Erased, but Not Gone: Mitigating Anti-Forensic Activities

GUEST BLOGGER

Lindsay H. Gill, CFE, Director of Forensic Technology
Forensic Strategic Solutions

News stories would lead you to believe that once an email or file is deleted, all hope is lost. Take heart — deleted data will not leave your investigation DOA. The mere absence of the information combined with other artifacts left behind can prove valuable to your investigation.

One of the latest challenges facing forensic analysts is the use of anti-forensic tools. While most frauds leave behind a digital footprint, the more technologically savvy fraudsters are now using anti-forensic tools to encrypt, delete or destroy data. Their goal, of course, is to make it more difficult to uncover the footprints of fraud.

Luckily, there are ways to overcome a few of the most prevalent anti-forensic techniques:

Hiding data through encryption
Encryption encodes data, leaving it unreadable without authorization. While organizations often deploy encryption as a security measure, a fraudster may use encryption to obfuscate nefarious activity. Some encryption tools leave a signature on the digital media indicating the presence of an encrypted volume. The challenge created by encrypted data is the need for the encryption key to access the information — without it you are left with few options. But fear not, the mere existence of encryption software may be the smoking gun you need to show concealment.
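To show what such a signature looks like in practice, here is an added example (not part of the original post) that scans a raw disk image for two well-known encrypted-volume headers: the LUKS magic bytes and the BitLocker boot-sector OEM ID. The function names and the four-sector sample image are constructed for illustration.

```python
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"   # first 6 bytes of a LUKS1/LUKS2 primary header
BITLOCKER_OEM = b"-FVE-FS-"    # OEM ID at byte offset 3 of a BitLocker boot sector


def scan_image(image: bytes, sector_size: int = SECTOR):
    """Return (byte_offset, description) for every sector that starts
    with a known encrypted-volume header."""
    hits = []
    for off in range(0, len(image), sector_size):
        sector = image[off:off + sector_size]
        if sector.startswith(LUKS_MAGIC) and len(sector) >= 8:
            # The 16-bit big-endian version field follows the magic.
            (version,) = struct.unpack(">H", sector[6:8])
            hits.append((off, f"LUKS header, version {version}"))
        elif sector[3:11] == BITLOCKER_OEM:
            hits.append((off, "BitLocker volume boot sector"))
    return hits


def build_sample_image() -> bytes:
    """Constructed sample: plain data, a LUKS2 header, plain data,
    then a BitLocker boot sector (jump instruction + OEM ID)."""
    plain = b"quarterly report".ljust(SECTOR, b"\x00")
    luks = (LUKS_MAGIC + struct.pack(">H", 2)).ljust(SECTOR, b"\x00")
    bitlocker = (b"\xeb\x58\x90" + BITLOCKER_OEM).ljust(SECTOR, b"\x00")
    return plain + luks + plain + bitlocker


if __name__ == "__main__":
    for offset, what in scan_image(build_sample_image()):
        print(f"offset {offset:#x}: {what}")
```

A volume format that writes no plaintext header will not match, which is why only some tools leave a signature; record the offset of every hit in your examination notes.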

Deletion of data
Deleted data is possibly the easiest form of anti-forensic activity to address. The delete key on a keyboard would be more accurate if it simply read, “hide.” When data is “deleted” the location where the data resides is merely marked as available — leaving the original data intact until it is overwritten by new data. There are many forensic analysis tools that can identify and recover deleted files or fragments of deleted files not fully overwritten. Information about the deleted files, such as the date of deletion, often proves to be a valuable artifact in an investigation.
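The "marked as available" behaviour is easy to see in a FAT directory, used here as an assumed example file system. This added example (not from the original post) parses 32-byte FAT 8.3 directory entries and lists those whose first byte is the 0xE5 deleted marker; the helper names and the sample directory are constructed.

```python
import struct
from datetime import datetime

# FAT 8.3 entry: name, ext, attributes, 8 skipped bytes, cluster-high,
# write time, write date, cluster-low, file size (32 bytes in total).
ENTRY = struct.Struct("<8s3sB8xHHHHI")

def fat_datetime(date, time):
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def deleted_entries(directory: bytes):
    """List entries marked deleted (first byte 0xE5) in a raw FAT directory."""
    found = []
    for off in range(0, len(directory) - 31, 32):
        raw = directory[off:off + 32]
        if raw[0] == 0x00:                    # end-of-directory marker
            break
        name, ext, attr, hi, wtime, wdate, lo, size = ENTRY.unpack(raw)
        if raw[0] != 0xE5 or attr == 0x0F:    # live entry or long-name fragment
            continue
        # Only the first name character is lost to the marker; show it as "?".
        short = "?" + name[1:].decode("ascii", "replace").rstrip()
        ext_s = ext.decode("ascii", "replace").rstrip()
        found.append({"name": f"{short}.{ext_s}" if ext_s else short,
                      "first_cluster": (hi << 16) | lo,
                      "size": size,
                      # FAT keeps no deletion time; this is the last write time.
                      "modified": fat_datetime(wdate, wtime)})
    return found

def make_entry(name, ext, cluster, size, when, deleted=False):
    """Build one constructed directory entry for the sample below."""
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    raw = bytearray(ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                               0x20, cluster >> 16, time, date,
                               cluster & 0xFFFF, size))
    if deleted:
        raw[0] = 0xE5
    return bytes(raw)

def build_sample_directory():
    """Constructed sample: one live file, one deleted file, end marker."""
    return (make_entry("BUDGET", "XLS", 5, 20480, datetime(2012, 4, 2, 9, 30, 0))
            + make_entry("CUSTLIST", "XLS", 9, 48128,
                         datetime(2012, 4, 27, 17, 42, 10), deleted=True)
            + bytes(32))

if __name__ == "__main__":
    for row in deleted_entries(build_sample_directory()):
        print(row)
```

The surviving start cluster and size tell a recovery tool where the content began and how much to read, provided those clusters have not been reused.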

Destruction of data
The use of data wiping software is one method a fraudster can use to make it more difficult to restore deleted data. Data wiping will overwrite the free space marked as available when the file was deleted, likely leaving it unrecoverable. The wipe can be performed on an entire disk or a specific area. The good news is that wiping software leaves a footprint that can be useful to your investigation. Review the computer’s program list for wiping tools and document the steps you take in an attempt to recover the “wiped” files. The existence of a wiping program and your efforts to recover the data may serve as evidence of the lengths a suspect went to in an attempt to conceal wrongdoing.

As fraudsters become savvier, investigators will see more sophisticated anti-forensic activity to cover the suspect’s tracks, but remember, even anti-forensic activity leaves valuable evidence.

Securing Data from the Malicious Insider

GUEST BLOGGER

Lindsay Gill, CFE, Director of Forensic Technology
Forensic Strategic Solutions Inc. 

A key salesman left a manufacturing company, purportedly to work in sales in another industry. Under normal circumstances a company would be disappointed to lose a key salesman. However, in this instance, while productive, the salesman was a troublemaker and a constant source of negativity. Shortly after this salesman left, the president and CEO of the company received a call from one of his top customers. The customer had just received a call from the company’s No. 1 competitor; this competitor was able to tell the customer the details of his latest order with the president’s company. The president and customer alike were concerned about how confidential company information was available to a competitor. After much reassurance to the customer, the president was able to save the order.

The president then engaged our firm to perform digital forensics and get to the bottom of things. We imaged the hard drives of the sales department. Upon analysis of the former salesman’s computer we found that immediately prior to leaving, the salesman had saved the company’s detailed customer list to a USB drive. We also found frequent emails to his personal email address (webmail account) that included attachments containing order histories for key customers. Additionally, we analyzed the email exchange server and found emails between the former salesman and current sales staff. The email address being used by the former salesman was with the competitor in question. While the emails were innocent chitchat, they revealed that the former salesman had not been truthful about his new place of employment, a fact which violated a non-compete agreement. Investigation of the corporate phone system indicated frequent calls from the former salesman’s cell phone to the current sales staff. We found that the current sales staff was relaying information to the former salesman during these “innocent” calls catching up on their day-to-day activity.

Situations like this occur more frequently than business owners would like to think. So what are some of the key signs employers should look for to help identify the malicious insider?

  • Employees who have a grudge against the company or are constantly talking about changing jobs
  • Increased rule-breaking or misbehavior
    • Physical altercations
    • Breaking dress code
    • Suspicious behavior
    • Signs of extreme stress

In addition to paying attention to how your employees are behaving, you need to implement monitoring technology to pinpoint the following:

  • Increased or unusual patterns in network/workplace access
  • Log reports of attempted unauthorized access
  • Large data transfers during nonbusiness hours
  • Frequent emails to outsiders with attachments
  • Excessive file downloads
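As an added illustration (not part of the original post), the following sketch applies two of the indicators above, frequent emails to outsiders with attachments and large transfers during nonbusiness hours, to a mail-gateway log. The log format, domain, thresholds and sample records are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "example.com"    # assumption: the company's mail domain
BUSINESS_HOURS = range(8, 18)      # assumption: 08:00-17:59, Monday to Friday
LARGE_BYTES = 10 * 1024 * 1024     # assumption: "large" means 10 MiB or more
MAX_EXTERNAL_ATTACHMENTS = 3       # assumption: per sender, per review window

# Constructed sample log: timestamp,sender,recipient,attachments,bytes
SAMPLE_LOG = """\
2024-03-04T10:15:00,alice@example.com,bob@example.com,1,52000
2024-03-04T16:50:00,sales1@example.com,sales1.home@webmail.example,2,830000
2024-03-05T11:05:00,carol@example.com,buyer@customer.example,1,120000
2024-03-06T22:40:00,sales1@example.com,sales1.home@webmail.example,1,26214400
2024-03-09T09:30:00,sales1@example.com,sales1.home@webmail.example,3,4100000
"""


def review(log_text):
    """Return (frequent external senders, large after-hours transfers)."""
    external = defaultdict(int)
    after_hours = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        ts, sender, rcpt, n_att, size = row
        when = datetime.fromisoformat(ts)
        outside = rcpt.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
        if outside and int(n_att) > 0:
            external[sender] += 1
        off_hours = when.weekday() >= 5 or when.hour not in BUSINESS_HOURS
        if outside and off_hours and int(size) >= LARGE_BYTES:
            after_hours.append((ts, sender, rcpt, int(size)))
    frequent = {s: n for s, n in external.items()
                if n >= MAX_EXTERNAL_ATTACHMENTS}
    return frequent, after_hours


if __name__ == "__main__":
    frequent, after_hours = review(SAMPLE_LOG)
    print("frequent external attachments:", frequent)
    print("large after-hours transfers:", after_hours)
```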

As always, educating employees about the importance of security is the first step in protecting company information. Annual renewals of non-disclosure agreements and employee education are key to protecting your company from the malicious insider and creating a culture of security.

The Banality of Fraud: Detecting Fraud from Even the Most Modest Employees

GUEST BLOGGER

Jeffrey Windham, J.D., CFE

Forensic Strategic Solutions

Birmingham, Ala.

When the loan manager of a locally owned and operated Alabama bank left her job in May of 2012, none of her coworkers knew that within eight months, she would be found guilty of computer fraud and sentenced to six months in federal prison. However, she knew the mess that she was leaving behind.

The manager did not lead an extravagant lifestyle. A mother of two teenagers from a small Alabama suburb, she didn’t seem to have any of the outward signs of a potential fraudster. However, as our investigation progressed, we uncovered massive credit card debt—debt that she was paying off with fraudulent loans from her employer. 

According to our investigation, the employee fraudulently increased her home equity line of credit 69 times between Oct. 11, 2011 and April 27, 2012. She also increased her personal line of credit 11 times between Jan. 13, 2009 and Feb. 25, 2010. In total, she obtained $274,775 in unauthorized equity and credit line increases from the bank. As a trusted loan manager, the fraudster had access to reports that detailed all active loans, including her fraudulent loans. Therefore, she was able to alter the reports and thus conceal her illegal activity from her supervisor.

In spite of her intentional and ongoing scheme, the employee continued to make minimum monthly payments on her fraudulent loans. Of course, with every increase in credit, her minimum payment also increased until it was over $4,000 a month. After leaving in May 2012 to take a position at another local bank, the loan manager could not recall the amount of her minimum payment and had to call to receive the information.

Her high monthly payment astounded her former coworker who then took the alarming information to her supervisor.

Of course, this meant trouble for the fraudster. After reporting the fraud to the FBI, the bank chose to expedite the investigation process and hired our financial investigation consulting firm, Forensic Strategic Solutions. In this case, we were able to bring the evidence to authorities by November of 2012, just four months after the fraud was reported.

In March 2013, the inconspicuous former loan manager was sentenced to six months in federal prison for computer fraud and was ordered to pay $308,554 in restitution.

White-collar crime is not always obvious, especially when it is being committed by an employee who, by all accounts, appears to be a straight arrow. Due to one anomaly, a once-trusted employee, because of her financial woes and ill-conceived solutions, is now a convicted white-collar criminal and banned from ever returning to the banking profession per agreement with the FDIC.

Jeff Windham is an attorney and CFE with Forensic Strategic Solutions. Read his full bio. Forensic Strategic Solutions, Inc. is a national financial investigation firm that combines fraud examination with investigative financial consulting services in order to illustrate and present complex financial data in courts of law and other forums. For more information, visit Forensicstrategic.com.