Search Captions & Ask AI

Forensic Files - Season 8, Episode 39 - Hack Attack - Full Episode

December 16, 2021 / 22:58

This episode covers the computer crash at Omega Engineering, the investigation into its cause, and the eventual indictment of former employee Tim Lloyd. Key topics include data recovery, potential sabotage, and the impact on employees.

The crash occurred on July 31, 1996, when a worker attempted to boot up a computer, leading to a catastrophic failure of Omega's manufacturing systems. The plant's manager, Jim Ferguson, sought help from former network administrator Tim Lloyd, who had left the company shortly before the incident.

As the investigation unfolded, forensic experts from Kroll Ontrack and the Secret Service examined the hard drive and discovered that the data had been purged rather than simply deleted. This indicated potential sabotage, prompting a deeper look into Lloyd's actions prior to his departure.

Evidence pointed to a maliciously crafted time bomb code that triggered the deletion of critical files. The investigation revealed that Lloyd had been testing this code while still employed at Omega, leading to suspicions of an inside job.

Ultimately, Tim Lloyd was indicted for his role in the incident, which caused significant financial losses for Omega Engineering. The case marked a significant moment in legal history regarding computer crimes.

TLDR

A computer crash at Omega Engineering leads to an investigation revealing sabotage by former employee Tim Lloyd.

