Response

Any time we have a case involving suspected misconduct by IT personnel, we call it a special case. It is rather challenging to investigate a member of the IT team covertly. We had to think outside the box as to how we would accomplish our task. We eventually came up with a plan we felt would work. The CSO was a retired FBI agent and still had ties to the bureau. We told him that it would not be unusual for him to get a call warning him about the potential compromise of their network or the laptops of the executive staff [who had traveled overseas recently]. We would pretend to be private contractors working for a certain government agency investigating an undisclosed cyber threat. Because of who we were supposed to be and what the agency did, we would pretend that we could not share the details of our investigation with him. According to the plan, we would show up at the location while our suspect was working and had his laptop with him.

Following this strategy, we went into the CSO's office, called the CIO, and carried out an Oscar-worthy performance convincing him of who we were and what we were there to do. The CSO confirmed who we were and told the suspect that he had received the call and knew we were coming. The suspect was initially upset that the CSO did not share any of this with him prior to our arrival, but we convinced him that the CSO was instructed not to share the information with anyone pending our arrival. We asked for the help of the CIO and his staff to gather all laptops belonging to executives who had traveled overseas during the last three months, obviously knowing he was one of them. We forensically imaged a total of 12 laptops as part of the scenario. Carved internet artifacts showed that the suspect was in fact using a web-based interface to log into the CEO's and other executives' emails, among many other things that they were not aware of.

Once we had recovered the proof from his laptop, we returned to the client's location and confronted the CIO with the evidence we recovered from his computer. When he saw the printouts, he admitted to every instance of misconduct we discovered.
