Behind The Wheel: Human tendencies and digital forensic evidence on devices

by Vestige Staff

There is a phenomenon when we are driving our personal vehicles where we as humans enter a state of mind that leads us to believe nobody is really paying attention to us. We eat, play with our phones, shave, pick our noses, apply make-up, sing at the top of our lungs and shake our fists at other lousy drivers. I have even seen someone reading a newspaper that was draped over the steering wheel during my morning commute while they were traveling at 85 MPH. You mean one-way glass was not a part of the deluxe package when I purchased my car? In our cars, we are in a state of mind where our awareness of what others can see is diminished! This human tendency is heightened when we are operating our personal electronic devices.

One could argue that the explosion of the Internet in our lifetime can be partially attributed to the anonymity it provides. There is a certain assumed level of privacy when we are “behind the wheel” of our electronic devices. I was reminded again of this expectation when watching an NBC news clip where a reporter covering the Olympic Games in Sochi, Russia brought a brand new iPad and iPhone along on the trip. The news reporters, along with a security consultant, watched as each of the devices was hacked within a day of being turned on. The news reporter warned the millions of visitors and athletes to simply leave their devices at home if they want to avoid a headache. Will the majority heed the warning? The hacker is well aware of this human tendency and will certainly capitalize on it during the Olympic Games.

Many of our clients are made aware of this human tendency after going through a forensic examination. I have investigated countless computers, cell phones, tablets, servers, memory sticks and more over the years where employees have been suspected of intellectual property theft. It is oftentimes eerie how this human tendency manifests itself when employees decide to steal. For example, we had a client who had an employee who was an engineer working on one of the latest gadgets at the time. This engineer traveled all over the country and assisted with everything from building prototypes to designing and building the production lines. The engineer had access to plant blueprints, machine settings, customer lists and all sorts of sales data. Due to a recent poor pay increase, the engineer decided to move on to none other than the direct competitor in the industry. Before officially resigning, he sent countless emails to the competitor who recently welcomed him with open arms. In fact, he utilized his corporate email account at the victim company to do so! He also backed up his corporate phone to his home computer for later reference. The engineer connected several memory sticks and hard drives to copy diagrams, photos and even sales data. Suddenly, the engineer panicked and realized his human tendency! He installed a free data destruction utility on his corporate computer. He proceeded to attempt to erase evidence from his computer the day before he resigned, but the damage was done. This engineer fell victim to the human tendency to believe that nobody is paying attention. The engineer was in shock as Vestige provided a timeline of events that detailed the intellectual property theft and cover-up.

We are also hired by companies to investigate their employees’ computers for all sorts of activities, including evidence of IP theft. The human tendency leads some employees to play games on the Internet, surf the web most of the day or even view pornography on their corporate machines!

A number of years ago, one of our clients, along with their customers and other stakeholders, received an anonymous letter that contained some confidential information that no outsider should have had access to. The letter was received from an anonymous Internet web email account. Our client was not sure if it was a hacker that stole this information or if this was an inside job. Vestige was brought in to trace the origins of the email message, including who sent it. First, the header of the email message was examined to find the originating IP address of the message. This IP address was then utilized to determine what Internet Service Provider (ISP) leased out the IP address. Oftentimes, attorneys issue subpoenas to the ISP at this point to determine what residence or company was assigned the IP address of interest. This requested information includes the name of the subscriber, billing address, login information and other identifying information or logging that varies from ISP to ISP. We help guide attorneys with what to ask for from ISPs. Depending on the ISP and the quality of the subpoena, a response from an ISP may take days, weeks or months. While waiting for a response from the ISP, we took another approach to determine the author of the email. The client’s email server was searched for any instance where the same IP address was utilized within the company’s email system. The search showed that, on a few occasions, an internal employee of the company had sent an email from their personal address to someone else in the organization. Even though it was likely we had the culprit, IP addresses oftentimes switch between subscribers over time, so additional analysis was pursued to rule out a coincidence. Prior to our client confronting the employee, we created a forensic copy of their computer.
We were able to analyze Internet histories to determine that the suspected employee was in fact logged into the same web email service moments before the problematic message was received by our client. Vestige analyzed other activities taking place on the computer, such as files created, files modified, Google searches, news articles read and other information such as what username was logged in at the time, to determine that there was a high likelihood the suspected employee sent the email message. As Vestige called to report their findings the following morning, our client informed us that they received a confession from the suspected employee moments before our call. This employee was upset and sent an email that caused all sorts of problems. They thought that by signing up for an anonymous email account and sending the email from home, nobody would be able to trace it back to them. They fell victim to the human tendency and as a consequence lost their job.
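The header examination and mail-server search described above can be sketched as follows. This is an added example, not Vestige's tooling; the messages, host names, addresses and dates are constructed, and only IPv4 `Received` headers are handled.

```python
import ipaddress
import re
from email import message_from_string

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Internal ranges to skip (RFC 1918 and loopback); IPv4 only for brevity.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def external_ips(raw):
    """External IPs in the Received chain, oldest hop first."""
    msg = message_from_string(raw)
    found = []
    # Each relay prepends its Received header, so the last one is the oldest.
    for header in reversed(msg.get_all("Received", [])):
        for text in IPV4.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            if not any(ip in net for net in INTERNAL) and str(ip) not in found:
                found.append(str(ip))
    return found

def originating_ip(raw):
    # Hops recorded before the first server you trust are sender-supplied and
    # can be forged, so treat this as a lead to corroborate, not as proof.
    ips = external_ips(raw)
    return ips[0] if ips else None

def messages_from_same_ip(anonymous_raw, mail_store):
    """(From, Date) of stored messages whose headers contain the same IP."""
    ip = originating_ip(anonymous_raw)
    hits = []
    for raw in mail_store:
        if ip and ip in external_ips(raw):
            msg = message_from_string(raw)
            hits.append((msg["From"], msg["Date"]))
    return ip, hits

# Constructed sample messages (documentation IP ranges, made-up names and dates).
def sample_mail(sender, src_ip, date):
    return (f"Received: from relay.example ([198.51.100.25])\n"
            f"\tby mail.client.example; {date}\n"
            f"Received: from [{src_ip}] by web.example via HTTP; {date}\n"
            f"From: {sender}\nTo: staff@client.example\nDate: {date}\n\nbody\n")

ANONYMOUS = sample_mail("tipster@webmail.example", "203.0.113.77", "Tue, 04 Feb 2014 21:14:02 -0500")
MAIL_STORE = [sample_mail("jdoe.home@isp.example", "203.0.113.77", "Mon, 20 Jan 2014 19:02:11 -0500"),
              sample_mail("vendor@supplier.example", "192.0.2.140", "Wed, 22 Jan 2014 09:30:00 -0500")]
```

A match from this search only narrows the field; as the account notes, the address may have been reassigned, which is why the ISP records and the timeline from the forensic copy are still needed.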

So as you watch the Olympics this year, read email, connect to free public WiFi, post pictures on Facebook or play “Angry Birds” on your iPhone, do not forget that you are leaving behind all different types of digital evidence. When you are faced with litigation, do not discount the power of the human tendency when it comes to electronic devices as a solid witness that can benefit your case or a situation you face with an employee.