The case of O’Brien, the memory stick and a Rotterdam safe

When Mr Justice Colm Mac Eochaidh of the High Court made an order in favour of Denis O’Brien last October, the language he used left little apparent room for ambiguity.

“And so,” he said having laid the building blocks of law and logic, “in respect of the memory stick, I direct that it be given into the safekeeping of the plaintiff solicitor, to hold until further order, and that of course that there be no interference with the memory stick at all by anybody; it just be held on behalf of the litigation by your solicitor,” he said looking at Michael Cush, O’Brien’s barrister.

“Is it sufficient I make that order on a forthwith basis?” asked Mac Eochaidh.

To lawyers, forthwith means “without delay” or “immediately” or, in simple terms, “now”.

“Certainly, Judge,” said Cush. “No difficulty with that.”

But that is not what happened.

On December 21st 2015, the court heard that after the judge made his October 16th order, several files on the memory stick were altered and deleted.

Yesterday, there was further evidence that the stick, whose origin is unknown but which is central to O’Brien’s assertions of an illegal conspiracy against him, was outside the jurisdiction even as Mac Eochaidh was making his order – and that it remained abroad for a further 10 days after the High Court edict that it should be retained for safe-keeping by O’Brien’s solicitor in Dublin.

In this latest twist to the case of Denis O’Brien versus Red Flag Consulting, the saga bounces between Dublin, Hong Kong, Rotterdam and Riga.

O’Brien’s case against Red Flag is that the PR company, chaired by Gavin O’Reilly, a former chief executive at Independent Newspapers during O’Brien’s hard-fought battle to wrest control from O’Reilly’s father, Tony O’Reilly, is orchestrating an illegal conspiracy to defame him and damage his business interests. Red Flag denies the charge.

O’Brien’s lawyers initiated his action on October 13th last, seeking a civil search and seize order called an Anton Piller Order.

They also sought a so-called superinjunction preventing any public disclosure of their action.

The High Court refused to grant the rarely used orders. Instead, the judge opted for, in effect, a freezing order.

On October 16th, Mr Justice Mac Eochaidh followed this by granting a forensic imaging order so that the evidence O’Brien regarded as proving his case was preserved.

While details of O’Brien’s version of events leading to his action have changed since he swore his first affidavit on October 13th last, his core accusation has remained consistent.

The USB memory stick, he says, was sent to him, anonymously, at his Dublin office in Grand Canal Quay, arriving on October 8th.

He had the stick examined by experts; its contents “were simply extraordinary”, the businessman swore in his first affidavit.

It emerged subsequently that the memory stick, a SanDisk Cruzer Edge USB which was password protected, contained 339 digital files – Microsoft Word documents and PDFs in the main – in 40 digital folders.

It is not known if the USB stick had been used prior to the files and folders at the centre of the case being copied on to it.

The dossier

The dossier was created by Red Flag, on behalf of a client, which the consultancy has so far resisted naming, despite O’Brien’s best efforts.

However, its files were shared, via Dropbox, with Mark Hollingsworth who was purporting to be acting for the Sunday Times but from whom the newspaper has since distanced itself.

Most of it amounted to newspaper cuttings, along with a number of analyses of O’Brien’s career, entitled “Who is Denis O’Brien?”, “Denis O’Brien IPO Experience”, and “The Moriarty Tribunal Explainer”.

By the following day, the disk was with Espion, digital forensic analysts based in Sandyford, Co Dublin. On October 12th, it reported back to O’Brien.

In court the following day, Wednesday, October 14th, lawyers for Red Flag expressed concern as to how O’Brien had obtained the USB and they sought access to it, having engaged their own forensic experts, Stroz Friedberg, a large company with offices across the US Europe and Asia, and who number among their analysts several experts recruited from Britain’s intelligence services.

The judge said he would make a ruling in two days’ time.

However, between that statement being made by him in court on the 14th and his ruling being delivered on the 16th, the USB stick was taken out of Ireland.

Digitpol, a cybersecurity firm run from Hong Kong by an Irish man, Martin Coyne, specialises in unscrambling digital evidence after car crashes.

Its clients include Humberside Police; VbV, the Dutch bureau of vehicle insurance crime; and RDW, the Dutch driving licensing authority.

Coyne has worked as head of technical developments at the operational support unit of the Rotterdam-Rijnmond Police and describes himself as an expert in forensic computing and cybercrime investigation.

The USB stick was given to Digitpol on October 14th as lawyers were arguing in the Four Courts, by O’Brien’s solicitors, Eames Solicitors, just around the corner on Bow Street – much to the alarm of Red Flag defendants who remained in the dark until January 20th, 2016.

O’Brien had already retained Espion, which has ISO 27001 certification, the industry benchmark for expertise in digital security and systems management.

In his affidavit, which emerged during yesterday’s proceedings, Red Flag chief operating officer Garret Doyle said there was “no explanation” from O’Brien on why he needed to hire Digitpol when he had already hired “one of the best known and most respected information technology firms in the country”.

Coyne was in Dublin on October 15th speaking at an Insurance Ireland conference in Croke Park, where at 10am he gave a presentation on the use of technology in extracting electronic data from crashed vehicles.

According to a report attached to an affidavit, the seventh by Eames solicitor Diarmuid O’Comhain, Digitpol “was engaged. . . to undertake an analysis of the USB stick”.

That analysis was done not in Hong Kong but in the Netherlands, which is where Coyne brought the USB stick, arriving in Amsterdam later on October 15th after his Croke Park presentation.

Coyne brought the USB stick with him, underlining the care he took by later telling O’Brien’s solicitor that he carried it in a faraday bag.

