A Day in the Life… of a Computer Investigator

January 1, 2003

Early hours of the morning – returned to the headquarters after working on-site at a Search and Seizure order.

Have spent a frustrating day in a northern UK town. Although this small community seems quite pleasant it has actually been the destination for Vogon’s staff working on Search and Seizure orders on several occasions. My trip, which this time lasted three days, has been fairly typical – a badly worded court order needed to be re-written to include several key issues. The technicalities of what a computer investigator needs to do during a Search and Seizure order are quite complex and are regularly misinterpreted by clients and lawyers, leading to confusion. These days we normally take the lead on the preparatory phrasing of the court presentation, leaving no scope for misunderstanding or ambiguity.

Anyway, the roads are empty and the journey back is quiet. The materials seized (some back-up tapes) and the images taken (five PCs, two laptops and a small server) are been signed into our custody stores. I have already telephoned the on-call engineers to ensure they are fully awake and ready for work by the time I arrive and, from the smell of pizza wafting from the ground floor, they are clearly preparing themselves for an overnight session. When forensic work is urgent we can, and do, provide 24/7 services from our labs, on a worldwide basis. On occasions we have provided complete on-site investigations – flying in staff and equipment to a range of destinations.

I fill in the job sheets, specifying what needs to be done with the various images and tape back-ups. This particular enquiry relates to an allegation of intellectual [roperty theft by a former employee and I need to talk this over with the lawyer working with us. As with many cases like this, the computer evidence may well prove vital to the outcome.

I am off home – fortunately only 5 minutes from the office – and will hopefully get some well-earned sleep. A client and his lawyer are coming in tomorrow (or is it today?) to make a preliminary pass through some data, when we believe the core issues will relate to dates and times on various Word documents.


Still seems very early although it is now about 9.30. Rick, a fellow investigator, has collected our client from the local train station and they are in the office with coffee. Fortunately for me, we are able to set up several systems to view data from our forensic servers and this is up and running on my arrival.

Over the next couple of hours we go back over the client’s story: the case involves a company which decided to make redundancies due to a downturn in business. After completing the redundancy programme the company was served with notice of intended proceedings for unfair dismissal by 33 of their former employees, some of the claims suggesting sexual discrimination. Prior to the selection of those to be made redundant the management had received e-mails, with a spreadsheet attachment, to help them make the decision in a fair and reasonable way. Some of the employees attached documents to support their claims, including e-mails between some of the management team regarding the redundancies. A further e-mail is alleged to have come from the UK-based VP Operations and appears to contain some anti-female comments.

In order to clarify the situation I have agreed to document the claim and counter-claim for the client and also provide a summary analysis of the computer materials so that we are able to draw up a plan of action, as well as a budgetary guideline.

When the client leaves just after lunch I sit down with another colleague, Ailsa, to go through the key issues of the claim, dates and the summary information on the computer materials and also the date information we have. This will take a day or two to go through in detail, and at the end of the process we will have effectively drawn a crude time-line analysis, with the key issues highlighted. It will also give us the simple set of evidence, which we are trying to demonstrate is either out of context, or has been fabricated.

Following this discussion I am able to consider many of our other existing and potential clients and take some time to listen to my voicemails, which seem to accumulate very quickly. One particular message sounds very interesting – it is some form of alleged shipping fraud involving a ship owner sinking his vessel as an insurance claim. I contact the client to evaluate the situation and conclude that a colleague will attend their offices in Hamburg to discuss the matter fully, freeing me up to review the case over the weekend and give it my full attention next week.

Contact my colleague Chris. He is ideal to attend on-site in Germany: having spent years on military service in Germany, he has acquired polished attention to detail, fluent German, and a German wife. He contacts the client, who are so impressed they decide they would like to have his assistance for the duration of the work.

Finally I am able to go home at a reasonable time, I seem to have spent the last four days doing nothing but work. I managed to be persuaded to take one last phone call – another on-site job. Having lost out on Hamburg I discover that my exotic location is. that town in the North!