Case Highlights
1. The Background & Crisis
The Securities and Exchange Board of India (SEBI) detected highly suspicious trading patterns surrounding a massive publicly listed conglomerate just days before their quarterly financial results were announced. The stock prices fluctuated wildly, netting an unknown syndicate tens of crores in illegal profits.
SEBI suspected a coordinated insider trading ring operating at the absolute highest levels of the company (the C-Suite). However, when confronted, the top executives categorically denied leaking any confidential PDF reports. They handed over their corporate laptops and smartphones, confident that no evidence could be found.
2. The Threat Landscape & Challenges
These executives were highly tech-savvy. They had utilized encrypted, auto-deleting messaging platforms (such as Signal and Wickr), routed their personal communications through secure VPNs, and routinely wiped their browser histories and document caches. Standard IT audits found absolutely nothing incriminating.
3. Cyberen's Deep Forensic Methodology
- Mac Forensics: Several executives used Apple MacBooks with T2 Security Chips and FileVault encryption. Using MacQuisition, we successfully bypassed the logical barriers to acquire targeted physical images of the drives.
- Mobile Device Forensics: We utilized XRY and Cellebrite Physical Analyzer to perform deep, physical extractions of the executives' iPhones and Android devices, bypassing lock screens and accessing the root file systems.
- Database Carving: Even though the suspects used auto-deleting apps, SQLite databases do not immediately overwrite deleted data; they simply mark the space as "unallocated." Our analysts used Magnet AXIOM to perform Hex-level carving, painstakingly piecing together fragments of deleted Signal and WhatsApp conversations from the unallocated space.
- Timeline & Artifact Correlation: Using Autopsy, we built a master timeline. We correlated Windows Event Logs, macOS Unified Logs, and USB connection histories to prove that specific confidential PDFs were accessed and transferred to external, unencrypted thumb drives precisely 12 minutes before the leaked messages were sent.
4. The Takedown & Resolution
We successfully reconstructed the deleted messages. The carved data revealed explicit instructions sent from the CEO's device to an offshore shell company, dictating exact strike prices for put options based on the unreleased financial data.
Cyberen compiled a 500-page, airtight forensic dossier detailing exact timestamps, recovered messages, correlated IP logs, and chain-of-custody documentation.
5. Post-Incident Impact
The evidence was 100% court-admissible and completely irrefutable. SEBI used the forensic report to impose record-breaking fines on the conglomerate, ban the involved executives from trading, and initiate criminal proceedings for corporate fraud.