Labor & Employment
A local bank fired their IT manager after several of the bank’s tellers filed sexual harassment complaints against him. When the bank executives arrived at work the morning after his termination, they found their computer networks inoperable and their servers erased. The IT manager was immediately suspected, but surveillance cameras showed no sign of his entry into the building after he was let go. The bank wanted to find out what happened, so they contacted their attorneys and hired Avansic to collect images of the servers and the IT manager’s computer.
One of Avansic’s experts made forensic images of the manager’s workstation at the bank, as well as the server computers. When the imaging process was complete, the forensic copies were brought back to Avansic’s laboratory for investigation. Once all of the evidence was collected, the bank hired a local IT firm to begin repair of the network and computer problems. Since no one was physically present at the time of the destruction, Avansic’s forensics examiners searched for evidence of a remote connection to the bank’s servers. The examiner also took note of the specific times the files were deleted. Avansic found that the user “administrator” had logged into the server approximately one hour after the IT manager left the bank, and the connection had originated from a web address that was eventually traced to the general location of his house. The former IT manager was one of two people with knowledge of the “administrator” password. Further expert investigation revealed that the method used to delete files suggested it was someone with knowledge of the server’s file structure and location.
Taken together, each of these pieces of information was used to build a case that the former manager had remotely logged in to the bank’s computers and maliciously deleted key business data. These results were reported to the bank and their attorneys, who brought formal charges against the former IT manager.