Insurance investigators face a mammoth challenge as those seeking to defraud companies become more and more advanced in their methods. Chris Paley-Menzies reports

Detecting crime in the modern computer environment is an increasingly technical challenge. The volume and velocity of data (the speed at which data is created and likewise disappears) is increasing at an incredible pace. For the white-collar criminal, opportunities to steal assets or divert funds and then hide among voluminous transactional data are increasing exponentially.

For the insurance company, this shows itself in two ways: first, through claims on fidelity guarantee policies and, second, in direct claims made under fortuitous or contrived circumstances, which may be inflated.

An example might be where one of a retailer's two warehouses burns down. The company makes a claim on its insurance policy saying that all its newest and most expensive stock was in the destroyed warehouse. The task for the forensic accountant is to obtain the company's stock transaction records and, through an analysis of probable movements (for example, last-in, first-out and first-in, first-out), come up with a realistic range of figures that may drastically reduce the payment made by the insurer. In a recent case of this type, digital analysis indicated that the lowest value of the stock loss was approximately 30% of the claimed amount. The claim was eventually settled at 50%.
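The range analysis described above can be sketched as follows. This is an added illustration, not part of the original article: the receipt records, dispatch count and claimed value are constructed, and the function names are hypothetical.

```python
from collections import deque

# Constructed records for the stock line held in the destroyed warehouse:
# (receipt date, units received, unit cost).
RECEIPTS = [
    ("2005-01-10", 400, 20.0),
    ("2005-03-02", 300, 35.0),
    ("2005-05-18", 300, 60.0),
]
UNITS_DISPATCHED = 600    # constructed: units shipped out before the fire
CLAIMED_VALUE = 24000.0   # constructed: claim assumes all 400 remaining units are newest

def remaining_value(receipts, dispatched, method):
    """Value of the stock left after `dispatched` units leave, under FIFO or LIFO."""
    layers = deque((units, cost) for _, units, cost in sorted(receipts))
    if dispatched > sum(units for units, _ in layers):
        raise ValueError("records show more units dispatched than received")
    while dispatched > 0:
        # FIFO consumes the oldest cost layer first, LIFO the newest.
        units, cost = layers.popleft() if method == "fifo" else layers.pop()
        used = min(units, dispatched)
        dispatched -= used
        if units > used:  # return the unconsumed part of the layer
            if method == "fifo":
                layers.appendleft((units - used, cost))
            else:
                layers.append((units - used, cost))
    return sum(units * cost for units, cost in layers)

def claim_range(receipts, dispatched, claimed):
    """Lowest and highest supportable stock value, and each as a share of the claim."""
    values = [remaining_value(receipts, dispatched, m) for m in ("fifo", "lifo")]
    low, high = min(values), max(values)
    return {
        "low": low,
        "high": high,
        "low_pct_of_claim": round(100 * low / claimed, 1),
        "high_pct_of_claim": round(100 * high / claimed, 1),
    }

if __name__ == "__main__":
    print(claim_range(RECEIPTS, UNITS_DISPATCHED, CLAIMED_VALUE))
```

With prices rising over time, LIFO leaves the oldest and cheapest stock on hand and so gives the floor of the range, while FIFO gives the ceiling.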

Before commencing an investigation, access must be gained to the transaction-level data and this will need the co-operation of the data owner. The data may be contained in a variety of sources and, although this may be given as a reason for obfuscation, it is no longer a reasonable argument. Technology now exists that can connect to most systems and export data in a wide variety of formats. Similarly, the claim that "the volume is far too great for your spreadsheets" is invalid. Professional forensic accountants have tools that far outstrip the capacity of normal spreadsheet applications, and can process millions of transactions very quickly. These applications also protect the acquired data so that the investigator can testify as to its veracity.

The investigation can then proceed to the identification of potential anomalies. This can be done in a number of ways: the investigator may identify entries that are out of balance, contain duplicates or are posted at odd times, such as weekends or evenings. Some stratification may be done to establish the spread of values, especially in large data sets. Accomplished fraudsters with knowledge of these statistics can take advantage of them to hide their transactions. Digital frequency analysis is often used to highlight these anomalies and other areas of data for further investigation.
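The screening steps listed above, as an added example that is not from the original article. It runs over a constructed ledger, and it assumes that the digital frequency analysis in question is a first-digit comparison against Benford's law, which is one common form of that test; the office hours and value bands are also assumptions.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed ledger rows: (posting time, reference, payee, amount).
LEDGER = [
    ("2006-03-06 10:15", "P-001", "Acme Ltd", 1250.00),
    ("2006-03-07 14:40", "P-002", "Birch & Co", 940.50),
    ("2006-03-08 09:05", "P-003", "Acme Ltd", 1250.00),
    ("2006-03-09 22:30", "P-004", "Delta Supplies", 9800.00),
    ("2006-03-10 15:20", "P-005", "Corbett plc", 312.75),
    ("2006-03-11 11:00", "P-006", "Delta Supplies", 9750.00),
]

def duplicates(rows):
    """Groups of references that share the same payee and amount."""
    groups = {}
    for _, ref, payee, amount in rows:
        # Compare amounts in whole pence to avoid float-equality surprises.
        groups.setdefault((payee, round(amount * 100)), []).append(ref)
    return [refs for refs in groups.values() if len(refs) > 1]

def odd_hours(rows, start=8, end=18):
    """References posted at a weekend or outside assumed office hours."""
    flagged = []
    for ts, ref, _, _ in rows:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if t.weekday() >= 5 or not start <= t.hour < end:
            flagged.append(ref)
    return flagged

def stratify(rows, bounds=(500, 1000, 5000)):
    """Entries per value band (below 500, 500-999, 1000-4999, 5000 and over)."""
    bands = Counter(sum(amount >= b for b in bounds) for *_, amount in rows)
    return [bands[i] for i in range(len(bounds) + 1)]

def first_digit_deviation(rows):
    """Observed minus Benford-expected share for each leading digit 1 to 9."""
    # Scientific notation puts the leading significant digit first.
    digits = Counter(int(f"{abs(a):e}"[0]) for *_, a in rows if a)
    n = sum(digits.values())
    return {d: round(digits[d] / n - math.log10(1 + 1 / d), 3) for d in range(1, 10)}
```

Six rows are far too few for the first-digit comparison to mean anything statistically; on a real ledger of many thousands of entries, a large positive deviation for one digit (such as the cluster of amounts just under 10,000 here) marks a band of values worth pulling for review.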

Having confirmed that anomalies exist, the next stage is to consider the acquisition and examination of further digital evidence directly connected with the suspect.

This is often referred to as digital evidence recovery (DER) and involves a number of techniques. This is a highly skilled area of investigation, and staff who embark upon it must have appropriate training. It is essential that evidence is preserved in such a way that its authenticity cannot be questioned in a trial situation. When suspicious activity is first suspected, it is often the first thought of a company official to ask their IT department to copy files, email and logs or even to "have a look" themselves. Discounting the fact that the IT department may actually be under suspicion, copying or accessing files without using specialist software and techniques can easily corrupt vital evidence.

The 'digital landscape', where evidence may be hidden, goes far beyond the suspect's PC and extends out into the corporate network. Email servers, shared network storage servers, back-up tapes, archive media, local storage devices, PDAs, iPods, mobile phones and telephone recording systems all form part of the digital jungle where fraudulent activity can be squirreled away among the noise of modern communications and transactions.

Investigating IT issues
There are several important issues and questions that need to be dealt with early on in the investigation:

  • Who will manage the forensic technology solutions? Using local IT may not be appropriate and they may not have the skills.
  • How will you obtain the network and system architecture to understand where users' data resides? Often it may not be in the most logical place.
  • Are all IT systems synchronised or linked to an external time source? If not, trying to connect an email to a recorded telephone conversation and to a subsequent entry in a mobile phone log based on the alleged incident can be difficult.
  • What is the back-up and archive policy? When are tapes removed from the daily or weekly cycle and how long are they retained for? Are the back-ups tested?
  • What computer or storage equipment is available to staff? What is the policy on removable storage, such as thumb drives?
  • What network or system logs are enabled? How can they be accessed and what do they contain?
  • Is the wording of the IT usage or HR policy adequate to allow the monitoring of staff usage of IT?
  • Is any relevant digital evidence likely to be in other jurisdictions, particularly Europe?

Very often, the first stage in any DER process is the "imaging" of the suspect's PC. Imaging is a process using evidentially sound techniques to make an exact copy of the data held on a PC's internal hard disk. This not only captures files visible to the normal user, but goes beyond that to recover deleted files, partially overwritten deleted files (referred to as file fragments) and, potentially, other information related to the incident such as Windows registry entries and temporary internet files, which may include internet-based email data, such as Hotmail.

Of course, once the investigation spreads beyond the immediate location, there are additional challenges to be overcome.

Logistics are one thing but, increasingly, European and UK data protection and human rights legislation make it hard, if not impossible, to collect relevant evidence. It is imperative to seek local legal advice before embarking on an acquisition exercise in a different country or jurisdiction.

In all instances, whatever the scope of the investigation or suspicions, it is important not to potentially corrupt evidence by "having a look". Consider the wider digital landscape for evidence and engage a forensic technology expert early on.

Chris Paley-Menzies is head of forensic technology at RGL Forensic Accountants & Consultants