The Denis O’Brien dossier: what happened to the USB memory stick?

Why did O’Brien give the memory stick to Martin Coyne? And who is ‘Employee 18883’?

The high-profile court case between Denis O'Brien and Red Flag consulting has a long and strange history. We take a look back at the events that lead up to the present day. Peter Murtagh reports.

One question stands out among the many that arise in the Denis O'Brien versus Red Flag Consulting legal action. Why did O'Brien give the USB memory stick, the sole piece of evidence upon which he launched his extraordinary case by seeking a search and seize warrant against Red Flag, to Martin Coyne, a man who has no qualifications in computer forensics as claimed and who has, according to experts who do have precisely those skills, damaged that evidence to the point of uselessness?

And in seeking to probe the many other questions around that single imponderable, a new figure had emerged in the saga to beguile those trying to make sense of it all.

He is “Employee 18883”, a previously unknown character in this opaque drama.

Envelope on desk

According to Denis O’Brien’s version of events, he – Denis O’Brien – returned to his office, the headquarters of

READ MORE

Communicorp

Group at 1 Grand Canal Quay, Dublin, to find that an envelope, marked for his attention, was sitting on his desk.

It is not known how it got there – Communicorp’s offices are protected by CCTV, so the person delivering it to the building might have been caught on camera – and it is not known if any internal mail distribution staff brought it to O’Brien’s desk and might be able to illuminate its provenance.

In any event, O’Brien opened the envelope and says that inside it, he found a USB memory stick. Written on the inside of the envelope itself there was also, he says, the access password for the stick, Chelsea10.

It was October 8th, 2015. Just two days before, the bulk of some 339 individual files had been downloaded from a Dropbox internet file-sharing account, where they had been put by Red Flag for Mark Hollingsworth. Hollingsworth is a sometime journalist who, unknown to everyone he approached in Dublin between July and September 2015 asking questions about the sources of leaks about O'Brien, was working with a London corporate intelligence-gathering company named Alaco.

Hollingsworth has acknowledged that the files given to him by Red Flag made their way to Alaco. The 339 files were mostly copies of articles that had appeared in Irish and international media about O'Brien – his life and career, and what the Moriarty tribunal said about him and Michael Lowry.

There were also some original documents, a draft speech by then Fianna Fáil TD Colm Keaveney, as well as profile and biographical material on O'Brien, whose tone and content made clear that they were not authored by fans of the businessman.

It is not known how the files got on to the memory stick and allegedly made their way to Denis O’Brien’s desk. But when later he saw them (and the precise date of that revelation is also not known) he says he was shocked, thought that they were “simply extraordinary” and confirmed his long-held suspicion of a criminal conspiracy to do him down.

O'Brien says he gave the USB to his solicitor, Aidan Eames, apparently without at that time reading the contents, and within a day, it was passed to Espion, a Sandyford-based company that specialises in cybersecurity and digital forensic analysis.

Espion says it was asked to “conduct a forensic analysis of multiple documents found on an encrypted SanDisk USB disc and to produce a report detailing the properties and features” of the “multiple documents” on the stick.

Espion's report, dated October 12th and which was the basis of his legal action for which he swore his first affidavit on October 13th, lists all the documents and shows a particular interest in several, notably one named "DOB/Water and Siteserv and Bank writeoffs/Irish Parliament statements and Inquiries", others dealing with media coverage and Keaveney's draft speech.

All the documents on the USB stick were held inside an encrypted “vault”, in effect a digital folder, access to which was protected by encryption.

Digital forensic investigation best practice guidelines, enunciated by Acpo, the Association of Chief Police Officers Association of England, Wales and Northern Ireland, and adhered to by all reputable digital forensic investigators, have it that an investigator should digitally copy something under investigation, set the original to one side and work only on the copy – probing it for date of creation, authorship, editing history and last use, documenting everything that is done, step by step – and retain that copy too.

In this way, the original evidence remains pristine, or unmolested, and can stand the rigours of being tested in any legal action, including the most hotly contested criminal trials.

