Cygnus Law Solicitors (CLS) are situated on a busy high street in the populous area of Harborne, in Birmingham. They occupy the ground floor of a two-story building. The first floor is not accessible from the ground floor; it comprises 4 self-contained bedsits, each rented out to local professionals.

Police were called out to investigate a disturbance at the premises of Cygnus Law Solicitors at 04:15 on 6th August 2021. The disturbance triggered the intruder alarm at the solicitor's office which was set up to send an instant alert to the local police. Police reached the solicitor's office within a few minutes; an initial search showed no obvious sign of forced entry, but the rear fire exit door was found open (see fig.1 for the floor plan). Inside, the computer in Office 2 was turned on; all other computer equipment on the premises, other than a printer, appeared to be turned off.

Given the sensitive nature of the high-profile criminal cases that solicitors at CLS work on, a digital forensics incident response team is called immediately.

Upon arrival and initial inspection, the Digital Forensics Triage team make the following observations:

The CCTV system cameras and Linux-based server are turned off

The wireless router for the premises is turned on and appears to be functioning as normal

A device labelled 'WDBU6Y0040BBK' is plugged into the front USB port of the main computer in

Office 2, it appears to be running as the LED light on its side is flashing

The printer in Office 2 is also printing numerous pages of a document that appears to be a list of

current CLS clients

The computers in the reception area and Office 1 are found to have an unidentified USB device

plugged into their rear ports. The device is shown in Fig.2.

A Nokia 105 (4th Edition) phone is found on the floor near the rear fire exit door, it is turned on

and connected to the Vodafone network (see fig.3).

For a more detailed investigation, the computers, printers, USB devices and the Nokia phone will need to be taken back to the Digital Forensics lab for full inspection.

A suspect was arrested later that morning at his flat in Oldbury based on intelligence gathered from street CCTV footage obtained from the local council (although the footage does not show the suspect entering or leaving the premises of CLS, it does put him in close proximity around the time that the intruder alarm at CLS was triggered).

The CCTV footage shows the suspect running from the direction of the CLS premises and getting into a car that drove in the direction of where the suspect was arrested. Police were able to ascertain the make, model and registration details of the car. It became apparent that the suspect was already known to police for various minor burglary offences in the past. The suspect's flat was searched; the items seized included his Samsung A5 smartphone and a SanDisk Ultra 64 GB USB flash drive found in his pocket. The suspect had a Lenovo P50 laptop that was also seized, there was no other computer equipment in his flat. However, there were a number of printed documents found in his possession that appeared to be a partial list of clients at CLS; these were also seized. Interestingly, forensics investigators also found an Arduino with an ATmega32u4 device alongside another device labelled 'ESP8266' on his bedside table; it is not obvious what these devices are so they were also seized.

Further analysis by the digital forensics incident response team discovered a folder named 'spacehuhn' on the SanDisk Ultra 64 GB USB flash drive, there are many files and subfolders in this folder, but they are all encrypted using 256-bit AES encryption.

There are no other archived files and folders on the flash drive. The suspect was asked for the password credentials so that the data in the 'spacehuhn' folder can be investigated; he refused to cooperate by

remaining silent to all requests. The digital forensics analysts also investigated the computer from Office 2 and the USB device connected to its front port. It appears that the computer was logged into using the correct credentials and case data relating to CLS clients were being copied from the host computer to this USB device.

The computers at CLS appear to store their client details on the internal hard drive of the computer in Office 2; the computers in the main reception and Office 1 can access the client details through a shared folder using the internal network of the premises.

Although the computers are all password-protected, the hard drives are not encrypted. The computers are running Windows 7 Professional edition. The antivirus software seems to be kept up-to-date.

As part of the investigation, all staff at CLS were questioned regarding events leading up to the night of the intrusion at the premises. Staff at CLS do not recognise the Nokia 105 phone, the USB device labelled 'WDBU6Y0040BBK' nor the USB devices plugged into the rear ports of the computers in Office 1 or the reception area (see fig.2). None of the staff are under suspicion of having any involvement with the break-in.