
Hacking Exposed


by Aaron Philipp


  Finding Evidence of Data Destruction

  As stated, the type of data destruction that generally occurs in these investigations differs from that of other types of single hard drive analysis. Instead of wiping an entire Personal Storage Table (PST), the suspect may simply selectively delete an e-mail here and there. This can render the “broad stroke” methods of identifying wiping somewhat ineffective. Let’s look at some things you can do.

  Perform a Gap Analysis Individuals generally follow somewhat regular e-mail patterns: over the course of a month they send about the same number of e-mails on each weekday, with some dips here and there. One of the techniques we use to determine whether anomalies in the e-mail could be deletions is to look at the e-mail trends over the period under investigation. For instance, if you do a month-by-month breakdown of the e-mail over the course of five years, and there are zero e-mails for May 2005 when every other month has thousands, that is a key indicator that something happened in May 2005. We generally do this in one of two ways: if a full-blown investigation is underway and e-discovery tools are being used, many of them have facilities to run these types of reports. Otherwise, you can use a tool such as Transcend Migrator to dump the message header information into an Excel spreadsheet and create a pivot table that rolls up the e-mails by month.

  Review the EDB Dumpsters I have had entire cases hinge upon what was in the Exchange dumpster. We discussed this in more detail in earlier chapters, but it bears repeating here. If you are just getting into one of these investigations, have the dumpster turned on with a suitably long retention period (so that even deleted e-mails are retained) and periodically take a look using a tool such as Paraben NEMX to see what someone tried to delete. Even if you are looking into the past, the dumpster is typically configured to retain items for seven days, so if you have weekly tape backups of the EDB files, you can recover the information from the backups for the weeks you care about.

  Compare Sender and Receiver Message Counts If two individuals are of particular interest, take a look at both mailboxes for communications between them. While you would expect some small deviations here and there, as some people will delete messages more often than others, huge differences can be a sign that something fishy is going on.
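The monthly roll-up and the sender-versus-receiver comparison from the last two techniques, as an added example in Python (not code from the book or from Transcend Migrator); it works on message dates as a header export would supply them, and the Alice/Bob traffic it analyses is constructed sample data:

```python
from collections import Counter
from datetime import date
from statistics import median

def month_key(d):
    return f"{d.year:04d}-{d.month:02d}"

def monthly_counts(dates):
    """Roll message dates up by calendar month, keeping zero-count months
    inside the span so that an empty month shows up instead of vanishing."""
    if not dates:
        return {}
    counts = Counter(month_key(d) for d in dates)
    lo, hi = min(dates), max(dates)
    y, m, rolled = lo.year, lo.month, {}
    while (y, m) <= (hi.year, hi.month):
        key = f"{y:04d}-{m:02d}"
        rolled[key] = counts.get(key, 0)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return rolled

def find_gaps(rolled, fraction=0.25):
    """Months whose volume falls below `fraction` of the median non-empty month:
    candidate windows for bulk deletion."""
    nonzero = [v for v in rolled.values() if v > 0]
    typical = median(nonzero) if nonzero else 0
    return [k for k, v in rolled.items() if v < fraction * typical]

def compare_mailboxes(sender_rolled, receiver_rolled, fraction=0.5):
    """Months where the receiver's mailbox holds well under what the sender's
    Sent Items shows for the same pair, as (month, sent, received)."""
    flagged = []
    for key, sent in sender_rolled.items():
        got = receiver_rolled.get(key, 0)
        if sent > 0 and got < fraction * sent:
            flagged.append((key, sent, got))
    return flagged

def constructed_sample():
    """Constructed header export, not real data: a year of Alice -> Bob mail.
    May is empty on both sides; Bob's copy of July has been thinned to one message."""
    alice_sent, bob_received = [], []
    for m in range(1, 13):
        if m == 5:
            continue
        for n, day in enumerate((3, 10, 17, 24)):
            d = date(2005, m, day)
            alice_sent.append(d)
            if m != 7 or n == 0:
                bob_received.append(d)
    return alice_sent, bob_received

def run_analysis():
    alice_sent, bob_received = constructed_sample()
    a, b = monthly_counts(alice_sent), monthly_counts(bob_received)
    return {"sender_gaps": find_gaps(a), "receiver_gaps": find_gaps(b),
            "count_mismatch": compare_mailboxes(a, b)}
```

The gap analysis alone surfaces the empty May in both mailboxes, while only the pairwise comparison catches the thinned July, which is why the two checks complement each other.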

  Look for Minor Changes to Important Documents I remember a case involving accounting fraud, when an issue came up with regard to the audit checklist. A critical item seemed to have been added after the fact to the checklist that wasn’t applied when it would have mattered. The company, however, represented that the item had been there all along. Through the use of the revision number, created date, and modified date, we were able to show that the document had in fact been modified much later than identified by the company. This was confirmed when we pulled an old version of the document off of a backup tape from the relevant time period, and, as expected, the audit item wasn’t there. Work with forensic accountants or counsel to determine which documents may be important and then take a look at them to determine when and how they were modified.

  Securities Fraud

  Trillions of dollars are invested in the stock market and various companies that seek investment capital through the issuance of securities (such as stocks, bonds, commodities, and so on) in the various markets in the United States and around the world. Those securities are routinely traded among individuals, corporations, and various other types of investors and investment vehicles. The value of the traded securities rises and falls along with the fortunes of those heavily invested in the stock market. Numerous laws and regulations are directed at protecting investors, securities traders, and the companies that seek capital in the public debt and equity markets. However, sometimes those rules are ignored or outright violated, which can lead to significant losses for those entities that have invested in the system and rely on its integrity.

  Securities fraud is generally described as an act in violation of applicable securities laws and regulations where the intent is to manipulate or take advantage of the market, typically with respect to a company’s stock price, through deliberate concealment or distortion of information, or through the use of material nonpublic information. Perpetrators of securities fraud may include stockbrokers, financial advisors, investment analysts, brokerage firms, and individual investors, but they often include corporations and their officers and directors. The most common forms of securities fraud include insider trading (trading the securities of a particular entity on the basis of information that is not available to the public); general financial reporting fraud (presenting false information on a company’s financial statements, often in connection with accounting fraud as described); and stock manipulation schemes such as the backdating of employee stock options.

  As described in relation to accounting fraud, companies will often conceal their true financial condition by hiding debts or beefing up revenues to appear more profitable or financially sound than they actually are, essentially by misleading both investors and shareholders.

  Investing in the stock market and other securities is carefully regulated by rules and laws established for the protection of investors and the various parties involved. Securities issued by a corporation are governed primarily by the Securities and Exchange Commission (SEC). Violations of SEC rules and regulations can have serious consequences and lead to civil and criminal punishment. The SEC, as well as the National Association of Securities Dealers (NASD), can investigate securities fraud and impose civil fines against suspected individuals and corporations.

  The Securities Act of 1933 (known as the “truth in securities” law) was established to “require that investors receive financial information and other significant information concerning securities being offered for public sale” and “prohibit deceit, misrepresentation, and other fraud in the sale of securities.” The Securities Exchange Act of 1934 was established to empower the SEC with broad authority over the securities industry, including the power to “prohibit certain types of conduct” and to require “periodic reporting” by companies, all of which are aimed at protecting individual investors as well as the overall integrity of the system. However, not unlike other types of fraud, the various players in this arena have found myriad ways to circumvent or altogether violate the rules and regulations of the system and to take advantage of investment analysts, financial advisors, investors, and others for personal and corporate gain.

  In addition, the Sarbanes-Oxley Act of 2002 added to the existing securities fraud statutes by further defining securities fraud to include “Whoever knowingly executes, or attempts to execute, a scheme or artifice (1) to defraud any person in connection with any security... or; (2) to obtain, by means of false or fraudulent pretenses, representations, promises, any money or property in connection with the purchase or sale of any security.” Several of the more common means by which securities fraud is committed are discussed in the following sections.

  Insider Trading

  The term “insider trading” generally refers to the prohibited use of material, nonpublic information in the purchase and sale of securities. Liability for insider trading typically falls upon so-called corporate insiders, such as officers, directors, and other key employees and shareholders—the ones most likely to have access to information that could influence the value or trading price of the company’s underlying securities. Corporate insiders who possess material nonpublic information are required either to disclose what they know to the public or to refrain from trading on that information. However, the temptation to realize a profit through trading securities on information the public does not yet know is often too great.

  What to Understand

  Claims of insider trading are often investigated and prosecuted by the SEC. Abnormally high returns for one investor relative to those of other investors in the market can serve as a red flag to the SEC, which monitors stock trading across all capital markets, especially trades made by those identified as corporate insiders. An individual’s sale of stock that occurs immediately preceding an announcement of bad news, or the purchase of stock immediately preceding an announcement of good news, will often raise questions as to the fortuitous timing of the transaction. Often, the players involved may not appear to be corporate insiders or directly linked to a corporate insider, especially with the existence of various brokers, traders, corporate entities, family limited partnerships, and so on, that could be trading the stock. However, when questions arise as to whether an individual or transaction may have benefited from insider information, experienced investigators and fraud examiners look for specific things.

  First, they must understand the specifics of the stock purchase or sales transactions in question. With the exception of public filing requirements regarding stock transactions involving corporate insiders, only the SEC may have access to the daily trading activity in a particular stock. However, even general trends such as stock volatility, trading volume, increase in short-selling, and so on, may provide indicators of unusual activity in a company’s stock before the announcement of certain confidential information. In addition, it is important to understand whether the event observed was a one-time occurrence or a pattern that has repeated at various points in time.

  Second, investigations of this nature typically focus on one or more specific individuals. However, where the identity of persons potentially involved may not be known initially, the investigation may start with a broader population of those individuals who had access to the material non-public information. In any event, the investigation often begins with defining a population of potential insiders and their relationship to various outside parties that may have some involvement in the matter. The question of relationships often becomes key in linking outside parties with corporate insiders who divulged the information and are likely receiving some sort of benefit or kickback in return.

  Third, it is important to understand who had relative access to the information. Sometimes information is limited to a small number of corporate insiders. In other situations, the circle of knowledge may be expanded to include not only corporate insiders, but outside attorneys, consultants, and others who may be providing service to the company, most likely under some sort of confidentiality or nondisclosure agreement. Questions often need to be asked relative to information access and security, whether the information is located on a secure network, and whether access to that network is tracked.

  The appropriate steps to take will depend on the type of information suspected of being leaked to outside parties. It is not uncommon for individuals to use inside information in advance of quarterly or annual reports, especially where overly positive or negative news is concerned. Corporations typically have protocols for how such information is handled prior to the public disclosure, and the information is typically tightly controlled by a small group of individuals. Or the information in question may involve news related to a potential acquisition or significant legal issue, in which case various outside parties (such as attorneys, investment banks, and consultants) may also possess the material non-public information. This step of the investigative process begins with mapping the relative access to the information in question.

  The next step often involves investigating whether the corporate insider who is suspected of being involved in insider trading or in facilitating the insider trading by an outside party may have benefited from the relationship. Very likely, this will be difficult to determine based on access only to corporate records. However, as with other types of fraud, it is surprising how often individuals use their corporate assets (such as computers, e-mail, voicemail, and so on) to conduct personal business, including business for which the individual may be a party to alleged fraudulent activity, such as insider trading.

  The last couple of areas focus on the corporate insider’s knowledge that he was divulging inside information and that it was being relied upon by an outside party in trading on that inside information. Corporate insiders are subject to non-public information throughout the course of their work. Not all non-public information is material. Often individuals lose track of, or fail to realize, the importance of certain information and the potential ramifications it may have on the company’s stock price when made public. While the inadvertent disclosure of material non-public information may still have led to the improper trading by an outside party, the distinction may nonetheless be the difference between the corporate insider merely losing his job or going to prison.

  What to Look For

  What to look for depends on the corporation, the circumstances surrounding the suspected insider trading, and the extent of the individuals with knowledge of the non-public information. However, as with investigating certain types of fraud where the focus is to follow the money, insider trading in many respects is simply following the information—what was it, who knew it, how did it get out, and who used it?

  When Did They Know the Information

  In our experience, most insider trading investigations hinge upon when someone learned a piece of information. The most common way that this information is sent and received is by e-mail—perhaps an offhanded e-mail from a financial advisor to a client about movement in a company. As such, when confronted with the e-mail, the person accused of insider trading will generally state something to the effect of, “I didn’t actually open the e-mail until after the trades were made.” It will be your task as a forensic examiner to determine whether or not this is the truth.

  When Was the E-mail Opened

  The entire investigation can hinge on determining when the individual opened the e-mail. While this can be extremely difficult to determine, depending on what e-mail client is in use, with a little outside-the-box thinking you can find the information you need. Let’s look at a few different ways to do this.

  Webmail/Internet History This method has obvious applications if you believe the e-mail was sent to a webmail account such as Yahoo!, Gmail, or Hotmail. However, I have often seen this history overlooked when corporate e-mail is involved. The thing to remember is that even if corporate e-mail is involved, the individual may still have used the webmail client (such as Outlook Web Access, or OWA) on his laptop or home computer. No matter what e-mail systems you are looking at, you should check the webmail just to be complete.

  Having said that, let’s discuss what exactly to look for. Generally, at the point when you are trying to determine when an e-mail was read, you know exactly which e-mail you are looking for (this would have been discovered earlier in the investigation). With that in mind, you can re-create the Internet cache and history to see if you can find the e-mail being opened. If you can, match it up with the date and time that it was first placed into the history/cache, as this will generally be the first time the e-mail was opened. If you can’t find the exact e-mail, remember to look at the folder view web pages (such as the inbox page) where it shows the message subject and other information about the message. Generally, by looking at the URL status, you can tell whether the message has been read or not, and looking at how these indexes change over time (for instance, you can look at the index cached on Monday, versus the index cached on Wednesday) can help you narrow down exactly when the message was opened. You can sometimes get everything you need from the Internet history URL. Older versions of OWA would actually include the subject of the message in the URL and what action was requested (READ, FWD, Reply, and so on).

  Exchange E-mail When investigators hear Exchange, in my experience the first thing they head for is Personal Storage Tables (PSTs) and the Outlook metadata. However, the actual .edb file can be a treasure trove of information. Specifically, you should care about two pieces of metadata in the .edb with respect to this task—an is_read flag and a last_modified date and time for each message. When a message is placed in the .edb, the modified date is set to the date when it was placed in the container and the is_read flag is set to false. When an e-mail is opened, the is_read flag changes to true, which causes the last modified date and time to change to the time the flag changed. Don’t rely on this date and time completely, however, as other things can change it as well. Take a look to see if the message has been replied to, moved, or forwarded. All these actions will change the last modified date. Still, this can be a great place to start, and if you can eliminate all other options on why the modified date changed, the is_read flag can be crucial.
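An added example (not from the book) that combines the two sources just described: cached folder-index pages bound when the message flipped from unread to read, and the .edb is_read/last_modified pair gives a candidate time that is trusted only when no reply, forward or move could have rewritten the stamp. The snapshots, message record and trade time are constructed, and the dictionary field names are assumptions, not real .edb column names.

```python
from datetime import datetime

T = datetime.fromisoformat

def window_from_cache(snapshots, subject):
    """Bound the first-open time from cached folder-index pages (an OWA inbox
    view cached on different days). snapshots: [(cached_at, {subject: is_read})].
    Returns (last_seen_unread, first_seen_read); either may be None."""
    last_unread = first_read = None
    for cached_at, index in sorted(snapshots, key=lambda s: s[0]):
        if subject not in index:
            continue
        if index[subject] and first_read is None:
            first_read = cached_at
        elif not index[subject] and first_read is None:
            last_unread = cached_at
    return last_unread, first_read

def estimate_from_edb(msg):
    """Candidate open time from the .edb is_read flag and last_modified stamp.
    Returns (stamp, caveats): the stamp only means 'first opened' when no reply,
    forward or move could have rewritten last_modified instead."""
    if not msg["is_read"]:
        return None, ["message never marked read"]
    caveats = [a for a in ("replied", "forwarded", "moved") if msg.get(a)]
    return msg["last_modified"], caveats

def evaluate_claim(trade_time, cache_window, edb_estimate):
    """Test the claim 'I did not open the e-mail until after the trades were made'."""
    _, first_read = cache_window
    stamp, caveats = edb_estimate
    if first_read is not None and first_read < trade_time:
        return "contradicted: cached index shows the message read before the trade"
    if stamp is not None and stamp < trade_time:
        if not caveats:
            return "contradicted: .edb is_read change predates the trade"
        return "inconclusive: .edb stamp predates the trade but may reflect " + "/".join(caveats)
    return "not contradicted by the available evidence"

# Constructed evidence (not from a real case): the inbox index cached Monday and
# Wednesday, the .edb record for the message in question, and the trade time.
SNAPSHOTS = [
    (T("2006-03-13T09:05"), {"Re: Q1 numbers": False, "Lunch?": True}),
    (T("2006-03-15T08:40"), {"Re: Q1 numbers": True, "Lunch?": True}),
]
EDB_MSG = {"subject": "Re: Q1 numbers", "is_read": True,
           "last_modified": T("2006-03-14T16:22"),
           "replied": False, "forwarded": False, "moved": False}
TRADE = T("2006-03-14T17:30")

def run_example():
    window = window_from_cache(SNAPSHOTS, "Re: Q1 numbers")
    estimate = estimate_from_edb(EDB_MSG)
    return window, estimate, evaluate_claim(TRADE, window, estimate)
```

Here the cache alone only narrows the open time to a two-day window that straddles the trade; the unrewritten .edb stamp is what pins it before the trade, and flipping the forwarded flag on the same record drops the verdict to inconclusive.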

  Stock Option Backdating

  Several articles by the Wall Street Journal in late 2005 and early 2006 raised serious questions regarding a number of apparently well-timed or fortuitous stock option grants to various corporate officers and directors of publicly traded companies. One of the articles, “The Perfect Payday,” cited significant research and analysis performed by a University of Iowa professor, which purported that option grants to officers and directors at many large public companies could not have been random and likely were the result of efforts to time or “backdate” the option grants to days when the company’s stock price was at a relative low.

  Stock options give the recipients the right to buy stock at a preset price called the exercise or strike price. Often that price is set the day the options are granted, with the right to exercise that option (that is, buy the stock at that price) usually not vesting with the individual for a period of time (usually a year or more). Intuitively, the lower the exercise price, the lower the amount the individual has to pay to exercise that option and buy the stock. For example, an option with an exercise price of $10 versus one with $20 can be significantly more valuable if at the time the option is exercised the value of the stock was $30 per share (that is, it would be $10 more valuable). The reports referenced by the Wall Street Journal implied that officers and directors at many of the companies in question had intentionally backdated option grants to periods when a company’s stock price was low to reap the additional benefits from a rebound or rise in the stock price over time.
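As an added example (not from the book or the research it cites), the core of the check behind that reporting: rank each grant-day close against the closes in the surrounding trading days and ask how likely randomly timed grants would be to land that low. The price series and grant dates are constructed.

```python
from datetime import date, timedelta

def grant_rank(prices, grant_day, half_window=10):
    """Rank of the grant-day close among the closes in a window of +/- half_window
    trading days. Rank 1 means the grant landed on the lowest close in the window.
    prices: {date: close}. Returns (rank, window_size)."""
    days = sorted(prices)
    i = days.index(grant_day)
    window = days[max(0, i - half_window): i + half_window + 1]
    p = prices[grant_day]
    rank = sum(1 for d in window if prices[d] <= p)
    return rank, len(window)

def flag_grants(prices, grant_days, half_window=10):
    """Score every grant and give the probability that uniformly random grant
    days would all score at least as low (product of rank/window over grants).
    Returns ([(grant_day, rank, window_size), ...], chance_if_random)."""
    results, chance = [], 1.0
    for g in grant_days:
        rank, n = grant_rank(prices, g, half_window)
        results.append((g, rank, n))
        chance *= rank / n
    return results, chance

def constructed_prices():
    """Constructed daily closes for 2005 weekdays (not real market data): a
    deterministic wobble between $25 and $35 with three engineered one-day dips to $15."""
    prices, d, i = {}, date(2005, 1, 3), 0
    while d.year == 2005:
        if d.weekday() < 5:
            prices[d] = 15.0 if i in (40, 120, 200) else 25.0 + ((i * 37) % 11)
            i += 1
        d += timedelta(days=1)
    return prices

def run_example():
    prices = constructed_prices()
    days = sorted(prices)
    # Three grants placed on the engineered dips plus one control grant on an ordinary day.
    grants = [days[40], days[120], days[200], days[160]]
    return flag_grants(prices, grants)
```

The three dip-day grants each rank first in their 21-day windows and the control grant ranks fifth, so the chance of that pattern under random timing is (1/21)^3 x 5/21, about 2.6e-5; on real data the same ranking is run over every grant a company made.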
