The situation
A regional NSW business chain discovered that a significant amount of money was missing. A business partner suspected of involvement had fled the country, leaving behind a company laptop. The remaining business owners needed to trace the rogue partner and gather evidence of the financial fraud.
Details in this case study have been altered to protect client confidentiality. The core facts, forensic methodology, and outcomes are accurate.
What we found
Forensic examination of the company laptop revealed a critical piece of evidence: a “deleted” air ticket showing the rogue business partner had booked a return flight to Sydney within three months of departing the country. The deletion indicated an attempt to conceal future travel plans, but forensic recovery techniques retrieved the booking in full.
How we responded
NDF conducted a forensic examination of the abandoned laptop:
- Forensic imaging of the device to preserve all data, including deleted files, in a forensically sound manner
- Deleted file recovery targeting travel bookings, financial records, and communications that the user had attempted to remove
- Evidence analysis to identify information relevant to the fraud investigation, including the recovered flight booking
- Intelligence support to help the client trace the rogue partner using the recovered travel and financial data
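The imaging and deleted-file recovery steps above can be illustrated with a small signature-carving sketch. This is an added example, not NDF's tooling or code from the case. It assumes a toy FAT-style image and a PDF booking, and the sample bytes and all function names are constructed for illustration.

```python
import hashlib

PDF_HEADER, PDF_TRAILER = b"%PDF-", b"%%EOF"
SECTOR = 512

def sha256_of(image: bytes) -> str:
    """Hash the acquired image so later analysis can be shown not to have altered it."""
    return hashlib.sha256(image).hexdigest()

def build_sample_image() -> bytes:
    """Constructed 4 KiB FAT-style image: one directory entry, one file, then 'deleted'."""
    ticket = b"%PDF-1.4\n(constructed booking: return flight to SYD)\n%%EOF"
    image = bytearray(SECTOR * 8)
    image[0:11] = b"TICKET  PDF"                         # 8.3 directory entry name
    image[3 * SECTOR:3 * SECTOR + len(ticket)] = ticket  # file content in a data sector
    image[0] = 0xE5   # FAT deletion: first name byte is overwritten, content is left alone
    return bytes(image)

def carve_pdfs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan raw bytes for header..trailer spans, ignoring the file system entirely.

    Simplification: stops at the first %%EOF, so incrementally updated or
    fragmented PDFs would need a fuller carver.
    """
    hits, pos = [], 0
    while (start := image.find(PDF_HEADER, pos)) != -1:
        end = image.find(PDF_TRAILER, start, start + max_size)
        if end == -1:                      # header with no trailer in range: skip it
            pos = start + len(PDF_HEADER)
            continue
        end += len(PDF_TRAILER)
        hits.append((start, image[start:end]))
        pos = end
    return hits

def examine(image: bytes):
    """Hash, carve, re-hash: returns the recovered files and whether the image is unchanged."""
    before = sha256_of(image)
    hits = carve_pdfs(image)
    return hits, sha256_of(image) == before

if __name__ == "__main__":
    hits, intact = examine(build_sample_image())
    for offset, data in hits:
        print(f"recovered {len(data)} bytes at offset {offset} (sector {offset // SECTOR})")
    print("image unchanged after analysis:", intact)
```

The directory entry is marked deleted, yet the carver still returns the booking because the data sector was never overwritten.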
The outcome
The recovered air ticket gave the client a concrete timeline for the rogue partner’s planned return to Australia. This intelligence, combined with other evidence gathered from the laptop, helped the client trace the individual and build their fraud case. What the departing partner assumed was permanently deleted turned out to be the evidence that enabled the business to pursue recovery.
Lessons for similar organisations
- Deleted does not mean gone. Users who delete files from a laptop rarely understand that forensic techniques can recover that data. This is especially true when the deletion is hasty.
- Company devices are company evidence. When an employee or partner departs under suspicious circumstances, any company-owned devices left behind should be forensically preserved immediately.
- Act fast on device preservation. The sooner a forensic image is taken, the more recoverable data will be available. Delays risk data being overwritten or devices being remotely wiped.