Episode

22:58
00:00:06
NARRATOR: A mysterious computer crash pushes a thriving manufacturing company to the brink of collapse, jeopardizing
00:00:13
the jobs of dozens of employees. There is no apparent cause. No obvious clues. Forensic investigators had to find out whether the disaster
00:00:24
was caused by a computer defect, human error, or sabotage. Today, there are over 700 million computers at work
00:01:00
in the world, any one of those holds millions of records vital to people, governments, and industry.
00:01:08
With millions of pieces of information in one small box can make that information vulnerable.
00:01:16
Omega Engineering manufactured high tech measurement devices for the United States Navy, NASA, and clients
00:01:23
around the world. A state of the art computer system at their New Jersey Plant, enabled Omega to quickly customize their products
00:01:31
to suit their customers' needs. The business was growing, and revenues were up. Then came July 31st 1996.
00:01:42
-It was a bad day in Omega on July 31st of '96. One of the workers got in about 8:00, 8:30 in the morning,
00:01:49
went to his or her workstation like they always did, and they clicked on the system.
00:01:56
They booted up the computer, and instead of coming on though, it said fixing. And the worker didn't know what was going on,
00:02:04
but fixing sounded pretty positive, so he let it run. And within seconds, the machine was down.
00:02:12
NARRATOR: But it wasn't that one machine that was in trouble. The manufacturing equipment in Omega
00:02:18
got its instructions from the computer server, the brains of a sophisticated system that could
00:02:24
store over 1,000 different programs. -Those 1,000 program built 25,000 different products,
00:02:31
and they could customize those products into 500,000 different pieces. So you talking about everything that the company can make.
00:02:40
NARRATOR: But now, in the span of just a few seconds, Omega's vital computer system had crashed.
00:02:47
The plant's manager tried to get the server up and running again, with no luck. Typically crucial files are periodically
00:02:54
copied from a server onto a backup tape. Omega thought they could restore the missing
00:03:00
programs from their backup. -And the backup tape was kept in a filing cabinet in the human resources office.
00:03:07
NARRATOR: But the tape wasn't there. With no computer programs to drive the manufacturing
00:03:13
process, plant operators had only one option, to complete the jobs that had already
00:03:18
been started before the crash. -Just to keep the machines running, to keep producing,
00:03:24
to keep people working, they just kept producing until they ran out of raw materials.
00:03:29
V. GRADY O'MALLEY (ASSISTANT U.S. ATTORNEY): But they ultimately created such a vast inventory
00:03:33
of those specific items, that they couldn't justify continuing it anymore. So they had to shut the plant down.
00:03:38
-One big problem that Omega had was that they hadn't hired a new network administrator.
00:03:42
NARRATOR: The former network administrator, a long time employee named Tim Lloyd, was now
00:03:48
working for another company. -He was the one who actually built the network in the Omega's health plant.
00:03:55
He was the genesis of their whole network. He knew it inside and out. He built it, and he was friends with these people.
00:04:02
-He was the designer for all the computer programming. He was the overseer of their network.
00:04:08
He maintained it. He secured it. He nurtured it. NARRATOR: The plant manager, Jim Ferguson,
00:04:14
called Lloyd to see if he could help solve the serious problem with Omega's computer system.
00:04:19
JIM FERGUSON (ON PHONE): Did you come across any-- you mentioned that you might want to look in the basement
00:04:24
for some old tapes, some backup tapes. TIM LLOYD (ON PHONE): Still looking. JIM FERGUSON (ON PHONE): OK.
00:04:28
Was there one tape or two tapes of backups? TIM LLOYD (ON PHONE): There was one tape
00:04:32
that was in the filing cabinet or-- NARRATOR: Omega was teetering on the brink of collapse,
00:04:41
with hundreds of jobs at stake, and no clues about what had caused the catastrophic shutdown of the computers.
00:04:53
Omega Engineering faced a crisis so immense, it could force the company out of business.
00:04:59
Two weeks earlier, the computer system that contained the plans for all their products had inexplicably crashed.
00:05:06
Time was running out. If Omega couldn't get its computer system back up, layoffs would be inevitable.
00:05:14
-What they lost was the ability to manufacture. And when you're a manufacturing company,
00:05:20
you're dead in the water. NARRATOR: Omega hired Kroll Ontrack, a Minnesota-based company that resurrects data
00:05:27
from crashed computers all over the world. -Any kind of media that actually store data onto, any time they
00:05:33
lose access to this, or for some reason becomes unreadable, we get involved to help restore the data.
00:05:41
NARRATOR: Bob Hackett, a computer forensic expert, began by examining the hard drive on Omega's server.
00:05:48
It's the heart of a computer, where information is magnetically encoded on a disc that's spinning
00:05:54
at 10,000 revolutions per minute. -Physically the hardware, which could be a hard drive or any components used to power
00:06:02
or drive the hardware could have failed, but everything seemed to be operational.
00:06:09
NARRATOR: The drive was physically undamaged. But retrieving the data would mean
00:06:14
examining the electronic contents. Contents that might reveal important evidence.
00:06:20
But Omega management now wondered if the crash might have been sabotage. So to safeguard the hard drive, they
00:06:28
turned it over to the Secret Service. Experts in Computer Fraud, the Secret Service
00:06:34
knew hunting for the loss programs might alter records on the drive. Even just turning on the computer
00:06:41
alters or overwrites some of the information. -From a forensics standpoint, you don't want write to that hard drive.
00:06:48
NARRATOR: The Secret Service made an exact digital replica of Omega's hard drive, a clone, that enabled Ontrack to examine
00:06:57
all the data stored in the original. What Ontrack investigators discovered was startling.
00:07:05
All that remained was fragmented computer code, mostly unintelligible even to computer experts.
00:07:13
This indicated the programs has not been simply deleted. Deleting a computer file erases only the name of the file.
00:07:22
The data actually remains in the computer's memory until it is replaced by something else.
00:07:28
So it's often possible to recover the information. But in this case investigators discovered
00:07:35
that Omega's programs had not only been deleted, they had also been purged. -If we take the analogy of a piece of paper on a desk,
