Background
An investigation was undertaken into a member of staff who was alleged to have stolen a number of pieces of IT hardware from a company and subsequently sold them on eBay.
The company was not aware that any computers were missing, and went on to conduct a full inventory. The subject was subsequently arrested, with all items of digital media seized for forensic acquisition and analysis. A full sales history of the subject, traced through eBay, showed many other sales of IT equipment. As the subject was responsible for the asset tracking of such IT equipment, it was very difficult to establish what had belonged to the organisation.
Objectives
The Forensic Computing Unit (FCU) was called in, with the following objectives:
- To make a forensic copy of all digital media and conduct analysis on it.
- To conduct a keyword search for the company name, in an attempt to recover any data indicating ownership.
- To ascertain whether the subject had been creating pirate DVDs.
- To recover any serial numbers that may help the company to identify the machines.
Investigation
The FCU acquired a number of pieces of digital media, including PCs with the hard drives removed, USB thumb drives and USB external drives. These were all acquired in a forensically sound manner.
From the outset of the analysis, it was apparent that the PCs contained large amounts of material which could be considered unsuitable for a work computer - including pictures and large video files. This information was passed to the investigating officer and the company, and disciplinary steps were taken prior to the full criminal investigation.
The initial analysis showed a number of emails relating to the sale of other items on eBay, but the company had such a poor asset tracking process that none of the items could be traced back to the company. An email was located on one machine which showed correspondence between two members of staff at the company (one being the subject of the enquiry) regarding the passing on of a 'redundant' PC belonging to the company. The other person involved in the correspondence was tracked down and the PC seized. This PC was also forensically acquired and analysed for information to show that it had once belonged to the company.
Many full files and fragments of data were located on this PC which showed that it had once been the property of the company. A full report outlining the findings of the investigation was generated by the FCU and presented to the investigator.
Outcome
The subject was identified and admitted stealing equipment worth £2,500 when he appeared at the magistrates' court. He was given two six-month sentences, to run consecutively, suspended for 24 months. He was also ordered to undertake 300 hours of community service and pay £2,489 compensation.