This did not happen with the O’Brien USB, however. But far more serious than that sin of omission, were sins of commission – tampering with primary evidence – which were manifold.

On the afternoon of October 13th, lawyers acting for O'Brien had tried – but failed – to get their search and seize order (it is called an Anton Pillar order) but were granted instead what was a preservation order telling Red Flag, in effect, not to destroy anything and also not to reveal the existence of the order itself.

At 10.03 the next day, October 14th, as Red Flag was preparing to go to court to respond to this edict, several files in the encrypted vault on the USB stick were accessed directly.

They include a folder named “Irish Parliament statements and Inquiries” inside of which were the following files: “Anyone but Denis – don’t sell to Denis O’Brien.pdf”, “Fresh Siteserv row for IBRC.pdf”, “Irish Minister for Finance kept in dark over siteserv deal.pdf”, “Probe O’Brien’ dealings with special IBRC liquidator.pdf”, “Share trades spike before siteserv deal.pdf”, “Siteserv delivers for Denis O’Brien.pdf”, “Siteserv sold to Denis O’Brien firm for Ôé¼45 million.pdf”, “Siteserv story – digging for dirt.pdf”, “Siteserv – pulling the pieces together.pds”, and “State memo slams sitreserv.pdf”.

Why these files were singled out, and by whom, is not known. Equally, what, if anything, was done is impossible to tell but the fact that the originals were accessed which means that, in the world of crime scene investigation, the evidence is no longer pristine.

“It’s a bit like a CSI investigator examining a piece of DNA without wearing surgical gloves,” said one forensic analyst.

The precise whereabouts of the USB at 10.03 on October 14th is unknown, at least to this reporter. But later on that date, Denis O’Brien’s lawyers were arguing before Mr Justice Colm Mac Eochaidh, and Red Flag’s lawyers, that all of the files on the USB needed to be forensically imaged immediately because their client – O’Brien – feared that the evidence on which his case was based – the USB stick – might be tampered with.

And that is what happened but it was done by O'Brien's agent, Martin Coyne, whose story keeps changing as the Denis O'Brien/Red Flag saga has unfolded.

The investigator

Denis O’Brien and Martin Coyne know each other. Coyne’s company,

Digitpol

, has worked for O’Brien’s company,

Digicel

, and what O’Brien says are “his associated companies” without specifying which one or what services have been provided by Coyne/Digitpol. O’Brien says that in this instance, he asked Coyne to further analyse the USB stick because of Digitpol’s “background as a digital investigations and cyber fraud investigations business”.

However, Coyne is not a digital forensic investigator. He was employed once at the centre for cybersecurity and cybercrime investigation in University College Dublin. He does not have a degree and UCD has no record of him achieving any qualification or certification from the college, notwithstanding a sworn affidavit assertion to the contrary from an Eames solicitor.

Coyne’s talents, which even his critics acknowledge he has, are in vehicle forensics – extracting data from vehicles involved in crashes.

His ideas sometimes had a flash of brilliance about them. For instance, at UCD he was trying to develop a surveillance gadget, of the sort police might attach to the car of a criminal suspect to help monitor their movements, that could leech power from the vehicle itself, thereby extending its life well beyond the limits of its own battery.

"It was very clever," says one former colleague. "But he's a Walter Mitty character and this is the problem with Martin."

Digitpol is a registered company with only one known employee – Martin Coyne. According to itself, however, it has "computer forensic laboratories" in New York, The Netherlands, Hong Kong and China.

The Irish Times visited the company's purported base in Hong Kong, located in the impressive-sounding Bank of America Tower in the city's Admiralty area. It appears, however, to be an accommodation address only, a place that forwards mail and messages, and provides similar assistance to multiple companies.

The location, size and staffing, if any, of Digitpol’s labs allegedly in New York and China are unknown.

In the Netherlands, the company, or rather Martin Coyne, operates from a rather characterless-looking office in a mundane business park in the commuter town of Barendrecht, about 15km southeast of Rotterdam.

