Hacking Exposed

by Aaron Philipp


  The third phase of the investigation typically involves gathering evidence to address the allegations and to evaluate the various theories developed as to the suspected fraudulent scheme. The computer forensic specialist will likely find his/her most significant involvement in the fraud investigation during this phase as evidence is sought to confirm or deny the allegations. The importance of the computer forensic specialist’s role will likely depend on the extent of the fraud, as well as the potential cover-up. As described, by their nature frauds involve deception. The perfect fraud is said to be one where no evidence of wrongdoing exists. The authors of this book subscribe to the belief that there is always evidence; one only has to look in the right place to find it.

  Efforts to conceal or cover up a fraud are usually evidenced somewhere, whether in falsified documents and records, fictitious invoices, correspondence or expense/payroll records, or disguised access to secure files. In addition, there is almost always a record of the perpetrator’s actions, even if it is saved only to a removable storage device or hard drive. Most people committing frauds have to keep track of what they’re doing to avoid making mistakes. They, themselves, have to understand what is fake and what is real, and which transactions are legitimate and which ones are not.

  Once the evidence is collected, the investigation’s next phase involves the development of the case against the employee(s) involved. Often, identified evidence will give rise to serious concerns regarding the likelihood of the allegations, but will not be sufficient to fully establish the extent of the fraud, the period of time covered, or all the potential individuals involved. Sometimes it may be prudent to expand the scope of the investigation, while at other times experienced fraud examiners and investigators may seek to interview potential witnesses as well as the suspected perpetrators. Often, companies are more concerned with effecting proper controls to avoid future exposure to the fraud, rather than fully vetting the entire scope of the fraud committed. The internal investigation may be turned over to law enforcement to complete the remaining aspects of the investigation and to seek potential criminal penalties and restitution.

  More than one issue often gives rise to concern, and each issue should be evaluated with regard to whether potential evidence may exist in areas where computer forensics could be of importance. Computer forensics may be instrumental in myriad ways while gathering evidence and conducting a fraud investigation including tracking access to secure networks and files, identifying supporting e-mail evidence, determining whether external files and/or storage devices have been used that may evidence the fraud, and evaluating whether documents have been altered or falsified, as well as when and by whom, to name a few.

  What to Look For

  By its nature, fraud is generally hidden as employees and corporations alike try to conceal their inappropriate actions. Computer forensics has become an integral tool used to uncover hidden, disguised, and concealed evidence and to expose those actions for the fraud they are.

  What to look for depends on the circumstances surrounding the alleged fraud, the employee(s) and corporate department(s) involved, their respective access and controls around that access to the information required to perpetrate the fraud, and the use of computers and e-mail to commit the fraud, as well as other tangential elements that may be of importance. Examples of areas for review include the following.

  Finding the Records of Embezzlement/Larceny

  As discussed earlier, it’s not uncommon for the individuals perpetrating the fraud to run a second set of books that keep track of everything they are doing. In general, this will be in addition to the proper set that is being obfuscated to make it look like everything is on the up-and-up. One of the vital roles that computer forensics plays in this type of investigation is assisting with the identification and location of the alternate ledgers. These can come in many forms: Excel spreadsheets, QuickBooks files, Act! databases, and so on. The key thing to remember here is that the fundamentals of computer forensics still apply.

  Where to Look for Records

  When looking for these transaction logs, think like the fraudster. It’s unlikely that the files or data you are looking for will be out there in plain sight. The suspected individual will have probably used some type of anti-forensic technique to hide the actual ledger. Let’s look at a few cases and how to combat them.

  Changing a Filename This is the most simple case. Instead of calling the ledger mysecondsetofbooks.xls, the individual renames the file pinkbunnies.jpg, with the hopes that whoever may be looking for the financials will pass right by this file, thinking it’s a picture of bunnies. The way to combat this is via file signature analysis. One quick and easy way to do this is with the file command on your UNIX flavor of choice (or cygwin). However, the granularity of what types of files it can detect and differentiate leaves a bit to be desired. If you have access to a commercial forensics tool such as EnCase, you can use the file signature facilities in the software to perform this analysis quickly and easily.
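The following is an added example, not code from the book or from any forensic product: a small file-signature check that flags files whose magic bytes disagree with their extension, the way EnCase's signature analysis or the UNIX file command would catch a spreadsheet renamed to .jpg. The signature table is an illustrative subset (the byte patterns are the real ones for those formats), and the sample files are constructed in a temporary directory so the script runs offline.

```python
"""Flag files whose magic bytes disagree with their extension.

Added example (not from the book). SIGNATURES is a deliberately small table;
a real examination would rely on libmagic or a commercial tool's database.
"""
import os
import tempfile

# Header prefix -> extensions that legitimately carry that header.
SIGNATURES = {
    b"\xFF\xD8\xFF": {"jpg", "jpeg"},                         # JPEG
    b"\x89PNG\r\n\x1a\n": {"png"},                            # PNG
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": {"xls", "doc", "ppt"},  # OLE2 compound (legacy Office)
    b"PK\x03\x04": {"xlsx", "docx", "pptx", "zip"},           # ZIP container (OOXML and archives)
    b"%PDF-": {"pdf"},                                        # PDF
    b"SQLite format 3\x00": {"sqlite", "db"},                 # SQLite database
}


def identify(header):
    """Return the extension set for the first matching signature, else None."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None


def check_file(path):
    """Return (name, claimed_ext, detected_exts) when extension and signature disagree."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        header = fh.read(16)
    detected = identify(header)
    if detected is None or ext in detected:
        return None  # unknown type or consistent type: nothing to flag here
    return (os.path.basename(path), ext, sorted(detected))


def scan_tree(root):
    """Walk root and collect every extension/signature mismatch."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            hit = check_file(os.path.join(dirpath, name))
            if hit:
                findings.append(hit)
    return findings


def build_sample_evidence_dir():
    """Constructed sample set: a JPEG, a legitimate .xls, a ledger renamed to .jpg, and a text file."""
    root = tempfile.mkdtemp(prefix="sigdemo_")
    ole2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
    samples = {
        "vacation.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,
        "budget.xls": ole2 + b"\x00" * 32,
        "pinkbunnies.jpg": ole2 + b"\x00" * 32,   # the renamed second set of books
        "notes.txt": b"just some text",           # no signature in the table, so ignored
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for name, ext, detected in scan_tree(build_sample_evidence_dir()):
        print(f"{name}: extension .{ext} but header matches {detected}")
```

Files whose header is not in the table are skipped rather than flagged; in a real case you would want a second pass that lists every unknown-type file, since a renamed file of a format you did not anticipate looks exactly like that.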

  Encrypting a File One of the most common ways these ledgers are hidden is by the use of encryption. The suspect knows the file is bad, and if the information inside the file gets out, he will be in a lot of trouble, so he takes steps to encrypt it. What method he actually uses varies based on the file type and the sophistication of the user. Most people will just use the password-protection features of the software in which the file was created (for instance, applying a password to an Excel spreadsheet) and let that be it. Others may use more advanced anti-forensic techniques. Using a tool such as Access Data’s PRTK can be crucial not only in cracking the password but also in identifying the type of scheme that was used to encrypt it. There is also always the option of just asking for the password, but in my experience this rarely, if ever, works. Even if the higher-ups are OK with you asking for the password (which usually isn’t the case, because they don’t want to tip their hand that they know of the fraud), the person who knows the password generally “forgets” it around the time he finds out he is being investigated.

  External Media The use of some type of secured thumb drive is very common in these cases, especially with the advent of hardened, hardware-encrypted drives. A suspect will use these drives thinking that they are small and encrypted, and if it all comes crashing down he can throw it away or destroy it and no one will be the wiser. We have described in detail in other chapters how to identify that thumb drives are being used and how to locate what files may have been on them. Performing this same analysis, but this time with a focus on looking for accounting-related files in the link files, temp files, and registry keys, can be an extremely fruitful path of investigation. This can also help determine who was involved, as it is not uncommon for these thumb drives to be passed around between the conspirators.

  E-mails and Other Communications This one is a bit of a long shot in these types of investigations, but you never know. Most individuals engaged in embezzlement/larceny are smart enough to keep their transgressions off the corporate e-mail server. However, you may still be able to find some clues there, as well as in the personal webmail/e-mail of the individual and his smartphone records. Remember that you are not only looking for “caught red handed” type communications, but also patterns of communication that could indicate something deeper, as well as code words and other types of speech designed not to draw attention.

  Finding Evidence of Check Fraud

  Other than expense account fraud, check fraud still remains one of the most prevalent types of employee fraud out there. This typically entails an employee who gets hold of a check and modifies it in some way so that she can profit from it. This can mean changing dollar amounts, changing the payee name, or stealing new blank checks and filling them out. Oftentimes, they will scan the checks into the computer so that they can modify them and print out new, authentic-looking forged checks. This intermediary step is where computer forensics can play a role in detecting this type of check fraud.

  Looking for the Counterfeit

  Generally this type of fraud occurs in one of two ways: modification of an existing check or creation of a new check forged to look authentic. For the modification route, typically a tool such as Photoshop is used to modify the image of the check before it is printed. If the counterfeiter is creating a new check, a page layout tool such as Microsoft Word is used to lay out the fields so they match up with the paper check and to print the new check. Let’s look at some of the various techniques you can use to find these forgeries.

  Look for Pictures of the Check on the Computer If the check is scanned into the computer to be modified, you may be able to locate both the before and after images on the computer. Do a search for all images on the computer (remember to do this on a file signature basis, as they may be trying to hide the files) and review by hand to see if you can find any images of the checks. Also, the individual may have deleted the images after the modification, so using a data-carving utility such as Scalpel or Access Data’s FTK can be crucial here. Once you find the pictures, make sure you note the file metadata as well as the internal metadata (such as EXIF), as they can provide vital clues to who actually did the modification and what tools they used.
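As an added example (not the book's code, and not how Scalpel or FTK are implemented), here is a minimal header/footer carver run over a constructed byte buffer that stands in for unallocated space. It recovers JPEG images between the SOI (FF D8 FF) and EOI (FF D9) markers and records whether each carries an Exif APP1 segment, which is where editing software commonly leaves its name. The size bound and the sample buffer are assumptions made for the demo.

```python
"""Carve JPEG images out of a raw byte buffer by header and footer markers.

Added example (not from the book). This is the simplest form of carving and
has the known weakness that an Exif thumbnail embedded in a photo contains its
own FF D9, so a carved file may end early; real tools apply format-aware rules.
"""

JPEG_SOI = b"\xFF\xD8\xFF"      # start-of-image marker prefix
JPEG_EOI = b"\xFF\xD9"          # end-of-image marker
MAX_JPEG = 10 * 1024 * 1024     # assumed carving bound, like a Scalpel size limit


def carve_jpegs(blob, max_size=MAX_JPEG):
    """Return a list of (offset, data, has_exif) for every JPEG found in blob."""
    results = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            pos = start + 1   # header with no footer in range: skip it and keep scanning
            continue
        data = blob[start:end + len(JPEG_EOI)]
        # Exif lives in an APP1 (FF E1) segment right after SOI, so it appears near the start.
        has_exif = b"Exif\x00\x00" in data[:64]
        results.append((start, data, has_exif))
        pos = end + len(JPEG_EOI)
    return results


def build_sample_unallocated():
    """Constructed buffer: padding, an Exif-bearing JPEG, junk, a plain JPEG, and a truncated header."""
    exif_jpeg = (b"\xFF\xD8\xFF\xE1" + b"\x00\x10" + b"Exif\x00\x00"
                 + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 20 + b"\xFF\xD9")   # 42 bytes
    plain_jpeg = b"\xFF\xD8\xFF\xDB" + b"\x11" * 40 + b"\xFF\xD9"                # 46 bytes
    truncated = b"\xFF\xD8\xFF\xE0" + b"\x00" * 10                               # no EOI
    return b"\x00" * 100 + exif_jpeg + b"\xAB" * 50 + plain_jpeg + b"\x00" * 30 + truncated


if __name__ == "__main__":
    for offset, data, has_exif in carve_jpegs(build_sample_unallocated()):
        print(f"JPEG at offset {offset}: {len(data)} bytes, Exif present: {has_exif}")
```

Once a file is carved, the next step the text describes is reading its metadata; a carved file has no filesystem timestamps, so the Exif block (and any editing-software tag inside it) is often the only provenance you get.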

  Find Documents That Lay Out the Check Forgery If the individual stole blank checks to write out to herself, chances are that she won’t just write out the check, but will attempt to print the information on the check so as to not attract attention. You can use this fact to your advantage and search for Word docs that contain the check layout. Make sure you also look at the temporary files and the unallocated space, as she may not have actually saved the file to the computer.

  Look at the Printer Spool If the check was laid out or modified on the computer, it was probably printed as well. Take a look at the various print spools for the operating system and see if a temporary file exists that contains the check data. Also, look for evidence that some other type of printer was used, such as a print-to-PDF or print-to-TIFF option. These options may have been used with some of the newer online check depositing services.

  Tracing the Assets

  Once you have identified that the embezzlement has occurred, the company will want to track the assets and figure out where they have gone. While this task falls primarily in the domain of forensic accountants, computer forensics can benefit and speed up this process in several ways.

  What to Look For

  You should understand, or work with someone who understands, how money flows through the organization and where the records are kept. If you are dealing with a large company, the assets will be handled through some kind of centralized system, such as a mainframe or enterprise resource planning (ERP) type system. Smaller companies generally use programs like QuickBooks to assist with the accounting. Also, if the company controls are lax enough, it is not uncommon for the fraudster to bypass these systems and interact with the bank accounts directly. Let’s look at some of the avenues for investigating where the assets came from and where they went.

  Internet History With the increasing popularity of online banking, this avenue of investigation can become a real boon. In smaller organizations with few controls over who has access to the money and what they can do with it, we are starting to see online banking as the point of fraud. The individual will log into the online banking site for the company, allocate some cash, and transfer it to a third-party bank under the guise of some type of invoice payment. In addition, he may also log into the recipient bank account to move the money around. All of these transactions can leave history in the Internet cache and cookies on the computer. This can be extremely helpful in reconstructing which bank accounts were used and where the funds were moved.
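The example below is added here and is not from the book: it pulls banking-site visits out of a Chrome-style History database, which is one of the places the browsing history just described ends up. The urls table columns and the timestamp encoding (microseconds since 1601-01-01 UTC, a frequent source of misread timelines) follow Chrome's real schema; the rows and the watched bank domains are constructed for the demo.

```python
"""Extract visits to watched banking domains from a Chrome-style History DB.

Added example (not from the book). The database is built in memory with the
same columns Chrome's urls table carries; in a case you would copy the
History file from the profile directory and open that instead.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BANK_DOMAINS = ("examplebank.test", "othercredit.test")   # assumed watch list for the demo


def webkit_to_datetime(value):
    """Chrome stores last_visit_time as microseconds since 1601-01-01 UTC, not the Unix epoch."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime; dt must be timezone-aware."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed in-memory History database with the columns an examiner reads."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
               "visit_count INTEGER, last_visit_time INTEGER)")
    utc = timezone.utc
    rows = [
        ("https://online.examplebank.test/login", "Example Bank - Sign in", 14,
         datetime(2024, 3, 6, 9, 12, tzinfo=utc)),
        ("https://online.examplebank.test/transfers/new", "New transfer", 3,
         datetime(2024, 3, 6, 9, 20, tzinfo=utc)),
        ("https://www.othercredit.test/account/summary", "Account summary", 2,
         datetime(2024, 3, 6, 9, 41, tzinfo=utc)),
        ("https://news.example.test/", "News", 40,
         datetime(2024, 3, 6, 12, 0, tzinfo=utc)),
    ]
    db.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
                   [(u, t, c, datetime_to_webkit(d)) for u, t, c, d in rows])
    return db


def banking_visits(db, domains=BANK_DOMAINS):
    """Return (utc_time, url, visit_count) for URLs on the watched domains, oldest first."""
    hits = []
    for url, count, t in db.execute("SELECT url, visit_count, last_visit_time FROM urls"):
        host = url.split("/")[2]
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((webkit_to_datetime(t), url, count))
    return sorted(hits)


if __name__ == "__main__":
    for when, url, count in banking_visits(build_sample_history()):
        print(f"{when.isoformat()}  visits={count:<3} {url}")
```

The login page followed minutes later by a transfer page and then a visit to a second institution is the kind of sequence worth lining up against the bank statements; the visit_count column also tells you whether a transfer page was a one-off or a habit.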

  Accounting Systems This review will be conducted primarily by forensic accountants, but computer forensics can bring some things to the table in review of the financial accounting systems. First are the audit logs. One common technique used by embezzlers is to inflate the payout of an invoice or to backdate the payout. With the requirements placed on larger companies in terms of financial reporting and compliance, these transactions are generally heavily logged and tracked. The typical flow of the investigation is that the accountants will flag a few transactions that look suspicious and ask for help regarding what can be identified about those transactions. For instance, look for the user who authorized the transaction, other types of transactions that follow the same pattern (payout to the same vendor, unusually round dollar amounts, and so on), and analyze the metadata around those. Take what the forensic accountants know and match that up to what the metadata says and see if any new patterns emerge.
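As an added example (not from the book, and not tied to any particular ERP product), the script below runs the pattern checks this passage describes over a small accounts-payable audit log: backdated postings, unusually round amounts, and repeated payouts from one user to one vendor. It then takes transaction ids the accountants have flagged and returns the other records sharing the same user-and-vendor pairing. The column names and the log records are constructed for the demo.

```python
"""Pattern checks over an accounts-payable audit log.

Added example (not from the book). entry_date is when the record was keyed in
and posting_date is the accounting date the user assigned, so posting before
entry is the backdating pattern the text mentions.
"""
import csv
import io
from datetime import date

# Constructed sample log; in a case this would be an export from the ERP audit trail.
SAMPLE_LOG = """\
txn_id,entry_date,posting_date,user,vendor,amount
1001,2024-03-04,2024-03-04,jdoe,Acme Supply,1842.17
1002,2024-03-05,2024-03-05,msmith,Acme Supply,2210.40
1003,2024-03-06,2024-02-20,jdoe,Northwind Consulting,5000.00
1004,2024-03-11,2024-03-11,jdoe,Northwind Consulting,5000.00
1005,2024-03-12,2024-03-12,msmith,Globex Parts,973.55
1006,2024-03-18,2024-03-18,jdoe,Northwind Consulting,4000.00
1007,2024-03-19,2024-03-19,msmith,Globex Parts,1310.00
"""


def parse_log(text):
    """Parse the CSV export into typed records."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "txn_id": rec["txn_id"],
            "entry_date": date.fromisoformat(rec["entry_date"]),
            "posting_date": date.fromisoformat(rec["posting_date"]),
            "user": rec["user"],
            "vendor": rec["vendor"],
            "amount": float(rec["amount"]),
        })
    return rows


def is_round(amount, unit=1000.0):
    """True for amounts that are an exact multiple of unit (assumed threshold)."""
    return amount >= unit and abs(amount / unit - round(amount / unit)) < 1e-9


def flag_anomalies(rows, repeat_threshold=3):
    """Return {txn_id: [reasons]} for records matching a suspicious pattern."""
    flags = {}

    def add(txn, reason):
        flags.setdefault(txn, []).append(reason)

    for r in rows:
        if r["posting_date"] < r["entry_date"]:
            add(r["txn_id"], "backdated")
        if is_round(r["amount"]):
            add(r["txn_id"], "round amount")
    # Same user paying the same vendor repeatedly.
    pairs = {}
    for r in rows:
        pairs.setdefault((r["user"], r["vendor"]), []).append(r["txn_id"])
    for (user, vendor), ids in pairs.items():
        if len(ids) >= repeat_threshold:
            for txn in ids:
                add(txn, f"{user} paid {vendor} {len(ids)} times")
    return flags


def related_to(rows, seed_ids):
    """Given ids the accountants flagged, return other txns with the same user and vendor."""
    keys = {(r["user"], r["vendor"]) for r in rows if r["txn_id"] in seed_ids}
    return sorted(r["txn_id"] for r in rows
                  if (r["user"], r["vendor"]) in keys and r["txn_id"] not in seed_ids)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for txn, reasons in sorted(flag_anomalies(log).items()):
        print(txn, "->", "; ".join(reasons))
    print("related to 1003:", related_to(log, {"1003"}))
```

The thresholds (round to the nearest thousand, three or more payouts) are starting points, not rules; what matters is that each flag carries a reason string the accountants can check against their own findings.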

  Corruption

  Corruption is another word used frequently with regard to individuals, corporations, and even governments. It covers many activities that may violate federal and state laws and that may not involve the actual misappropriation of assets through embezzlement or larceny, yet still result in economic loss and damage to a company through such things as undisclosed conflicts of interest, bribery, and kickbacks.

  Conflicts of interest are generally described as any situation involving individuals with the authority to make decisions for a corporation, where a conflict may exist between the individual acting in the best interest of the corporation and acting in a manner in which the individual has a potential self-interest (the potential to receive a direct or indirect benefit). In its simplest form, if an individual has to decide what’s best for the corporation versus what may be best for himself (for example, through a side or family business), a conflict of interest exists. Not all conflicts of interest are bad, nor are they illegal. In many situations, conflicts of interest are acknowledged and accepted as long as they are properly disclosed to the appropriate parties. However, conflicts of interest do give rise to opportunities for an individual to reward himself at the expense of the corporation, and in those situations, especially when undisclosed, a problem may exist.

  Bribery and illegal kickbacks are probably the most common forms of corruption worldwide. While both continue to be prevalent in the United States, bribery and illegal kickbacks can be serious problems for businesses in developing countries around the world, so much so that the US government has adopted, and continues to enforce, efforts to identify, investigate, and prosecute businesses that engage in the bribery of officials around the world (the Foreign Corrupt Practices Act).

  Bribery can range from a few dollars given to a maître d’ for a better seat at a restaurant, to many millions of dollars when hundreds of millions to billions of dollars in business contracts may be at stake. Kickbacks, in some sense, are similar to bribery, yet they occur after the contract or action in question has already been approved. While bribery typically occurs prior to the award of a contract or receipt of business, kickback payments usually come from the business in question. Often, in exchange for steering business to a particular vendor, supplier, or other business entity, the individual may receive a kickback that could be a one-time payment or an ongoing payment in proportion to the amount of business referred (similar in nature to a commission).

  What to Understand

  The first question when corruption is suspected is whether the company is the victim or the perpetrator of corruption. Most often, corporations are the victims of corruption as various individuals take advantage of their positions within the corporation for personal gain, namely through conflicts of interests but also through the receipt of bribes and kickbacks for steering business one direction or another. However, corporations also commit bribery and pay kickbacks, especially where significant contracts or other potential business is involved. Whether the corporation is the victim or the perpetrator of alleged corruption significantly alters the dynamics of the potential sources of information and the services that could be rendered by a computer forensics specialist in uncovering fraud.

  As described, the investigative process follows a fairly standard approach. However, it is important to understand that, by its nature, most corruption (that is, the transactions) occurs outside of the business in question. Unlike a misappropriation of assets where missing assets, falsified documents, and a trail of other evidence may likely exist for the fraud examiner or investigator to pursue, corruption may be far removed from the books and records of the company, especially when the company may be the victim. An individual receiving bribes or kickbacks for influencing certain decisions or steering business to a preferred client may never have to falsify a document or otherwise attempt to hide or conceal his efforts. These types of bribes and/or kickbacks may be paid directly to the employee with no evidence ever finding its way to the company’s books and records.

  Often, the initial, and sometimes the only, indicia of corruption may be a tip from a whistleblower, concerns expressed by a competing business interest, or an observed change in an individual’s lifestyle and perceived standard of living (as previously described), especially where bribes and kickbacks may be involved. However, even when the process starts with a tip, computer forensics can be an important tool in identifying and collecting evidence of potential wrongdoing. Most individuals rarely keep their personal interests, or outside relationships, completely separate from their business responsibilities. Individuals often track personal records on corporate assets (i.e., their company-issued computer), as well as make and track contacts. Contacts are made through business e-mail, voice mail, calendar appointments, travel logs, and other means. Often perpetrators are lulled into complacency when they believe that no one is effectively watching.
