Kidnappers, Bottle Service, and Mobile Phone Forensics

Kidnappers, Bottle Service, and Mobile Phone Forensics
Judge Dan Hinde

The consultation call for this case started how they typically do. The attorney tells us how an employee allegedly jeopardized their company’s reputation. I was expecting the mundane, perhaps a problematic email sent to a customer or a Twitter rant that touched upon a third rail. However, when we got down to the details of this case, it raised my eyebrows, and with over a decade of working civil and criminal cases, my eyebrows rarely leave their designated location.

The employee’s story goes like this: he is on an international business trip and after working hard all week, decides to let off some steam by exploring the city. By the next morning, he is boarding a plane and returns to the States.

“I Was Kidnapped”

After about a week, accounting notices that the employee had racked up a five-figure charge on his corporate credit card with almost all of that accrued on a single night. The employee had never mentioned anything to his boss, accounting, or anyone else. When questioned, the employee recounts a harrowing experience. He claims that he was kidnapped, held the night in question for over six hours, all while the kidnappers kept him detained against his will, charging his corporate card on “extracurricular activities.”

The company’s leadership was suspicious, and they had every right to be. It seemed unusual that the card was not stolen, only compromised. First, according to the employee, the kidnappers returned it to him once they were partied out. Second, the employee never reported the attack to the international authorities, authorities stateside, or his own company.

At this juncture, Envista’s digital forensic experts join the story. The company’s representatives contacted Envista to perform a forensic examination of the employee’s iPhone. We performed the forensic extraction, or copy, of the data from the mobile phone and began the data analysis, which included recovered deleted data. Our team immediately noticed that applications were deleted shortly before the employee provided the iPhone to us for extraction, but we’ll come back to that in a moment.

An Apple Watch was connected to the phone and it had been permitted by the user to record health data. Miles of walking were recorded on the night in question, contradicting the employee’s claim that he was detained in a single location all night. Unless the kidnappers truly enjoyed watching someone walk in circles from sunset to sunrise. The kidnapping story is losing credibility by the moment, but motive has yet to be established.

Here we come back to those deleted applications. One of the applications was a text message application. Although the user deleted the application, we were able to recover the data from it. Also deleted was the Google Translate application.

After forensically stitching together the data artifacts, we recovered a message from the employee’s phone. The message was written in English, translated to the local language, and subsequently sent to an international number when the employee was catching a flight back home. The message read as follows, “Last night was amazing and I can’t believe you can’t find a man. Someday someone will find you and it will all end up perfectly. Find someone who has the same passions as you do. I want you to know how special you are, you are so beautiful, perfect by American standards. Words can’t express how much I will miss you.”

From the sent message, we were left with two options. One, the employee had a rare and severe case of Stockholm Syndrome. Two, this story had more holes that swiss cheese. As you have surely deduced, our examination assisted in a good outcome for the company. As to the employee, I don’t know what happened to him. Perhaps a fresh start at a new company or a really fun nickname at his current one.

*Disclaimer: Personal details and information from this story have been altered to protect parties involved.

Lars Daniel

Lars is the co-author of the book Digital Forensics for Legal Professionals. He also co-authored Digital Forensics Trial Graphics: Educating the Jury Through Effective Use of Visuals. Lars is an EnCase Certified Examiner (EnCE), a Cellebrite Certified Operator (CCO), a Cellebrite Certified Physical Analyst (CCPA), a Certified Telecommunications Network Specialist (CTNS), Certified Wireless Analyst (CWA), a Certified Internet Protocol Telecommunications Specialist (CIPTS), and a Certified Telecommunications Analyst (CTA). Contact him at 984.232.2158 or by email at [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts