has extensive experience directing and managing electronic discovery and investigative projects on a global scale, including computer examinations, analysis and reporting. He is a Certified Fraud Examiner and an EnCase certified computer examiner.