In 2015, Corinthian Colleges, the for-profit education chain that operated schools such as Everest College, shuttered its network of campuses for good. The chain’s demise came following allegations that it falsified job placement records and graduation rates, causing the U.S. Department of Education (DOE) to deny it access to federal student loan money. Thousands of students were not only left without degrees, but also mired in debt.
Lindsay H. Gill, CFE, Director of Forensic Technology
Forensic Strategic Solutions
News stories would lead you to believe that once an email or file is deleted, all hope is lost. Take heart — deleted data will not leave your investigation DOA. The mere absence of the information combined with other artifacts left behind can prove valuable to your investigation.
One of the latest challenges facing forensic analysts is the use of anti-forensic tools. While most frauds leave behind a digital footprint, the more technologically savvy fraudsters are now using anti-forensic tools to encrypt, delete or destroy data. Their goal, of course, is to make it more difficult to uncover the footprints of fraud.
Luckily, there are ways to overcome a few of the most prevalent anti-forensic techniques:
Hiding data through encryption
The encryption of data encodes it, leaving it unreadable without authorization. While organizations often deploy encryption as a security measure, a fraudster may use encryption to obfuscate nefarious activity. Some encryption tools leave a signature on the digital media indicating the presence of an encrypted volume. The challenge created by encrypted data is the need for the encryption key to access the information — without it you are left with few options. But fear not, the mere existence of encryption software may be the smoking gun you need to show concealment.
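To illustrate the "signature" point, the following added example (not part of the original article) classifies a volume by its leading bytes using two well-known on-disk markers: the LUKS header magic and the BitLocker OEM ID. The sample headers, file names and the entropy threshold are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"   # LUKS1/LUKS2 header magic at byte 0
BITLOCKER_OEM = b"-FVE-FS-"    # BitLocker OEM ID at byte 3 of the boot sector


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 is indistinguishable from random)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify_volume(first_bytes: bytes) -> str:
    """Classify a volume from its leading bytes (512 or more recommended)."""
    if len(first_bytes) >= 8 and first_bytes[:6] == LUKS_MAGIC:
        (version,) = struct.unpack(">H", first_bytes[6:8])  # big-endian field
        return f"LUKS version {version}"
    if first_bytes[3:11] == BITLOCKER_OEM:
        return "BitLocker"
    # Headerless containers carry no signature. Near-random leading bytes are
    # a lead to follow up, not proof of encryption (threshold is an assumption).
    if len(first_bytes) >= 512 and shannon_entropy(first_bytes[:4096]) > 7.0:
        return "no signature, high entropy (possible headerless container)"
    return "no encryption signature"


# Constructed sample headers (not taken from any real evidence image).
SAMPLES = {
    "luks2.img": LUKS_MAGIC + b"\x00\x02" + bytes(504),
    "bitlocker.img": b"\xeb\x58\x90" + BITLOCKER_OEM + bytes(501),
    "ntfs.img": b"\xeb\x52\x90NTFS    " + bytes(501),
    "container.bin": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name}: {classify_volume(header)}")
```

A signature hit identifies the tool even when the contents stay locked, which is the artifact an examiner documents to show that encryption was present.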
Deletion of data
Deleted data is possibly the easiest form of anti-forensic activity to address. The delete key on a keyboard would be more accurate if it simply read, “hide.” When data is “deleted” the location where the data resides is merely marked as available — leaving the original data intact until it is overwritten by new data. There are many forensic analysis tools that can identify and recover deleted files or fragments of deleted files not fully overwritten. Information about the deleted files, such as the date of deletion, often proves to be a valuable artifact in an investigation.
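The "merely marked as available" behavior can be seen in the FAT file system, where deleting a file overwrites only the first byte of its 32-byte directory entry with 0xE5. This added example (not part of the original article) recovers such a file from a constructed directory and data region; the boot sector and FAT table are omitted, and the 512-byte cluster size, file names and contents are assumptions.

```python
import struct

DELETED = 0xE5    # first name byte of a deleted FAT directory entry
CLUSTER = 512     # assumed cluster size for the constructed image
# 8.3 name, attribute, first-cluster high word, first-cluster low word, size
ENTRY = struct.Struct("<11sB8xH4xHI")


def make_entry(name: bytes, cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build one constructed 32-byte directory entry."""
    raw = bytearray(ENTRY.pack(name, 0x20, cluster >> 16, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED   # deletion changes this one byte, not the file data
    return bytes(raw)


def recover_deleted(directory: bytes, data_region: bytes) -> dict:
    """Return {name: content} for every deleted entry in the directory."""
    found = {}
    for off in range(0, len(directory), ENTRY.size):
        name, attr, hi, lo, size = ENTRY.unpack_from(directory, off)
        if name[0] == 0x00:                      # end-of-directory marker
            break
        if name[0] != DELETED or attr == 0x0F:   # live entry or long-name slot
            continue
        # Cluster numbering starts at 2. Assumption: the file was contiguous,
        # because the allocation chain is cleared when the file is deleted.
        start = ((hi << 16 | lo) - 2) * CLUSTER
        stem = name[1:8].decode("ascii").rstrip()
        ext = name[8:11].decode("ascii").rstrip()
        found[f"?{stem}.{ext}"] = data_region[start:start + size]
    return found


# Constructed sample: one live file, one deleted file, then end of directory.
LEDGER = b"2016-03-01,wire,48000.00,ACME-OFFSHORE\n"
DATA = b"hello\n".ljust(CLUSTER, b"\x00") + LEDGER.ljust(CLUSTER, b"\x00")
DIRECTORY = (make_entry(b"README  TXT", 2, 6)
             + make_entry(b"LEDGER  CSV", 3, len(LEDGER), deleted=True)
             + bytes(32))

if __name__ == "__main__":
    for fname, content in recover_deleted(DIRECTORY, DATA).items():
        print(fname, content)
```

The first character of the name is lost, but the size, starting cluster and contents survive until the cluster is reused.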
Destruction of data
The use of data wiping software is one method a fraudster can use to make it more difficult to restore deleted data. Data wiping will overwrite the free space marked as available when the file was deleted, likely leaving it unrecoverable. The wipe can be performed on an entire disk or a specific area. The good news is that wiping software leaves a footprint that can be useful to your investigation. Review the computer’s program list for wiping tools and document the steps you take in an attempt to recover the “wiped” files. The existence of a wiping program and your efforts to recover the data may serve as evidence of the lengths a suspect went to in an attempt to conceal wrongdoing.
As fraudsters become savvier, investigators will see more sophisticated anti-forensic activity to cover the suspect’s tracks, but remember, even anti-forensic activity leaves valuable evidence.
Emily Primeaux, CFE
Assistant Editor, Fraud Magazine
Imagine you’re driving a car and suddenly a squirrel darts out in front of you. What is your immediate reaction? You’ll swerve or brake — or you may even accelerate. Do you think about swerving or braking in the split second that the critter crosses your car?
Let’s continue with the car example, but now you’re deciding to buy one. You spend time researching makes and models, and most likely, prices. Do you actively think about doing this research before going to the dealership?
These are the two examples that Bret Hood, CFE, Supervisory Special Agent at the FBI, used to explain the two systems of thinking as described by Daniel Kahneman in his book, “Thinking, Fast and Slow.” Hood described these scenarios in his top-rated session, “Why Let the Truth Get in the Way: How Our Implicit Biases Affect Investigations,” at the 27th Annual ACFE Global Fraud Conference in June. You can catch a rebroadcast in webinar format tomorrow at 11 a.m. EST. (And you can also earn any lingering ethics CPE you need to complete for 2016.)
In the first example with the squirrel, you’re reacting with a routine behavior that you don’t even think about. This is system one. In the second example at the dealership, you’re thinking before you act. This is system two.
“You spend more time in system one,” said Hood. “And that’s where your blind spots are.”
Hood went on to explain that these blind spots are implicit biases. Basically what this means, he explained, is that no matter what happens around us, our minds are consciously evaluating stimuli and making choices. These biases are going to impact your experiences — you can be primed in certain ways.
This happens because system one is far more efficient than system two. Before you have a chance to assess any situation, system one is leading you to a decision. And the more experience we have, the more likely we are to fall victim to implicit biases.
“If our implicit biases play a role in reaching the conclusion, this has a profound effect on the rest of the investigation,” said Hood. In a fraud examination, if you decide ‘I know this person did it,’ it’s hard to step away from that idea.
Hood explained that acknowledging that you might be susceptible to implicit biases will help you notice when your behavior and actions are being influenced by those same biases. “If our goal is to find the person who is responsible for the crime, acknowledging our own biases and finding ways to mitigate them will lead us to the person we truly seek.”
Find out more about Hood's webinar, which will air tomorrow at 11 a.m. EST, as well as three other top-rated speakers to be featured over the next three weeks in the ACFE's All-Star Webinar Series.