a mysterious computer crash pushes a
thriving manufacturing company to the
brink of collapse jeopardizing the jobs
of dozens of employees there is no
apparent cause no obvious clues forensic
investigators had to find out whether
the disaster was caused by a computer
defect human error or sabotage
today there are over 700 million
computers at work in the world any one
of those holds millions of records vital
to people governments and industries but
millions of pieces of information in one
small box can make that information
vulnerable Omega Engineering manufactured
hi-tech measurement devices for the
United States Navy NASA and clients
around the world
a state-of-the-art computer system at
their New Jersey plant enabled Omega to
quickly customize their products to suit
their customers' needs the business was
growing and revenues were up then came
July 31st 1996 it was a bad day to make
on July 31st of 96 one of the workers
get in about 8:00 8:30 in the morning
went to his or her workstation like they
always did and they flipped on the
system they booted up the computer and
instead of coming on though it said
fixing and the worker didn't know what
was going on but fixing sounded pretty
positive so he let it run and within
seconds the machine was down but it
wasn't that one machine that was in
trouble the manufacturing equipment at
Omega got its instructions from the
computer server the brains of a
sophisticated system that could store
over 1,000 different programs those
1,000 programs built 25,000 different
products and they could customize those
products into 500,000 different pieces
so you're talking about everything that
the company can make
but now in the span of just a few
seconds Omega's vital computer system had
crashed the plant's manager tried to get
the server up and running again with no
luck
typically crucial files are periodically
copied from a server onto a backup tape
Omega thought they could restore the
missing programs from their backup and
the backup tape was kept in a filing
cabinet in the Human Resources office
but the tape wasn't there with no
computer programs to drive the
manufacturing process plant operators
had only one option to complete the jobs
that had already been started before the
crash just to keep the machines running
to keep producing to keep people working
they just kept producing until they ran
out of raw materials but they ultimately
created such a vast inventory of those
specific items that they couldn't
justify continuing anymore so they had
to shut the plant down one big problem
that Omega had was that they hadn't
hired a new network administrator the
former network administrator a longtime
employee named Tim Lloyd was now working
for another company he was the one who
actually built the network in the omegas
health plant he was the genesis of their
whole network he knew it inside and out
he built it and he was friends with
these people he was the designer for all
the computer programming he was the
overseer of their network he
maintained that he secured it he
nurtured it the plant manager Jim
Ferguson called Lloyd to see if he could
help solve the serious problem with
Omega's computer system did you come
across any uh you mentioned that you
might want to look in the bait you were
going to look in the basement for some
old tapes and backup technology okay
was there one tape or two tapes of
backups do it there was one tape that
was
filing cabinet drei Omega was teetering
on the brink of collapse
with hundreds of jobs at stake and no
clues about what had caused the
catastrophic shutdown of the computers
Omega Engineering faced a crisis so
immense it could force the company out
of business two weeks earlier the
computer system that contained the plans
for all their products had inexplicably
crashed time was running out if Omega
couldn't get its computer system back up
layoffs would be inevitable what they
lost was the ability to manufacture and
when you're a manufacturing company
you're dead in the water
Omega hired Kroll Ontrack a Minnesota
based company that resurrects data from
crashed computers all over the world any
kind of media that actually store data
onto any time they lose access to this
or for some reason becomes unreadable we
get involved to help restore the data
Bob Hackett a computer forensic expert
began by examining the hard drive on
Omega's server it's the heart of a
computer where information is
magnetically encoded on a disk spinning
at 10,000 revolutions per minute
physically the hardware which could be a
hard drive or anything components used
to power or drive the hardware could
have failed but everything seemed to be
operational the drive was physically
undamaged but retrieving the data would
mean examining the electronic contents
contents that might reveal important
evidence but Omega management now
wondered if the crash might have been
sabotage
so to safeguard the hard drive they
turned it over to the Secret Service
experts in computer fraud The Secret
Service knew hunting for the lost
programs might alter records on the
drive even just turning on a computer
alters or overwrites some of the
information from a
forensic standpoint you don't want to
write to that hard drive the secret
service made an exact digital replica of
Omega's hard drive a clone that enabled
Ontrack to examine all the data stored
in the original what Ontrack
investigators discovered was startling
all that remained was fragmented
computer code mostly unintelligible even
to computer experts this indicated the
programs had not been simply deleted
deleting a computer file erases only the
name of the file the data actually
remains in the computer's memory until
it is replaced by something else so it's
often possible to recover the
information but in this case
investigators discovered that Omega's
programs had not only been deleted they
had also been purged if we take the
analogy of a piece of paper on a desk if
I was to take that crumple it up and
throw it in the wastebasket
that would be cooled into a deletion on
a computer system I could still go grab
