Posted on by admin

When “Digital Forensics” Becomes Digital Storytelling


Why this exists

From time to time, documents circulate that make serious claims about people’s work and professional conduct. In my case, a forensic report produced in 2022 did exactly that and has since been shared online.

This page exists to provide a measured, evidence-based response, setting out the technical and evidential shortcomings in that report and explaining, in plain terms, why its conclusions should not be relied upon.

It is intended as a factual record and reference point, not as a campaign or a personal dispute.

Essentially, they had formed a view following a heavy employment tribunal loss that was very critical of their conduct (and praised mine).

They needed to manufacture a way to make their world view seem true – even though other people had bigger issues with them.

So – I want to explain, calmly and in plain English, why that report doesn’t meet reasonable technical or evidential standards — and why its conclusions shouldn’t be relied upon.

First, some basic context. I worked for the company from July 2018 to December 2020. The report was written in December 2022.

That timeline isn’t a footnote. It’s the whole story.

And one more thing, up front: anyone who has worked with me knows I’m painfully straight-laced about this stuff. I’ve spent my career in regulated, IP-sensitive environments. I don’t do “dodgy”. I wouldn’t steal an employer’s IP, and I wouldn’t even consider it. If I wanted a quieter life, that would be a very strange way to go about it.

Which is why the quality of this report matters.

1. The Time Machine Problem

A large chunk of the “evidence” in the report consists of historical digital artefacts:

  • Accounts created years before my employment
  • Domains with records from 2007, 2008, 2009, 2011, 2017
  • Old hosting, old IPs, old WHOIS entries

In other words: stuff from a different era. Some of it from when the iPhone was still a novelty.

Much of this predates my employment by many years. Yet it’s presented as if it somehow proves something about events years later.

That’s not forensic analysis. That’s time travel.

Historical existence ≠ current activity ≠ wrongdoing.

A domain from 2009 does not magically become evidence of misconduct in 2022.

A GitHub account from 2014 does not prove anything about a job that started in 2018.

Mixing old data with new accusations to create a sense of continuity is what I’d call timeline laundering. It looks impressive. It proves nothing.

2. “Association” Is Not Proof

The report leans heavily on phrases like:

  • “Associated via email”
  • “Connected through IP”
  • “Linked via historical WHOIS”

In technical terms, these are weak signals, not proof.

  • Owning an email address doesn’t mean you run a website
  • Sharing an IP doesn’t mean you control everything on it
  • Historical WHOIS doesn’t mean current ownership
  • Having an account doesn’t mean you used it for anything in particular

What the report does not show is more interesting:

  • No proof I uploaded any company code
  • No proof I deployed any system containing company IP
  • No proof I accessed company systems improperly
  • No proof any specific file was copied, taken, or reused
  • No proof any code anywhere matches any proprietary system

Instead, it swaps correlation for causation and hopes nobody notices.

3. The Missing Years That Actually Matter

If the allegation is IP misuse, the obvious question is:

What happened between July 2018 and December 2020, when I actually worked there?

The report doesn’t show:

  • Access logs
  • Data extraction events
  • Code diffs or comparisons
  • File hashes or provenance analysis
  • Any timeline of copying or reuse
  • Any overlap between my employment and alleged misuse

It jumps from “here’s some old personal infrastructure” to “here’s something we don’t like years later” and quietly skips the bit where evidence is supposed to live.

That’s not a small gap. That’s the entire case.

4. The “Sportsbook” That Was Actually a Mockup

One of the centrepieces of the report is the claim that a domain “hosts an old version of the sportsbook” and therefore must contain company IP.

It didn’t.

What existed there was a proof-of-concept branding mockup I created during my employment. It was:

  • Static HTML only
  • No backend
  • No trading logic
  • No platform code
  • No proprietary systems
  • No data
  • No operational capability

In other words: a visual mockup. The software equivalent of a cardboard cut-out.

This isn’t up for debate. The files are timestamped, and those timestamps place their creation squarely within my employment period. They were uploaded temporarily for convenience, the idea went nowhere, and they were forgotten about — because that’s what happens to most abandoned prototypes.

Calling this a “sportsbook system” is like calling a restaurant menu a fully staffed kitchen.

The report does no code analysis, no comparison, no architectural review, no provenance check. It simply accepts the client’s assertion — “this must be our IP” — and works backwards from there.

In software, appearance is not provenance. And here, the provenance is boring, legitimate, and timestamped.

5. The Autoresponder That Proves Everything (Apparently)

Another leap of logic goes like this:

  • A test message is submitted
  • An autoresponder replies
  • A reply address is observed
  • Therefore: personal association and control

Autoresponders can be legacy, copied, misconfigured, reused, or just wrong. The report never establishes:

  • Who configured it
  • When it was configured
  • Who controlled it at the relevant time
  • Whether it reflects current ownership

Treating this as identity proof wouldn’t survive five minutes in a serious technical review.

6. Being a Former Employee Is Not a Crime

Even if someone runs personal sites, demos, experiments, or side projects after leaving a company, that is not evidence of IP theft unless you can show:

  • The code came from the employer
  • It was taken without permission
  • It wasn’t independently developed
  • It wasn’t generic or open-source
  • It wasn’t prior personal work

None of that is shown here.

“Former employee” is a biography. It’s not evidence.

7. A Suspect-Led, Not Evidence-Led, Exercise

The shape of the report is pretty clear:

  1. A belief that IP was misused
  2. A search for a former employee
  3. Collection of historical OSINT artefacts
  4. Construction of an “association” story
  5. Recommendations for action

A proper forensic process would be:

  • Identify the allegedly stolen IP
  • Prove it matches the company’s code
  • Prove how it left the company
  • Prove who took it
  • Prove who deployed it
  • Prove intent or benefit

That chain simply isn’t there.

8. Context, Prior Litigation, and Public Distribution

There’s one more piece of context that matters. Before this report was commissioned, I had successfully brought and won an employment tribunal case against the same company. It was contested, and the outcome wasn’t in their favour.

It’s also relevant that this report was subsequently shared online in a way that appears calculated to cause reputational damage, rather than to address any legitimate technical concern. I do not assert, as a matter of fact, who was responsible. However, in the context of a prior, hard-fought tribunal case that the company lost, it is difficult to ignore the possibility that this distribution was driven by bitterness or grievance, rather than by any genuine forensic or legal purpose.

I’m not claiming to know anyone’s motives. But in any professional investigation, that background makes independence and rigour more important, not less.

When a report with that context:

  • Relies on weak correlations,
  • Skips basic technical verification, and
  • Makes serious allegations about a named former employee,

it’s fair to ask whether the level of care and objectivity was what it should have been.

9. On Standards and Consequences

Taken together, this report:

  • Ignores basic timelines
  • Treats association as proof
  • Fails to show any act of IP theft
  • Fails to show any misconduct during my employment
  • Relies heavily on assumptions rather than technical evidence

At best, that’s serious professional negligence.

At worst, given the strength of the allegations and the weakness of the evidence, it raises legitimate questions about reckless disregard for accuracy or malicious indifference to the consequences for the person being accused.

When you’re making allegations that can damage someone’s career and reputation, the bar is high. Here, it wasn’t met.

10. The Bottom Line

This report doesn’t prove wrongdoing. It tells a story built from old digital debris, weak correlations, and untested assumptions.

In technical, legal, and professional contexts, stories are not evidence.

And when stories are dressed up as forensics, real people pay the price.

This page reflects my understanding of the events described and is intended to provide technical and factual context only. It is not legal advice, and it is not intended to accuse or ascribe motives to any individual.

Leave a Reply