Unearthing Digital Artifacts to Uncover Fraud


Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

In my last blog post, “Follow the Digital Tracks to Uncover Fraud,” I discussed how following the digital tracks has replaced the old technique of “follow the money” in uncovering and solving fraud schemes. The post included case examples where digital data left behind on a computer was instrumental in solving complex fraud investigations.

The operating system (OS) keeps track of digital data in allocated clusters (i.e., the used space on the drive), which are occupied by active files (i.e., files the file system still tracks). Data no longer tracked by the OS resides in unallocated clusters (i.e., the free space on the drive). Nothing erases that data when a file is deleted; the clusters are merely marked free, so the contents survive until the OS reuses them for something else.

The data in unallocated clusters can include complete files no longer tracked by the OS (e.g., deleted or temporary files) or file fragments (i.e., partial files, or remnants of files previously stored on the drive whose remaining clusters have since been overwritten). Digital forensic examiners usually refer to these remnants as file artifacts.
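Because unallocated clusters carry no file-system metadata, examiners recover their contents by carving: scanning the raw drive image for the byte signatures that begin and end known file types. The following Python example is added here and is not code from the original post. It builds a small raw image in memory (constructed, not from a real case) containing a deleted JPEG, a deleted PDF and a truncated PDF remnant, then carves them out, reporting a header with no trailer as an incomplete fragment. The cluster size, the signature table and the size limits are simplifications of what a real carver would use.

```python
"""Minimal signature-based file carver, the technique used to recover whole
files and fragments from unallocated clusters without any file-system metadata.

Added example, not code from the original post. The disk image is constructed
in memory; the signatures and size limits are simplifications of what a real
carver ships with.
"""
from dataclasses import dataclass

CLUSTER = 512  # assumed cluster size for the constructed image

# Per file type: (header magic, trailer magic, maximum carve length in bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 10 * 1024 * 1024),
}


@dataclass
class Carved:
    kind: str       # file type from SIGNATURES
    offset: int     # byte offset of the header in the image
    data: bytes     # carved bytes (complete file or fragment)
    complete: bool  # True when the trailer was found within max_len


def carve(image: bytes, signatures=SIGNATURES, fragment_len: int = 4096) -> list:
    """Scan the raw image for each header and cut out the data up to its trailer.

    A header with no trailer inside max_len is reported as an incomplete
    fragment (typical when the tail of a deleted file has been overwritten),
    and only fragment_len bytes after it are kept.
    """
    found = []
    for kind, (header, trailer, max_len) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(trailer, start + len(header), start + max_len)
            if end != -1:
                end += len(trailer)
                found.append(Carved(kind, start, image[start:end], True))
                pos = end
            else:
                found.append(Carved(kind, start, image[start:start + fragment_len], False))
                pos = start + len(header)
    found.sort(key=lambda c: c.offset)
    return found


def build_sample_image() -> bytes:
    """Constructed raw image: zero-filled clusters with a deleted JPEG, a deleted
    PDF and a truncated PDF remnant left behind in unallocated space."""
    free = b"\x00" * CLUSTER
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-pixels" + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer\n%%EOF"
    remnant = b"%PDF-1.7\n%first cluster of an overwritten statement"
    return free + jpeg + free + pdf + free * 2 + remnant + free


if __name__ == "__main__":
    for item in carve(build_sample_image()):
        state = "complete" if item.complete else "FRAGMENT"
        print(f"{item.kind} at offset {item.offset}: {len(item.data)} bytes ({state})")
```

Two caveats a practitioner should keep in mind when reading the output: the JPEG end marker can also occur inside compressed image data, and a PDF saved with incremental updates contains several `%%EOF` markers, so a carver that stops at the first trailer may truncate the file. Production carvers validate the carved structure rather than trusting the first trailer they see.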

In addition to file artifacts, operating systems and applications generate many logs and system files that can contain artifacts of interest in a digital examination. For example, a user’s Internet surfing history is usually captured in databases maintained by the browser that record a plethora of details about the user’s surfing activity, such as the URLs visited, page titles, visit counts and timestamps. Additionally, as different websites are visited, the pages are downloaded to the browser’s cache, which consists of program-generated files and folders that temporarily store the content accessed online.

With today’s gargantuan hard disk drives, temporary or deleted files, or their fragments, can reside on a drive for a long, long time, simply because the free space they occupy is rarely needed and therefore rarely overwritten. For example, it’s not unusual to be able to retrieve Internet browsing history going back a year or longer.

These sorts of digital artifacts may enable a fraud examiner to follow the money. For example, the browsing history may include visits to financial institutions that disclose the existence of bank or investment accounts the subject never mentioned. Better yet, if the user viewed items such as cancelled-check images or account statements online, copies may have been downloaded to and left behind in the browser’s cache.

Another fruitful area in fraud examinations is the file remnants left behind by webmail sessions. Webmail describes online email services such as Gmail, Hotmail and Yahoo. These services are usually accessed through an Internet browser, meaning that file artifacts from webmail sessions (cached pages, message fragments and history entries) can be found and retrieved from hard disk drives. Computer users frequently use webmail for their private communications, particularly when using a computer at work, where those messages never touch the corporate mail server. Such webmail artifacts can and often do contain information of great use to fraud examiners.
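As a worked illustration of the browsing-history and webmail points above, the following Python example is added here and is not code from the original post. Chrome and Chromium keep browsing history in a SQLite file named `History`, whose `urls` table stores one row per URL with `last_visit_time` expressed as microseconds since 1601-01-01 UTC (the WebKit epoch). The example constructs an in-memory database with a subset of that schema and a handful of made-up visits, converts the timestamps, and buckets the visits into financial-institution and webmail hosts. The keyword lists and the sample hostnames are assumptions; an examiner would tailor them to the case.

```python
"""Pull financial and webmail visits out of a Chrome/Chromium 'History' database.

Added example, not code from the original post. Chrome stores browsing history
in a SQLite file named History; its urls table keeps one row per URL with a
last_visit_time expressed as microseconds since 1601-01-01 UTC (the WebKit
epoch). The table below is a constructed subset of that schema, and the
keyword lists are assumptions an examiner would tailor to the case.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Hostname keywords used to bucket visits (assumed; case-specific in practice).
CATEGORIES = {
    "financial": ("bank", "credit", "invest", "brokerage"),
    "webmail": ("mail.", "webmail"),
}


def webkit_to_datetime(us: int) -> datetime:
    """Convert a WebKit/Chrome timestamp (microseconds since 1601) to UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse conversion, used here to populate the constructed database."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def classify_visits(conn: sqlite3.Connection, categories=CATEGORIES) -> dict:
    """Return {category: [visit dict, ...]} for rows whose hostname matches a keyword."""
    buckets = {name: [] for name in categories}
    query = "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time"
    for url, title, visit_count, ts in conn.execute(query):
        host = (urlparse(url).hostname or "").lower()
        for name, keywords in categories.items():
            if any(k in host for k in keywords):
                buckets[name].append({
                    "host": host,
                    "url": url,
                    "title": title,
                    "visits": visit_count,
                    "last_visit": webkit_to_datetime(ts),
                })
    return buckets


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory History with the subset of Chrome's urls schema used above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,"
        " visit_count INTEGER DEFAULT 0, typed_count INTEGER DEFAULT 0,"
        " last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0)"
    )
    rows = [  # constructed sample visits, not real data
        ("https://www.examplebank.com/statements/2013-02.pdf", "February statement", 3,
         datetime(2013, 3, 4, 14, 22, tzinfo=timezone.utc)),
        ("https://news.example.org/", "Example News", 40,
         datetime(2013, 3, 5, 8, 1, tzinfo=timezone.utc)),
        ("https://mail.example.com/mail/u/0/#inbox", "Inbox", 120,
         datetime(2013, 3, 5, 9, 30, tzinfo=timezone.utc)),
        ("https://invest.example-brokerage.com/portfolio", "Portfolio", 2,
         datetime(2013, 3, 6, 19, 45, tzinfo=timezone.utc)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [(u, t, c, datetime_to_webkit(dt)) for u, t, c, dt in rows],
    )
    return conn


if __name__ == "__main__":
    for category, visits in classify_visits(build_sample_history()).items():
        print(category)
        for v in visits:
            print(f"  {v['last_visit']:%Y-%m-%d %H:%M} UTC  {v['visits']:>4}x  {v['url']}")
```

To run this against a real profile, work from a forensic copy of the `History` file rather than the live one (the browser holds it open), and open it read-only with `sqlite3.connect("file:/path/to/History?mode=ro", uri=True)`. Other browsers use different layouts and epochs; Firefox, for instance, keeps its history in `places.sqlite` with timestamps in microseconds since the Unix epoch, so the conversion function must match the browser being examined.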

My next post will examine other digital artifacts that can come in handy in fraud examinations and white-collar crime investigations.