Do you already know your cyber attacker?

In 2003, my company was appointed by a private investigation agency to provide seizure and forensics services. The victim was a highly successful contracts agency (let's call it Contras) that had over the previous few months noticed its business drop off severely.

The downturn began when its offices were burgled. A rather strange robbery which left little physical evidence other than the forcing of a window and the opening of two computers that had their hard drives stolen. Nothing else appeared to have been taken.

At the end of the day following the theft, the founder and MD of the victim agency was advised of the resignation of three key sales staff. At the time, the events were not thought to be related. This was to change.

Within weeks the victim began losing business. A new competitor had entered the market. Strangely, the competitor's business name, Contris, was remarkably similar to the victim agency. The MD made some tentative enquires learning that the founders of the new company were the three recently resigned staff from his agency. He then learned that staff from this new agency had been approaching his customers saying that for unavoidable legal reasons there had been a slight change in company name, and that they would be re-invoiced by the newly named agency. This was clearly underhand and designed to trick customers to transfer their business.

A customer provided him with a new, but familiar-looking invoice which showed that not only were the three former staff poaching clients to a similarly named firm, but that they had also used a very similar company logo.

The MD immediately appointed a private investigation agency and a top London law firm with an impressive reputation in fighting fraud and copyright theft. The lead lawyer we will refer to as Gary Nesmith.

The private investigators rented an office next door to the new agency in West London setting up a fake recruitment company. They quickly befriended the three founders next door, sharing morning coffee and cakes and complementing them on the obvious success of their business. In the evenings, when all three had left their new offices, the investigators engaged in 'dumpster-diving' – exchanging their rubbish for the suspects and taking discarded documents back to their base to analyze with the MD and Gary Nesmith.

It became quickly apparent that many documents were printed output from a database remarkably similar to that used by the victim. This database was developed by the personal commission of the MD some years earlier. Gary Nesmith saw his opportunity and built a file of documents showing transactions entered by the suspects into the stolen copy of the database.

He put this file before a judge and sought a special court order to seize computers and other data processing equipment from the premises of the suspects' new office and from their homes. This order does not enlist Police assistance but uses supervising solicitors appointed by the court. At this point we were called in to assist in the case as forensics experts for the plaintiff.

Not only had Gary Nesmith succeeded in attaining a search and seizure order with his evidence of database theft, he had also managed to convince the judge to make a landmark ruling in UK law. This was to allow under supervision, the experts of the plaintiff, to delete from seized computers any data which belonged to the plaintiff. More on this ruling later.

Although convinced that his decision was correct and the application could not be denied, the judge remarked upon the grant referring to the application as "the most draconian seizure order I have ever had the responsibility to grant." The court appointed supervisors and additional experts to monitor us.

Early one morning we met with the investigator Gary and colleagues from his firm and the supervisors. As former police officers, both the private investigators and ourselves had experience of raid and seizure. We spent time planning the raids, our individual roles relying on existing and real-time surveillance intelligence provided by the private investigators. By midday the premises had been entered, thoroughly searched and any computers seized. Time was of the essence as the order required all initial work was executed on the same day so we went to work forensically imaging six computers, two hard drives and a PDA seized at one home location.

The investigators secured the consent of the suspects to take their computers away and we securely bagged, sealed and recorded each exhibit whereupon they were transported to Gary Nesmith's firm and locked away in a secure cabinet – the cabinet key being taken by the supervising solicitors.

During the next 48 hours we forensically analyzed the images of the seized computer exhibits and discovered the database which we recovered and accessed via a copy of the MDs client application. It soon became apparent that the database was indeed a stolen copy of that developed by Contras as a large amount of static data pre-dated the creation of the new agency and were exact copies of the original system.

In addition we recovered many Microsoft Office documents and document templates, the metadata of which clearly showed the original author to be the MD or one of his employees and the company to be none other than Contras.

At the offices of the London lawyers, we deleted any stolen information from the offenders' computers. Two of the computers booted straight into a database splash screen displaying the unchanged Contras logo!

By this time, the three offenders had admitted to taking copies of data without the knowledge or authority of the owner. The MD demanded compensation of £50k per person and an understanding that he would publish their names with details of the incident in the trade press the following month. The three reluctantly agreed.

This case was significant because there are precedents set in UK law that determine computer data as being that to which the concepts of ownership cannot be ascribed.

Regardless of whether Gary Nesmith had successfully obtained his search and seizure order due to the ignorance or sheer fatigue of the judge, we will never know (Gary had made his application in the early hours of the morning), but it is now a decision written into history which may be used to amend the data ownership precedent. From our point of view, we felt that justice had indeed been served.

A note on the burglary – while everyone acting for the plaintiff was certain the theft of the hard drives had been committed by one or more of the offenders, we could not prove this. The hard drives seized in the raid were probably the same as those stolen, but the MDs agency had never recorded the hard drive serial numbers against those of each host PC (neither had the PC supplier), so the matter remains unsolved. Maybe this is a lesson that can be learnt with the smart use of auditing software.

Neil Hare-Brown is an expert in forensics analysis and co-founder of QCC, a U.K.-based technical surveillance countermeasures specialist

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.