Case Study 1 — The Case That Was Won at Deposition
A departing-engineer trade-secret case looked, on paper, like a dozen others — until the opposing expert tried the two attacks that sink most civil forensic work: "it was malware, not my client," and "your timestamps are fake." Both ran straight into a report that had already answered them. This is the capstone thesis made concrete: a case is mostly won beforehand, in the discipline of the document, by an examiner who ran every phase of the lifecycle instead of leaping to the interesting artifacts.
Background
Apex Motion Controls (AMC) builds industrial-automation controllers. A senior controls engineer — the custodian, whose Windows profile was lvargas — resigned on 2026-04-30 and joined a direct competitor. Within weeks AMC suspected the engineer had taken proprietary motion-control source code and a calibration dataset that represented years of tuning. Counsel retained you to examine the company-owned workstation the engineer had used. Authority was corporate and consent-based: AMC owned the machine, the engineer had signed an acceptable-use policy, and a monitoring login banner was in force. The matter was civil; there was no warrant and no law-enforcement involvement.
You did the unglamorous things first, exactly as Chapter 5 and the capstone lifecycle prescribe. Before touching a byte of analysis you wrote an investigation plan whose testable questions each carried a disconfirming check, an authority-and-scope memo, and an authority-and-ethics memo with a contraband contingency. You assigned exhibit number AMC-2026-014, verified the delivered image apex-ws-07.E01 against its sidecar (container hash) and re-verified the acquisition hash on load, made a working copy, confirmed its hash matched, and opened a chain-of-custody log. None of this was interesting. All of it would matter.
The investigation
The analysis braided four evidence layers, no one of which you let carry a conclusion alone.
The operating-system artifacts told the device story. Chaining USBSTOR, MountedDevices, and the jokafor-equivalent MountPoints2 key under the lvargas profile placed a Kingston DataTraveler (serial 50E5C1A2…, volume serial 7F2A-94C1) first connected on 2026-04-27 18:33:11 UTC. LNK files and Jump Lists showed the source-code archive and the calibration dataset opened from that volume serial, and the $UsnJrnl:$J change journal recorded the matching file-create events on the E: drive. Four mechanisms, one sequence.
The browser and SRUM layer answered the cloud question. A TYPED navigation to a personal webmail login appeared on 2026-04-28 20:10 UTC, and SRUM (SRUDB.dat) showed the browser process sending ≈310 MB outbound in the following half hour — a figure consistent with the archive's size, though, as you noted in the finding, an aggregate counter is not a packet capture.
The anti-forensics pass found a cleaner that, like anchor #2's CCleaner (Chapter 30), convicted itself. BleachBit had run once in the cleanup window; its own Prefetch entry recorded the execution time, its configuration was present under the user hive, and the dated holes it left — recently-wiped MRUs whose last-write times sat in the window — were themselves evidence that something had been cleaned, and when. And on one archive you caught a timestomp:
TIMESTOMP DETECTION (MFTECmd) — motion_profiles.zip
─────────────────────────────────────────────────────────────────
$STANDARD_INFORMATION Born: 2019-03-02 08:00:00.0000000 <- forged
$FILE_NAME Born: 2026-04-27 18:41:55.7720913 <- kernel truth
$UsnJrnl:$J FILE_CREATE 2026-04-27 18:41:55 <- corroborates
─────────────────────────────────────────────────────────────────
=> $SI predates $FN by ~7 years with zeroed sub-seconds: classic
manipulation. True creation 2026-04-27 per $FN + USN.
Crucially, you also ran — and reported — the disconfirming checks. You searched for malware and remote-access tooling and found none. You found no event 1102 (Security log cleared) and no event 4616 (system clock change). You tested whether automated synchronization could account for the outbound bytes, and the deliberate TYPED login argued against it. Each negative finding went into the report as a finding, not a non-event.
