Forensic Case Files: Reviving a Samsung Galaxy S3
December 13, 2016
Putting a USB thumb drive through a snowblower won't always have a happy ending
Forensic Case Files: A Thumb Drive’s Winter’s Tale
December 28, 2016
Show all

Forensic Case Files: Impersonating Your Ex-Boss

Leonardo Dicaprio, playing infamous con man and forger Frank Abagnale, on the set of Steven Spielberg's "Catch Me If You Can" along with the real Frank Abagnale.

Leonardo Dicaprio, playing infamous con man and forger Frank Abagnale, on the set of Steven Spielberg's "Catch Me If You Can" along with the real Frank Abagnale.

If my forgeries looked as bad as the CBS documents, it would have been ‘Catch Me In Two Days’. – Frank Abagnale

 

Frank Abagnale, infamous con man, forger, and impostor (played by Leonardo DiCaprio in Catch Me If You Can, based on Abagnale’s autobiography of the same name), may very well have had the devil’s own luck. But fortunately, most of the world’s would-be Frank Abagnales are not quite so adept at covering their tracks and escaping the consequences of their actions.

In this case study, the owner of an HVAC business engaged our forensics lab for hard drive forensic analysis. The owner, a well-known expert in the environmental balancing industry discovered that an ex-employee was providing forged certification documents in his name.  At some point in time, said employee apparently made a stamp of their ex-boss’s signature and National Environmental Balancing Bureau (NEBB) certification seal and used it to pose as them. The forged signature and seal found its way to an unknown number of HVAC certification reports without our client’s knowledge or consent. The boss discovered their employee had even had a physical rubber stamp made in order to impersonate them.

Adobe Photoshop's "clone stamp tool" isn't quite what the client's ex-employee had in mind.

Adobe Photoshop’s “clone stamp tool” isn’t quite what the client’s ex-employee had in mind.

Our client wanted to know the extent of the damage, fearing that their reputation was at stake. He submitted hard drives from two laptops, which the duplicitous employee had been using as part of their work. The boss suspected that the employee had deleted files from these devices before returning them. He wanted to recover as many of the fraudulent reports as possible, so he could potentially pursue legal action against their ex-employee.

Hard Disk Drive Forensic Investigation

Both of the laptops we received for our hard disk drive forensics investigation contained two hard drives each. One hard drive contained the operating system for the computer and all of the user’s programs, while the other provided additional storage space. We would have to sift through all four hard drives in total to dig up whatever evidence existed of the ex-employee’s deceit.

We didn’t want to meddle with the original hard drives, though. In digital forensics, it is standard practice to work on a copy of the user’s data, rather than the user’s original data. That way, there’s no chance of making any changes to the original data, and contamination or damage to the original devices is prevented.

A write-blocking device like this proves quite useful for hard drive forensic analysis.

A write-blocking device like this proves indispensable for hard drive forensic analysis.

For this case, we docked each of the four hard drives in a Wiebetech Forensic Ultradock write protection device. This device blocks any “write” commands sent to the drives, ensuring on a fundamental level that it is impossible to alter the data on them. To image the drives, we used FTK Imager. We then successfully verified the disk images and confirmed that we had indeed created exact, bit-for-bit copies of the original hard drives.

Dredging Up Deleted Files

With our exact forensic images in hand, we could continue with our hard drive forensic analysis and pore over the active and deleted files on the four hard drives.

When you’re using your computer, it may be common sense to think that once you’ve dragged a file into the Recycle Bin (or Trash Bin) and emptied the bin, that file is gone forever. But we here at Gillware know better. Deleting a file doesn’t automatically erase it. What it does, though, is effectively hide the file and mark the space it occupies as “up for grabs” the next time you need to write data to the disk. If a hard drive remains in use after you’ve deleted a file from it, that file will eventually disappear as new data tramples over it. If, on the other hand, you cease using the drive after you delete a file, the deleted data will remain relatively pristine.

These two computers hadn’t seen much use after our client retrieved them from the ex-employee in question. As a result, most of the data that had been deleted was unspoiled.

Hard Drive Forensic Analysis Results

Leonardo Dicaprio, playing infamous con man and forger Frank Abagnale, on the set of Steven Spielberg's "Catch Me If You Can" along with the real Frank Abagnale.

Leonardo Dicaprio, playing infamous con man and forger Frank Abagnale, on the set of Steven Spielberg’s Catch Me If You Can (2002) along with the real Frank Abagnale.

While everyone has a distinctive signature, nobody writes theirs in exactly the same way twice. And so when you find two (or more) documents with identical signatures, you’ve likely come across a forgery.

We uncovered a plethora of Microsoft Word documents and Excel spreadsheets, as well as Adobe PDF documents. These files had embedded images of signed NEBB seals and signatures in the name of our client. We even found a Microsoft Word template created specifically for the purpose of making stock forged certifications. Our forensic analysis turned up over 350 certification documents with identical signatures spread across the four hard drives. By checking the metadata associated with each file, we could provide the creation dates and other information for each of the suspect files.

We compiled our findings and reported the results of our hard drive forensic analysis to our client, including a spreadsheet listing the details of the apparent forgeries and representative documents showing instances of fraud and signature forgery by the former employee.

1 Comment

  1. […] Will Ascenzo at Gillware Digital Forensics provides a write-up of a recent job regarding forged certification documents created by an employee of a client. Will was able to recover a significant number of the forged documents (that had been deleted) and parsed their internal metadata to garner additional insight. Forensic Case Files: Impersonating Your Ex-Boss […]

Leave a Reply

Your email address will not be published. Required fields are marked *