that piece of paper out of the garbage
can unfold it and look at it a purge
would take that same piece of paper run
it through a shredder take what came out
through the shredder throw it up in the
air
Omega's data could never be recovered
the focus now shifted to a forensic
investigation into how and why the data
was purged Greg Olson an expert in the
operating system used by Omega examined
the drive for signs of a virus a virus
corrupts data by inserting its own code
into whatever program is being run there
are no viruses that would cause this
particular damage user error was another
possibility
an accidental deletion very common we
find that a data loss has happened
because computer system
administrators come in and reinstalled
an operating system or made a mistake by
reformatting a hard drive and I was able
to rule that out effect
by looking at the system that clearly
that that did not happen because the
deletion was too surgical to be
accidental only the key manufacturing
programs had been destroyed if it was
intentional
it could mean it was an inside job they
would have to know where these specific
programs are being kept it's not going
to be some kid home alone after school
who just randomly breaks into Omega
system and knows where those specific
files are you need someone who's on the
inside someone who knows where the keys
to the castle are hidden and they know
how to hurt the company The Secret
Service first looked at Tim Lloyd the
man who had designed Omega's computer
system he had recently left Omega for a
job at another company supervisors had
given him a positive reference they said
he was a good worker they said that he
was excellent
technically they didn't want to prevent
him from getting another job
Lloyd had left Omega three weeks before
the computer crash so he didn't have
access to the building to purge the
manufacturing programs on the day of the
crash they were kind of in a quandary as
to who else besides him could have done
it they thought maybe hacked in from the
outside but they said that they had
disconnected any contact from an outside
modem so they know that couldn't have
been done only supervisors had access to
Omega's computer system at a level
necessary to cause this much damage but
there was a problem just about everybody
had supervisory rights and there were
even some accounts that were set up with a
name like one two three four five it's
really strange name with absolutely no
password so there was no security on
this which meant
that the perpetrator could have been
anyone
six months after the massive computer
crash Omega was struggling to stay
afloat how had its proprietary software
been completely deleted Kroll Ontrack's
Greg Olson an expert in the Novell
operating system that controlled the
server sifted the electronic flotsam of
the company's hard drive the problem is
is when you do a delete and a purge the
entire roadmap to know where this data
is is completely gone so it's literally
a needle in the haystack and impossible
to piece this information together all
you're seeing is a collection of letters
and numbers that don't really mean
anything
Olson relied on sophisticated software
to help him search for any suspicious
commands what I'm looking for is bits of
code that I know in the computer world
caused deletion in this particular case
what I when I was zeroing in on was any
type of a delete or even any type of a
purge so from here
you are search for purge
we have a hit where I really hit gold
was when I started taking hits on the
search for purge eventually Olson found
a purge command tied to five other lines
of code that one seven thirty 96 all six
lines of these colder
it was a dangerously efficient bit of
programming we called it a time bomb and
the actual fuse was six lines of code
and what it was is really a set of steps
that the computer would go through some
checks the first line simply checked the
date and compared it to July 30th 1996
the day before the server crash this
fuse can be attached to anybody that's
logging in so when you come in what the
fuse does is it checks the date and if
it's after the date and the fuse it
would actually light the time bomb to
actually do the deletion the second line
of code accessed the server the third
line was a logon command for the
mysterious user one two three four five
a kind of computer ghost the
unsuspecting user and one two three four
five were logged in on the same machine
but one two three four five provided the
supervisory status needed to perform
deletions the next line accessed the
manufacturing programs the fifth line
launched a program labeled fix.exe
when Olson looked at the code for this
program he found a troubling clue the
code had been generated from a commonly
available deletion program but it had
been reconfigured to fool anyone using
the system it did modify the intensive
deletion but the message that appears on
the screen that would normally say
deleting this file deleting this file
actually said fixing this file fixing
this file the code was also rewritten to
ignore safeguards automatically
answering yes to the question are you
sure you want to delete these files the
last line of code was the purge command
making the material unrecoverable
it would happen relatively fast you
could go get a cup of coffee read the
front page of the paper and come back
and it's all done it's all gone and all
the user had to do was turn on the
computer but Olson and Hackett found
other purge commands as well that one
has a test directory three similar sets
of code dated for February April and May
but they only deleted a useless test
folder which would have gone undetected
by the company what I deduced from that
is essentially this was somebody was
doing some testing of the application
this particular time bomb to make sure
that it would work before it was truly
implemented and ready to go it appeared
the tests were done while Omega's former
computer manager Tim Lloyd was still at
the company The Secret Service ran a
background check and learned that Lloyd
