Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
In my last two blog posts, Follow the Digital Tracks to Uncover Fraud and Unearthing Digital Artifacts to Uncover Fraud, I presented a couple of case studies and addressed how digital artifacts can assist anti-fraud professionals in an examination or white-collar crime investigation. Digital artifacts allow us to quickly build a profile of the user, including family details, financial details, personal habits and associations.
Digital artifacts can be used to track events such as the timing of when an external drive was connected to the computer. This may be no big deal under ordinary circumstances, but if a fraud examiner is investigating the theft of intellectual property stored in digital files, knowing when and who connected external storage devices to the computers in an organization can make or break the case.
A computer user may insist that he did not read or open a particular file, but the digital artifacts left behind can easily prove if he is wrong or intentionally lying. These sorts of digital artifacts are logged in various Windows system files and logs, as well as the Windows registry hives.
Rumor has it that the Windows registry files are referred to as hives because the original developers of Windows NT hated bees. So the developer who was responsible for the registry snuck in as many bee references as he could. A registry file is called a "hive," and registry data are stored in "cells," which are what honeycombs are made of.
The registry hives are files loaded into the Windows environment every time the computer boots into the operating system. They contain all kind of data, from tracking logins and installed software to personalized details, like what wallpaper image is displayed on the user’s desktop, where on the screen a particular window opens, what were the last files a user worked with and the time and date different apps were run.
If you’re involved in a fraud examination, I am sure you see the value of knowing what files the user accessed, what programs he ran, what network share drives were accessed, what external storage devices were used, what files were deleted, what software was installed or whether an application was used to intentionally delete and wipe (e.g., overwrite) certain files. These sorts of details can easily be provided to the investigative team by a competent digital forensic examiner who has been engaged to examine the trove of digital information that exists in today’s computer networks.
You can find Phil at the 23rd Annual ACFE Fraud Conference & Exhibition next week when he presents on "Digital Forensics & eDiscovery for Fraud Examiners."