The situation
A high-tech manufacturing company suspected that an employee had stolen proprietary company designs. The employee’s company laptop was retrieved for investigation, but there were concerns that evidence might have been tampered with or destroyed.
Details in this case study have been altered to protect client confidentiality. The core facts, forensic methodology, and outcomes are accurate.
What we found
Forensic examination confirmed that the laptop had been erased. More significantly, NDF established that the system clock had been deliberately altered to provide a misleading date for the erasure. This was not an accidental reset or a system error. Someone had intentionally manipulated the timestamp to obscure when the data destruction occurred. Despite the manipulation, NDF was able to identify the likely month and year when the erasure actually took place.
How we responded
NDF conducted a detailed forensic examination of the laptop and associated cloud evidence:
- Device forensics to confirm the erasure and recover any residual data or metadata
- Clock manipulation analysis to detect the timestamp alteration and establish the true timeline
- Cloud evidence review to supplement the device examination with data from cloud services associated with the employee’s account
- Timeline reconstruction to identify the likely month and year of the actual erasure, despite the deliberate obfuscation
The outcome
The evidence of deliberate clock manipulation and the reconstructed erasure timeline gave the company a strong evidentiary position. Rather than pursuing a matter based on suspicion alone, the company was able to negotiate with the employee from a position of documented forensic evidence. The investigation also highlighted the need for security controls that would prevent employees from erasing company devices without authorisation.
Lessons for similar organisations
- Anti-forensic techniques leave their own evidence. Manipulating a system clock to disguise an erasure date is a deliberate act that itself becomes evidence of intent. Forensic investigators are trained to detect these techniques.
- Device erasure is not the end of an investigation. Even when a laptop has been wiped, metadata, cloud evidence, and forensic artefacts can often reconstruct what happened and when.
- Prevent, do not just detect. Companies holding valuable IP should implement controls that prevent employees from erasing company devices, such as BIOS-level protections and mobile device management policies.
