The Fraud Examiner

Tracing the Untraceable: A Fraud Examiner’s Guide to Digital Forensics

By Lindsay Gill, CFE
Director of Forensic Technology
Forensic Strategic Solutions, Inc.

We live in a world that is becoming more digital every day. From desktops and laptops, to tablets and smartphones — technology is all around us. This proliferation of technology presents new opportunities for fraudsters to commit and attempt to conceal fraudulent activity. While this issue can seem daunting, the digital trail they leave behind sets the stage for us as fraud examiners to connect the dots in ways we could not imagine just a few years ago. The ability to collect, analyze and interpret electronic evidence, often referred to as digital forensics, is becoming more prominent within the field of fraud examination. From knowledge of specific software and hardware tools to best practices for recovery and analysis methods, digital forensics is a powerful tool and skill for fraud examiners and investigators — if they know the right places to look.

Digital forensics tools

Data is the heart of a digital forensics case, but data is simply data. There are certain tools needed to collect, assess and interpret the information. Computer forensics provides the tools to collect and preserve legally admissible evidence from one or many computing devices. Once the data has been collected, the fraud examiner must be able to mine the data to extract and identify patterns and relationships within structured and unstructured data. Performing link analysis will help the examiner discover and evaluate relationships. Link analysis, in turn, often identifies new information and connections that require a return to data mining to further zero in or to extract additional information. Data mining and link analysis help reveal information that is nearly impossible to identify without the technology.

Leave no stone unturned

One of the greatest tips I can provide is to look everywhere. A common phrase is that things are often what and who you least expect. While that has proved true in many cases, sometimes things are obvious or made obvious by connecting seemingly unrelated information or data. Whether it be structured data like the company’s accounting system, or the unstructured data provided by email, voice communications, voicemail, text and instant messaging, it is important to truly look everywhere because you never know where you will find that missing piece of the puzzle. One of the places digital forensic experts are focusing their searches today is the world of social media. People tend to overshare locations and activities on social media accounts. Even when they don’t overshare, social media provides a host of searchable metadata such as timestamps and geolocation.


Technology provides digital DNA

The quantity and variety of digital information created daily by the typical person is growing exponentially. Think for a minute about the trail you generate daily — from every swipe of your credit, debit, ATM and security access cards to the texts, tweets, pictures, emails, logins, keystrokes, websites, downloads, phone calls, voicemails, photocopies, print jobs, blogs and posts — we all leave behind an astonishing electronic footprint that could tell a very compelling story. Despite a fraudster’s best efforts to cover their trail, they can rarely completely escape their digital footprint. Deleted does not mean destroyed. Deleted data can remain on the hard drive until it is overwritten by new data or “wiped” through the use of utility software. Fraudsters have also been known to attempt to hide incriminating evidence through encryption or to mask the data with false file extensions. For example, an Excel file may be marked with a .pdf or .jpg file extension rather than the .xlsx extension to throw off the fraud examiner. However, through the use of computer forensics, the entirety or a portion of the altered or deleted file may be recovered.
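A false extension changes only the file name, not the content, so comparing the name against the file's leading signature bytes exposes the mismatch. The sketch below is an added example, not part of the original article; the function names and the sample workbook are constructed for illustration, and the signature list covers only a few common formats.

```python
import io
import zipfile

# Leading "magic" bytes of a few common formats.
SIGNATURES = [(b"%PDF-", "pdf"), (b"\xff\xd8\xff", "jpg"),
              (b"\x89PNG\r\n\x1a\n", "png"), (b"PK\x03\x04", "zip")]
# OOXML files are ZIP containers; a member name tells them apart.
OOXML_MEMBERS = {"xl/workbook.xml": "xlsx", "word/document.xml": "docx",
                 "ppt/presentation.xml": "pptx"}
ALIASES = {"jpeg": "jpg"}

def _refine_zip(data: bytes) -> str:
    """Distinguish an Office document from a plain ZIP archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip"
    return next((k for m, k in OOXML_MEMBERS.items() if m in names), "zip")

def detect_type(data: bytes) -> str:
    """Type implied by the content itself, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return _refine_zip(data) if kind == "zip" else kind
    return "unknown"

def extension_mismatch(filename: str, data: bytes):
    """Return (claimed, actual) when name and content disagree, else None."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALIASES.get(claimed, claimed)
    actual = detect_type(data)
    return (claimed, actual) if actual not in ("unknown", claimed) else None

def make_sample_xlsx() -> bytes:
    """Constructed sample: only the members this check looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()
```

Calling `extension_mismatch("invoice.pdf", make_sample_xlsx())` reports that the file claims to be a PDF while its content is a workbook.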

When reviewing electronic evidence, you have access to much more than the content in the document itself. The person who edited a document and the computer used to make the edits are both types of metadata. The metadata in a document can reveal the name of the network server it was saved on, names of authors, document versions and more. In addition to identifying metadata, it may be possible to recover various versions of a file created on the device. This information can uncover discrepancies or lead you to fraudulent documents or a second set of books and data. Further examination of the computer may identify external devices that were connected to the computer. The identified external devices may provide another source of relevant evidence.
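For Office Open XML files (.xlsx, .docx, .pptx), the author, last editor, revision count and timestamps are stored in the `docProps/core.xml` member of the ZIP container. The following added example, which is not part of the original article, reads those fields and applies two illustrative consistency checks; the function names, the checks and the sample document are assumptions made for the illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "created": "dcterms:created", "modified": "dcterms:modified",
          "revision": "cp:revision"}

def core_properties(data: bytes) -> dict:
    """Read docProps/core.xml from an OOXML file (.xlsx, .docx, .pptx)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = zf.getinfo("docProps/core.xml")
        if info.file_size > 1_000_000:  # untrusted input: cap what is parsed
            raise ValueError("core.xml larger than expected")
        root = ET.fromstring(zf.read(info))
    return {key: root.findtext(path, default="", namespaces=NS).strip()
            for key, path in FIELDS.items()}

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def discrepancies(p: dict) -> list:
    """Illustrative checks; a hit is a lead to follow up, not a finding."""
    notes = []
    if p["creator"] and p["last_modified_by"] not in ("", p["creator"]):
        notes.append("last modified by someone other than the creator")
    if p["created"] and p["modified"] and _ts(p["modified"]) < _ts(p["created"]):
        notes.append("modified timestamp precedes created timestamp")
    return notes

def make_sample() -> bytes:
    """Constructed sample document; names and dates are invented."""
    core = ("<cp:coreProperties "
            + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">"
            "<dc:creator>A. Clerk</dc:creator>"
            "<cp:lastModifiedBy>B. Manager</cp:lastModifiedBy>"
            "<cp:revision>7</cp:revision>"
            "<dcterms:created>2023-03-02T09:15:00Z</dcterms:created>"
            "<dcterms:modified>2023-02-27T17:40:00Z</dcterms:modified>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

These fields are editable by anyone with the file, so treat them as leads to corroborate against file system timestamps and other sources rather than as proof on their own.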

Connecting the dots

The evidence necessary to connect the who, what, when, where and why of a fraud examination is increasingly contained in electronically stored information. While having the tools to find the answers buried in the mountains of data is invaluable in today’s digital world, don’t forget that your expertise is still needed to tie it all together.