00:07:44
if I was to take that, crumple it up, and throw it in the wastebasket, that would be
00:07:48
equivalent to a deletion on a computer system. I could still go, grab that piece out of the garbage
00:07:53
can unfold it, and look at it. A purge would take that same piece of paper, run it through a shredder, take what came out
00:08:00
through the shredder, throw it up in the air. NARRATOR: Omega's data could never be recovered.
00:08:05
The focus now shifted to a forensic investigation into how and why the data was purged.
00:08:13
Greg Olson, an expert in the operating system used by Omega, examined the drive for signs of a virus.
00:08:20
A virus corrupts data by inserting it's own code into whatever program is being run.
00:08:26
-There are no viruses that would cause this particularly damage. NARRATOR: User error was another possibility,
00:08:33
an accidental deletion. -Very common, we find that a data loss has happened because a computer system administrator has
00:08:42
come in and reinstalled an operating system, or made a mistake by reformatting a hard drive.
00:08:47
And I was able to rule that out effectively by looking at the system. That clearly that that did not happen.
00:08:54
NARRATOR: Because the deletion was to surgical to be accidental. Only the key manufacturing programs had been destroyed.
00:09:03
If it was intentional, it could mean it was an inside job. -They would have to know where the specific programs are
00:09:11
being kept. It's not going to be some kid home alone after school who just randomly breaks into Omega's system,
00:09:19
and knows where those specific files are. You need someone who's on the inside, someone who knows where
00:09:25
the keys to the castle are hidden, and they know how to hurt the company. NARRATOR: The Secret Service first
00:09:31
looked at Tim Lloyd, the man who had designed Omega's computer system. He had recently left Omega for a job at another company.
00:09:38
Supervisors had given him a positive reference. V. GRADY O'MALLEY (ASSISTANT U.S. ATTORNEY):
00:09:42
They said he was a good worker. They said that he was excellent technically. They didn't want to prevent him from getting another job.
00:09:51
NARRATOR: Lloyd had left Omega three weeks before the computer crash. So he didn't have access to the building
00:09:57
to purge the manufacturing programs on the day of the crash. -They were kind of in a quandary as
00:10:04
to who else besides him could have done it. They thought maybe he hacked in from the outside.
00:10:11
But they said they had disconnected any contact from an outside modem, so they knew
00:10:16
that couldn't have been done. NARRATOR: Only supervisors had access to Omega's computer
00:10:21
system at a level necessary to cause this much damage. But there was a problem. -Just about everybody had supervisory rights.
00:10:31
And there were even some accounts that were set up with a name like 12345. It's a really strange name with absolutely no password.
00:10:39
So there was no security on this. NARRATOR: Which meant that the perpetrator could have been anyone.
00:10:52
Six months after the massive computer crash, Omega was struggling to stay afloat.
00:10:57
How had its proprietary software been completely deleted? Kroll Ontracks' Greg Olsen, an expert in the Novell operating
00:11:06
system that controlled the server, sifted the electronic flotsam of the company's hard drive.
00:11:12
-The problem is, is when you do a delete and a purge, the entire road map to know where
00:11:16
this data is is completely gone. So it's literally a needle in the haystack, and impossible to piece this information together.
00:11:23
All you're seeing is a collection of letters and numbers that don't really mean anything.
00:11:29
NARRATOR: Olson relied on sophisticated software to help him search for any suspicious commands.
00:11:35
-What I'm looking for is bits of code that I know in the computer world cause deletion.
00:11:41
In this particular case, what I was zeroing in on was any type of a delete, or even any type of a purge.
00:11:54
Where I really hit gold was when I started taking hits on the search for purge. NARRATOR: Eventually, Olson found a purge command
00:12:02
tied to five other lines of code. -That one seven 39 six, all six lines of this calendar essentially that caused it.
00:12:13
12345 NARRATOR: It was a dangerously efficient bit of programming. -We called it a time bomb, and the actual fuse
00:12:21
was six lines of code. And what it was is really a set of steps that the computer would go through, some checks.
00:12:26
NARRATOR: The first line simply checked the date and compared it to July 30th 1996,
00:12:32
the day before the server crashed. -This fuse can be attached to anybody that's logging in.
00:12:39
So when you come in, what the fuse does is it checks the date. And if it's after the date in the fuse,
00:12:45
it would actually light the time bomb to actually do the deletion. NARRATOR: The second line of code accessed the server.
00:12:53
The third line was a logon command for the mysterious user, 12345, a kind of computer ghost.
00:13:02
The unsuspecting user and 12345 were logged in on the same machine. But 12345 provided the supervisory status
00:13:13
needed to perform deletions. The next line accessed the manufacturing programs. The fifth line launched a program labeled, FIX.EXE.
00:13:25
When Olson looked at the code for this program, he found a troubling clue. The code had been generated from a commonly available deletion
00:13:35
program, but it had been reconfigured to fool anyone using the system. -It did modify the intents of deletion,
00:13:43
but the message that appears on the screen that would normally say, deleting this file, deleting this file,
00:13:49
actually said, fixing this file, fixing this file. NARRATOR: The code was also rewritten to ignore safeguards,
00:13:56
automatically answering yes to the question, are you sure you want to delete these files?
00:14:02
The last line of code was the purge command, making the material unrecoverable. -It would happen relatively fast.
00:14:11
You could go get a cup of coffee, read the front page of the paper, and come back,
00:14:15
and it's all done. It's all gone. NARRATOR: And all the user had to do was turn on the computer.
00:14:21
But Olson and Hackett found other purge commands as well. -That one has a test directory.
00:14:30
NARRATOR: Three similar sets of code dated for February, April, and May. But they only deleted a useless test folder,
00:14:38
which would have gone undetected by the company. -What I deduced from that is essentially somebody
00:14:44
was doing some testing of the application, this particular time bomb to make sure that it would work
00:14:50
before it was truly implemented, and ready to go. NARRATOR: It appeared the tests were done
