BYOD Investigations: Take Charge and Develop a Plan

GUEST BLOGGER

Walt Manning, CFE
President of Investigations MD and Breakout Session Speaker at the Upcoming 24th Annual ACFE Global Fraud Conference in Las Vegas, June 23-28

A recent NBC article, “Use your personal smartphone for work email? Your company might take it,” serves as a wake-up call to fraud examiners about the types of evidence that are potentially available in Bring Your Own Device (BYOD) investigations. Many articles discuss the problems caused by BYOD programs, but fraud examiners need to focus on the idea that BYOD can also create new career or business opportunities for investigators who know the possible challenges with BYOD investigations and have developed plans to deal with them.

Consider this scenario:

An employee named John connects to the Internet at a coffee shop with his BYOD tablet. John bought the tablet, and he also pays for the cell data plan that he uses when Wi-Fi is not available. The company has no policy regarding the use of public Wi-Fi. John uses the free coffee shop Wi-Fi, which has no security and requires no login, to connect to the office to check email and download files needed for a project team meeting.

When the team John is working with arrives to discuss a company project, John activates a personal hotspot on his tablet, providing other team members with access to the Internet and also to his connection to the corporate network. The company has no policy or training regarding how the personal hotspot should be configured to ensure a secure connection, and provides no Virtual Private Network (VPN) capabilities for security.

All five team members are connected to their cloud-based personal email accounts on Gmail, Yahoo or Outlook. Not all team members are full-time employees – two are independent contractors hired for this project only.

Does this scenario sound familiar? If you were assigned an investigation related to the expense reports submitted by this project team, would you know where to start looking? The scenario above contains potential problems, and an investigation may be more challenging because of them. Knowing where to find the evidence you need and how to preserve it may just be the keys to breaking the case.

The red flags are there with the lack of security, lack of policies and training and general lack of protocols for using personal devices for business. But, with those challenges comes the opportunity to dig into more data and find more evidence.

Learn about BYOD programs and develop your own game plan that will make you the “go-to” person for these investigations. I will discuss this and more in greater detail during my breakout session “BYOD (Bring Your Own Device), BYON (Bring Your Own Network) and the Evolution of Digital Forensics” at the 24th Annual ACFE Global Fraud Conference in Las Vegas, June 23-28. I hope to see you there!

Unearthing Digital Artifacts to Uncover Fraud

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

In my last blog post, “Follow the Digital Tracks to Uncover Fraud,” I discussed how following the digital tracks has replaced the old technique of “follow the money” in uncovering and solving fraud schemes. The post included case examples where digital data left behind on a computer was instrumental in solving complex fraud investigations.

The operating system (OS) keeps track of digital data in allocated clusters (i.e., the used space on the drive), which are occupied by active files (i.e., files that are actively tracked by the OS). Data no longer tracked by the OS resides in unallocated clusters (i.e., the free space on the drive).

The data in unallocated clusters can include complete files no longer tracked by the OS (e.g., deleted or temporary files) or file fragments (e.g., partial files or remnants from files that were previously stored on the drive). Digital forensic examiners usually refer to these remnants as file artifacts.
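The difference between a complete deleted file and a file fragment can be shown with a small signature-based carver. This is an added example, not code from the author: the 512-byte cluster size, the two signatures and the sample buffer are constructed for illustration, and real carving tools also handle fragmentation and footers that occur inside file data.

```python
CLUSTER = 512  # assumed cluster size for the constructed sample

# Header/footer signatures for two common file types.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def carve(unallocated: bytes):
    """Return (kind, offset, length, complete) for every header found."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = unallocated.find(header)
        while pos != -1:
            nxt = unallocated.find(header, pos + 1)
            limit = nxt if nxt != -1 else len(unallocated)
            end = unallocated.find(footer, pos + len(header))
            if end != -1 and end < limit:
                # Header and footer both survive: a complete file.
                hits.append((kind, pos, end + len(footer) - pos, True))
            else:
                # Footer overwritten or never written: keep the rest of the
                # cluster that holds the header as a fragment.
                frag_end = min(limit, (pos // CLUSTER + 1) * CLUSTER)
                hits.append((kind, pos, frag_end - pos, False))
            pos = nxt
    return sorted(hits, key=lambda h: h[1])

def build_sample():
    """Constructed 4-cluster 'unallocated' area: one whole PDF, one JPEG remnant."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    jpeg_fragment = b"\xff\xd8\xff\xe0" + b"JFIF-remnant"
    img = bytearray(CLUSTER * 4)
    img[CLUSTER:CLUSTER + len(pdf)] = pdf
    img[CLUSTER * 3:CLUSTER * 3 + len(jpeg_fragment)] = jpeg_fragment
    return bytes(img)

if __name__ == "__main__":
    for kind, off, length, complete in carve(build_sample()):
        label = "complete file" if complete else "fragment"
        print(f"{kind:5} offset={off:5} length={length:4} {label}")
```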

In addition to file artifacts, operating systems generate many logs and system files that can contain artifacts of interest in a digital examination. For example, a user’s Internet surfing history is usually captured in system databases that record a plethora of details about the user’s surfing activity. Additionally, as different websites are visited, the pages are downloaded to the browser’s cache, which consists of system-generated files and folders that temporarily store the information accessed online.

With today’s gargantuan hard disk drives, temporary or deleted files, or their fragments, can reside on a drive for a long, long time. For example, it’s not unusual to be able to retrieve Internet browsing history going back a year or longer.

These sorts of digital artifacts may enable a fraud examiner to follow the money. For example, the browsing history may include visits to financial institutions that may disclose the existence of bank or investment accounts. Better yet, if the user accessed online items like cancelled checks or account statements, they may have been downloaded and left behind in the browser’s cache.
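One way to pull visits to financial institutions out of a browser history database, as an added example rather than the author's method. It assumes a Chromium-style SQLite history with `urls` and `visits` tables and visit times stored as microseconds since 1601-01-01 UTC; the watchlist domains and all sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chromium-family browsers store visit times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
US = timedelta(microseconds=1)
WATCHLIST = {"examplebank.test", "broker.example"}  # hypothetical institutions

def from_webkit(us):
    return WEBKIT_EPOCH + us * US

def on_watchlist(url, watchlist):
    # Match the registered host or any subdomain, but not lookalike names.
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in watchlist)

def financial_visits(db, watchlist=WATCHLIST):
    """Return (UTC time, URL) for every visit to a watch-listed host, oldest first."""
    rows = db.execute(
        "SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url "
        "ORDER BY v.visit_time")
    return [(from_webkit(t).isoformat(), url) for t, url in rows
            if on_watchlist(url, watchlist)]

def build_sample_db():
    """Constructed data in a cut-down history layout (urls + visits tables)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);")
    db.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "https://online.examplebank.test/statements/2012-11.pdf", "Statement"),
        (2, "https://news.example/sports", "Sports"),
        (3, "https://notexamplebank.test/login", "Lookalike host"),
    ])
    when = lambda *a: (datetime(*a, tzinfo=timezone.utc) - WEBKIT_EPOCH) // US
    db.executemany("INSERT INTO visits(url, visit_time) VALUES (?,?)", [
        (1, when(2012, 11, 30, 14, 5)), (2, when(2012, 12, 1, 9, 0)),
        (3, when(2012, 12, 2, 9, 0)), (1, when(2013, 1, 4, 8, 30)),
    ])
    return db

if __name__ == "__main__":
    for ts, url in financial_visits(build_sample_db()):
        print(ts, url)
```

In an examination, run this kind of query against a copy of the history file extracted from the forensic image, never against the original evidence.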

Another fruitful area in fraud examinations may be the type of file remnants left behind from webmail sessions. Webmail describes online email services like Gmail, Hotmail, Yahoo, etc. Usually these services are accessed through an Internet browser, meaning that file artifacts from online webmail sessions can be found and retrieved from hard disk drives. Computer users frequently use webmail for their private communications, particularly when using a computer at work. Such webmail artifacts can and often do contain information of great use to fraud examiners. 

My next post will examine other digital artifacts that can come in handy in fraud examinations and white-collar crime investigations.