by Pete James
O-Alerts and the Executive
Sometimes, the smallest of artifacts can make a big difference in a case.
In the final days of his employment at a start-up tech company, a C-level executive searched through the company’s internal network and downloaded several critical files that contained very sensitive intellectual property. The C-level executive walked out the door with the data. The next day, he started his new job at a competitor.
We were asked to conduct a forensic exam of his computer to find out if there was any data he might have taken to his new job. His computer turned out to be full of interesting evidence, but an O-Alert was especially useful.
So what is an O-Alert? If you regularly use Microsoft software, you’ve undoubtedly closed a file and been presented with a pop-up window like the one below. It is asking if you want to save the changes you made to your file.
This is a courtesy reminder from Microsoft. It occurs when you’ve opened a Microsoft Office file, made a change to the file, and attempted to close it before saving it. This pop-up window is called a Microsoft Office Alert, better known as an O-Alert.
The change to a file can be as simple as resizing a column in Excel, adding an extra line to a Word document, or removing a picture from a PowerPoint.
The O-Alert Breadcrumb
This courtesy pop-up is entered into a log on your computer, which means computer forensics examiners can analyze it. Even if the file is no longer accessible, the log of the O-Alert persists.
In the matter we were investigating, an Excel spreadsheet was downloaded, saved to his computer, transferred to a thumb drive, and then deleted from the computer. While the spreadsheet was on his computer, he made a modification to the file and attempted to close it without saving it. This is where the O-Alert log entry proved useful. Below is a similar notification.
The Log Entry
Examining the log reveals some important details about the underlying file: the date, time, software program being used, and the name of the file.
While the file was no longer on the computer, the evidence showed that there was interaction with the file on a specific date and time. Armed with this information, you can effectively counter any argument that someone did not have knowledge of a file.
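To show how an examiner pulls those four details (date, time, program, file name) out of O-Alert entries and turns them into a timeline, here is a small Python parser added for this post; it is not code from the original article or from Precision Discovery. It assumes the alerts are read from the Windows "OAlerts" event log as Event ID 300 records whose message starts with the application name followed by the prompt text; the sample records below are constructed, not case data.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records in the shape of the Windows "OAlerts" event log
# (assumption: Event ID 300; message body = application name, then the prompt
# text, then P1..P4 parameter lines). Not real case data.
SAMPLE_EVENTS = [
    (300, "2019-03-14T17:42:10", "Microsoft Excel\n"
     "Want to save your changes to 'Q4_Customer_Pipeline.xlsx'?\n"
     "P1: 153424\nP2: 16.0.11328.20158\nP3: \nP4: "),
    (300, "2019-03-14T17:50:33", "Microsoft Word\n"
     "Do you want to save changes to Board Memo.docx?\n"
     "P1: 100262\nP2: 16.0.11328.20158\nP3: \nP4: "),
    # A non-save alert: it proves Office ran, but names no file.
    (300, "2019-03-13T09:05:01", "Microsoft Excel\n"
     "This workbook contains links to one or more external sources.\n"
     "P1: 310000\nP2: 16.0.11328.20158\nP3: \nP4: "),
]

@dataclass
class SavePrompt:
    timestamp: datetime   # when the user tried to close the modified file
    application: str      # Office program that raised the alert
    filename: str         # file named in the prompt (may be on a removed drive)

# Matches the Excel ("save your changes to 'X'?") and Word ("save changes to X?") phrasings.
SAVE_PROMPT = re.compile(r"save (?:your )?changes to '?(?P<name>[^'?]+?)'?\?", re.I)

def parse_oalert(event_id, timestamp, message):
    """Return a SavePrompt for a close-without-saving alert, else None."""
    lines = message.splitlines()
    if event_id != 300 or len(lines) < 2:
        return None
    m = SAVE_PROMPT.search(lines[1])
    if not m:
        return None
    return SavePrompt(datetime.fromisoformat(timestamp), lines[0].strip(),
                      m.group("name").strip())

def save_prompt_timeline(events):
    """Chronological list of every file a user edited and tried to close unsaved."""
    hits = [p for p in (parse_oalert(*e) for e in events) if p is not None]
    return sorted(hits, key=lambda p: p.timestamp)

def files_touched_on(events, day):
    """Filenames with a save prompt on the given ISO date (YYYY-MM-DD)."""
    return sorted({p.filename for p in save_prompt_timeline(events)
                   if p.timestamp.date().isoformat() == day})
```

On a live system the same records can be exported with Event Viewer or `Get-WinEvent -LogName OAlerts` and fed to `parse_oalert` one entry at a time; the file name survives in the entry even after the file itself is gone.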
Simply opening and closing a document will not prompt an O-Alert, but this activity will create other artifacts your computer forensics examiner will find during their examination.
What if the file is not on the computer but on an external drive or shared drive? Not to worry. Since the software is installed on the computer, and the software is generating the log entry, it will still be recorded.
So what happened with our C-level executive? Did he take the data? After approaching him with information from the O-Alert, he became spooked. He confessed to taking the files we identified. Ultimately, he confessed to taking more files from other computer systems.
These, and many other interesting artifacts, leave a trail of evidence a computer forensics examiner can find for you.
If you have questions about what a computer forensics examiner can find, shoot us a note at firstname.lastname@example.org or a comment below.
Pete James, Managing Director of Computer Forensics
Pete James is the Managing Director of Computer Forensics for Precision Discovery. A Navy veteran, retired Sheriff’s Lieutenant, and certified forensics examiner, Pete provides unique investigative skills and perspective to our clients. He’s passionate about how computer forensics can tell a story – often stories that weren’t meant to be told!