00:14:56
while Omega's former computer manager, Tim Lloyd, was still at the company. The Secret Service ran a background check
00:15:04
and learned that Lloyd had been disciplined for run-ins with coworkers shortly before leaving the company.
00:15:10
-There was conflict that broke out between other employees, between management, between supervisors.
00:15:17
-He would bottleneck projects just because he was in charge of the projects. That he hadn't tested projects before they
00:15:25
went into production. And so there were a lot of problems. One person even testified that he had elbowed
00:15:31
a female coworker in the workplace. NARRATOR: On August 21s, Secret Service agents
00:15:38
searched Lloyd's home and garage, looking for evidence to tie him to the malicious code.
00:15:44
They found circuit boards, computers, more than 500 disks, several hard drives, and data tapes.
00:15:52
What immediately stuck out was the tape labeled backup with the dates May 14th 1996 and July 1st 1996.
00:16:03
Authorities suspected it was the missing backup tape from omega, but it was blank.
00:16:09
-The dates that we found on some of the tapes had a format date of early August.
00:16:16
-We learned that the backup tape had been reformatted or essentially erased a matter of days
00:16:21
before the search warrant was executed. The next thing we had to do was try to establish additional evidence that would support our theory
00:16:35
that Lloyd was the guy. So what we did was, for example, we went to his time cards.
00:16:41
NARRATOR: Lloyd's time card showed that he worked late on days in February, April and May.
00:16:46
Each time, just prior to the test runs of the time bomb. Then Hackett and Olson found a copy of the time bomb
00:16:54
on one of Lloyd's hard drives. -So the same lines of code that Ontrack had pieced together
00:17:03
from the downed server, they found those lines intact in Tim's home. NARRATOR: A relatively new statute made computer sabotage
00:17:14
a federal offense, if it affected a computer used in interstate commerce and caused more than $5,000
00:17:20
worth of damage. Tim Lloyd was indicted by a grand jury. His case would be the first test of the new law.
00:17:34
Prosecutors in New Jersey say the computer crash devastated omega engineering, leading to $10 million of lost business,
00:17:43
$2 million of reprogramming cost, and 80 employee layoffs. -Probably would have done less damage to the company,
00:17:51
if he had done it with a real bomb. -Doesn't matter really what happens to the building
00:17:54
if your data is gone. -It is a white collar crime that's a very serious crime. It's a non-violent crime, but you know what?
00:18:01
You don't know what the implications are of people losing their jobs. You know maybe there was violence that occurred
00:18:08
as a result of some of these folks losing their jobs, maybe domestic violence. Timothy Lloyd's four week trial began in April 1998.
00:18:17
It would be one of the first criminal cases to explore the arcane world of computer code.
00:18:24
-How would an attorney who hadn't before this had a lot of technical expertise, go into a really high tech field
00:18:34
and explain it to a jury? You're not going to show them fingerprints. You're not going to show them a smoking gun or a bag of coke.
00:18:43
NARRATOR: At trial, prosecutors argued that Lloyd had fallen out of favor with his supervisors,
00:18:48
and grown resentful when he was reassigned. Investigators had been able to prove that Lloyd
00:18:56
developed the time bomb code at home. Then worked late so that he could install and test
00:19:03
the code in secret. He planned on quitting. And was in the process of interviewing
00:19:08
with another company, when he was fired. In fact, he told the recruiter at his new company
00:19:14
that everybody's job at Omega is in jeopardy. He made the remark on July 31st, the same day
00:19:23
the computer crashed. -How would he know that? On the date that that time bomb, nobody even at Omega knew that.
00:19:32
They thought they had a computer problem. That's all they knew. But everybody's job?
00:19:36
I think that was a remarkable find, and something that the jurors were able to pick up on.
00:19:43
NARRATOR: But the most compelling evidence was the bits of code the computer experts found.
00:19:49
-And to have this maliciously damaged and delete and purge all the data from this point
00:19:57
without really having any idea that this was actually happening, and to do it in such a short, quick fashion
00:20:03
was very clever. -And he was gone. Being fired actually helped him. And he probably sat back there and said,
00:20:10
now they'll never connect me to this. But we were able to find a hard drive in this house that had that command on it.
00:20:20
Had we not found that, then he would have gotten away with it. Once you find it at his house, how do you explain that away?
00:20:27
NARRATOR: The jury found Lloyd guilty. Various appeals kept him free for almost four years.
00:20:34
But in 2002, he began serving a prison term of 3 and 1/2 years, and ordered to pay $2 million in restitution.
00:20:44
Lloyd claims he is innocent, and it's someone at omega accidentally deleted the programs.
00:20:50
He says he could have proved that at trial, but his attorney advised him not to take the stand.
00:20:56
-He's the consummate egotist. I think he is absolutely livid that he was discovered.
00:21:02
I think that he was fully intent on getting away with it. In fact, I think consistent with his personality,
00:21:10
he was actually prepared, perhaps, to ride to the rescue. I think that there was a point in time when he was actually
00:21:17
prepared to say, I found it, and I'd ride to the rescue. But when Ferguson says, we're bringing
00:21:23
in the Secret Service-- FERGUSON (ON PHONE): We're at a very, very serious phase.
00:21:27
We're actually bringing in the federal authorities at this point. TIM LLOYD (ON PHONE): I don't blame you.
00:21:31
FERGUSON (ON PHONE): They've taken a real genuine interest in coming in here. Matter of fact, they may be in tomorrow.
00:21:37
-I think that changed his mind. NARRATOR: Omega Engineering never fully recovered, but is still in business.
00:21:45
Kroll Ontrack track was given an award by the Secret Service for the unique role they played in a case
00:21:52
that paved new legal ground. -It was interesting, simply because it was one of the first cases of this type that we had seen.
00:22:02
-Omega made a lot of technical mistakes, but their biggest mistakes were caused by human factors.
00:22:10
It was because they trusted Tim. It was because they had real affection for Tim,
00:22:15
and they thought that he was family. And you let family get away with a lot more
00:22:19
than you would anybody else. You give them a lot more rope to hang themselves with.