It is from here that three reports have emanated, each one attempting to explain what happened to the sole body of evidence in Denis O’Brien’s case against Red Flag after the USB stick was taken there by Martin Coyne on October 14th.

Two days after that, on October 16th, Mr Justice Mac Eochaidh directed that the USB be given to Eames solicitors "forthwith", to be held by them and not interfered with pending a full hearing of O'Brien's conspiracy and defamation case against Red Flag.

But far from being given to Eames forthwith, the USB stick remained outside the jurisdiction of the High Court for a full 10 days – until October 26th – during which time files were accessed, deleted and altered in a way and to a degree that qualified forensic digital analysts say renders the USB as useless in evidential terms. Eames has since asserted it asked for the return of the stick before that date.

In his first report, dated January 21st, 2016, Martin Coyne says that while the USB was in his office in Barendrecht, it was taken in and out of a radio frequency identification (RFID) safe, a secure place for critical evidence, access to which was “recorded and signed by senior management”.

Each version of Digitpol’s three reports, which Coyne says were compiled from memory, shows nonetheless what purports to be a printout of a log recording access to the safe. It is headlined, somewhat stoutly in bold lettering, Access Log to Vault.

While Coyne’s memory allows accurate recall down to the precise minute – 0601h, 1205h, 0605h, to give examples – much of the rest of his recall is faulty, on his own admission.

The people accessing the safe and handling the USB stick included in the first report Coyne and two colleagues, named as R Smit and D Pinter. However, R Smit appears to be a Rotterdam police vehicle controller and cosmetics importer friend of Coyne, while D Pinter appears to have been Coyne's partner.

The revelation that Coyne was in fact in Riga, Latvia, when the purported digital record of the RFID safe had him in the Netherlands examining the USB, prompted report number two, dated February 2nd, 2016.

On this, Coyne’s name was replaced by Smit’s for the key dates.

But the revelation that Smit is in reality a Rotterdam police vehicle controller gave birth in turn to report number three, dated March 4th, 2016. The pair met when Coyne did some vehicle crash investigation work with the city’s police department.

In this third report, Smit has vanished, to be replaced by the intriguing “employee number 18883”, whose shadow now falls across Denis O’Brien’s USB stick evidence.

In report number three, Coyne explains himself thus, having reread reports one and two, which he himself wrote: “It was noted that certain inaccuracies were contained in the prior reports and it was determined to carry out a complete review and amend the prior reports.

“In this regard, in the previous reports, it was stated that R Smit was the person that operated the safe. In fact, R Smit was not the person that operated the safe. For the avoidance of doubt, R Smit is an associate of Digitpol but was not involved in this case. The person that actually operated the safe is an associate of Digitpol since 2013 and works solely in Digitpol’s covert unit. In light of this associate’s role in Digitpol’s covert unit, his current involvement in a sensitive criminal investigation and the high degree of publicity attaching to the current proceedings it is not proposed to disclose this individual’s identify further.”

So what was “employee number 18883” actually doing? According to report number three, he was taking the USB stick to the “investigation team” who “decided to deploy” various software forensic tools, including one named Cellebrite, to examine it.

From the other side of Europe, meanwhile, Coyne himself "deployed" Cellebrite "via a secured VPN [virtual private network] tunnel from a remote location in Riga, Latvia".

We asked a cautious digital forensic analyst about this. “It is probably not plausible,” he said. “You probably could set up a remote connection that enabled you [do this] but also, if you have a forensically [qualified] individual there [in Rotterdam] with their hands on this, it begs the question why you need to be remote accessing it from another country in a really convoluted manner? It is not possible to say that it couldn’t have happened but it does seem very odd.”

But it is the cack-handed and invasive examination of the USB's encrypted chamber that is most telling. The team of digital forensic experts retained by Red Flag, a US-headquartered company named Stroz Freidberg, that was founded by former FBI agents and includes on its staff former officers with Britain's internal security service, MI5, found the USB was contaminated and altered significantly.

