Case Study 1, Regulatory Body and trans-atlantic eDisclosure:
An American regulatory body became involved in litigation against a French multi-national organisation.
A litigation support company instructed us to ensure the forensic preservation of the data on laptops belonging to high level board members of the organisation.
The project spanned over two weeks and meant visiting offices all over France.
Working closely with the legal team in France and the organisation itself enabled us to attend the various French cities and offices where the board members were and produce forensically sound images of their laptops. We arranged the collections so that the data could be copied whilst the users were otherwise engaged in meetings or at lunch and so on, minimising any disruption to their daily work.
The project was completed on time, within budget, even circumventing encryption and performing data recovery work on damaged hard disks without causing any delay or disruption.
Case Study 2, Industrial Espionage & Intellectual Property Theft:
A large engineering and manufacturing organisation received information that highly confidential and commercially sensitive information was being passed to their main competitor.
At very short notice we assisted the appointed legal team in acquiring a search order against the home of the Senior Engineer, employed by the competitor, who was alleged to be in possession of the confidential information belonging to the plaintiff.
On the morning that the search order was executed we briefed both the appointed legal team and third party independent solicitors appointed by the court.
The engineer was found to have computers containing over 2TB of data in his home.
It was found that paper files had been transferred to the competitor, the information had been digitised, put onto CD and then the original files were incinerated.
Subsequent investigation at the engineer's employer found that he had viewed the CD on his work laptop and that the information had actively been used within the organisation.
The engineer's employer received a large fine for making use of this information.
Case Study 3, Data Recovery and Incident Response:
A large multi-national company had an online service which allowed customers to back up and access their data remotely. The management of the customers and their data was based on two Linux database servers, a master and a slave for redundancy.
Due to an administrative error, a system administrator accidentally reformatted the partitions of both the master and the slave server simultaneously.
No users could log in to the system and effectively all the data was gone for ever.
We were called in to assist with the incident response as the company’s own in-house forensic team were not equipped to deal with the incident.
Remote memory dumps were taken from both servers and one of the mirrored hard disks was taken from each server and couriered directly to us.
We recovered 30GB of damaged database files and were also able to recover the schema structures and rebuild the database tables into a virtual environment, which we could give the client access to for verification.
After about 32 hours' continuous work, working closely with the solution provider, we were able to recover almost 100% integrity using the data recovered from the disks and the data in the memory dumps.
Case Study 4, Incident Response:
A travel company (Company A) approached us to investigate a 'denial of service' (DoS) attack on their website.
They suspected their competitors of attacking their website to damage their reputation in the light of a series of advertisements that Company A had put in the national press.
We immediately contacted the hosting company who were providing connectivity for Company A's server. Network monitoring and logging devices were put in place to capture evidence of attacks on the server. We also acquired a forensic image of the server for analysis.
Using various techniques we set up a test environment and replayed network traffic. It was determined there was no denial of service or hacking attempt – merely a bug in Company A's web site.
When the adverts in the press were published the upsurge in traffic to the web server caused the web server applications to crash because of some badly written code and memory leaks.
We presented the results to Company A and indicated the modules of their site that we had identified as being the source of the problem.
Case Study 5, Intellectual Property Theft Investigation and Email Examination:
A client suspected an employee of misconduct after noticing an unusual amount of bandwidth being used up on his email account. The user subsequently tendered his resignation.
His mailbox was checked by the client and it was found to be very empty. Email server logs indicated many large messages being sent by him to his personal email account.
We were instructed by the client to analyse several months' worth of email server backup tapes and the user's laptop.
We found the user had sent a large number of commercially sensitive and confidential documents relating to company projects and clients to his personal email address. Using evidence from both the laptop and backup tapes the client was able to get an injunction against the employee.
Settlement was agreed and we were further instructed to remove all traces of our client's data from the employee's personal email and computers.
Case Study 6, Unfair Dismissal Tribunal:
Company A discovered that an employee had been running his own businesses during hours when he should have been working for Company A, and dismissed him. He declined an offer of two months' pay and took Company A to an industrial tribunal.
We were then called in to forensically examine the employee's work computer and uncovered extensive traces of several businesses operated by the employee during his contracted hours, unknown to Company A. We prepared the evidence in a format easily understood by the tribunal and legal teams.
The employee lost the industrial tribunal, the two months' pay offer was withdrawn and he was ordered to pay all costs, including our charges.
Case Study 7, Fraud by Employee:
Company A, a large multi-national business, received information through a ‘whistle blowing’ policy that a manager was using his budget to buy tools for his department but was actually selling them on eBay.
We located his eBay account online and captured the pages for all current and past item listings, including the photos. We identified the background in the photos as being a corner of a workshop at Company A. Then we made a forensic copy of the manager’s computer and he was suspended.
His work computer contained extensive records of his eBay activity and proved conclusively that he was photographing the tools in his workshop and then advertising them on eBay. Comparison of the tools with his budget spends and the eBay account demonstrated a very close correlation, with many thousands of pounds being siphoned off in this way over an extended period.
We prepared a Crown Court-ready statement and evidential package, which we handed to the Police. The manager was convicted of fraud, resigned from Company A and was ordered to pay compensation.