As with other types of fraud, attempts may have been made to conceal the existence of altered documents or inappropriate relationships, and this is where computer forensics often plays a substantive role. Other examples of specific areas that may yield results in an investigation of mortgage fraud include the following.
Check/Bank Statement Forgery
With the advent of “low doc loans,” demonstrating proof of income was significantly reduced. Where you once had to fill out books’ worth of forms relating to your assets, you now just needed a check stub and a printed bank statement. We have found in multiple investigations that the loan officer, due to job quotas and other pressures, decided to scan in these documents and change the numbers around to ensure that the person applying for the loan would, in fact, get approved.
Detecting Proof of Income Forgery
Follow the paper. Find out how the paper got into the computer and figure out how it got out. If the forgery involved a check stub, generally the stub would be scanned in and modified using a photo-manipulation tool such as Photoshop to bump up the claimed salary. This modified scan would then be printed out with the modified numbers and sent in as proof of income. Similarly, look for the same type of activity for any bank statements. Some have even gone so far as to type up completely forged letters from the employer stating the title and salary of the individual to justify the modified salary on the pay stub. The key is to look for the repository of these types of documents, or at the very least the process by which they were modified. Look at the User Assist logs and see what types of applications are clustered together (scan, modify, print, and so on) and when and how often they were run. If you have reason to believe that entire letters were forged, set up a keyword search using the individual’s name, employer, and any other types of unique identifiers and run them in the unallocated space to see what comes up.
Also, since check forgeries will generally involve images, think about performing data carving on the unallocated space and pagefile to see if any images remain on the system.
Communications Chatter
Rarely does this type of fraud occur in a vacuum, as much as those being investigated would like you to believe it does. As such, examining the communications among loan officers can provide vital insights into how these frauds may have been perpetrated and just how much formality went into them. While e-mail and chat searches have been discussed in the earlier parts of the book, several aspects of these types of investigations can help you speed up the process and better identify what you need to find.
What Communications to Look For
In our experience, those committing fraud within an institution that permits it will usually ask for advice as to how to set up the fraud or with case-specific issues. (For instance, Mr. Clark makes X number of dollars, but it takes Y to get the house. What’s the best way to manipulate the documents so that Mr. Clark appears to make Y?) In addition, the first thing you will hear when you walk in the door to perform one of these types of reviews is that a rogue agent was doing stuff on his own to keep his job. This is something that you will need to run down quickly, as it can affect the overall scope of the investigation.
Understand the timeframes in which these activities were supposedly occurring, not only timeframes in terms of years, but timeframes in terms of when the negotiations occurred and where it was most likely that these communications took place. Understanding the timeframe will help you focus on the pertinent e-mails. The suspect may think that doing it over the phone or using voicemail ensures that it’s not permanent. Also, some of the more “churn-and-burn” mortgage houses may have used call centers. If so, they probably had the phone calls of the officers recorded, just as with any other type of call center. You saw this phenomenon come to light with the investigation of Enron. The company recorded activity on the trading floor phones, and several of the conversations were used in the criminal trials to show the depths of the fraud.
Focus intently on the communications with an eye toward who else was involved. A single e-mail or chat log can change the complexion of the investigation.
Data Destruction
Throwing a single loan officer under the bus seems to go hand in hand with data destruction in these investigations. While it’s rare to find an institutional mandate to destroy data, we have found that sometimes when players get word that a subpoena is coming their way, they will take steps to “destroy” what they believe to be evidence that may incriminate them. Of course, whether it is actually destroyed is left up to the forensic investigator to decide. We have talked extensively throughout the book about how to detect data wiping and data destruction, but a few points unique to mortgage fraud are worth mentioning.
Data Destruction in Mortgage Cases
The key here is not to look for destruction only by those who are accused of the fraud, but also by those who associate with the suspects, such as supervisors. Check out these people to see if any surreptitious activities occurred around the same time as reports were being investigated. Also, if data destruction is found, pay close heed to what data was destroyed. In one of our investigations, the e-mails themselves were destroyed, but we were able to figure out by looking at residual metadata who the e-mails were to and what the subject lines and times were. That gave us two opportunities: we were allowed to retrieve those e-mails from the other inboxes; and, secondly and most important, we were able to ask the question of why the suspect was deleting those particular e-mails from those particular individuals, especially when it was supposedly a one-man “rogue” operation.
TYING IT TOGETHER
Consumer fraud is a pervasive and growing problem in the United States. With billions of dollars in fraud losses every year, various federal and law enforcement agencies have made combating consumer fraud a major initiative. However, with the ever-increasing use of e-mail and the Internet to commit fraud, as well as the complexity of the frauds being perpetrated and the ease by which documents can be altered or falsified, law enforcement and regulatory agencies have their work cut out for them. Increased investigative efforts have been underway for quite some time, as have efforts to broaden and strengthen the scope of applicable laws and regulations and the penalties for violating those laws.
As consumer fraud has become more sophisticated, so have the efforts to track, investigate, and uncover those frauds. The existing arsenal of computer forensics tools combined with skilled investigative techniques mean that many of these frauds can be uncovered and evidence identified to bring them to a halt and hold the guilty parties accountable for their actions. While frauds may become more complex and sophisticated, one fundamental truth remains: evidence always exists, and whether it’s in falsified information and documents or in separate sets of books and records, evidence is typically concealed in some way. It is the objective of skilled computer forensics specialists to assist in lifting the veil of that concealment.
APPENDIX
SEARCHING TECHNIQUES
Learning effective search techniques is one of the single most important things you can do as a forensic investigator. As anyone who has conducted an investigation on a large dataset can tell you, if you choose the wrong search criterion, you will either completely miss the data you are looking for or you will spend hours, if not days, searching through masses of false positives. To search effectively, you must consider not only the key phrases that you are looking for, but also the context in which they may be stored in the document. To search for the context as well as the keywords, you will have to understand something more than how to perform simple keyword searches.
REGULAR EXPRESSIONS
The easiest and quickest way to search effectively is by using regular expressions (regex). Most of the forensics tools available today support some subset of the regular expressions language. The most famous regex may be the old DOS holdover, *.*. To translate loosely, this means any amount and kind of characters, a period, and then any amount and kind of characters after the period.
Theory and History
If theory isn’t your thing, skip this section. Regular expressions were developed by an American mathematician named Stephen Kleene. They were created as a notation for an algebra that described what he called “the algebra of regular sets.” This was later placed into what became known as the Chomsky hierarchy of languages, which is a formal linguistics model that places every grammar from the regular expression language to the English language into a hierarchy. This hierarchy can then be used to tell how easy or how difficult it is to parse that grammar. Regular expressions are some of the easiest to parse, with the English language being one of the most difficult.
The Building Blocks
Before we start constructing regular expressions to see how powerful they are, let’s look at some of the common operators that will be the fundamental building blocks.
Constructing Regular Expressions
The following regex matches numbers in the format of currency ($2.50, for example). This shows that regular expressions can get messy and can become completely unreadable.
\$[1-9][0-9]*(\.[0-9]{2})?|\$0?\.[0-9][0-9]
Let’s work with the symbols listed in the preceding table to see how to create effective searching tools. The utility that will be used throughout this appendix is called grep, the open-source regex processor. It is extremely powerful and uses the same syntax used in Perl and other scripting languages.
Simple Text Matching
Let’s start by doing a simple keyword search. If, for instance, we want to search for all HTML files, we would use the following:
\.html
Note the use of the \ operator to escape the period (.), since the period itself is an operator. This works well enough for files ending in .html; however, some HTML files have the extension .htm as well as .html, so we want to be able to search for both. In this case, we want to use the | operator, so this becomes
\.html|\.htm
This will give us all the files ending in either .html or .htm. Now, to extend this regex a bit, let’s match only the files that are either index.htm or index.html. Two different regular expressions will match this:
index\.html|index\.htm
or
index\.(html|htm)
While the first example may be a bit easier to read, the second regex is less prone to error. We have also introduced the () operator. Think of this as the grouping operator. If we left it out, the regex would match either index.html or htm, but not index.htm:
index\.html|htm
A lot of your problems when debugging these regular expressions will come because you are not grouping correctly. Practice makes perfect.
A More Complex Example
Let’s construct an alternative regex to the one listed earlier that searched for financial numbers. First, we construct the regex to match $:
\$
Easy enough. Now to introduce the [] operator, which allows us to define a set of characters we want to match. To match a single digit, we use this regex:
[0-9]
This will match a number 0 through 9. Let’s combine the two regular expressions:
\$[0-9]
What we now have is a pattern that will match $1 or a dollar sign followed by any other single digit. However, there is a “gotcha” here. This will check only for one digit, not multiple digits. If we want to do that, we must add either a + or a * to the end, as shown:
\$[0-9]*
Now we have something that will match an arbitrary number of digits, but it will also match a bare $, since the Kleene star allows zero repetitions as a positive match. Be very careful when using repetition operators like this. In this case, to reduce the number of false positives, we actually want to use the + operator, not the * operator, to force at least one digit after the $.
\$[0-9]+
Say we want to enforce formatting where we know there is a decimal point and two trailing numbers ($250.00). To match this, we want to extend this regular expression a bit:
\$[0-9]+\.
This will match the ($250.) part of the number. To add in the two places after the decimal, we can do it in one of two ways:
\$[0-9]+\.[0-9][0-9]
or
\$[0-9]+\.[0-9]{2}
The introduction of the {} operator shows another way the regex can be shortened and made even more unreadable. The number inside the braces defines how many times the previous element can be repeated. In addition, if you want to do a range of repetitions, say two to four repetitions, you would write it like this:
\$[0-9]+\.[0-9]{2,4}
Here, the format is {x, y} with x being the minimum and y being the maximum number of occurrences.
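The following script is an added example, not code from the book: it runs the grouping regexes from the index.htm discussion and the currency regexes built up above through grep -E over constructed sample text, so the effect of the missing parentheses, the * versus + choice and the unescaped period can be seen as hit counts. The file names and document lines are constructed; grep -E is used because {} and | are extended-regex operators.

```shell
#!/bin/sh
# Added example, not from the book: run the appendix's regexes with grep -E
# over constructed sample text to show how grouping, the * vs + choice and the
# escaped "." change what is matched. All sample lines below are constructed.

# Constructed file names for the grouping example.
FILES='index.html
index.htm
about.htm
index.php'

# Constructed document text for the currency example.
TEXT='Loan amount $250.00 approved for Mr. Clark
Monthly income $4150.25 per pay stub
Total $ due at closing
Batch tag $12-34 printed
Fee of $25 waived
Balance $0.99 after fees
No dollar sign here 99.00'

# count_matches PATTERN TEXT: number of lines of TEXT matched by the ERE PATTERN.
count_matches() {
    printf '%s\n' "$2" | grep -E -c -- "$1"
}

# show_matches PATTERN TEXT: print only the matched fragments, one per line.
show_matches() {
    printf '%s\n' "$2" | grep -E -o -- "$1"
}

# Grouping: without (), the alternation is "index\.html" OR "htm", so about.htm
# is a false positive. With (), only the two index files match.
count_matches 'index\.html|htm' "$FILES"      # 3
count_matches 'index\.(html|htm)' "$FILES"    # 2

# Repetition: * accepts zero digits, so the bare "$" in "Total $ due" matches too.
count_matches '\$[0-9]*' "$TEXT"              # 6
count_matches '\$[0-9]+' "$TEXT"              # 5

# Escaping: an unescaped "." matches any character, so "$12-34" slips through.
count_matches '\$[0-9]+.[0-9]{2}' "$TEXT"     # 4
count_matches '\$[0-9]+\.[0-9]{2}' "$TEXT"    # 3

# The book's full currency regex also accepts whole dollars and sub-dollar amounts.
CURRENCY='\$[1-9][0-9]*(\.[0-9]{2})?|\$0?\.[0-9][0-9]'
show_matches "$CURRENCY" "$TEXT"   # $250.00 $4150.25 $12 $25 $0.99
```

Swap the constructed strings for a file of carved or exported text (`grep -E -o PATTERN file`) to see which fragments each pattern actually pulls from real data before committing to it as a search term.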
INDEX
A
Acceptable Use Policy (AUP), 98–99
access control lists (ACLs), 47
accounting fraud, 440–444, 468, 484–485
accounting ledgers, 468
accounting systems, 427, 484–485
ACLs (access control lists), 47
ACME Services case study, 2–3, 128, 340
acquisition host computers, 49
acquisitions, 64. See also collections; evidence
active files, 230–231
adders, 21–22
affidavits, 343, 350
alarms, 46
algebra of regular sets, 494
allocation file, 183
alternate data streams, 204
analysis host computers, 49–50
anti-forensic techniques, 197–219. See also encryption
alternate data streams, 204
compression methods, 202–203
encoding methods, 200–202
file extension renaming, 198–200
obscurity methods, 198–205
overview, 198
privacy measures, 205–219
slack space, 204–205
anti-static bags, 55
AOL e-mail, 257–261, 271
Apple Developer Community, 176
applications, 25, 122, 159, 194
archive management, 13, 18
Arthur Andersen firm, 438
artifacts
e-mail, 240, 244–265
Windows, 150–160
ASCII, 154
assets
corporate, 394–404
intangible, 381, 391
intellectual, 370
misappropriation, 421–427
non-traceable, 466, 467
physical, 370
resale of, 466
tracing, 426–427
asymmetric key encryption, 209–211
attributes file, 186
AUP (Acceptable Use Policy), 98–99
autoloaders, 226–227
B
backups
considerations, 16, 47, 95, 378, 452
data destruction and, 443
magnetic media, 26
Microsoft Backup, 236
tape, 32–35
wiped files and, 215–217, 407
backup tapes. See tapes
backward links (BLINKS), 184
BagsMRU key, 387
Bank Secrecy Act, 465
bank statement forgery, 489
BASH shell, 170
Basic Input and Output System. See BIOS
binary number system, 20–22
binary search trees, 232
BIOS (Basic Input and Output System), 24–25
BIOS information, 66
BIOS time, 66
birthday attack, 14
bit image copy, 178
Blackberry devices, 306, 307, 407
black box job, 110
Blink, Charlie, 128, 340
BLINKS (backward links), 184
BlueArc unit, 53
Boolean operations, 21–22
boot blocks, 184
boot disk, 71–92
bot-nets, 455–456
bot/remote control malware, 457–463
bribery, 428–431
browser bookmarks, cell phones, 334
burning CDs/DVDs, 384–385
C
cache. See also Internet cache; memory
detecting phishing access, 478–479
reconstructing activity (Firefox), 293–295
reconstructing activity (IE), 290–291
cache memory, 22, 24
Caesar cipher, 299
calendar events, 431
camera, 55
camera phones, 334–335
case management, 56–59
case studies
ACME Services, 2–3, 128, 340
analyzing data, 128–129
Blink, Charlie, 128, 340
case wrap up, 340
collections agency, 62
lab preparations, 2–3
using NetAnalysis, 296
catalog file, 186
CD-ROMs, 35–36, 132, 195
CDs, burning, 384–385, 410
cell phones
analyzing data on, 336–337
browser bookmarks, 334
calendar/to-do records, 334
cameras in, 334–335
collecting evidence on, 332–336
MMS data, 334
for mobile investigations, 50–51
models, 332–334
phonebook, 334
records, 431
smartphones, 407
SMS/EMS data, 334, 407
user-created files, 334–335
voice codec chip, 334
Cell Seizure, 337–338. See also Device Seizure
chain of custody
BIOS information, 66
described, 67
drive handling, 65–66
establishing, 16
evidence handling, 57–58
media handling, 66
traceable evidence and, 47
Chain of Custody form, 65–66
chat logs, 406
check fraud, 425–426, 489
Hacking Exposed Page 51