Often we get a call from a company when a fired employee is using pilfered proprietary information. Sometimes it is helping a competitor steal clients. Sometimes it is just to get even.
A local company that values its reputation heard from clients about emails with false statements against the company. Since the company had low turnover it wasn’t hard to guess who might have had access to the client list and was recently fired.
By analyzing the IP addresses in headers of the emails a common thread was detected. All of the emails appeared to come from the same place. Whois lookups indicted that the computer was at a local school. A bit of investigating revealed that the computer was in a public computer lab.
With permission of the building staff we determined which computer was assigned the IP address (in this unusual situation it was given a routable address). After informing the school IT manager of the situation we arranged to purchase the computer including its hard drive.
A forensic analysis clearly indicated that the suspect had used the computer to send the emails to clients. Because the company owner knew the suspect, his family, and his pastor, he was able to arrange a meeting where the suspect was confronted. The suspect accepted their suggestion to become accountable for his behavior.