On October 24th, 2015, the day the USB was finally returned to Dublin in compliance with the High Court order, Coyne accessed the stick one last time and ended up accidentally creating eight new files.

“But it gets worse,” said an analyst familiar with the evidence in the case. “Not only were these files created, Digitpol then deleted them. Their eventual explanation was this was an accident, caused by incompetence.

"They're saying that when they were using Cellebrite to copy the device, but when you're copying, you say 'here's what I'm copying from' and 'here's what I'm copying to'. But you have to tell Cellebrite which is which, so you've got two connections, and they got it the wrong way around. . . What Digitpol did was try to delete the evidence of what they'd done; so they deleted the files back off and didn't document it!"

It was not until December 11th that Stroz got access to the USB stick and uncovered what had been done to it. Martin Coyne’s role as keeper of the USB stick for 10 crucial days remained unknown to all bar O’Brien’s side until January 21st – 100 days after the case began.

Litigation focus

The focus of O’Brien’s litigation against Red Flag has shifted somewhat in recent weeks to his seeking a High Court order for discovery – the legal power to obtain from Red Flag all documents relevant to the case and, in particular, the identity of Red Flag’s client on whose behalf the dossier of documents on the USB stick was created.

Meanwhile in Barendrecht, Digitpol’s European headquarters are strangely quiet. Number 73 Ebweg is a rectangular-shaped, two-storey, semi-detached premises, almost identical to every other black metal and deep brown building in the small business park. There is no nameplate but above the door, in a first-floor window, there a small telescope similar to those favoured by birdwatchers, and a CCTV camera lens.

The blinds are drawn but behind the entrance door is an office with a dark interior. There is a large black TV screen mounted on a wall and, in the centre of the room, a glass-top conference table and four chairs.

The room is otherwise bare. The rear of the building appears to be a separate premises, number 51. It is like a lock-up garage and inside an ageing VW car is having its battery charged in a room cluttered with aluminium tubing and personal gym equipment.

Martin Coyne is an affable and not unfriendly man. In a brief encounter four weeks ago as he arrived for work, he explained that he was unable to discuss the case.

O’Brien’s case against Red Flag was engaging, though, he remarked.

“I think it’s an interesting case and I think there’s a lot of qualities in it, you know,” he said. “I mean, on one hand, it’s amazing that these people [Red Flag] put such documents together.”

He felt certain that witnesses – Smit, Pinter and “employee number 18883” – would give evidence at the trial, when eventually it takes place.

“Well, I’d imagine if the judge requires it, they would, yeah,” he said.

The all too brief chat turned to an inquiry about his qualifications.

“How’s the weather in Ireland?” he responded. “There’s always less wind here.”

Denis O’Brien versus Red Flag Consulting

Denis O’Brien claims that Red Flag, a Dublin-based PR company, assembled a dossier of files on him and that this fact, together with the files themselves, shows there is a criminal conspiracy to damage him and his businesses, and to defame him. The dossier is contained on a USB memory stick that is at the centre of his High Court action against the firm.

Red Flag denies this and has refused to name the client on whose behalf the dossier was assembled.

Much of the animus directed at O’Brien, generally and in the dossier, concerns the 2011 findings, by the Moriarty tribunal, that then minister for communications Michael Lowry “secured the winning”, for O’Brien, of the 1995 mobile telephone licence by imparting to O’Brien information “of significant value and assistance to him in securing the licence”.

The tribunal found that O’Brien made payments to Lowry in 1996 and 1999.

O’Brien and Lowry have always denied any wrongdoing and dismissed the tribunal findings, which O’Brien says is merely an “opinion”. Some other files in the dossier refer to SiteServ, a company bought by O’Brien, and IBRC, a bank used by O’Brien.

Comments on both subjects have drawn furious reactions from the businessman, including several legal actions, including against the Oireachtas.

Peter Murtagh

Peter Murtagh

Peter Murtagh is a contributor to The Irish Times