This is a soft pouch made of layered conductive mesh, nylon and polyurethane and which is favoured by police and intelligence agents because it protects digital information being attacked by remote wiping devices or bugs, and also shields it from tracking devises.

In his report for Eames Solicitors, Coyne mentions Digitpol offices in Barendtecht, a district south of Schiedamsedijk and Rotterdam city centre, but gives no address.

Inside Digitpol’s Dutch offices, there is an RFID safe, which may be opened and closed only with a small fob, similar to the keys used by cars and electronically-operated gates, or a swipe card similar to a bank card.

Digitpol’s RFID safe kept a log of when it was opened, and by whom. For extra security, “access to the safe is only granted digitally with the presence of two persons, one of whom needs to have senior management control access permissions”, as Coyne put it in a report to Eames, dated January 21st, 2016.

According to the log, the UBS stick was put into the safe at 1405 on October 15th by an “R Smit”.

The following day in Dublin, Mr Justice Colm Mac Eochaidh ordered that the USB stick be held only by Eames Solicitors and not interfered with “at all by anybody”.

Two days later in Rotterdam on October 18th, Martin Coyne took the stick from his special safe just after noon, his associate, R Smit, returning it at 2am on the 19th.

And so it continued over several days, the USB was taken in and out of the safe, its movement being recorded by the safe’s access log.

Digitpol’s January 21st report to O’Brien’s solicitors, which was detailed yesterday in the High Court, reveals no instruction from them to have the stick returned to Dublin in compliance with the High Court order of October 16th.

Instead, according to Digitpol’s record of who operated the safe, described as “access log to vault”, Coyne removed the stick from the safe on October 23rd at 0601, returning it later that day at 1630.

He had it again the next day, October 24th, again at 0601 precisely, returning it to the safe at 2100.

He had it out again on the 25th, this time at 0605, putting it back in at 1700.

Final removal

The final removal of the stick from the safe was on October 26th, this time by a D Pinter. It was returned to Eames Solicitors in Dublin later that day.

Coyne’s account of his accessing the safe in Rotterdam between October 23rd and October 24th is interesting because on October 23rd, he attended and made a presentation to a training seminar – 1,880km away in Riga, Latvia.

The seminar was hosted by the European branch of the International Association of Auto Theft Investigators and Coyne talked about Cube, a crime investigation project set up in 2009 by the Rotterdam Police, co-funded by the Netherlands ministry of justice.

While the section of Digitpol’s website detailing company news has ceased to exist in recent days, confirmation that Coyne was indeed in Riga may be had from readily available online photographs of him at the seminar.

As revealed yesterday in the High Court, Coyne filed an amended report to Eames on Tuesday of this week in which the “access log to vault” was changed.

No longer does it show Coyne opening and closing the RFID safe on October 23rd and 24th.

Now, the record shows that it was Smit who removed and put back the USB on those dates and the initial arrival of the stick in the safe on October 15th had also changed.

It was not, after all, there at 1405. It arrived at 1800. The significance of this change is unclear.

Digitpol’s report of its work on the USB stick concludes with an assertion that “it was not part of Digitpol’s instruction or intention to interfere with the USB stick”.

It says: “Any interference has had no material impact on the USB stick nor on the documents contained within the encrypted cylinder and that comprise the Dossier.”

The experts at Stroz Friedberg beg to differ. Stroz has a track record when it comes to data deletion and retrieval.

In the News of the World phone hacking scandal and subsequent investigation, Stroz reconstructed several years of emails that had been deleted from an account of Murdoch’s former editor and chief executive Rebekah Brooks.

A report by Stroz, dated January 27th and detailed yesterday in the High Court, notes that both Denis O’Brien’s sets of experts, Espion and Digitpol, “have confirmed that significant changes were made to the USB drive due to a failure to follow best practice”.

Stroz continues: “As a result of the numerous changes and additions of data to the USB drive, key forensic artefacts may have been destroyed.”

Stroz concludes: “It is now impossible to recover the USB device to its original condition, or to know exactly what data may have been modified or lost.”

But O’Brien’s side would have known this because their own experts, Espion, told them the same – on October 15th, the day the USB stick was given to Martin Coyne by Eames Solicitors, and taken out of Ireland.

Prompted by questioning from Red Flag, on that day an Espion expert, Damir Kahvedzic, filed an affidavit through Eames Solicitors to which, as exhibit 01/DK/01, was attached a supplementary Espion report to the company’s original report that underpinned O’Brien’s initiation of the case.

“If a forensic deletion of data is performed then it may be impossible to recover or detect the data deleted,” said the Espion supplementary report.

“It is relatively easy to perform a forensic deletion and freely available software and guides can enable any individual with basic IT knowledge to carry out such forensic deletions that may not be detectable.”

The report said also that where a file has been modified, “for most file types the previous version of the data is not recoverable once a change has been made and the file saved”.

The suggestion that data critical to O’Brien’s case was interfered with was described yesterday as “outrageous” by his barrister, Martin Hayden.

The “encrypted chamber” of the USB stick had “not been in any way accessed or interfered with”, he asserted.

However, in his affidavit, Garret Doyle is blunt in its criticism of O’Brien and Eames, his solicitors.

Doyle accuses them of failing to comply with Mac Eochaidh’s order of October 16th at which juncture the USB stick “was being held out of the jurisdiction by an entity whose existence and involvement was not disclosed. . . “

He continued: “Despite the clear intention of the court, the memory stick was interfered with by both Espion and Digitpol on multiple occasions. . .”