NHSCFA FCU provide forensic mobile services using the very latest digital and cyber security technologies. Contact the FCU for more information.

Background

The Chief Executive and Director of Finance of an ambulance trust were suspected of setting up a private business together and not informing the trust. Furthermore, it was alleged that when the business got into difficulty they used money from the trust to clear its debt.

Objectives

The Forensic Computing Unit (FCU) was called in, with the following objectives:

  1. To make forensic copies of the hard drives of both subjects' PCs and the servers that they were using, and conduct analysis on them.
  2. To make forensic copies of the BlackBerrys of both subjects and conduct analysis on them.
  3. To search for information relating to the formation and running of the venture.
  4. To search for any correspondence between the two subjects.
  5. To search for any relevant financial information.

Investigation

The Forensic Computing Specialist removed the hard drive from the first subject's PC and connected it to a forensic workstation using a write blocker. A forensic copy of the hard drive was then taken, and the original hard drive was replaced in the machine. The process was repeated for the second computer. Data from the BlackBerrys were also forensically extracted.

The servers were acquired using the EnCase Field Intelligence Module (FIM), which allows the data to be captured in a live environment (the server does not need to be shut down). Files from each of the subjects' networked file storage areas were forensically copied to a DVD to which no further changes could be made. Their email files were captured in a similar manner from the trust's email server.

A search for email correspondence between the two parties was conducted, and all emails were exported for review by the investigator. SMS (text) messages from the BlackBerrys were also presented to the investigator.

A keyword search was conducted over all the data for information relating to the venture and financial information. A number of documents and spreadsheets were identified which appeared to be relevant to the case. These were presented to the investigator. A number of deleted text fragments recovered from the hard drives also contained relevant data.

A full report outlining the findings of the investigation was generated by the Forensic Computing Specialist and presented to the investigator.

Outcome

The subject was identified and admitted stealing equipment worth £2,500 when he appeared at the magistrates' court. He was given two six-month sentences, to run consecutively, suspended for 24 months. He was also ordered to undertake 300 hours of community service and pay £2,489 compensation.