Tag Archives: computer forensics

From Inside the Building

By Rumbi Petrozzello, CFE, CPA/CFF
2017 Vice-President – Central Virginia Chapter ACFE

Several months ago, I attended an ACFE session where one of the speakers had worked on the investigation of Edward Snowden. He shared that one of the ways Snowden had gained access to some of the National Security Agency (NSA) data that he downloaded was through the inadvertent assistance of his supervisor. According to this investigator, Snowden’s supervisor shared his password with Snowden, giving Snowden access to information that was beyond his subordinate’s level of authorization. In addition to this, when those security personnel reviewing downloads made by employees noticed that Snowden was downloading copious amounts of data, they approached Snowden’s supervisor to question why this might be the case. The supervisor, while acknowledging this to be true, stated that Snowden wasn’t really doing anything untoward.

At another ACFE session, a speaker shared information with us about how Chelsea Manning was able to download and remove data from a secure government facility. Manning would come to work, wearing headphones, listening to music on a Discman. Security would hear the music blasting and scan the CDs. Day after day, it was the same scenario. Manning showed up to work, music blaring. Security staff grew so accustomed to Manning, the Discman and her CDs that when she came to work through security with a blank CD boldly labelled “LADY GAGA”, security didn’t blink. They should have, because it was that CD and ones like it that she later carried home from work that contained the data she eventually shared with WikiLeaks.

Both these high-profile disasters are notable examples of the bad outcome arising from a realized internal threat. Both Snowden and Manning worked for organizations that had, and have, more rigorous security procedures and policies in place than most entities. Yet neither Snowden nor Manning needed to perform any magic tricks to sneak data out of the secure sites where the target data was held; it seems that all it took was audacity on the one side and trust and complacency on the other.

When organizations deal with outside parties, such as vendors and customers, they tend to spend a lot of time setting up the structures and systems that will guide how the organization will interact with those vendors and customers. Generally, companies will take these systems of control seriously, if only because of the problems they will have to deal with during annual external audits if they don’t. The typical new employee will spend a lot of time learning what the steps are from the point when a customer places an order through to the point the customer’s payment is received. There will be countless training manuals to which to refer and many a reminder from co-workers who may be negatively impacted if the rookie screws up.

However, this scenario tends not to hold up when it comes to how employees typically share information and interact with each other. This is true despite the elevated risk that a rogue insider represents. Often, when we think about an insider causing harm to a company through fraudulent acts, we tend to imagine a villain, someone we could identify easily because s/he is obviously a terrible person. After all, only a terrible person could defraud their employer. In fact, as the ACFE tells us, the most successful fraudsters are the ones who gain our trust and who, therefore, don’t really have to do too much for us to hand over the keys to the kingdom. As CFEs and Forensic Accountants, we need to help those we work with understand the risks that an insider threat can represent and how to mitigate that risk. It’s important, in advising our clients, to guide them toward the creation of preventative systems of policy and procedure that they sometimes tend to view as too onerous for their employees. Excuses I often hear run along the lines of:

• “Our employees are like family here, we don’t need to have all these rules and regulations”

• “I keep a close eye on things, so I don’t have to worry about all that”

• “My staff knows what they are supposed to do; don’t worry about it.”

Now, if people can easily walk sensitive information out of locations that have documented systems and are known to be high security operations, can you imagine what they can do at your client organizations? Especially if the employer is assuming that their employees magically know what they are supposed to do? This is the point that we should be driving home with our clients. We should look to address the fact that both trust and complacency in organizations can be problems as well as assets. It’s great to be able to trust employees, but we should also talk to our clients about the fraud triangle and how one aspect of it, pressure, can happen to any staff member, even the most trusted. With that in mind, it’s important to institute controls so that, should pressure arise with an employee, there will be little opportunity open to that employee to act. Both Manning and Snowden have publicly spoken about the pressures they felt that led them to act in the way they did. The reason we even know about them today is that they had the opportunity to act on those pressures. I’ve spent time consulting with large organizations, often for months at a time. During those times, I got to chat with many members of staff, including security. On a couple of occasions, I forgot and left my building pass at home. Even though I was on a first name basis with the security staff and had spent time chatting with them about our personal lives, they still asked me for identification and looked me up in the system. I’m sure they thought I was a nice and trustworthy enough person, but they knew to follow procedures and always checked on whether I was still authorized to access the building. The important point is that they, despite knowing me, knew to check and followed through.

Examples of controls employees should be reminded to follow are:

• Don’t share your password with a fellow employee. If that employee cannot access certain information with their own password, either they are not authorized to access that information or they should speak with an administrator to gain the desired access. Sharing a password seems like a quick and easy solution when under time pressures at work, but remind employees that when they share their login information, anything that goes awry will be attributed to them.

• Always follow procedures. Someone looking for an opportunity only needs one.

• When something looks amiss, thoroughly investigate it. Even if someone tells you that all is well, verify that this is indeed the case.

• Explain to staff and management why a specific control is in place and why it’s important. If they understand why they are doing something, they are more likely to see the control as useful and to apply it.

• Schedule training on a regular basis to remind staff of the controls in place and the systems they are to follow. You may believe that staff knows what they are supposed to do, but reminding them reduces the risk of them relying on hearsay and secondhand information. Management is often surprised by the gap between what they think staff knows and what staff really knows.
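Two of the warning signs in the Snowden account above, a password used from two workstations at once and a download volume far above an employee’s own normal pattern, are the kind of thing a small client can check from its own access logs. The script below is an added example, not part of the original article; the log format, user names, workstation names and byte counts are constructed for illustration, and a client’s real logs would need their own parser.

```python
"""Two insider-threat checks run over constructed access-log lines.

Added example, not from the ACFE article; the log format below is invented.
Check 1: one account logged in on two different workstations at the same time
         (a common footprint of a shared password).
Check 2: a day on which an account downloaded far more than its own typical day.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). One event per line.
SAMPLE_LOG = """\
2017-03-01T08:02:10 LOGIN user=jsmith host=WS-114
2017-03-01T08:05:31 DOWNLOAD user=jsmith bytes=1200000
2017-03-01T09:10:00 LOGIN user=jsmith host=WS-207
2017-03-01T09:12:45 DOWNLOAD user=jsmith bytes=950000
2017-03-01T17:01:00 LOGOUT user=jsmith host=WS-114
2017-03-01T17:30:00 LOGOUT user=jsmith host=WS-207
2017-03-02T08:00:00 LOGIN user=jsmith host=WS-114
2017-03-02T10:00:00 DOWNLOAD user=jsmith bytes=500000
2017-03-02T17:00:00 LOGOUT user=jsmith host=WS-114
2017-03-03T08:00:00 LOGIN user=jsmith host=WS-114
2017-03-03T10:00:00 DOWNLOAD user=jsmith bytes=400000
2017-03-03T17:00:00 LOGOUT user=jsmith host=WS-114
2017-03-04T08:00:00 LOGIN user=jsmith host=WS-114
2017-03-04T11:00:00 DOWNLOAD user=jsmith bytes=40000000
2017-03-04T17:00:00 LOGOUT user=jsmith host=WS-114
2017-03-01T08:00:00 LOGIN user=mjones host=WS-301
2017-03-01T08:20:00 DOWNLOAD user=mjones bytes=800000
2017-03-01T17:00:00 LOGOUT user=mjones host=WS-301
2017-03-02T08:00:00 LOGIN user=mjones host=WS-301
2017-03-02T08:20:00 DOWNLOAD user=mjones bytes=700000
2017-03-02T17:00:00 LOGOUT user=mjones host=WS-301
2017-03-03T08:00:00 LOGIN user=mjones host=WS-301
2017-03-03T08:20:00 DOWNLOAD user=mjones bytes=900000
2017-03-03T17:00:00 LOGOUT user=mjones host=WS-301
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT|DOWNLOAD) user=(?P<user>\S+)"
    r"(?: host=(?P<host>\S+))?(?: bytes=(?P<bytes>\d+))?$"
)


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["bytes"] = int(e["bytes"]) if e["bytes"] else 0
        events.append(e)
    return events


def concurrent_sessions(events):
    """Return (user, host_a, host_b) for each pair of overlapping sessions on different hosts."""
    if not events:
        return []
    open_sessions = defaultdict(dict)   # user -> {host: login time}
    sessions = defaultdict(list)        # user -> [(host, start, end)]
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "LOGIN":
            open_sessions[e["user"]][e["host"]] = e["ts"]
        elif e["event"] == "LOGOUT":
            start = open_sessions[e["user"]].pop(e["host"], None)
            if start is not None:
                sessions[e["user"]].append((e["host"], start, e["ts"]))
    # A session with no LOGOUT is treated as still open at the last event seen.
    last = max(e["ts"] for e in events)
    for user, hosts in open_sessions.items():
        for host, start in hosts.items():
            sessions[user].append((host, start, last))
    findings = []
    for user, sess in sessions.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                (h1, s1, e1), (h2, s2, e2) = sess[i], sess[j]
                if h1 != h2 and s1 < e2 and s2 < e1:   # intervals overlap
                    findings.append((user, h1, h2))
    return findings


def unusual_download_days(events, factor=5.0):
    """Return (user, day, bytes) for days exceeding `factor` times the user's median daily volume."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> date -> bytes
    for e in events:
        if e["event"] == "DOWNLOAD":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
    findings = []
    for user, days in daily.items():
        if len(days) < 3:
            continue   # too little history to call anything unusual
        baseline = statistics.median(days.values())
        for day, total in sorted(days.items()):
            if baseline > 0 and total > factor * baseline:
                findings.append((user, day.isoformat(), total))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared-credential candidates:", concurrent_sessions(evs))
    print("unusual download days:", unusual_download_days(evs))
```

Both checks are deliberately conservative: the session check only fires when two different workstations are in use at the same moment, and the volume check compares each employee against their own history rather than against a company-wide number, so a role that legitimately moves a lot of data is not flagged every day. What the check produces is a question for a supervisor to answer with evidence, which is exactly the step that was skipped in the account above.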

It should be clear to your clients that they have control over who has access to sensitive information and when and how it leaves their control. It doesn’t take much for an insider to gain access to this information. A face you see smiling at you daily is the face of a person you can grow comfortable with and with whom you can drop your guard. However, if you already have an adequate system and effective controls in place, you take the personal out of the equation and everyone understands that we are all just doing our job.

Sock Puppets

The issue of falsely claimed identity in all its myriad forms has shadowed the Internet since the beginning of the medium.  Anyone who has used an on-line dating or auction site is all too familiar with the problem; anyone can claim to be anyone.  Likewise, confidence games, on or off-line, involve a range of fraudulent conduct committed by professional con artists against unsuspecting victims. The victims can be organizations, but more commonly are individuals. Con artists have classically acted alone, but now, especially on the Internet, they usually group together in criminal organizations for increasingly complex criminal endeavors. Con artists are skilled marketers who can develop effective marketing strategies, which include a target audience and an appropriate marketing plan: crafting promotions, product, price, and place to lure their victims. Victimization is achieved when this marketing strategy is successful. And falsely claimed identities are always an integral component of such schemes, especially those carried out on-line.

Such marketing strategies generally involve a specific target market, which is usually made up of affinity groups consisting of individuals grouped around an objective, bond, or association like Facebook or LinkedIn Group users. Affinity groups may, therefore, include those associated through age, gender, religion, social status, geographic location, business or industry, hobbies or activities, or professional status. Perpetrators gain their victims’ trust by affiliating themselves with these groups.  Historically, various mediums of communication have been initially used to lure the victim. In most cases, today’s fraudulent schemes begin with an offer or invitation to connect through the Internet or social network, but the invitation can come by mail, telephone, newspapers and magazines, television, radio, or door-to-door channels.

Once the mark receives and accepts the offer to connect, some sort of response or acceptance is requested. The response will typically include (in the case of Facebook or LinkedIn) clicking on a link included in a fraudulent follow-up post to visit a specified web site or to call a toll-free number.

According to one of Facebook’s own annual reports, up to 11.2 percent of its accounts are fake. Considering the world’s largest social media company has 1.3 billion users, that means up to 140 million Facebook accounts are fraudulent; these users simply don’t exist. With 140 million inhabitants, the fake population of Facebook would be the tenth-largest country in the world. Just as Nielsen ratings on television sets determine different advertising rates for one television program versus another, on-line ad sales are determined by how many eyeballs a Web site or social media service can command.

Let’s say a shyster wants 3,000 followers on Twitter to boost the credibility of her scheme? They can be hers for $5. Let’s say she wants 10,000 satisfied customers on Facebook for the same reason? No problem, she can buy them on several websites for around $1,500. A million new friends on Instagram can be had for only $3,700. Whether the con artist wants favorites, likes, retweets, up votes, or page views, all are for sale on Web sites like Swenzy, Fiverr, and Craigslist. These fraudulent social media accounts can then be freely used to falsely endorse a product, service, or company, all for just a small fee. Most of the work of fake account set-up is carried out in the developing world, in places such as India and Bangladesh, where actual humans may control the accounts. In other locales, such as Russia, Ukraine, and Romania, the entire process has been scripted by computer bots, programs that will carry out pre-encoded automated instructions, such as “click the Like button,” repeatedly, each time using a different fake persona.

Just as horror movie shape-shifters can physically transform themselves from one being into another, these modern screen shifters have their own magical powers, and organizations of men are eager to employ them, studying their techniques and deploying them against easy marks for massive profit. In fact, many of these clicks are done for the purposes of “click fraud.” Businesses pay companies such as Facebook and Google every time a potential customer clicks on one of the ubiquitous banner ads or links online, but organized crime groups have figured out how to game the system to drive profits their way via so-called ad networks, which capitalize on all those extra clicks.

Painfully aware of this, social media companies have attempted to cut back on the number of fake profiles. As a result, thousands and thousands of identities have disappeared overnight among the followers of many well-known celebrities and popular websites. If Facebook has 140 million fake profiles, there is no way they could have been created manually one by one. The process of creation is called sock puppetry and is a reference to the children’s toy puppet created when a hand is inserted into a sock to bring the sock to life. In the online world, organized crime groups create sock puppets by combining computer scripting, web automation, and social networks to create legions of online personas. This can be done easily and cheaply enough to allow those with deceptive intentions to create hundreds of thousands of fake online citizens. One only needs to consult a readily available on-line directory of the most common names in any country or region. Have a scripted bot merely pick a first name and a last name, then choose a date of birth and let the bot sign up for a free e-mail account. Next, scrape on-line photo sites such as Picasa, Instagram, Facebook, Google, and Flickr to choose an age-appropriate image to represent your new sock puppet.

Armed with an e-mail address, name, date of birth, and photograph, you sign up your fake persona for an account on Facebook, LinkedIn, Twitter, or Instagram. As a last step, you teach your puppets how to talk by scripting them to reach out and send friend requests, repost other people’s tweets, and randomly like things they see online. Your bots can even communicate and cross-post with one another. Before the fraudster knows it, s/he has thousands of sock puppets at his or her disposal for use as s/he sees fit. It is these armies of sock puppets that criminals use as key constituents in their phishing attacks, to fake on-line reviews, to trick users into downloading spyware, and to commit a wide variety of financial frauds, all based on misplaced and falsely claimed identity.

The fraudster’s environment has changed and is changing over time, from a face-to-face physical encounter to an anonymous on-line encounter in the comfort of the victim’s own home. While some consumers are unaware that a weapon is virtually right in front of them, others are victims who struggle with the balance of the many wonderful benefits offered by advanced technology and the painful effects of its consequences. The goal of law enforcement has not changed over the years; to block the roads and close the loopholes of perpetrators even as perpetrators continue to strive to find yet another avenue to commit fraud in an environment in which they can thrive. Today, the challenge for CFEs, law enforcement and government officials is to stay on the cutting edge of technology, which requires access to constantly updated resources and communication between organizations; the ability to gather information; and the capacity to identify and analyze trends, institute effective policies, and detect and deter fraud through restitution and prevention measures.

Now is the time for CFEs and other assurance professionals to continuously reevaluate all we take for granted in the modern technical world and to increasingly question our ever-growing dependence on the whole range of ubiquitous machines whose potential to facilitate fraud so few of our clients and the general public understand.

Small Scale Electronic Crime Scenes

Most frauds aren’t Enron. As the ACFE tells us, most frauds encountered by practicing CFEs are what I like to call “small crime-scene frauds” perpetrated by long-time employees like Mary, who works in a back office keeping the books, knows everything about the company, and has been quietly embezzling lesser amounts of company funds without detection for the last fifteen years. In today’s environment, Mary will be doing her work on a desktop computer, probably connected to a small network with internet access. Mary’s workstation and the simple network supporting it constitute an electronic crime scene to be investigated as thoroughly and with as much attention to detail as possible, accompanied by a full set of investigative documentation, if there is ever to be any hope of obtaining a conviction (should Mary’s employer, your client, finally decide to go that way).

It goes without saying that the investigator or team of investigators at any crime scene, large or small, has the primary responsibility of protecting all the computer and related electronic evidence that might be useful in a future civil or criminal action. Evidence is where the CFE or other investigators find it. While crime scene evidence from personal and property crimes might be in plain view, computer and electronic evidence is subtler and might not be as evident or obvious at the scene. In general, first responders at any scene can destroy critical latent evidence if they lack training in the proper identification, collection, and packaging procedures for the type of investigation. This is why both corporate security departments and law enforcement agencies routinely involved in such investigations specially train their personnel in computer and electronic investigative techniques. Much of the potential evidence at a small-scale scene might be circumstantial, but it could possibly be used to support the primary physical and direct evidence that a detailed investigation will later develop. A list of inappropriate purchases and related amounts found on Mary’s workstation at the crime scene could be persuasive to a jury if properly obtained.

Thus, education and preparation are major components of any successful crime scene search for electronic evidence. However, our corporate clients need to be made aware of what all law enforcement agencies know, that in-house or external security personnel, whose background might sometimes even include the performance of criminal crime scene searches, are usually not qualified for large or small-scale computer crime scene searches.

The basic steps involved in a small-scale computer site investigation include the following:

–Secure and protect the scene;
–Initiate a preliminary survey;
–Evaluate physical evidence possibilities;
–Prepare a narrative description;
–Take photographs of the scene;
–Prepare a diagram/sketch of the scene;
–Conduct a detailed search and record and collect physical evidence;
–Conduct a final survey;
–Release the crime scene.

Although a number of these steps also apply to crime scene searches for crimes involving misdemeanors and felonies, the orientation of their performance in the investigation of an electronic crime scene is more technical in nature. When a computer or some electronic device is suspected of having been used as a tool in the perpetration of a crime, normal evidence gathering techniques for computer forensics processing should always be followed. It does not matter whether the crime scene is also suspected of having been additionally involved in a separate fraud issue, a civil, or a criminal investigation; if a computer or other electronic device is involved, the steps will be the same in all cases.

It is also essential that the organization’s computer personnel be excluded from the crime scene. Most computer specialists are not familiar with computer forensics techniques and individuals among them could have been involved in the crime, wittingly or unwittingly. Additionally, security must be provided for the area while the investigation is proceeding. Any employees or visitors who subsequently enter the scene need to be identified.  Try to identify in writing anyone who has routine access to the site or anyone who might have a reason to be involved with the scene generally. Do not rely on your memory alone, as it will not sufficiently support you in a court of law.

Computer and electronic evidence usually takes on the same general forms with which we’re all familiar: computer hardware, peripherals, cell phones, hand-held devices, various storage media, digital cameras, and the list goes on. The investigator will have a general knowledge of the types of evidence that can be collected from each of these devices; however, s/he must be prepared for new devices showing up at any crime scene at any time. A cautious walkthrough is a good first step to get a feel for the complexity of the site. In addition to a workstation, several additional workstations or areas might become part of the investigation. Keep in mind that, due to the networking configurations of even today’s smallest systems, remote sites may well be involved in the investigation.

The investigator(s) should strive to maintain a continuing level of control of the situation and of the physical site during the investigation.  An inventory log and chain-of-custody form should be completed and photographs made of all relevant devices and related electronic evidence. Specific activities that might be included in this phase of the investigation include:

–Determine all the locations that might need to be searched;
–Identify any specific issues that need to be addressed relating to particular pieces of hardware and software;
–Identify any personnel and equipment needed for the investigation but not yet on-site;
–Determine which devices can be physically removed from the site;
–Identify all individuals who have had access to the computer or electronic resources material to the investigation.

The evaluation of physical evidence is a continuation of the preliminary survey and may not be perceived as a separate step. After the site is thoroughly photographed, a more detailed search can begin. Before any devices are handled, remember that fingerprints on those devices might become evidence in establishing who used them. The smallest, most insignificant-appearing piece of evidence might clinch a case. Any network capability and connections to the computer site must be identified. Networking can broaden any investigation considerably. If there is an internet connection, it can become a worldwide investigation involving various internet service providers and the possibility of subpoenas. Cell-phone evidence may involve various telephone network carriers and additional subpoenas. Prioritize the evidence collection process to prevent loss, destruction, or modification. Focus first on items easily identifiable and accessible and proceed to identified out-of-sight evidence. Look for the obvious first; the suspect might have been sloppy.

A journal or narrative must be prepared concerning the investigation and the crime scene search. Anything and everything is important when conducting the scene investigation. Remember that the defense attorney is going to query any witnesses on the most obscure item possible. A technique suggested by the ACFE is to represent crime scenes in a “general to specific” scheme. Describe the site in broad terms and then get very specific with details. A sound idea is to cross-reference a chronological journal with the photographic evidence and a chain-of-custody form. The narrative effort should not degenerate into a sporadic and unorganized attempt to recover physical evidence. Under most circumstances, evidence should not be collected while developing the narrative. The narrative process can be accomplished by using audio, video, or text. Remember the axiom “haste makes waste.”

Developing a photographic profile of the crime scene is a requirement for any computer forensic investigation no matter how small. Photographs should be taken as soon as the incident scene is secured and before any computers or electronic devices are moved. Photographs should be taken from all angles of the physical site. Close-ups of cable connections for all devices should be included. Note these cables will need to be separately tagged in another step. Any video screens displayed would be photographed. The photographic effort needs to be recorded in a photographic log.  Photographs should be taken as soon as possible to depict the scene as it is observed before anything is handled, moved, or introduced to the scene. Photographs allow a visual permanent record of the crime scene and items of evidence collected from the crime scene.

A diagram or sketch establishes a permanent record of items, conditions, and distance/size relationships. They also supplement the photographic record. Usually a rough sketch is drawn at the crime scene and is used as a model for a complete, formal document that would be completed later. The sketch can be coordinated with any logs or journals via a numbering scheme. Sketches are used along with the reports and photographs to document the scene. A crime scene sketch is simply a drawing that accurately shows the appearance of a crime scene.

The CFE will usually have a general idea from discussions with the client as to the types of evidence that s/he will find at the incident scene. A checklist can be developed that will identify most types of computer and electronic evidence that might be at a small-scale crime scene. The major difference between investigations will probably be the size of the computer system and the amount of disk storage that will need to be secured or imaged. Seizure of electronic devices, such as cell phones and iPads, should not pose any special problems due to their small size. It might be necessary to determine the amount of disk storage that needs to be copied or imaged for later forensic analysis. On large databases or for data in the cloud it will be next to impossible to copy or image the entire storage device. In these cases, a forensic examination might have to occur partly at the crime scene and partly off-site once the required permissions for data access are received from the data owners of record.

Conflicts in documentation can cause considerable grief in a court of law. Also, if a computer system is to be reconstructed later, cable connections and maps must be precise. There are four basic premises to the search, recording, and collection phase of a small-scale investigation. These premises are as follows:

–The best search options are typically the most difficult and time consuming;
–The physical evidence cannot be over-documented;
–There is generally only one best chance to properly perform the investigative task;
–Cautious searching of visible areas and identification and searching of relevant off-site areas is crucial.

After the investigative team has completed all tasks relating to the search, recording, and collection phases at the small-scale crime scene, a critical review should be conducted to ensure that nothing has been missed. This is the last chance to cover all the bases and ensure nothing has been overlooked. The investigators must ensure that they have gone far enough in the search for evidence, documented all essential things, and made no assumptions that may prove to be incorrect later. The final survey should:

–Double-check documentation to detect inadvertent errors;
–Check to ensure all evidence is accounted for before leaving the crime scene;
–Ensure all forensic hardware and software used in the search is gathered;
–Ensure possible hiding places of evidence and difficult areas for access have not been overlooked.

An incident scene debriefing is the best opportunity for personnel and participants to ensure the investigation is complete.

The last step in the evidence investigation phase for a small-scale crime scene featuring electronic evidence is to release the incident scene back to its owners. The release is accomplished only after completion of the final survey. The individual investigator or team should provide an inventory of the items seized to the client owner/manager of the scene. A receipt for electronic evidence must be completed for any devices seized. A formal document should be provided that specifies the time and date of the release, to whom released, and by whom released.
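The procedure above keeps coming back to the same paper trail: an inventory numbered to match the sketch and the photographic log, a chain-of-custody form that is continuous from the scene to the examiner, and a receipt at release. The script below is an added example, not part of the article, of how that trail can be kept in a form that will hold up when the defense asks about a single item. The case number, names, item descriptions and the “disk image” bytes are all constructed for illustration; the hashing of the acquired image and the continuity check on the custody chain are the parts worth copying.

```python
"""Evidence inventory, chain of custody and release receipt for a small-scale scene.

Added example, not from the ACFE article. All names, the case number and the
image bytes are constructed. Timestamps are ISO-8601 strings so they compare
chronologically as text.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class EvidenceItem:
    item_id: str              # "E-001": the number written on the sketch and in the photo log
    description: str
    location: str             # where the item sat, in the sketch's own terms
    photo_refs: list          # photo-log frame numbers showing the item before it was moved
    sha256: str = ""          # hash of the forensic image, set when the item is imaged
    custody: list = field(default_factory=list)   # (when, from_person, to_person, reason)


class EvidenceLog:
    def __init__(self, case_id):
        self.case_id = case_id
        self.items = {}

    def add_item(self, description, location, photo_refs):
        """Assign the next sequential item number; the same number goes on the sketch."""
        item_id = f"E-{len(self.items) + 1:03d}"
        self.items[item_id] = EvidenceItem(item_id, description, location, list(photo_refs))
        return item_id

    def record_image(self, item_id, image_bytes, collector, when):
        """Hash the acquired image and open the custody chain with the collector."""
        digest = hashlib.sha256(image_bytes).hexdigest()
        item = self.items[item_id]
        item.sha256 = digest
        item.custody.append((when, "scene", collector, "collected and imaged"))
        return digest

    def transfer(self, item_id, when, from_person, to_person, reason):
        self.items[item_id].custody.append((when, from_person, to_person, reason))

    def verify_image(self, item_id, image_bytes):
        """Re-hash a working copy; a change to a single byte makes this False."""
        return hashlib.sha256(image_bytes).hexdigest() == self.items[item_id].sha256

    def custody_gaps(self, item_id):
        """A chain is continuous when each handover's recipient is the next handover's giver
        and handovers are in time order. Anything else is a gap the defense will find."""
        chain = self.items[item_id].custody
        gaps = []
        for prev, nxt in zip(chain, chain[1:]):
            if prev[2] != nxt[1]:
                gaps.append(("holder mismatch", prev[2], nxt[1]))
            if nxt[0] < prev[0]:
                gaps.append(("out of order", prev[0], nxt[0]))
        return gaps

    def release_receipt(self, when, released_by, released_to):
        """Document handed over when the scene is released: what was seized, hashes, custody."""
        return {
            "case_id": self.case_id,
            "released_at": when,
            "released_by": released_by,
            "released_to": released_to,
            "items": [
                {"item_id": i.item_id, "description": i.description, "location": i.location,
                 "photo_refs": i.photo_refs, "sha256": i.sha256, "custody": list(i.custody)}
                for i in self.items.values()
            ],
        }


def build_sample_case():
    """Constructed case: a workstation with a clean chain and a USB stick with a broken one."""
    log = EvidenceLog("CASE-0000-CONSTRUCTED")
    image = b"CONSTRUCTED IMAGE BYTES, NOT A REAL DISK IMAGE\x00" * 64
    ws = log.add_item("Desktop workstation, back office", "desk, sketch position 3", [7, 8, 12])
    usb = log.add_item("USB flash drive, 16 GB", "top desk drawer, sketch position 4", [15])
    log.record_image(ws, image, "J. Doe, CFE", "2017-03-04T10:15:00")
    log.transfer(ws, "2017-03-04T10:40:00", "J. Doe, CFE", "evidence locker", "secured on site")
    log.transfer(ws, "2017-03-04T14:00:00", "evidence locker", "L. Lab, examiner", "analysis")
    log.record_image(usb, b"CONSTRUCTED USB IMAGE\x00" * 16, "J. Doe, CFE", "2017-03-04T10:30:00")
    log.transfer(usb, "2017-03-04T10:45:00", "J. Doe, CFE", "evidence locker", "secured on site")
    # The locker handed the drive to a courier, but nobody signed the locker-side entry:
    log.transfer(usb, "2017-03-04T15:00:00", "courier", "L. Lab, examiner", "analysis")
    return log, ws, usb, image


if __name__ == "__main__":
    log, ws, usb, image = build_sample_case()
    print("workstation image verifies:", log.verify_image(ws, image))
    print("USB custody gaps:", log.custody_gaps(usb))
    print(log.release_receipt("2017-03-04T16:00:00", "J. Doe, CFE", "M. Owner, client"))
```

The item number is the only thing that ties the inventory, the sketch and the photographic log together, so it is assigned once and never reused. The image hash is recorded at acquisition and checked again before analysis, which is what lets an examiner say under cross-examination that the copy examined is the copy seized. The gap check is the same review a defense attorney will do by hand on the custody form, run before the scene is released rather than after the form is in evidence.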

The Expert & the Internet

Part of the wrap-up process our Chapter performs following each of our two-day seminars is a review of attendee question topics. As nearly all of them do, our recent ‘Investigating on the Internet: Research Tools for Fraud Examiners’ seminar elicited a number of thoughtful questions, several from attendees whose practices include testimony as an expert witness and employment as legal consultants. From the tenor and content of the questions it appears that these CFEs were acting as experts and consultants in the legal process by assisting attorneys with the financial details of a suit, and testifying about these practices at trial. In such cases CFEs analyze documents and transactions, both internet-based and hard copy, showing how the fraud was accomplished and, when possible, who the most likely perpetrators were. The CFE acts as a guide and adviser for the attorney in assembling the case, and, sometimes, as a major participant as an expert witness in explaining the ways of fraud to a judge and jury.

Experts, in general, are brought in when required by law, as in malpractice suits where a member of a profession, say a physician, has to explain the infraction against professional by-laws or principles; where key points are deemed sufficiently technical or complex, like “cooking-the-books” schemes involving intricate accounting manipulations; or for assisting (some would say, for swaying) the jury in making its final decision.  Federal Rule of Evidence 702 tells us that an expert witness with appropriate knowledge and credentials may testify in any proceeding where scientific, technical, or specialized knowledge will shed light on the dispute.  Even in cases that don’t go to trial, experts may still be involved in mediation, arbitration, settlement conferences, or summary judgment motions. Experts contribute value to the trial process in a myriad of ways. They provide background information to guide and frame a case; during discovery they investigate, run tests, advise on depositions, prepare other witnesses, make exhibits, and respond to the opposition’s discovery requests; they file written opinions, which are entered as evidence into the court record; and they testify in actual proceedings should the case actually make it to a courtroom.

Once they accept a case, many experts immediately begin utilizing on and off-line tools to start the process of assembling a narrative version of the events. This detailed summary of the facts of the case serves as the raw material for rendering an official opinion. It’s important that the narrative text be written with care and professionalism. The text may (and probably will) have to be produced during discovery. Additionally, a well-written narrative helps the client attorney in preparing and executing the case at trial.  As our speaker, Liseli Pennings, pointed out, perhaps the thorniest challenge for CFEs, once they’re engaged to work on a case, is setting a value on business losses due to fraud. Even though financially related information available on the internet and elsewhere can be of great value in estimating the loss, there may be several methods appropriate for evaluating net worth/net loss appropriate to a given case, each rendering a different number at the end. And regardless of the numbers, there’s always the human element.

Article V. of the Association of Certified Fraud Examiners Code of Professional Ethics states:

A fraud examiner, in conducting examinations, will obtain evidence or other documentation to establish a reasonable basis for any opinion rendered.  No opinion shall be expressed regarding the guilt or innocence of any person or party.

The rule that prohibits opinions regarding the guilt or innocence of any person or party is a rule of prudence. Clearly, it’s prudent for a Certified Fraud Examiner to refrain from usurping the role of the jury. In a courtroom, no good attorney would ask a Certified Fraud Examiner for such a conclusion, and no alert judge would allow such testimony. The fraud examiner’s job is to present the evidence in his report. Such evidence might constitute a convincing case pointing to the guilt or innocence of a person. But a clear line should be drawn between a report that essentially says “Here is the evidence” and one that steps over the line and says “He is the guilty (innocent) person.”  Nevertheless, there is a fine line between recommending action – forwarding the evidence to a law enforcement agency or filing a complaint or lawsuit – and giving an opinion on guilt or innocence. Certified Fraud Examiners may make such recommendations because they think the evidence is strong enough to support a case. They might even have a conclusion about whether the suspect committed a crime. The rule does not prohibit the Certified Fraud Examiner, under the proper circumstances, from accusing the person under investigation. However, the ultimate decision of whether a person is “guilty” or “innocent” is for a jury to determine. The CFE is free to report the facts and the conclusions that can be drawn from those facts, but the decision as to whether or not a person is guilty of a crime is a decision for the judge or jury.

As Liseli pointed out, caution as to information reliability is the by-word for every use of internet-based information in general, and use by expert witnesses is no exception. According to discovery rules governing expert testimony, everything the expert says or writes about the case after being hired is subject to discovery by opposing counsel. That means everything: internet downloads, narrative versions of the case, comments to the press or law enforcement, hypothetical reconstructions, even notes can be demanded and used by the opposing party.  However, CFEs acting as expert witnesses need to be aware of the consulting expert exception.

Experts may consult on the attorney’s work product, i.e., materials the attorney prepares as background for a case. While performing background work, the expert is said to be working as an associate of the attorney, so the exchange is protected; they are two professionals conferring. However, once the expert is hired as a witness, and begins entering opinions as part of the attorney’s case, there is no privilege for any contribution the expert makes. The distinction is something like this: when acting as “witnesses,” experts are bringing official information to the court, and so must disclose any contact with the case; when experts act as “consultants” or “associates” for attorneys or law enforcement, they are only assisting the attorney, and do not have to disclose their involvement in the case.

There is one trap for the unwary. The rule is that if an expert will testify at trial, everything s/he does regarding the case must be turned over to the other side. If an expert works only as a consultant to the attorney, then her work product is not discoverable. However, if a testifying expert reviews the work of the consulting expert, then the work of the consulting expert becomes discoverable. Just remember this: if you are hired to testify at trial, anything you used to form your opinion will be subject to review by the opposing party. This includes information downloaded from the internet, notes from other experts, documents received from the plaintiff or defendant, and any documents or notes from the attorney. Be sure to consult with the attorney before you review anything. If the attorney has not given the document to you, then ask before you read. Otherwise, you may inadvertently destroy the confidentiality or privilege of the material.

The use of internet-based information resources introduces yet another layer of complexity to the employment of CFEs as expert witnesses and/or attorney consultants.  The information available is often vast, almost instantly available and constantly changing.  Practitioners and their client attorneys must decide on a case-by-case basis whether it’s best utilized in the role of a consultant or in that of an expert witness.

Investigating on the Internet

This May our Chapter, along with our partners the Virginia State Police and the national ACFE, will be hosting a two-day seminar – ‘Investigating on the Internet – Research Tools for Fraud Examiners’.  This in-depth session will be taught by Liseli Pennings, Deputy Training Director for the ACFE.  We’ll begin enrolling students in mid-March, so pencil in the dates, May 18th and 19th!

Fraud examiners now have the ability to gain insights from, and test correlations with, a vast array of investigation-relevant information on the Internet, which can be as diverse as suspect competitor information, regulatory filings, and conversations on social media.  Such analytics can provide CFE investigators with a variety of capabilities, from investigative planning and risk assessment to fieldwork. They also enable fraud examination practitioners to provide clients with more compelling information about every fraud experienced.

Internet based investigation tools can be classified into three broad categories:

–Retrospective statistical analysis, used to gain deeper insight into important sub-processes in financial and operational areas related to the investigation subject.

–Forward-looking models, built to predict which areas of the business are riskier or simply require a greater level of fraud prevention focus.

–Advanced visualization analytics, used to help transform the investigation by providing deep analytical insights and actionable information through visual tools like interactive charts and dynamic graphics.

In short, investigation on the internet has rapidly evolved from simply allowing CFEs the ability to provide perspective in hindsight to helping them assemble rich digital views of the present investigative situation. Investigative, internet-based analytics provide investigators with the potential to dramatically increase the value of the insights they can provide clients at every level of the examination, from evaluation of business risks to suspect analysis and on to prosecutorial issues and challenges.

The first step in deploying internet based investigative tools effectively is determining the exact fraud scenario that needs to be addressed – what are the features constituting the scenario under review? Once specific fraud features have been identified, on-line analytical capabilities can be used to source facts, drive understanding, and generate knowledge by addressing three general questions:

–What data can be leveraged to enhance understanding of the exact fraud scenario and improve the performance of its investigation? It’s important to understand the source of the on-line data available and the systems and processes that produce it. Effective data evaluation by the examiner supports the accuracy, completeness, and reliability of the data used in her investigation.

–What is known about the general type of business processes related to the fraud?

–Exactly what fraud scenario is suspected to have transpired and why? What steps should be taken by the client immediately?

Canny use of the internet by the trained investigator can play an important role in answering these questions with a view to optimizing immediate investigative performance. The knowledgeable examiner can frequently look at on-line data from within the organization and outside it, with a focus on patterns, data mining and optimization, data visualization, advanced algorithms, neural analysis, and social networks.

These data can provide powerful insight into every aspect of our cases under investigation. In addition to examination field-work, one of the most important uses of internet-based investigative tools is to enhance fraud risk management. Analytics available on-line from the ACFE and others help provide a clearer understanding of risks and furnish insights as to how they can be mitigated. Ultimately, the objective is to develop and implement an analytical capability that provides the individual CFE with greater insight into the control failures associated with each major category of fraud. A second important use for internet analytics is to develop a deeper understanding of common fraud-related issues. Once a potential issue has been identified, analytics can source the facts (e.g., what does the data tell us about the issue?), drive understanding of the facts (e.g., what has happened?), and generate knowledge (e.g., why did it happen?) to ultimately build a more complete presentation of fraud report findings. A third area for CFEs to consider is how to leverage the analytics performed for the fraud examination for use by the client throughout their organization. In this regard, the CFE’s report can become an important change agent, driving fraud prevention insights throughout the organization. Business managers and leaders of other organizational risk functions have a need to understand fraud risks and the correlations between data. In many cases, fraud investigative tools developed for use during a fraud examination can evolve into valuable fraud prevention tools, and ownership can be transferred to business or functional leaders for ongoing use.

Consider keeping the following in mind when using internet based investigative tools in your investigation:

–Establish a clear understanding of what you’re trying to achieve in your investigation and ensure a linkage to examination planning. This should translate into defined objectives that drive the strategy and long-term vision for the use of the tools as well as surface near-term opportunities.

–Know the data.  It’s important for examiners to understand both the data they have and the data they don’t have when determining how and where to begin using the internet as an investigative tool. This knowledge also prioritizes efforts to collect what’s missing for future analyses and for enhancements to the data driven investigative program.

–Start with a targeted, ad hoc program, which will likely yield greater benefits in terms of speeding insights, learning, and long-term value. Take the time to learn first and then deploy necessary capabilities across your tool kit.

–Leverage existing cumulative insights. These ever-building insights may provide clues about the risks and related fraud scenarios to start with, jump-starting the investigative program and building consistency with prior initiatives.

–Take steps to develop a written plan early on in every examination to take action and measure results accurately. Don’t forget that the client organization, systems, and processes that support fraud response and control remediation must be able to take action working with the insights that your final report provides.

Fraud examiners stand at the beginning of a new era in the use of internet based data to enhance the entire fraud examination life cycle. Taking the steps outlined above can help individual practitioners realize gains in effectiveness and efficiency while providing enhanced investigative services.

Please make plans to join your fellow RVACFE Chapter members and guests for an outstanding learning experience on May 18th and 19th.  You won’t be disappointed!

Making Sure It Sticks

Download our Chapter’s Free App – RVACFES – on Google Play!

As a follow-on to our last blog post (see To Have and to Hold immediately above), I thought I’d talk a little about the documents our investigating CFE was able to find.

These case documents proved critical to the examination and were found in both paper and digital form.   Of the two types of evidence, the digital documents proved the most voluminous and the trickiest from an investigative point of view.  Suspected frauds, such as the one our CFE reader was investigating, leave behind data on computer systems, all kinds of data. Despite the ubiquity of this digital evidence, though, it’s often overlooked, collected incorrectly, or analyzed ineffectively. The rub is that, if relevant evidence isn’t gathered at the very beginning of an investigation, it may be too late to do so later in the process. Therefore, ideally, a CFE’s client organization’s management should consider the importance of digital evidence from the outset of its operations and be prepared to gather it for a wide range of financial fraud related scenarios; indeed, most of the larger, more sophisticated companies, finding themselves routinely under cyber-attack, already do so.

It’s been my experience that many organizations underestimate just how often they may need to produce reliable evidence of what has happened in their information systems.  And, importantly, from the individual CFE’s point of view, they also may underestimate the demands that the legal system makes in terms of ensuring the admissibility and reliability of digital evidence. Unless an organization has developed a detailed incident response plan, much potential evidence will never be collected or will become worthless as a result of contamination. As a preliminary to any investigation involving digital data, CFEs should assess whether the client organization has applied a consistent and effective approach to managing information security incidents, including staff and organizational responsibilities and procedures; not having done so can prove a significant legal problem for the client in court.  When a follow-up action against a person after an information security related fraud involves legal action, evidence should be collected, retained, and presented to conform to the rules for evidence promulgated by the relevant jurisdiction(s). The examination should also review whether documented procedures are developed and followed when collecting and presenting routine evidence for internal disciplinary actions.

Digital forensic readiness (DFR) focuses on proactively collecting and preserving potential digital evidence. This can limit business risk by providing support for all kinds of legal defense, civil litigation, criminal prosecution, internal disciplinary actions, intellectual property claims, and due care documentation.  It also can document the impact of a crime or disputed action for an insurance or damage claim. In addition, digital forensics can support the recovery process indirectly after an incident (something that proved very important for the client of our CFE in the ‘To Have and to Hold’ case).

When preparing data for use as evidence, all CFEs know that it’s often necessary to provide further supporting information. It’s important to show that audit trail information can demonstrate that the system used to preserve evidence is functioning appropriately. It’s also important to demonstrate how information progresses through it. Audit trails need to be comprehensive and overseen appropriately, because without them the integrity and authenticity – and thus the evidential weight – of the data stored in the system could be questioned in court.  In addition to the system’s effectiveness, CFEs need to be concerned with whether access to audit trail information was controlled adequately. In some applications, access may be needed infrequently, so it’s important that the access procedures be documented.

In most jurisdictions, the legal admissibility of digital evidence (or any evidence) in a court of law is governed by three fundamental principles: relevance, reliability, and sufficiency. Digital evidence is relevant when it can prove or disprove an element of the specific case being investigated. Although the meaning of reliable (i.e., authentic and accurate) varies among jurisdictions, a general principle is to ensure the digital evidence is what it purports to be and has not been spoiled. It is not always necessary to collect all data or to make a complete copy of the original evidence. In many jurisdictions, the concept of sufficiency means that enough evidence has been collected to prove or disprove the elements of the matter.

Information security is key when discussing legal admissibility.  Was the process for capturing electronic information secure? Was the correct information captured, and was it complete and accurate? During storage, was the information changed in any way? When responding to questions by opposing counsel about the authenticity of stored information, organizations must show whether the system was operated correctly at all times. To address this issue, CFEs should establish that all relevant procedures are well thought out, complete in scope, documented, and operated by competent individuals.

To reduce the risk of legal challenges, CFEs should consider offering evidence that the client organization has implemented security measures. Management should have reviewed information security systems at planned intervals to determine whether their control objectives, controls, processes, and procedures:

–Conform to the requirements of information security standards and relevant regulations;
–Conform to the identified IT security requirements;
–Are implemented and maintained effectively;
–Are performing as expected.

Determining which digital evidence the organization should be collecting and preserving is a two-step process. First, the crimes and disputes the organization is exposed to must be determined. Second, based on the identified exposure, the organization needs to identify potential evidence based on a risk analysis combined with a cost/benefit approach.

DFR is a natural progression for organizations with a mature information security posture, enabling them to pursue perpetrators in the legal domain when other security measures have failed. Among more security-aware CFE clients, it can enhance existing processes and leverage incident response, business continuity, and crime prevention activities. CFEs can provide assurance of their client organization’s forensic readiness based on the following criteria suggested by the ACFE:

–Whether the organization has identified the main likely threats it faces;
–Whether the organization has identified what sorts of evidence it is likely to need in a criminal proceeding and how it will secure that data;
–Whether the organization has identified the amount and quality of evidence it already has collected;
–Whether the organization is familiar with potential legal problems such as admissibility, data protection, human rights, limits to surveillance, obligations to staff members and others, and disclosure in legal proceedings;
–Whether the organization has identified the management, skill, and resource implications and developed an action plan.

CFEs, as part of the planning for a fraud or incident investigation, should ensure the completeness and integrity of digital evidence. Moreover, they should ensure that potentially useful evidence is never overlooked.  A functioning and documented DFR supports such assurance and helps make sure that assurance sticks.

To Have and To Hold

One of our CFE readers practicing abroad reports currently investigating the transactions of a key executive of a financial subsidiary of a large U.S.-based company and finding that many documents critical to his examination simply have not been retained anywhere on the firm’s server farm; a problem much more common in our present e-world than many of us would like to think!  The documents weren’t on the servers simply because the firm’s document retention policy (DRP) published to its employees isn’t comprehensive enough to require them to be.

When our CFE’s client firm policy was written, the primary electronic document type was in the form of e-mail files stored on company servers. But today, electronic records also include text messages, instant messages, voice mail, internet search histories, images on digital cameras, cell phones and tablets, and scores of differing file types stored on a myriad of personal devices and in the cloud.  In this environment, the importance of the DRP, as a living document, is right up there with other critical documentation like that concerning access control and physical security.  Each paper and electronic document type should be treated separately in the policy. Even in the case of e-mail – a technology that’s been ubiquitous for two decades – our Chapter members report finding retention practices are often spotty and messages sometimes difficult to search and retrieve. Rather than backing up all e-mails, for example, the policy might distinguish between an e-mail with an attached signed contract and an e-mail inviting staff to the office holiday party. In addition, e-mails often end up residing in numerous locations.  Because real-time monitoring of individuals’ personal computers would be impractical for any firm, a central electronic depository could be developed for contracts, tax returns, medical plans, pension statements, and other documents that have legal or regulatory holding limits. Also, all CFEs must be constantly alert to new communication means and be prepared to adopt investigative modifications to deal quickly with them.

We’re all familiar with the many problems involving legal discovery.  Such requests primarily deal with centrally located files, but certain types of lawsuits, such as hostile work environment or sexual harassment, can also require discovery of personal files. Because no client management staff is large enough to verify that all employees follow prescribed rules, companies must rely on regular training to inform employees and confirm their compliance with company retention policy. Companies can reinforce this training by taking appropriate disciplinary measures against anyone who violates the rules. This reinforcement, of course, is based on the assumption that the organization already has appropriate controls in place and an effective process to gather the necessary data to monitor employee compliance. In the present case, our CFE reports that none of these controls proved to be in place; their absence will likely result in any subsequent prosecution of the targeted fraudster being either extremely difficult or impracticable.

Also, instant messages, like those used by our CFE’s executive target, illustrate the hidden complexity of contemporary document retention. Dealing with e-mail is relatively straightforward compared with the issues surrounding instant messages. Instant messages provide a convenient way to transmit text, audio, and live streaming video, often outside the firewalls and other safeguards of a company’s main system, which creates greater technological and competitive risks. Of greater concern to CFEs should be the content of the messages. An instant message constitutes business correspondence; as such, the message is discoverable and must be included in any document retention plan. The organization should have an established plan for the recovery of the messages in their original form. The optimal time to formulate the plan is before legal action, not in the midst of it. Many organizations (again, like our CFE’s client) have document retention plans covering only paper-based correspondence or e-mail; management of the content of instant messages is not addressed.  In addition to instant messaging, individuals use text messaging, which takes place on personal devices like cell phones. If a company doesn’t have an instant messaging system (IMS), it should consider acquiring one. An IMS allows message backup and access in case of discovery. Storing the instant messages and allowing access to them after the fact can help mitigate organizational liability exposure and close fraud vulnerability and security holes in the system. At a minimum, this would demonstrate some due diligence to outside stakeholders. The issue boils down to having a clear policy, both in terms of digital media use and its retention. The retention policy would involve purging instant messages once they reach a given age. Use policies might include random monitoring – an important deterrent for abuse and a valuable means to gather sample data about use.

So CFEs need to be aware that policy creation for present-day business communication technology is obviously much more complex and necessary than the document retention policies of the past. Past policies usually governed only workplace documents, whereas policies today also must govern documents that are generated and consumed on mobile devices away from the workplace. The document retention policies should include retention limits for each type of format. Employees should be trained and reminded of the policy and their responsibility to follow it. Targeted management reviews based on fraud risk assessments could be valuable and would reinforce the importance of following the policy. In addition to training employees to regularly cull e-mail and instant messages sent and received, Internet browser options should be set so cookies and images are purged when the Internet session is over and histories are discarded daily.

Retention policies also should stress the appropriate and acceptable uses of company equipment. During company training, employees should learn that sharing inappropriate texts, audio, or video files is unacceptable, and they should clearly understand the consequences for not following company policy. Unfortunately, the delineation between work time and personal time is often blurred. With more employees being on call beyond the standard 40-hour work week, employers need to be sensitive to employees’ needs to perform personal tasks while at work using corporate equipment, or to perform work-related activities with personal devices.  Certain questions must be asked, however, such as: If an employee uses a personal device and maintains personal and business files separately, would the personal files be discoverable? Would discoverability depend on whether the device was personally or company owned? It could be assumed that if the employer owns the device, all records are discoverable. If the employee owns the device, privacy issues may come into play. Due diligence always demands that conservative guidelines be employed.

I recommended to our CFE reader that, in addition to consulting corporate attorneys and IT staff, he might consider providing management with recommendations about whether outside consultants are needed to help develop or modify a more up-to-date document retention policy. Also, because electronic data is often salvageable even after it’s been deleted, a computer forensic expert could provide valuable insights into both the development and implementation of a new policy. This expert would then have knowledge of the system and could provide assistance if the company is party to a lawsuit in the future. Contracting with a computer forensic expert on retainer allows the organization to receive regular feedback on changes in the state of the art in computing technology and best practices in the field. These experts are aware of the costs and burden of discovery under both poor and good retention policies, and they’re able to make recommendations that will save money should litigation arise.

Forensic Accounting in a Time of Terror

It seemed that, hardly had we bid the last family member goodbye and cleared away the Thanksgiving dishes, that we heard about yet another terror attack, this one domestic, in Colorado Springs.  It increasingly feels that the terrorists freely swim in the sea of the vulnerable rest of us.  As fraud examiners and forensic accountants confronted with the problem of assisting our clients and law enforcement in combating the illicit financing of this scourge, it seems to me we should have two basic objectives: follow the money and dry up the money.  I know I’m preaching to the choir, but law enforcement and government agencies in collaboration with forensic accountants and fraud examiners can play a key role in tracing the source of terrorist financing directly to those financial activities used to support terror attacks on both our national and global citizens. Using this information, law enforcement agencies can utilize existing investigative and predictive analytics tools to gather, dissect, and convey data in an effort to distinguish the types of distinctive patterns (just as we daily do with fraud scenarios) leading to future terrorist perpetrated events. Government agencies can employ database inquiries of the terrorist-related financial information that fraud examiners have helped to build to evaluate the future probability of terrorist financing and attacks. Forensic accountants can also review the data to identify the specific patterns related to previous transactions by utilizing those same data analysis tools, which can also be used to assist in tracking the sources of the funds.

Our pivotal role is being increasingly recognized on all sides by those actively engaged in this struggle. According to the ACFE, forensic accountants use a combination of “accounting knowledge with investigative skills in … litigation support and investigative accounting settings” (ACFE, 2015). Hence, it’s no news to readers of this blog that numerous organizations, agencies, and companies employ us forensic accountants to provide investigative services and fraud risk assessments. Among them are public accounting firms, law firms, law enforcement agencies, the Internal Revenue Service (IRS), the Central Intelligence Agency (CIA), and the Federal Bureau of Investigation (FBI).  The FBI is a case in point.  All the way back in 2009, the FBI officially created a forensic accounting position within the Bureau to complement its standard criminal investigations. Now the agency is actively utilizing forensic accountants to investigate domestic and foreign terrorists involved in financial wrongdoing. FBI forensic accountants use various investigative tools to track terrorist financing, i.e., government-wide databases and Financial Crimes Enforcement Network (FinCEN) data inquiries to trace the illicit funds and related transactions of suspected terrorists. The search for illicit funding sources commences after Government agencies share information regarding red flags of possible terrorist activities such as money laundering.

Obstructing terrorist financing requires that fraud examiners have an understanding of both the origin and the supply source of the illicit funds. As such financing is typically derived from a poisonous mix of both legal and illegal funding sources, terrorists may attempt to evade detection by funneling money through legitimate businesses, thus making the money difficult to trace. Charitable organizations and reputable companies provide a legitimate source through which terrorists may pass money for illicit activities without drawing the unwanted attention of law enforcement agencies. Patrons of legitimate charities and non-profit organizations are often unaware that their personal contributions may support terrorist activities. However, terrorists also obtain funds from obvious illegal sources, such as kidnapping, fraud, and drug trafficking.

Terrorists often change daily routines to evade law enforcement agencies as predictable patterns create trails that are easy for skilled investigators to follow. Audit trails can be traced from the donor source to the terrorist by forensic accountants and law enforcement agencies using specific indicators to assist the tracking. Audit trails reveal where the funds originate and whether the funds came from legal or illegal sources.

Take their use of money laundering and virtual currencies as an example.  Money laundering is a specific type of illegal funding which can provide the forensic accountant a clear audit trail.  Money laundering is the process of obtaining and funneling illicit funds in order to disguise the connection with the original unlawful activity. Terrorists launder money in order to spend the unlawfully obtained money without drawing attention to themselves and their activities. In order to remain undetected by regulatory authorities, the illicit funds being deposited or spent need to be “washed” to give the impression that the money came from a seemingly reputable source. There are particular types of unusual transactions that raise red flags associated with money laundering in financial institutions. The more times an unusual transaction occurs, the greater the probability it’s the product of an illicit activity.  Money laundering may be quite sophisticated depending on the strategies employed to avoid detection. Some identifiers indicating a possible money-laundering scheme are: lack of identification, money wired to new locations, a customer closing an account after wiring or transferring large amounts of money, out-of-the-ordinary business transactions, transactions involving the customer’s own business or occupation, and transactions falling just below the threshold that would require the financial institution to file a report.

Virtual currency, unlike traditional forms of money, does not leave a clear audit trail for forensic accountants to trace and investigate. The Government Accounting Office (GAO) has discussed the emerging trend of financial anonymity in Bitcoin and other virtual currencies and the need for regulators of traditional banking institutions to become more aware of suspicious activities involving virtual currency. According to the GAO, because they operate over the Internet, virtual currencies can be used globally to make payments and fund transfers across borders. The obscurity of Bitcoin transactions allows international funding sources to conduct exchanges without leaving a trace of evidence. This commingling effect is similar to money laundering but without the regulatory oversight. Government and law enforcement agencies must be able to share information with public regulators when they become suspicious of terrorist financing.

The traditional types of data analysis tools, so familiar to the readers of this blog, which can be effectively used by forensic accountants to investigate these types of terrorist financing include: Benford’s Law, Accounting Command Language (ACL) software, Interactive Data Extraction and Analysis (IDEA) software, data mining software, and financial statement analysis ratios.
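The first tool named above, Benford’s Law, carried through as an added example (not code from the original post): a first-digit test with a chi-square goodness-of-fit statistic, run on a constructed set of amounts that follow Benford’s distribution by design, and then on the same set with a block of constructed near-threshold deposits mixed in. The chi-square critical value used (15.507 for 8 degrees of freedom at the 5% level) is a standard table value; the sample amounts and the assumed threshold are constructed for the example.

```python
"""Benford's Law first-digit test (added example, not the article's code).

The sample amounts are constructed: one set follows Benford's distribution by
design, the other has a block of near-threshold deposits mixed in.
"""
import math
from collections import Counter

# Expected share of each leading digit under Benford's Law: log10(1 + 1/d).
BENFORD_FIRST_DIGIT = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value, 8 degrees of freedom, alpha = 0.05 (standard table value).
CHI2_CRITICAL_8DF_05 = 15.507


def first_digit(amount):
    """Leading non-zero digit of an amount, or None for a zero amount."""
    if amount == 0:
        return None
    # Scientific notation puts the leading digit first whatever the scale.
    return int(f"{abs(amount):e}"[0])


def first_digit_test(amounts):
    """Compare observed leading digits with the counts Benford's Law expects.

    Returns n, per-digit (digit, observed, expected) rows, the chi-square
    statistic and whether the data conform at the 5% level.
    """
    digits = [d for d in (first_digit(a) for a in amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    rows = []
    chi2 = 0.0
    for d in range(1, 10):
        observed = counts.get(d, 0)
        expected = BENFORD_FIRST_DIGIT[d] * n
        chi2 += (observed - expected) ** 2 / expected
        rows.append((d, observed, expected))
    return {"n": n, "rows": rows, "chi2": chi2, "conforms": chi2 < CHI2_CRITICAL_8DF_05}


def benford_like_amounts(decades=8, per_decade=200):
    """Constructed amounts that follow Benford's Law by design: a geometric
    sequence with `per_decade` terms per power of ten, spanning whole decades,
    has leading digits in Benford proportions."""
    return [100.0 * 10 ** (k / per_decade) for k in range(decades * per_decade)]


def near_threshold_amounts(count=300, threshold=10_000.0):
    """Constructed block of deposits sitting just under an assumed reporting
    threshold; every one of them has leading digit 9."""
    return [threshold - 1_000.0 + 3.0 * i for i in range(count)]


def report(result):
    """Plain-text summary of a first_digit_test result."""
    lines = [f"n = {result['n']}, chi-square = {result['chi2']:.2f}, "
             f"conforms = {result['conforms']}"]
    for d, observed, expected in result["rows"]:
        lines.append(f"  digit {d}: observed {observed:4d}  expected {expected:7.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    natural = benford_like_amounts()
    print(report(first_digit_test(natural)))
    print()
    print(report(first_digit_test(natural + near_threshold_amounts())))
```

The first run conforms with a chi-square well under 1; mixing 300 near-threshold amounts into 1,600 natural ones pushes the digit-9 count to several times its expectation and the statistic into the hundreds, which is how structuring shows up in a digit test even when each individual deposit looks unremarkable.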

Forensic accounting technology is most beneficial in terror-related investigations when used in conjunction with the analysis tools of law enforcement agencies to predict and analyze future terrorist activity before it happens. Even though some of the tools in a forensic accountant’s arsenal are useful in tracking terrorist funds, their ability to identify conceivable terrorist threats is limited. To identify the future activities of terrorist groups, forensic accountants and law enforcement agencies need to cooperate with one another by standardizing and incorporating the principal analytical tools utilized by all their sister agencies. Agencies and government officials should become familiar with virtual currencies like Bitcoin. Because of the anonymity and lack of regulatory oversight, virtual currency offers terrorist groups a useful means to finance illicit activities on an international level. It might even be helpful to conceive of a new government agency to tie together all of the financial forensics efforts of the different organizations, so that information sharing is not so compartmentalized as to compromise future investigative cooperation.