Then you correlated and wrote proportionately. The conclusion did not say the engineer stole anything. It said the evidence was consistent with copying of the proprietary source and dataset to a removable device on 2026-04-27 and transmission via personal webmail on 2026-04-28, and it stated plainly, in the limitations section, that the artifacts tied the activity to the lvargas profile and a device — not to a specific person — and that the device itself had not been provided for examination.
The deposition
The opposing expert deposed you and tried the two classic attacks.
The Trojan/SODDI attack. "Couldn't malware have copied these files without your client's knowledge?" You pointed to the negative finding already in the report: you had searched for malware and remote-access tooling and identified none; you could not exclude every possibility, but the evidence found none, and the deliberate TYPED login was inconsistent with an automated process acting alone. There was nothing to improvise, because the answer was written down months earlier.
The timestamp wedge. "Timestamps can be faked — how can you trust any of your dates?" You agreed that $STANDARD_INFORMATION` can be altered — which is exactly why you corroborate every load-bearing time against the kernel-maintained `$FILE_NAME and the USN journal. Then you noted that one archive had been backdated, and that you had detected and reported it. The attack meant to undermine your dates instead demonstrated that you catch the very manipulation it invoked.
The opposing expert never got to "so you're telling us he stole the data?" — and if they had, the proportionate conclusion gave them nothing to push against. The matter settled on terms favorable to AMC within weeks of the deposition.
The analysis
-
Integration beat brilliance. No single artifact won this case; the braid did. The USB device history, the LNK access from a specific volume serial, the USN file-create records, and the timeline converged — and convergence across independent subsystems is not something an alternative explanation can easily fabricate. An examiner who had found only the USB history and stopped would have had a lead, not a finding.
-
Negative findings pre-answered the strongest attack. The single most effective moment in the deposition was citing a negative finding — "I searched for malware and found none" — that had been written before any challenge existed. Disconfirming checks are not busywork; they are how you discharge the duty to seek exculpatory evidence and how you retire the SODDI defense before it opens.
-
Trust the kernel's clock, and flag the forgery yourself. The timestamp wedge fails against an examiner who corroborates
$SI` against `$FNand the USN journal as a matter of routine. Detecting and reporting the one backdated archive turned a planned attack into a demonstration of thoroughness — the inverse of the chapter's War Story, where an examiner who trusted one$SItime lost credibility on the whole report. -
Proportionality is armor. Because the conclusion said "consistent with" and never "stole," there was nothing to walk back and no overstatement to expose. The pressure to give counsel a clean "yes, he did it" is the most dangerous pull in the field; resisting it is what let every other finding stand unimpeached.
-
The report won the deposition before it started. Every disciplined answer pointed back to something already in the document — a negative finding, a corroborated timestamp, a proportionate conclusion, a scope statement. That is the entire reason you write the report the way phase 11 prescribes: the case on the stand is mostly won beforehand, in the discipline of the writing.
Discussion questions
-
The examiner ran the anti-forensics pass and the disconfirming malware check even though the "interesting" evidence (USB history, cloud upload) was already in hand. Argue why skipping those phases under deadline pressure would have been the costliest possible economy in this case.
-
Walk through how the deposition would have gone if the examiner had concluded "the engineer stole the source code" instead of "consistent with copying." Which question becomes unanswerable, and how does the overreach contaminate the other, well-supported findings?
-
The braid rested on four independent mechanisms. Pick any one of them to remove (say, the USN journal) and assess whether the conclusion still stands — then explain what "independent" really requires for two sources to count as genuine corroboration rather than the same evidence twice.
-
The examiner's authority did not reach the engineer's personal phone or the webmail provider's server-side contents. Explain how scope discipline protected the case rather than weakened it, and what legal process would be required to reach the provider-held data (Chapter 31).
-
⭐ This was a civil money case. Map each disciplined practice that won the deposition — verified hashes, negative findings, kernel-clock corroboration, proportionate conclusions, scope limits — onto the gravest variant, the courtroom anchor case (Chapter 28), and argue whether the identical lifecycle would carry that far heavier matter, and what would change if it did not.