Case Study 1 — The Method That Cleared the Innocent
A senior engineer was criminally accused of stealing trade secrets, and the company's first, panicked look at his laptop "proved" it. A second examiner who actually followed the forensic process proved something else: that the first look had destroyed the evidence, and that the facts, examined honestly in both directions, did not support the charge.
Background
This is the courtroom anchor's quieter cousin — not the most consequential case in the book, but the one that best shows why the method exists. It also inverts the IP-theft anchor you will meet in Chapter 16: same fact pattern, opposite outcome, because here the disciplined examination did what discipline is for — it found the truth rather than the convenient story.
A defense-contractor's controls engineer, call him the subject, resigned to join a competitor. Within days, his former employer alleged that he had copied a proprietary firmware repository to a personal USB device on his last night — a potential federal trade-secret theft. The company's IT lead, certain of guilt and eager to help, did exactly what Chapter 5 warns against: he booted the returned laptop on his own Windows workstation, browsed the user profile, found a .lnk file pointing at an external volume, and copied a handful of files to a network share "as evidence." He then wrote a two-paragraph memo: the engineer connected a USB drive and took the repository. Law enforcement opened a matter. The subject faced charges that would end his career.
Defense counsel retained an independent examiner to test that conclusion. What follows is the forensic process applied to a case the first responder had already nearly ruined.
The investigation
Phase 1 — Identification. The examiner inventoried every source, not just the laptop: the returned laptop (Dell Latitude, service tag recorded), the IT lead's workstation (now itself evidence, because it had touched the original), the network share holding the copied files, the company's USB-device and VPN logs, and the endpoint-security agent's history. "A black laptop" is not a source; a serial number, a capacity, and a recorded power state are.
Phase 2 — Preservation. The original drive was — finally — removed, attached through a validated hardware write-blocker, and imaged to E01 with both MD5 and SHA-256 computed and verified. But the examiner recorded a fact that would shape everything: the drive had been booted and browsed after seizure. The acquisition hash was honest, but it was the hash of a drive whose last-access timestamps, journal, and unallocated space had already been disturbed by the IT lead's "quick look."
[Acquisition — Item 01, subject laptop]
Acquired: E01, hardware write-blocker (validated 08:30 same day)
MD5: 4d1c... (fictional) : verified
SHA-256: 9f02... (fictional) : verified
NOTE: device was powered on and browsed post-seizure by company IT
prior to write-blocked acquisition (see chain-of-custody gap).
Phase 3 — Analysis, in both directions. The examiner formed the company's hypothesis as something that could be disproved: on the final night, the subject attached a USB device and copied the repository to it. Then she tested it honestly.
The .lnk file the IT lead trumpeted did reference an external volume — but its own embedded timestamps showed it had been created the morning after seizure, on the IT lead's workstation, when he browsed the share. It was an artifact of the investigation, not the crime. The USB device history in the registry showed the last removable device connected to the subject's laptop eleven days before his last night, not on it. The repository's $FILE_NAME MFT timestamps (which survive casual tampering) showed no bulk access in the final week. And the endpoint agent's log showed something the company memo had omitted: the subject's account had been flagged for a malware beacon three weeks earlier, and a second user account — a shared service account — had accessed the repository during the window in question.
The examiner pursued the exculpatory leads as rigorously as she would have pursued inculpatory ones. She built a timeline (Chapter 21 owns the technique) that placed the only relevant repository access on the shared account, from a session the subject demonstrably was not logged into. The "evidence" of theft dissolved into an artifact the first responder had manufactured and a malware infection no one had checked for.
Phase 4 — Reporting. The report separated facts from opinion, referenced each finding to its artifact (offsets, timestamps, log lines, hashes), and stated its limitations plainly — including that the post-seizure handling had irreversibly altered some timestamps, so certain questions could no longer be answered at all. Its central finding was not "he is innocent" but the disciplined, defensible version: the available evidence does not support the allegation that the subject copied the repository to removable media on the night in question, and the principal artifact cited in support of that allegation was created post-seizure by company IT.
The charges were dropped.
The analysis
-
The original is sacred — and "just looking" is not free. The IT lead changed the evidence the instant he booted the drive, fabricating the very
.lnkartifact that became the case's centerpiece. He did not lie; he contaminated. The method exists precisely because well-meaning contamination is indistinguishable, after the fact, from tampering. -
Test for disconfirmation, or you are building a case, not finding the truth. The first responder sought confirmation and found it everywhere. The independent examiner stated the hypothesis so it could fail — and it did. An examiner who only looks for guilt will always find it.
-
The method that convicts the guilty is the method that clears the innocent. Identical rigor — write-block, image, hash, timeline, both directions — produced an acquittal here and would have produced a conviction had the facts been different. That symmetry is the moral center of the discipline; it is why your loyalty is to the facts, not the client.
-
$STANDARD_INFORMATION` lies; `$FILE_NAMEand independent logs corroborate. No single artifact decided the case. The exculpatory conclusion rested on agreement across the registry, the MFT's tamper-resistant timestamps, the.lnkinternals, and the endpoint log. Corroboration across independent sources is how you reach a conclusion proportionate to the evidence. -
Honest limitations are credibility, not weakness. The report conceded that contamination had permanently destroyed some answers. That candor made the rest of the report more believable, not less — the examiner who says "this can no longer be determined" is far harder to impeach than one who overreaches.
Discussion questions
-
The IT lead's "quick look" created the
.lnkartifact that anchored the accusation. Explain, in terms of last-access timestamps and the NTFS journal, exactly how booting the drive could manufacture evidence — and why a write-blocked image taken first would have prevented it. -
The examiner stated the company's theory as a hypothesis that could be disproved. Rewrite the IT lead's conclusion ("he took the repository") as a falsifiable hypothesis, and list three artifacts whose absence would tend to disconfirm it.
-
⭐ Suppose the facts had pointed the other way — the USB history did show a device attached at 02:14 on the final night, and the
$FILE_NAMEtimestamps did show bulk access. Write the two-sentence finding the examiner would then have reported, and explain why the same disciplined process makes that inculpatory finding as defensible as the exculpatory one here. -
The report's central finding was carefully not "he is innocent." Why does a forensic examiner report what the evidence does and does not support, rather than a verdict? What is the difference, and whose job is the verdict?
-
The contamination permanently destroyed some timestamps, so certain questions became unanswerable. Identify one such question in this case, and explain why "this can no longer be determined" is a complete and professional finding rather than a failure (theme: know your limitations).