ONLINE EXCLUSIVE

Sundaraparipurnan Narayanan

Unaoil, a Monaco-based oil consulting company, was recently exposed in a media investigation for potentially supporting or facilitating bribes on behalf of large multinational firms in the oil and gas industry. Though the company is from Monaco, Unaoil is believed to have supported companies in winning contracts across Middle Eastern and African countries. The investigation, which Fairfax Media and The Huffington Post conducted, identified several emails providing references to the routing of bribes.

The Unaoil case provides several lessons on using forensic email reviews to help gather evidence or indications of fraud, misconduct and regulatory non-compliance. Investigators who use these reviews rely on communication as a raw form of evidence that exhibits subjects' unethical or illegal intent. Keyword searches are an effective method of identifying evidence in the huge volumes of data stored in digital devices. Investigators choose keywords based on context and relevance to the case.

An analysis of the evidence gathered by Fairfax Media and The Huffington Post on the Unaoil case reveals a number of lessons on forensic email reviews for investigators.

Using code words in communication

Many of the leaked Unaoil emails and excerpts contain several code words referring to individuals, organizations, events and the contexts of the communication. Individuals are referred to as "Doctor," "Ivan," or "Lighthouse." Keywords can help disguise intent in communication. For example, bribers or bribe receivers (public officials) might not be red-flagged in email if they identify themselves by code name or keyword.

Of course, these reviews wouldn't be effective unless investigators are aware of the keywords subjects are using because generic keywords might show inconsistencies.  
Investigators should look for:

1. Data (files created, system logs, etc.) and communication (email and chat logs) pertaining to a specific time period (a month, quarter or a year that's relevant to the incident or the issue in question). 

Dissecting the chain of events

The leak in the Unaoil case included emails referencing the opening of a separate bank account to channel funds; a request for depositing funds into an unknown, third-party, offshore account; and a payment rejected by a bank, which noted the transaction "may conflict with U.S. government sanctions." In that case, the rejected payment was subsequently cleared by the bank.

Automated communications from a banking channel on payouts or deposits might be ignored assuming they're irrelevant. However, if someone attempts to place some of these transactional communications into the overall chain of events relating to the issue or the incident in question, it helps in identifying relevant evidence on a violation or misconduct. Such communication might not contain any of the keywords (including names of key people) that are considered in the review.

When looking at the chain of events, investigators should consider the following three key factors:

1. Inconsistent nature of received communication.
2. Unusual patterns of communication and the use of "Bcc:" in emails.
3. Communication representing financial transactions or financial manipulation.

These outliers help put together events and look at them from a bird's-eye view. Looking at the chain of events in this way enables the investigator to identify potential red flags. For instance, a Bcc: communication might show that the perpetrator intended to involve the subject in the blind copy field without the receiver knowing it.

Forensic email reviews help uncover clues

Organizations should consider using forensic email reviews in new ways to uncover information to understand key players' communication patterns, including what and with whom they communicating, and files they're sending and receiving. If you conduct this type of analysis on each individual for an isolated sample period you might identify specific keywords.

These reviews should extend beyond keyword-based searches to examine communication among identified individuals, time-period-based information exchange, inconsistent/unusual patterns or nature of communication, and any suspect references to financial transactions and manipulation.

The Unaoil case demonstrates how you can use these tactics in forensic email reviews to help unravel large-scale, complex fraud schemes and discover communication patterns, preserved digital evidence and, most importantly, fraud perpetrators' own words — saved for posterity.

Read the full article, with even more tips for reviewing emails, at Fraud-Magazine.com.

Sundaraparipurnan Narayanan is the associate director of forensic services at SKP Business Consulting LLP. His email address is: SNarayanan@skpgroup.com.