Erased, but Not Gone: Mitigating Anti-Forensic Activities

GUEST BLOGGER

Lindsay H. Gill, CFE, Director of Forensic Technology
Forensic Strategic Solutions

News stories would lead you to believe that once an email or file is deleted, all hope is lost. Take heart — deleted data will not leave your investigation DOA. The mere absence of the information combined with other artifacts left behind can prove valuable to your investigation.

One of the latest challenges facing forensic analysts is the use of anti-forensic tools. While most frauds leave behind a digital footprint, the more technologically savvy fraudsters are now using anti-forensic tools to encrypt, delete or destroy data. Their goal, of course, is to make it more difficult to uncover the footprints of fraud.

Luckily, there are ways to overcome a few of the most prevalent anti-forensic tools:

Hiding data through encryption
The encryption of data encodes it, leaving it unreadable without authorization. While organizations often deploy encryption for security measures, a fraudster may use encryption to obfuscate nefarious activity. Some encryption tools leave a signature on the digital media indicating the presence of an encrypted volume. The challenge created by encrypted data is the need for the encryption key to access the information — without it you are left with few options. But fear not, the mere existence of encryption software may be the smoking gun you need to show concealment.
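The signature check described above, as an added example that is not part of the original post: it scans a raw image for the LUKS header magic and the BitLocker boot-sector OEM ID, and goes one step further by flagging high-entropy regions, since containers without a header carry no signature. The sample image is constructed for the demo, and the 7.5 bits-per-byte floor is an assumed threshold.

```python
import hashlib
import math
from collections import Counter

SECTOR, WINDOW = 512, 4096
# (label, offset inside the sector, magic bytes)
SIGNATURES = [
    ("LUKS", 0, b"LUKS\xba\xbe"),    # LUKS header magic
    ("BitLocker", 3, b"-FVE-FS-"),   # OEM ID field of a BitLocker boot sector
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, low for text or zero fill."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_image(image: bytes, entropy_floor: float = 7.5):
    """Return (signature_hits, high_entropy_offsets) for a raw image."""
    hits = []
    for off in range(0, len(image), SECTOR):
        sector = image[off:off + SECTOR]
        for label, pos, magic in SIGNATURES:
            if sector[pos:pos + len(magic)] == magic:
                hits.append((off, label))
    # Headerless containers have no magic; high entropy is the only hint,
    # and compressed data looks the same, so these need manual review.
    dense = [off for off in range(0, len(image) - WINDOW + 1, WINDOW)
             if shannon_entropy(image[off:off + WINDOW]) >= entropy_floor]
    return hits, dense

def padded(blob: bytes) -> bytes:
    return blob + bytes(WINDOW - len(blob))

def sample_image() -> bytes:
    """Constructed 16 KiB image: zero fill, a LUKS header, a random-looking
    region (SHA-256 counter stream as stand-in ciphertext), a BitLocker sector."""
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(WINDOW // 32))
    return (bytes(WINDOW) + padded(b"LUKS\xba\xbe\x00\x02") + stream
            + padded(b"\xeb\x58\x90-FVE-FS-"))

if __name__ == "__main__":
    print(scan_image(sample_image()))
```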

Deletion of data
Deleted data is possibly the easiest form of anti-forensic activity to address. The delete key on a keyboard would be more accurate if it simply read, “hide.” When data is “deleted” the location where the data resides is merely marked as available — leaving the original data intact until it is overwritten by new data. There are many forensic analysis tools that can identify and recover deleted files or fragments of deleted files not fully overwritten. Information about the deleted files, such as the date of deletion, often proves to be a valuable artifact in an investigation.

Destruction of data
The use of data wiping software is one method a fraudster can use to make it more difficult to restore deleted data. Data wiping will overwrite the free space marked as available when the file was deleted, likely leaving it unrecoverable. The wipe can be performed on an entire disc or a specific area. The good news is that wiping software leaves a footprint that can be useful to your investigation. Review the computer’s program list for wiping tools and document the steps you take in an attempt to recover the “wiped” files. The existence of a wiping program and your efforts to recover the data may serve as evidence of the lengths a suspect went to in an attempt to conceal wrongdoing.
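An added example (not from the original post) covering both the deletion and the destruction sections: on a toy block volume, deleting a file only releases its blocks, signature carving recovers the content from unallocated space, and a free-space wipe defeats the carve. `ToyVolume`, the 16-byte block size and the file content are hypothetical and invented for illustration.

```python
BLOCK = 16  # toy block size; real file systems use 512 bytes and up

class ToyVolume:
    """Raw block store plus a file table (illustrative, not a real file system)."""
    def __init__(self, nblocks):
        self.data = bytearray(nblocks * BLOCK)
        self.files = {}  # file table: name -> block indexes

    def free_blocks(self):
        used = {b for blocks in self.files.values() for b in blocks}
        return [i for i in range(len(self.data) // BLOCK) if i not in used]

    def write(self, name, content):
        chunks = [content[i:i + BLOCK] for i in range(0, len(content), BLOCK)]
        blocks = self.free_blocks()[:len(chunks)]
        for idx, chunk in zip(blocks, chunks):
            self.data[idx * BLOCK:idx * BLOCK + len(chunk)] = chunk
        self.files[name] = blocks

    def delete(self, name):
        # Only the table entry goes; the blocks become available, bytes stay.
        del self.files[name]

    def wipe_free_space(self, fill=0x00):
        # What a wiping tool does: overwrite every block marked available.
        for idx in self.free_blocks():
            self.data[idx * BLOCK:(idx + 1) * BLOCK] = bytes([fill]) * BLOCK

    def unallocated(self):
        return b"".join(bytes(self.data[i * BLOCK:(i + 1) * BLOCK])
                        for i in self.free_blocks())

def carve(raw, header, footer):
    """Signature carving: every byte run from a header through its footer."""
    found, start = [], raw.find(header)
    while start != -1:
        end = raw.find(footer, start + len(header))
        if end == -1:
            break
        found.append(raw[start:end + len(footer)])
        start = raw.find(header, end + len(footer))
    return found

if __name__ == "__main__":
    vol = ToyVolume(8)
    vol.write("ledger.pdf", b"%PDF-1.4 off-book payments %%EOF")  # constructed
    vol.delete("ledger.pdf")
    print("after delete:", carve(vol.unallocated(), b"%PDF", b"%%EOF"))
    vol.wipe_free_space()
    print("after wipe:  ", carve(vol.unallocated(), b"%PDF", b"%%EOF"))
```

After the wipe the unallocated area is a single repeated byte, which on a disk that has seen real use is itself worth noting in the examination record.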

As fraudsters become savvier, investigators will see more sophisticated anti-forensic activity to cover the suspect’s tracks, but remember, even anti-forensic activity leaves valuable evidence.

What’s in a Name? How to Reconcile Linguistic Differences in Identity Matching

LIVE FROM THE ACFE GLOBAL FRAUD CONFERENCE

Sarah Hofmann
ACFE Public Relations Specialist

For most people, your name is one of the purest, and easiest, summations of your identity. For those in the business of screening identity data against compliance intelligence information, a name may be the best tool you have to track and prosecute fraudsters around the globe. However, things get complex when you consider the multitude of countries and organizations developing sanction lists using their language’s translations of names.

When dealing with names, anti-fraud professionals must think both about the source language and the language it is being transcribed into. Would a name that originally is written in Russian Cyrillic characters and placed on an Egyptian watch list have the same sound and root name if then translated into English or French? Victoria Meyer, CFE, ACCA, Director of the Swiss Business Academy, discussed this potential problem during her session, “Linguistic Identity Matching” at the 27th Annual ACFE Global Fraud Conference.

“These are all different things you need to take into account to see ‘is this name a match or not?’” she said. “The pronunciation in the different countries is different, so you get different end translations.”

Showing the example of the name, عبد الرحمن حسين, she explained that it has more than five different potential English translations depending on what nationality the Arabic characters are first being translated into Latin characters from. If that name was translated from Yemeni Arabic into English, the translation would be “Abdirahman Hussein (Cabdiraxmaan Xuseen).” If translated from Pakistani Arabic into English, the name would be “Abdur Rehman Hussain.” While these might not be entirely dissimilar, a software program designed to match lists would likely not be able to match them.

Similarly, the same root name in a specific language could translate to different outputs in different languages. Former President of the Russian Federation Boris Yeltsin’s full name is originally written Борис Николаевич Ельцин. However, in French it is translated to Boris Nikolaïevitch Eltsine. In Spanish, it is Boris Nicoláievitch Iéltsin.

The largest takeaway that professionals operating in the multinational sanctions realm need to realize is that to perfect their linguistic identity matching software and processes they must educate themselves on the linguistic patterns and customs of all countries they deal with. For counterterrorism experts, French and German translations of names are starting to come into play more as many refugees have been moving to areas in those countries, and the law enforcement and terrorism authorities are creating watch lists in their language.  

When practicing linguistic identity matching, the onus falls on the fraud examiner to ensure the accuracy of any type of matching software their organization might be using. “This is your risk tolerance you’re setting. It’s not fair to delegate it to someone in IT,” said Meyer. She said that someone well-versed in code and computer patterns, but not familiar with many nuances of international linguistics, would not be able to effectively create a software matching system unless given the patterns and specific triggers to look for from a linguistic professional.
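An added example, not from the session or from any vendor product, showing why exact list matching misses the spellings quoted earlier and how the match threshold becomes a risk-tolerance setting. Edit distance over diacritic-folded names is a simple stand-in chosen here, not a linguistically informed matcher; the watch list and both thresholds are constructed.

```python
import unicodedata

def fold(name: str) -> str:
    """Lowercase, strip diacritics and spaces: 'Iéltsin' -> 'ieltsin'."""
    decomposed = unicodedata.normalize("NFKD", name)
    kept = (c for c in decomposed if not unicodedata.combining(c))
    return "".join(kept).lower().replace(" ", "")

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> float:
    """1.0 for identical folded names, falling toward 0.0 as edits accumulate."""
    fa, fb = fold(a), fold(b)
    return 1 - levenshtein(fa, fb) / max(len(fa), len(fb), 1)

def screen(candidate: str, watchlist, threshold: float):
    """Return (entry, score) pairs at or above the threshold, best first."""
    scored = [(entry, similarity(candidate, entry)) for entry in watchlist]
    hits = sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])
    return [(entry, round(score, 2)) for entry, score in hits]

# Constructed watch list: two spellings quoted in the article, one made-up name.
WATCHLIST = ["Abdur Rehman Hussain", "Boris Nicoláievitch Iéltsin", "Ivan Petrov"]

if __name__ == "__main__":
    for name in ("Abdirahman Hussein", "Boris Nikolaïevitch Eltsine"):
        print(name, "| exact:", name in WATCHLIST,
              "| 0.75:", screen(name, WATCHLIST, 0.75),
              "| 0.85:", screen(name, WATCHLIST, 0.85))
```

Raising the threshold from 0.75 to 0.85 keeps the Yeltsin variants matched but drops the Abdirahman/Abdur Rehman pair, which is the trade-off between missed hits and false alerts that the examiner has to own.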

Ultimately, anti-fraud professionals need to be the ones leading the charge in reforming and perfecting multinational linguistics identity matching. Meyer explained that currently, the vendors touting identity matching systems have said, “We know our searches are rubbish, but no one expects any better, so it’s fine.” With the fight against fraud becoming undeniably global in nature, it is more important than ever for fraud examiners to look outside of their own language borders. 


Benford's Law: A Real Life Case Study


By Pete Miller, CFE, CPA
Shareholder, Clark Nuber

Benford’s Law is an example of data analysis, sometimes referred to as data mining or data monitoring. Accounting systems are churning out gobs of data these days, and without consistent and organized data analysis, it is just too easy to hide even unsophisticated schemes. The mice are indeed getting smarter, so the mousetraps you used in the past won’t cut it in today’s environment. Data analysis, dashboards, and other tools are a great way to advance your internal control systems and stay ahead of the fraudsters.

I recently wrote a piece on my company’s blog that gave the basics on Benford’s Law. Most of you likely are familiar with Benford’s Law in your fraud examinations.  I am a big believer in practical application as a tool in learning any new concept, so with that in mind, I wanted to provide an example of how to apply this law based on one of my old case files.  

The main facts you need to know for this example are: 

  • the business had two subsidiaries, so you will see two sets of Benford charts; 
  • funds seemed to be leaking out of these subsidiaries; and 
  • the check-writing or cash disbursement cycle seemed to be the source of that leak.  

Check registers are key sets of data to which a Benford’s Law analysis can be applied. For each of the two subsidiaries, we obtained check registers from the accounting system that spanned approximately 10 years, resulting in approximately 16,000 checks for each subsidiary (32,000 in total) –  definitely a large enough sample for the Benford distribution to be distinct and clear.  

After running this analysis, what I found was very interesting. It is represented in the two charts below.  

As you can see, the 3-digit column sticks out and is high relative to the Benford curve for both charts. The 2-digit column sticks out as well and is relatively high, but only in the second chart. These results prompted me to drill down into each of the three columns. 

I began to analyze the subsets of data and found that certain vendors had an unusual volume of checks written to them; several vendors had 200 or more checks written to them over this period of time. The other thing I quickly noticed was that many of the vendors with these high volumes had “do not use” included in the vendor name field. That seemed very unusual. I typically expect that this kind of label would be a signal to not use that vendor and that it would also hopefully lead to the eventual removal of that vendor from the master list.  

With these two questions in front of me, I continued digging. Next, I looked at the greater population of checks to see how much total volume was written to these “do not use” vendors over the years. What I found was absolutely staggering.  

A single vendor, in a population of more than 16,000 checks spanning a period of 10 years, had over 1,400 checks written to them over a period of just three years. Nearly 10 percent of the total checks were written to this single vendor, in just one-third of the time. The other entity had more than 1,700 checks written to one vendor over a period of five years. How is that possible? That doesn’t just happen naturally in most businesses. There must be some other reason.

Unfortunately, I am not in a position to share the end results. But, I can say that it led to further investigation, which is the point of Benford’s Law. In and of itself, a Benford’s Law analysis will not produce a smoking gun, but it will shine a light on the cloud of smoke, and if you follow that cloud of smoke, you might find the smoking gun. This is a fine example of the process in action.
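The two-stage analysis in this case study, as an added example that is not the author's own workpapers or code: a first-digit Benford test with a z-score per digit, then a drill-down into the payees behind any over-represented digit. The register is constructed (2,000 log-uniform checks plus 300 to a made-up payee), and reading the charts as first-digit charts is an assumption.

```python
import math
from collections import Counter

def first_digit(amount: float) -> int:
    """Leading non-zero digit of a positive check amount."""
    return int(f"{amount:.2f}".lstrip("0.")[0])

def benford_report(amounts):
    """Per first digit: (observed share, Benford share, z-score)."""
    digits = [first_digit(a) for a in amounts if a >= 0.01]
    n, counts = len(digits), Counter(digits)
    report = {}
    for d in range(1, 10):
        expected = math.log10(1 + 1 / d)
        observed = counts[d] / n
        # z-statistic for a proportion, with continuity correction
        gap = max(abs(observed - expected) - 1 / (2 * n), 0)
        z = gap / math.sqrt(expected * (1 - expected) / n)
        report[d] = (observed, expected, z)
    return report

def flagged_digits(amounts, z_crit=1.96):
    """Digits that occur significantly MORE often than Benford predicts."""
    return [d for d, (obs, exp, z) in benford_report(amounts).items()
            if obs > exp and z > z_crit]

def top_payees(register, digit, k=3):
    """Drill-down: payees with the most checks starting with `digit`."""
    hits = Counter(payee for payee, amount in register
                   if amount >= 0.01 and first_digit(amount) == digit)
    return hits.most_common(k)

def sample_register():
    """Constructed data: 2,000 log-uniform 'normal' checks plus 300 checks
    of $300-$389 to one made-up payee labelled DO NOT USE."""
    normal = [(f"VENDOR-{i % 40:02d}", round(10 ** (1 + 3 * i / 2000), 2))
              for i in range(2000)]
    leak = [("ACME SUPPLY - DO NOT USE", 300.0 + i % 90) for i in range(300)]
    return normal + leak

if __name__ == "__main__":
    register = sample_register()
    for digit in flagged_digits([amount for _, amount in register]):
        print(digit, top_payees(register, digit))
```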

Mitigating Fraud Risk in 2016

GUEST BLOGGER

Jeremy Clopton, CFE, CPA, ACDA
Director, Forensics and Valuation Services
BKD, LLP

The end of 2015 is quickly approaching and organizations are planning their activities for 2016, so it seems like a good time to consider the importance of fraud prevention efforts. The numbers are stacked against recovery — 58 percent of the victim organizations in the ACFE’s 2014 Report to the Nations recovered none of their losses — so thinking through how best to mitigate fraud risk is an important exercise. It’s my hope that you gave this consideration throughout the year. In the event you didn’t, there is no better time than the present to start.

One of the most common questions I hear from organizations is, “what can I do to prevent fraud in my organization?”  While I wish I had a great answer to that question, completely preventing fraud is nearly impossible and there is no guarantee that fraud will not occur. However, it is possible to mitigate and manage fraud risks with internal controls (FYI – trust is not one of them).

Based on the information in the Report to the Nations, proactive data monitoring/analysis was the most effective anti-fraud control. When looking at cases where this control was present compared to those where it was not, the report shows a 59.7 percent reduction in median loss and a 50 percent reduction in median duration. While this control is the most effective, it was far from the most common control. In fact, it was present in just over a third of all cases submitted.

Another of the most effective anti-fraud controls was surprise audits, which showed a 43.3 percent reduction in median loss and a 50 percent reduction in median duration. Again, this control was only present in about a third of all cases studied.

Hotlines are also near the top of the list of effective anti-fraud controls. Hotlines resulted in a reduction in median loss of 40.5 percent and median duration of 50 percent. Further, hotlines are responsible for tip-reporting, which is the most common method of detection, according to the report.

As 2016 approaches, many companies will likely wait until a fraud occurs to begin thinking through preventive procedures. I’ve highlighted three of the most effective anti-fraud controls in this post, and there are many others to consider. I hope you will take some time prior to the end of the year to consider what controls you have in place, and what controls you should consider adding, to help mitigate fraud in your organization. Here’s to a happy 2016!