Badges

This episode stands out for the following:

  • 80
    Most shocking
  • 80
    Biggest twist
  • 75
    Most intense
  • 75
    Most surprising

Episode Highlights

  • A Mysterious Computer Crash
    A thriving manufacturing company faces collapse due to an unexplained computer crash.
    “There is no apparent cause.”
    @ 00m 16s
    December 16, 2021
  • The Time Bomb Code
    Investigators discover a malicious code designed to delete vital data.
    “We called it a time bomb, and the actual fuse was six lines of code.”
    @ 12m 18s
    December 16, 2021
  • Tim Lloyd's Indictment
    Tim Lloyd is indicted for causing $10 million in damages through computer sabotage.
    “His case would be the first test of the new law.”
    @ 17m 23s
    December 16, 2021
  • The Jury's Verdict
    Tim Lloyd is found guilty, leading to a prison sentence and restitution.
    “Had we not found that, then he would have gotten away with it.”
    @ 20m 27s
    December 16, 2021
  • Omega's Ongoing Struggles
    Despite the crash, Omega Engineering remains in business but never fully recovers.
    “Omega made a lot of technical mistakes, but their biggest mistakes were caused by human factors.”
    @ 22m 06s
    December 16, 2021

Episode Quotes

  • It was a bad day in Omega on July 31st of '96.
    Forensic Files - Season 8, Episode 39 - Hack Attack - Full Episode
  • What they lost was the ability to manufacture.
    Forensic Files - Season 8, Episode 39 - Hack Attack - Full Episode
  • You don't know what the implications are of people losing their jobs.
    Forensic Files - Season 8, Episode 39 - Hack Attack - Full Episode
  • I think he was fully intent on getting away with it.
    Forensic Files - Season 8, Episode 39 - Hack Attack - Full Episode

Key Moments

  • Crash Day01:42
  • Investigation Begins05:24
  • Data Purged07:42
  • Time Bomb Discovery12:18
  • Trial Begins18:17

Tension Over Time

Words per Minute Over Time

Vibes Breakdown