had been disciplined for run-ins with
coworkers shortly before leaving the
company there was conflict that broke
out between other employees between
management between supervisors he would
bottleneck projects just because he was
in charge of the projects that he hadn't
tested projects before they went into
production and so there were a lot of
problems one person even testified that
he had elbowed a female co-worker in the
workplace on August 21st Secret Service
agents searched Lloyd's home and garage
looking for evidence to tie him to the
malicious code
they found circuit boards computers more
than 500 disks several hard drives and
data tapes what immediately stuck out
was a tape labeled backup with the dates
May 14 1996 and July 1st 1996
authorities suspected it was the missing
backup tape
from Omega but it was blank the dates that we
found on some of the tapes had a format
date of early August we learned that the
backup tape had been reformatted or
essentially erased a matter of days
before the search warrant was executed
the next thing we had to do was try to
establish additional evidence that would
support our theory that Lloyd was the guy
so what we did was for example one was
time cards Lloyd's time card showed that
he worked late on days in February April
and May each time just prior to the test
runs of the time bomb then Hackett and
Olson found a copy of the time bomb on
one of Lloyd's hard drives
so the same lines of code that Ontrack
had pieced together from the downed
server they found those lines intact in
Tim's home a relatively new statute made
computer sabotage a federal offense if
it affected a computer used in
interstate commerce and caused more than
five thousand dollars worth of damage
Tim Lloyd was indicted by a grand jury
his case would be the first test of the
new law prosecutors in New Jersey say
the computer crash
devastated Omega Engineering leading to
10 million dollars of lost business two
million dollars of reprogramming costs
and 80 employee layoffs probably done
less damage to the company if you had
done it with a real bomb doesn't matter
really what happens to the building if your
data is gone it is a white-collar crime
but it's a very serious crime it's a non
violent crime but you know what you
don't know what the implications are
people losing their jobs you know maybe
maybe there was violence that occurred
as a result of some of these folks
losing their jobs maybe domestic
violence
Timothy Lloyd's four week trial began in
April 1998 it would be one of the first
criminal cases to explore the arcane
world of computer code how would an
attorney who hadn't before this had a
lot of technical expertise go into a
really high tech field and explain it to
a jury you're not going to show them
fingerprints you're not going to show
them smoking gun or bag of coke at trial
prosecutors argued that Lloyd had fallen
out of favor with his supervisors and
grown resentful when he was reassigned
investigators had been able to prove
that Lloyd developed the time bomb code
at home then worked late so that he could
install and test the code in secret he
planned on quitting and was in the
process of interviewing with another
company when he was fired in fact he
told the recruiter at his new company
that everybody's job at Omega is in
jeopardy he made the remark on July 31st
the same day the computer crashed how
would he know that on the day that that
time bomb nobody even at Omega knew that
they thought they had a computer problem
that's all they knew
but everybody's job I think that that
was a remarkable find and something that
the jurors were able to pick up on the
most compelling evidence was the bits of
code the computer experts found and to
have this maliciously damage and delete
and purge all the data from this point
without really having any idea that this
was actually happening and to do it in
such a short and quick fashion was very
clever and he was gone being fired
actually helped him and he probably sat
back there and said now they'll never
connect me to this but we were able to
find a hard drive in his house that had
that command on it had we not found that
then he would have gotten away with it
once you find that at his house how do
you explain that away
the jury found Lloyd guilty various
appeals kept him free for almost four
years but in 2002 he began serving a
prison term of three and a half years
and was ordered to pay two million dollars
in restitution
Lloyd claims he is innocent and that
someone at Omega accidentally deleted
the programs he says he could have
proved that at trial but his attorney
advised him not to take the stand he's
the consummate egotist I think he is
absolutely livid that he was discovered
I think that he was
fully intent on getting away with it in
fact I think consistent with his
personality he was actually prepared
perhaps to ride to the rescue I think
that there was point in time when he was
actually prepared to say I found it and
I'll ride to the rescue but I think when
Ferguson says we're bringing in the
Secret Service we're at a very very
serious stage we're actually bringing in
the federal authorities at this point I
don't blame me on that they've taken a
real genuine interest in coming in here
about a fact they may be in tomorrow I
think that that changed his mind
Omega Engineering never fully recovered
but is still in business Kroll Ontrack
was given an award by the Secret Service
for the unique role they played in a
case that paved new legal ground it was
interesting simply because it was one of
the first cases of its type you know
that we had seen Omega made a lot of
technical mistakes but their biggest
mistakes were caused by human factors it
was because they trusted Tim it was
because they had real affection for Tim
and they thought that he was family and
you let family get away with a lot more
than you would anybody else you give him
a lot more rope to hang themselves with
08x39 - Hack Attack
Documentary that reveals how forensic science is used to solve violent crimes, mysterious accidents, and outbreaks of illness.