Digital Artifacts the Keys to Making or Breaking a Fraud Case


GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP

U.S. Data Forensics, LLC

Herndon, Va.

In my last two blog posts, “Follow the Digital Tracks to Uncover Fraud” and “Unearthing Digital Artifacts to Uncover Fraud,” I presented a couple of case studies and addressed how digital artifacts can assist anti-fraud professionals in an examination or white-collar crime investigation. Digital artifacts allow us to quickly build a profile of the user, including family details, financial details, personal habits and associations.

Digital artifacts can be used to track events such as the timing of when an external drive was connected to the computer. This may be no big deal under ordinary circumstances, but if a fraud examiner is investigating the theft of intellectual property stored in digital files, knowing when and who connected external storage devices to the computers in an organization can make or break the case.

A computer user may insist that he did not read or open a particular file, but the digital artifacts left behind can easily prove whether he is mistaken or intentionally lying. These sorts of digital artifacts are logged in various Windows system files and logs, as well as in the Windows registry hives.

Rumor has it that the Windows registry files are referred to as hives because the original developers of Windows NT hated bees. So the developer who was responsible for the registry snuck in as many bee references as he could. A registry file is called a "hive," and registry data are stored in "cells," which are what honeycombs are made of.

The registry hives are files loaded into the Windows environment every time the computer boots into the operating system. They contain all kinds of data, from tracking logins and installed software to personalized details, like what wallpaper image is displayed on the user’s desktop, where on the screen a particular window opens, which files a user last worked with and the time and date different apps were run.

If you’re involved in a fraud examination, I am sure you see the value of knowing what files the user accessed, what programs he ran, what network share drives were accessed, what external storage devices were used, what files were deleted, what software was installed or whether an application was used to intentionally delete and wipe (e.g., overwrite) certain files. These sorts of details can easily be provided to the investigative team by a competent digital forensic examiner who has been engaged to examine the trove of digital information that exists in today’s computer networks.

You can find Phil at the 23rd Annual ACFE Fraud Conference & Exhibition next week when he presents on "Digital Forensics & eDiscovery for Fraud Examiners."

The Difference Between Computer Forensics and eDiscovery

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

In my previous posts, “Computer Forensics: Following the Digital Bread Crumbs” and “eDiscovery: Digital Data Gives Birth to New Industry”, I covered computer/digital forensics and the emergence of eDiscovery as distinct and separate professions dealing with the handling of digital evidence. Although both these disciplines deal with digital data, there is some confusion as to how they differ. Digital forensics encompasses the entire universe of data stored on a hard disk drive (HDD), whereas eDiscovery usually only focuses on a smaller grouping of data stored on the drive.

Computer users are familiar with the meaning of used and free space on a HDD. In Microsoft Windows, a drive’s properties are depicted on a pie chart that shows the total disk storage capacity, as well as the used and free space. (See figure.)

In technical lingo, the free space is referred to as “unallocated clusters” while the used space is referred to as “allocated clusters.” In computer file systems, a cluster or allocation unit is the unit of disk space allotted for files and directories.

A simple way to understand the difference between eDiscovery and computer forensics is to think of the HDD allocation model. EDiscovery focuses on data stored in allocated clusters, while computer forensics deals with both allocated and unallocated clusters (i.e., the entire physical drive).

EDiscovery filters out program, temporary and system files, and processes only active, user-accessible files. This usually involves Microsoft Office or other office suite files (e.g., documents, spreadsheets, presentations, databases, PDFs, etc.) and emails. These types of files are then processed in an eDiscovery engine, where they are indexed and catalogued, and then usually loaded into a Litigation Support Platform (software designed to aid law firms in the process of document reviews in litigation; for more information see the American Bar Association website).

On the other hand, computer forensics investigates everything, including deleted files or remnants from former files that have been partially overwritten. A forensic examiner must pay particular attention to certain operating system and log files, temporary files and the file remnants found in unallocated clusters.

For example, data remnants (file artifacts) from web-surfing sessions, including accessing webmail accounts (e.g., Gmail, Hotmail, etc.) and chats, are usually found in temporary Internet files or unallocated clusters. Certain system files log information pertaining to external devices, accessed files, executable software, deleted files, etc.
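To make the allocated/unallocated distinction concrete, here is an added illustration (not code from the original post) of a toy disk with a cluster allocation table: "deleting" a file only clears its allocation entries, so an eDiscovery collection of active files no longer lists it, while a forensic scan of the unallocated clusters can still carve the remnant, and a later write that reuses one cluster leaves only a partial remnant. All file names and contents are constructed sample data.

```python
# Added illustration (not the post's own code): a toy disk with a cluster
# allocation table; eDiscovery sees allocated clusters, forensics scans them all.
CLUSTER_SIZE, NUM_CLUSTERS = 32, 16

class ToyDisk:
    def __init__(self):
        self.data = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)  # constructed "drive"
        self.owner = [None] * NUM_CLUSTERS   # None = unallocated cluster
        self.files = {}                      # name -> (clusters, length)

    def write(self, name, content):
        free = [c for c in range(NUM_CLUSTERS) if self.owner[c] is None]
        chosen = free[:-(-len(content) // CLUSTER_SIZE)]   # ceil(len / size)
        for n, c in enumerate(chosen):
            chunk = content[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
            self.owner[c] = name
        self.files[name] = (chosen, len(content))

    def delete(self, name):
        # Ordinary deletion clears the allocation entries only; the bytes remain.
        for c in self.files.pop(name)[0]:
            self.owner[c] = None

    def cluster(self, c):
        return bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])

    def unallocated(self):   # everything eDiscovery never looks at
        return b"".join(self.cluster(c) for c in range(NUM_CLUSTERS)
                        if self.owner[c] is None)

    def carve(self, header, footer):   # forensic header/footer carving
        blob, hits, pos = self.unallocated(), [], 0
        while (s := blob.find(header, pos)) != -1:
            e = blob.find(footer, s)
            if e == -1:
                break
            hits.append(blob[s:e + len(footer)])
            pos = e + len(footer)
        return hits

def demo():
    disk = ToyDisk()
    disk.write("memo.txt", b"quarterly memo")
    disk.write("deal.pdf", b"%PDF-1.4 secret pricing sheet for the Acme deal %%EOF")
    disk.delete("deal.pdf")                    # vanishes from the active file list
    recovered = disk.carve(b"%PDF", b"%%EOF")  # ... but is still fully carvable
    disk.write("notes.txt", b"lunch at noon")  # reuses one cluster, leaving a remnant
    return list(disk.files), recovered, disk.unallocated().count(b"Acme deal")
```

Real file systems fragment files across non-adjacent clusters, which this toy carver ignores by simply concatenating unallocated clusters in order.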

Certified Fraud Examiners readily recognize the critical value of digital evidence in a fraud examination. They also need to fully understand the differences between eDiscovery and digital forensics in order to be able to seek appropriate technical advice and consulting services.