|
|
 |
In early 2001 Sanderson Forensics were instructed to act on behalf of a major international company with offices in most countries, including one in Rumania. The salient points of the case are:
The country manager (A) in Rumania had been suspected of defrauding the company and had been suspended
A new manager (B) had been temporarily appointed in his stead
B had been given As' old laptop computer after the company IT team had repartitioned, reformatted and reinstalled the operating system and applications
B had used the computer for about 6 weeks
Sanderson Forensics were asked to look at the computer for evidence of fraud.
It is interesting in this case that the major forensic software tools of the day did not have the facility to ‘carve’ documents from the areas of the disk that are currently unused, i.e. those areas of the disk that have contained files but the files have since been deleted.
We wrote a software application to specifically carve Microsoft Word and Excel files from the unused portions of the disk and to save them as individual files.
The fifth such file extracted was a document showing A granting shares to a company in Cyprus to four of his senior managers. The company in Cyprus provided services to As' company.
This was a classic ‘smoking gun’ document and based mainly on this but supported by further documents a case of large scale fraud was proven. The parent international company, on the strength of our findings, decided that fraud was so endemic within the Rumanian office that the only recourse was to cease operations there.
|
|
|
