Follow the Digital Tracks to Uncover Fraud

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

The adage “follow the money” is well known to seasoned fraud examiners who are tasked with investigating white-collar crimes and financial frauds. By tracking and following the money trail, examiners can usually identify fraudsters.

Before personal computers became commonplace appliances, following the money was not always possible. Access to banking information usually required a court order or subpoena authority. Even if such authority was granted, identifying the financial institutions where relevant bank accounts might exist was difficult without access to knowledgeable sources of information that were willing to open up to the examiner.

Now that just about everyone uses a computer, relevant information can usually be gleaned from a suspect’s computer, assuming one can get access to its hard drive. In cases where the examiner works for the employer, access to employees’ PCs is readily available (at least in the United States).

Fraud examiners need the services of qualified forensic examiners who are trained in digital and computer forensics. Looking for digital evidence on a hard drive can be a little like looking for the proverbial needle in a haystack. There are thousands of active file objects on each drive, in addition to all the file remnants and other file and system artifacts that are left behind.

Each case is different, so the type of evidence sought will differ from examination to examination. The following examples showcase the type of evidence that can be potentially retrieved through a forensic exam.

Case study: I worked on a case that involved the embezzlement of a substantial amount of funds from an organization. There was little doubt that this was an “inside” job, but the forensic accountants had failed to identify the culprit. Several employees had the level of access necessary to compromise the accounts payable procedures and issue payments to fictitious vendors. But tracking down each payment transaction over a prolonged period of time would be difficult and time consuming.

However, once access to the employees’ computers was granted, the culprit was identified in less than 48 hours. An employee was found to have used Hotmail to correspond by email with an accomplice who received the fictitious payments. Additional information was also retrieved that exposed the entire scheme.

Case study: In another case, a number of fictitious payments were discovered during an internal audit, but the culprit responsible for processing the checks was not identified. After examining the computers of all the employees in the accounting department and employing keyword searches, a document was found linking one employee to several of the recipients of the fraudulent checks. The “smoking gun” document was actually the roster of a band in which the employee was a member.

These types of revealing digital files are not likely to be found during the course of an internal audit or a fraud examination. The chance of getting to such files without the help of a competent computer forensic examiner is practically nil. Getting to this type of evidence can usually provide the missing pieces needed to solve a fraud.

The Difference Between Computer Forensics and eDiscovery

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

In my previous posts, “Computer Forensics: Following the Digital Bread Crumbs” and “eDiscovery: Digital Data Gives Birth to New Industry”, I covered computer/digital forensics and the emergence of eDiscovery as distinct and separate professions dealing with the handling of digital evidence. Although both these disciplines deal with digital data, there is some confusion as to how they differ. Digital forensics encompasses the entire universe of data stored on a hard disk drive (HDD), whereas eDiscovery usually only focuses on a smaller grouping of data stored on the drive.

Computer users are familiar with the meaning of used and free space on a HDD. In Microsoft Windows, a drive’s properties are depicted on a pie chart that shows the total disk storage capacity, as well as the used and free space. (See figure.)

In technical lingo, the free space is referred to as “unallocated clusters” while the used space is referred to as “allocated clusters.” In computer file systems, a cluster or allocation unit is the unit of disk space allotted for files and directories.

A simple way to understand the difference between eDiscovery and computer forensics is to think of the HDD allocation model. EDiscovery focuses on data stored in allocated clusters, while computer forensics deals with both allocated and unallocated clusters (i.e., the entire physical drive).

EDiscovery filters out program, temporary and system files, and processes only active, user-accessible files. This usually involves Microsoft Office or other office suite files (e.g., documents, spreadsheets, presentations, databases, PDFs, etc.) and emails. These types of files are then processed in an eDiscovery engine, where they are indexed and catalogued, and then usually loaded into a Litigation Support Platform (software designed to aid law firms in the process of document review in litigation; for more information see the American Bar Association website).

On the other hand, computer forensics investigates everything, including deleted files or remnants from former files that have been partially overwritten. A forensic examiner must pay particular attention to certain operating system and log files, temporary files and the file remnants found in unallocated clusters.

For example, data remnants (file artifacts) from web-surfing sessions, including accessing webmail accounts (e.g., Gmail, Hotmail, etc.) and chats, are usually found in temporary Internet files or unallocated clusters. Certain system files log information pertaining to external devices, accessed files, executable software, deleted files, etc.
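To make the allocation model concrete, here is a small Python simulation added for this post; it is not from the original article and models no real file system format. A toy drive is a byte array cut into fixed-size clusters, and a dictionary stands in for the file system's allocation table. An eDiscovery-style pass reads only active files, trimmed to their logical size, while a forensic pass searches every byte of the physical drive and labels each hit as allocated, file slack, or unallocated. The sample files, the webmail address and the cluster size are all constructed values.

```python
"""Toy drive allocation model: what eDiscovery sees versus what a forensic scan sees.

Constructed example (not from the original post). The "drive" is a bytearray cut
into fixed-size clusters and a dict stands in for the file system's allocation
table. It is not a real file system format; the point is the allocation model.
"""

CLUSTER_SIZE = 32     # bytes per cluster (allocation unit); assumed toy value
NUM_CLUSTERS = 16     # total clusters on the toy drive


class ToyDrive:
    def __init__(self):
        self.data = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        # allocation table: file name -> (logical size in bytes, ordered cluster list)
        self.table = {}

    def allocated_clusters(self):
        """cluster number -> (owner file, number of valid bytes in that cluster)"""
        owners = {}
        for name, (size, clusters) in self.table.items():
            for i, c in enumerate(clusters):
                owners[c] = (name, min(CLUSTER_SIZE, size - i * CLUSTER_SIZE))
        return owners

    def write_file(self, name, content):
        needed = max(1, (len(content) + CLUSTER_SIZE - 1) // CLUSTER_SIZE)
        owners = self.allocated_clusters()
        free = [c for c in range(NUM_CLUSTERS) if c not in owners]
        if len(free) < needed:
            raise OSError("toy drive full")
        clusters = free[:needed]
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only len(chunk) bytes are written; whatever was in the rest of the
            # cluster before (file slack) survives, just as on a real drive.
            self.data[start:start + len(chunk)] = chunk
        self.table[name] = (len(content), clusters)

    def delete_file(self, name):
        # Deleting removes the table entry only; the clusters become
        # "unallocated" but their bytes are untouched until reused.
        del self.table[name]

    def read_file(self, name):
        size, clusters = self.table[name]
        raw = b"".join(bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]) for c in clusters)
        return raw[:size]


def ediscovery_collect(drive):
    """eDiscovery view: active files only, trimmed to their logical size."""
    return {name: drive.read_file(name) for name in drive.table}


def ediscovery_keyword_search(drive, keyword):
    """Names of active files whose content contains the keyword."""
    return [name for name, body in ediscovery_collect(drive).items() if keyword in body]


def forensic_keyword_search(drive, keyword):
    """Forensic view: scan every byte of the physical drive and label each hit."""
    owners = drive.allocated_clusters()
    hits = []
    pos = drive.data.find(keyword)
    while pos != -1:
        cluster, offset = divmod(pos, CLUSTER_SIZE)
        if cluster in owners:
            name, valid = owners[cluster]
            region = "allocated" if offset < valid else "slack"
        else:
            name, region = None, "unallocated"
        hits.append({"cluster": cluster, "offset": offset, "owner": name, "region": region})
        pos = drive.data.find(keyword, pos + 1)
    return hits


def carve_unallocated(drive):
    """Raw bytes of every unallocated cluster that still holds non-zero data."""
    owners = drive.allocated_clusters()
    out = {}
    for c in range(NUM_CLUSTERS):
        chunk = bytes(drive.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
        if c not in owners and chunk.strip(b"\x00"):
            out[c] = chunk
    return out


def build_sample_drive():
    """Constructed scenario: an invoice, a deleted webmail draft, then a new note."""
    d = ToyDrive()
    d.write_file("invoice.txt", b"Vendor: Acme Supply Co. Amount: $4,800")   # clusters 0-1
    d.write_file("draft.eml", b"Subject: vendor payments\n"
                              b"To: friend@hotmail.example\n"
                              b"Send the checks to the new address")         # clusters 2-4
    d.delete_file("draft.eml")                     # now unallocated, bytes still present
    d.write_file("notes.txt", b"Meeting at 3pm")   # reuses cluster 2, overwrites 14 bytes
    return d


if __name__ == "__main__":
    drive = build_sample_drive()
    print("eDiscovery hits for 'hotmail':", ediscovery_keyword_search(drive, b"hotmail"))
    for hit in forensic_keyword_search(drive, b"hotmail"):
        print("forensic hit:", hit)
    for c, chunk in carve_unallocated(drive).items():
        print(f"unallocated cluster {c}: {chunk!r}")
```

Running the script shows the eDiscovery search returning nothing for the webmail address, while the forensic search reports it in an unallocated cluster and reports the word "payments" in the slack of notes.txt, the file that reused the draft's first cluster. Real examinations differ in the details the toy leaves out: file systems fragment files, keyword searches are usually run case-insensitively and in several encodings (UTF-16 for Windows artifacts, for instance), and carving relies on file-type signatures rather than a simple non-zero check.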

Certified Fraud Examiners readily recognize the critical value of digital evidence in a fraud examination. They also need to fully understand the differences between eDiscovery and digital forensics in order to be able to seek appropriate technical advice and consulting services.

Risky Readers: Kindles, Nooks Capable of Storing More Than Just Bestsellers


GUEST BLOGGER

Walt Manning, CFE

Director, Techno-Crime Institute

Dallas, Texas

The experience of attending the ACFE Annual Fraud Conference in San Diego was somewhat different for me this year, as it was the first time in many years that I did not speak. This allowed me to attend some presentations that I would not normally have had time for in the past. In addition to the networking opportunities, attending also reinforced the value of obtaining current information regarding new developments in our field.

Because my specialty focuses on digital forensics and e-discovery, I always enjoy hearing any presentation by Amber Schroader, CEO of Paraben Corporation. I had always known the security risks of portable data storage devices, which include not only cell phones and USB devices, but also other devices that people may not think about such as MP3 players and iPods. We must also not forget the exploding tablet market, with the extremely popular iPad and similar products.

However, Amber brought another device to my attention that I had not even considered: electronic readers such as the Kindle or the Nook. When these devices are connected to a computer via their USB cable, they are capable of storing any type of data – not just publications. Amber also briefly described how she had installed the Android operating system on the memory card in her color Nook e-reader, allowing her to convert it into a functioning Android tablet computer with Wi-Fi capability. The interesting thing about this “hack” is that when the Nook is booted with the memory card containing the Android operating system, it functions as a tablet. However, if the memory card is removed and the Nook is then booted, the regular Nook operating system and user interface appear, showing none of the non-Nook data.

Other technology developments, such as cloud computing and its impact on investigations, are also areas that fraud examiners must be aware of and consider in the future. To learn more about the issues related to cloud computing, be sure to look for my upcoming article in the July/August issue of Fraud Magazine entitled “Investigating in the Clouds: Cloud Computing Shakes up Examination Processes.”

Computer Forensics: Following the Digital Bread Crumbs

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

During the execution of search warrants in the late 1980s and early 1990s, we investigators would examine every piece of paper we could get our hands on. We would look at computers, scratch our heads and wonder, “How do we access the digital data they contain?” At the time we had no protocols or tools to retrieve and examine digitally stored data.

The term computer forensics was reportedly coined in 1991 at the first training session sponsored by the International Association of Computer Investigative Specialists (IACIS). Since that time, the term has become accepted in the computer security field and the legal profession. Recent technological advances have introduced computing capabilities to all kinds of new devices, like PDAs (Personal Digital Assistants), smartphones, iPads, etc. Accordingly, the term digital forensics was introduced to cover all types of digital devices that have become commonplace in our daily lives.

Even though these terms are widely recognized now, they invoke different ideas as to what this discipline really entails. Some think that computer forensics involves the collection of digital files from computer systems in order to present them in searchable electronic databases. Others believe that it may involve a forensic review of electronic data stored in large databases. So what is computer or digital forensics?

Just as a fingerprint examiner examines latent fingerprint impressions found at a crime scene with the goal of linking them to the known fingerprints of a suspect, a digital forensics expert examines computer and digital storage systems to identify relevant evidence stored on digital storage devices that may link a suspect to the case under investigation. In particular, computer forensics deals with the acquisition, preservation, identification, extraction, analysis and documentation of digital evidence.

CFEs must familiarize themselves with the type of data that can be obtained from digital forensic examinations. A thorough examination of storage devices by a competent digital forensic examiner may yield evidence that is otherwise unavailable. I have been involved in a number of cases where the digital forensic examination led to finding the “smoking gun” literally in a matter of hours, whereas traditional investigative approaches would have taken months to identify the culprits, if ever.

As trial attorneys rely more and more on proving cases through the introduction of digital evidence, new litigation support technologies and services have evolved. Computer or digital forensics is one such example, where specially trained professionals use basic investigative and IT skills to find evidence that is left behind on digital storage devices. Additionally, the introduction and authentication of digital evidence in a court of law usually requires testimony by an expert witness, meaning that digital forensic examiners must also qualify as expert witnesses.

To learn more about digital forensics, go here.

Electronic Discovery, or eDiscovery, is another example of a technology that has evolved from the use of digital evidence. Want to know more about eDiscovery? Tune in next month.