Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
The adage “follow the money” is well known to seasoned fraud examiners who are tasked with investigating white-collar crimes and financial frauds. By tracking and following the money trail, examiners can usually identify fraudsters.
Before personal computers became commonplace appliances, following the money was not always possible. Access to banking information usually required a court order or subpoena authority. Even if such authority was granted, identifying the financial institutions where relevant bank accounts might exist was difficult without access to knowledgeable sources of information that were willing to open up to the examiner.
Now that just about everyone uses a computer, relevant information can usually be gleaned through a suspect’s computer, assuming one can get access to its hard drive. But in cases where the examiner works for the employer, access to employees’ PCs is readily available (at least in the United States).
Fraud examiners need the services of qualified forensic examiners who are trained in digital and computer forensics. Looking for digital evidence on a hard drive can be a little like looking for the proverbial needle in a haystack. There are thousands of active file objects on each drive, in addition to all the file remnants and other file and system artifacts that are left behind.
Each case is different, so the type of evidence sought will differ from examination to examination. The following examples showcase the type of evidence that can be potentially retrieved through a forensic exam.
Case study: I worked on a case that involved the embezzlement of a substantial amount of funds from an organization. There was little doubt that this was an “inside” job, but the forensic accountants had failed to identify the culprit. Several employees had the level of access necessary to compromise the accounts payable procedures and issue payments to fictitious vendors. But tracking down each payment transaction over a prolonged period of time would be difficult and time-consuming.
However, once access to the employees’ computers was granted, the culprit was identified in less than 48 hours. An employee was found to have used Hotmail to correspond by email with an accomplice who received the fictitious payments. Additional information was also retrieved that exposed the entire scheme.
Case study: In another case, a number of fictitious payments were discovered during an internal audit, but the culprit responsible for processing the checks was not identified. After examining the computers of all the employees in the accounting department and employing keyword searches, a document was found linking one employee to several of the check recipients that received the fraudulent payments. The “smoking gun” document was actually a band roster that listed the employee as a member.
These types of revealing digital files are not likely to be found during the course of an internal audit or a fraud examination. The chance of getting to such files without the benefit of employing a competent computer forensic examiner is practically nil. Getting to this type of evidence can usually provide the missing pieces needed to solve a fraud.