
It's All Digital Now: Computer Forensics Training a Necessity


Computer forensics investigations must be a critical component of your tool kit. Constant training will help you hire experts, find digital evidence, and prepare for a judge and jury. You need to realize what you don’t know and seek the training to fill the gaps.

Sam, a new internal auditor at Wannamaker Construction, suspected that Evan, an accountant, was embezzling from the company. Sam had to find evidence on Evan’s desktop and laptop computers to prove his case in court. While he was confident his computer skills were sufficient, Sam decided to hire an external digital forensics firm anyway to ensure a clear-cut case. He hired XSteronics, a digital forensics firm he found in the phone book. 

After work on a Friday evening, Sam met Duke, a digital forensics examiner from XSteronics, and led him into Evan’s office. Duke accidentally tripped over the electric cord to Evan’s desktop computer, causing it to turn off. He quickly switched it back on and began copying Word documents and Excel spreadsheets onto his laptop. Evan had left his laptop on his desk, so Sam began copying files from it onto his thumb drive. At 7 p.m., Duke and Sam shut off the computers and left.

Sam thought he’d collected enough digital evidence to criminally prosecute Evan. But shortly before Evan’s trial, his defense attorney discovered sloppy digital forensic methods, which ultimately “spoliated,” or tainted, Evan’s files:

  • Duke shut down and restarted Evan’s computer.
  • Duke didn’t make a “bit-for-bit,” exact-replica image of Evan’s hard drive using specialized software and hardware.
  • Sam incorrectly copied files off Evan’s laptop onto a thumb drive.

Duke and Sam also didn’t inspect Evan’s office for other electronic devices such as MP3 players, thumb drives, or digital cameras. Evan’s attorney discovered that XSteronics had hired Duke, a convicted felon, because of his illegal hacker expertise – a fact the company hadn’t shared with Sam. The judge didn’t allow Duke to testify and eventually dismissed the case for lack of evidence.
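The three errors in the list above are all acquisition failures: the original was altered, no complete copy was made, and what was copied could not later be shown to match the source. The Python below is an added illustration of the correct sequence, not code from the article or from any tool its sources use: a byte-for-byte copy of the medium, independent hashes of the original and of the image, and a written custody record. The “drive” it images is a constructed file of random bytes; a real acquisition reads a device behind a hardware write blocker, which this example does not model.

```python
"""Bit-for-bit acquisition with hash verification and a custody record.

Added example, not code from the article or from any vendor tool it mentions.
The 'drive' is a constructed file of random bytes; a real acquisition reads a
device node behind a hardware write blocker, which this does not model.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024             # read 1 MiB at a time; never load the medium into memory
ALGORITHMS = ("md5", "sha256")  # two digests, as most imaging tools record


def hash_file(path, algorithms=ALGORITHMS):
    """Stream a file through the given hash functions; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image_path, log_path):
    """Copy every byte of `source` to `image_path`, hashing the stream as it is read.

    The source is opened read-only and is never written to. After the copy the
    image file is re-read and hashed independently, so the record shows that
    what landed on disk equals what was read, not merely what was buffered.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            size += len(block)
            for h in hashers.values():
                h.update(block)
    record = {
        "source": source,
        "image": image_path,
        "bytes": size,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    record.update({f"source_{n}": h.hexdigest() for n, h in hashers.items()})
    record.update({f"image_{n}": v for n, v in hash_file(image_path).items()})
    record["verified"] = all(record[f"source_{n}"] == record[f"image_{n}"] for n in ALGORITHMS)
    # Append-only custody log: one JSON line per acquisition.
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (before analysis, before court) and compare to the record."""
    return hash_file(image_path, ("sha256",))["sha256"] == expected_sha256


def demo():
    """Constructed run: image a fake 3 MiB drive, verify it, then show a single changed byte fails."""
    work = tempfile.mkdtemp(prefix="acq_")
    drive = os.path.join(work, "evidence_drive.bin")
    with open(drive, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))   # deliberately not a whole number of chunks
    image = os.path.join(work, "evidence_drive.dd")
    log = os.path.join(work, "custody.jsonl")

    record = acquire_image(drive, image, log)
    clean = verify_image(image, record["source_sha256"])

    # Flip one byte of the image: the kind of silent change a restart or a stray write makes.
    with open(image, "r+b") as fh:
        fh.seek(4096)
        original = fh.read(1)
        fh.seek(4096)
        fh.write(bytes([original[0] ^ 0xFF]))
    tampered = verify_image(image, record["source_sha256"])

    return {"bytes": record["bytes"], "verified_at_acquisition": record["verified"],
            "verifies_clean": clean, "verifies_after_change": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody record is what a defense attorney will test: the recorded source hash, the recorded image hash, and a fresh hash taken on the day of analysis must all agree. The demo shows why copying individual files off a running machine fails that test; one changed byte anywhere on the medium and the image no longer verifies.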

MISTAKES OF THE UNTRAINED 

Experienced computer forensics examiners interviewed for this article said that most fraud examiners won’t commit all of Sam’s serious sins in the opening composite case. But they agree that all of us must have current computer forensics skills in our tool kits.

“These abilities are just as important for fraud examiners as skills in interviewing, investigating financial transactions, or surveillance,” said ACFE’s Education Manager Allan Bachman, CFE. “Current computer forensics skills have to be integrated into every fraud examination and ingrained into our everyday thinking.”

The experts believe that we must seek regular training in the best practices of computer forensics training because of:

  • The proliferation of digital data
  • Advances in software and hardware
  • Ever-changing fraudsters’ tactics including manipulation and duplication of files
  • Easy retrieval of e-mail communications
  • The necessity of intelligently and effectively communicating with in-house and hired forensics experts

“The volume of data we’re facing in most fraud examinations today has just exploded,” said Walt Manning, CFE, EnCE. “If you were in a position to read every single word of every single electronic file or e-mail message, you probably wouldn’t have enough staff or resources to complete your examination in a timely manner. So fraud examiners need to learn techniques that filter down huge volumes of data and focus only on the information that will produce the evidence they need.”

Jim Butterworth, EnCE, GCIA, GSNA, GREM, senior director of cyber security for Guidance Software, said 95 percent of all business correspondence and documents exist in electronic form.

“So it’s no surprise that most fraud examinations have high-tech angles – whether it’s looking through e-mails trying to find some side-letter sales deals or searching Excel documents to discover some back-end spreadsheet manipulation,” he said. “The bottom line is that everybody uses computers and digital devices.”

Butterworth recently completely revised and updated the ACFE’s seminar, Introduction to Digital Forensics: Gathering and Preserving Electronic Evidence, which he teaches.

Fraud examiners, according to Manning, need to know enough about current techniques and technological developments to find evidence that will effectively make their cases. “And if you’re interviewing people with technical backgrounds, you’re going to have to speak the tech language just to know what questions to ask them and to understand the answers,” he said.

Manning, who wrote the first ACFE computer fraud course with Nancy Bradford, CFE, CPA, in the mid-1990s, teaches the new intermediate-level ACFE seminar, Digital Forensic Tools and Techniques. Jean-François Legault, CISSP, CISA, CISM, GCIH, GCFA, also teaches the course.

Manning said the digital forensics field, which only dates back to the early 1990s, is leaving its infancy and is now in an intermediate stage. In the early days of the profession, fraud examiners had to do most forensic investigations themselves with off-the-shelf consumer software, but now there are many who have the expertise to work with the more advanced and sophisticated tools. However, some examiners simply don’t understand the fundamentals of the science, he said.

“I know of one group that came in during an investigation and imaged some computers, but they actually turned on the computers to do it,” Manning said. “When you turn on a computer, especially in a Windows environment, you change information – possibly thousands of files on a hard drive. This group had training, but they weren’t using it.”

Manning said organizations these days have no excuse for conducting sub-par computer forensics investigations.

“Digital forensics is now a science with high standards,” he said. “That’s why we have established procedures and methodologies – best practices – that we use for every investigation. The field is a deep resource for fraud examiners.”

Legault said fraud examiners need to understand not only where the data resides in their companies and the ways in which it can be extracted, but how they and their forensics experts can smartly zero in on evidence.

“If you’re examining a file server that has 200 gigs of files, are you going to open up each of these files one by one and review them?” he asked. “Or are you going to apply some advanced search algorithms – specific sets of instructions – to files and discover data that will contain evidence?

“Many forensics accountants and fraud examiners are realizing how critical digital evidence is, and they want to learn how to communicate their cases to digital forensic examiners so they can pull the relevant information for them,” Legault said.

Legault is senior manager, analytic & forensic technology, with Deloitte & Touche in Montreal, Canada, and author of the Digital Fingerprints column in Fraud Magazine.
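Legault’s 200-gigabyte file server and Manning’s point about filtering huge volumes describe the same working method: remove what cannot be evidence before anyone reads anything. The Python below is an added illustration of that method, not code from the article, the ACFE course or any tool the speakers use. It drops files whose hash matches a known-good set (the idea behind vendor reference hash sets; the set here is built from one constructed stand-in file), collapses exact duplicates by hash, and then searches what remains for specific, case-driven terms. All paths, file contents and search terms are constructed.

```python
"""Triage before review: cut a large file set down to what deserves an examiner's eyes.

Added example; not code from the article, the ACFE course or any tool the
speakers use. All paths, file contents, hash-set entries and search terms
are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_good, terms):
    """Walk `root` and return a report of what was skipped and which files hit which terms."""
    report = {"scanned": 0, "known_good": 0, "duplicates": 0,
              "hits": {term: [] for term in terms}}
    seen = {}                               # hash -> first path seen with that content
    lowered = [t.lower() for t in terms]    # case-insensitive match
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            report["scanned"] += 1
            digest = sha256_of(path)
            if digest in known_good:        # shipped-with-the-OS or vendor file: not evidence
                report["known_good"] += 1
                continue
            if digest in seen:              # same bytes already reviewed under another name
                report["duplicates"] += 1
                continue
            seen[digest] = path
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore").lower()
            for term, lt in zip(terms, lowered):
                if lt in text:
                    report["hits"][term].append(
                        os.path.relpath(path, root).replace(os.sep, "/"))
    for hits in report["hits"].values():
        hits.sort()
    return report


def build_sample():
    """Constructed file-server slice: one vendor binary, a memo, a ledger and a duplicated forecast."""
    root = tempfile.mkdtemp(prefix="triage_")
    files = {
        "sys/notepad.exe": b"MZ constructed stand-in for a vendor-shipped binary",
        "docs/memo.txt": b"Lunch is moved to Friday.",
        "docs/q3_forecast.txt": b"Q3 forecast. Side letter to the customer promises a rebate after close.",
        "docs/q3_forecast_backup.txt": b"Q3 forecast. Side letter to the customer promises a rebate after close.",
        "docs/ledger.txt": b"Transfer to offshore account 9921 per the side letter of 14 March.",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    # Constructed known-good set: in practice this comes from a reference hash database.
    known_good = {sha256_of(os.path.join(root, "sys", "notepad.exe"))}
    return root, known_good


def run_sample():
    """Run the triage over the constructed sample with specific, case-driven terms."""
    root, known_good = build_sample()
    # Specific terms, as the article recommends; a generic word such as "account" would drown the reviewer.
    return triage(root, known_good, ["side letter", "offshore account"])


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

On the constructed sample, five files shrink to three that need reading and two that carry hits. The same two filters scale to a real server because both are hash lookups that never require opening the content; only the surviving files are decoded and searched.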

FINDING THE RIGHT EXPERT 

When selecting a digital forensics firm, Butterworth says fraud examiners need to:

  • Look for a specialist who can handle specific types of investigations
  • Request proof of examiners’ training, experience and certifications
  • Seek other fraud examiners’ recommendations
  • Choose a company that employs bonded experts
  • Ensure your choice has documented processes for handling electronic evidence

“You want to find experts who will be able to find evidence that stands up in court,” Butterworth said. “They must understand evidentiary chain of custody, the latest data-gathering techniques, and how to preserve evidence intact. You would hate to have a slam-dunk case be thrown out because you couldn’t even introduce the evidence due to something you or your expert did during the process.”

(See the sidebar below for additional steps to take when hiring a digital forensics examiner.)

NEXT MOVES 

You’ve hired an experienced, trained digital forensics expert with excellent references. Now what?

“Communication between the hired forensic examiner and the client is absolutely critical so everyone is on the same page,” Manning said. “All have to agree on the type of analysis and its scope. The search terms the client provides the digital examiner must be specific and not generic.”

Manning said companies tend to underestimate the amount of time a forensic analysis will take.

“Some expect that digital examiners have a button on their devices labeled ‘Evidence’ and all they have to do is press it and the job is done,” he said.

In some deeper-level cases, the process can take “hours and hours and hours” to inspect huge volumes of electronic data to find responsive evidence, Manning said, “so a good digital examiner must tell the client that an investigation might yield good results, but it could be laborious and costly.”

Butterworth said fraud examiners must always think of the end result: finding enough scientifically validated evidence that will stand up in court.

“From the first second of a digital investigation, I’m always thinking that this evidence could end up in front of a jury,” he said.

Manning said a good computer forensics examiner will document everything “in very excruciating detail” because defense attorneys will do everything to discredit evidence.

Butterworth said he doesn’t believe there are enough trained and skilled computer forensics examiners in the marketplace. “I’m not recruiting, but we can always use people in the field no matter their ages or backgrounds,” Butterworth said. “People in the digital forensics profession are former law enforcement, military, or IT workers who end up in the security world. Many experienced fraud examiners could move into this field.”

USING ALL TOOLS TO FIND FRAUDSTERS 

Manning, Butterworth, and Legault are all on the same mission: to learn the latest on catching fraudsters by using the most sophisticated digital investigative tools, then passing that knowledge on to fraud examiners and forensic accountants. But the process involves much more than rote memorization of the latest techniques, they say.

“Computer fraud is still people fraud,” Legault said. “We can’t forget that; there’s always somebody behind the computer or digital device, and we need to understand that person as much as the evidence we collect. The highest-end technology you’ll use in a fraud examination is still the human mind.”

Legault said fraud examiners must still use all the classic ACFE investigative tools to complete their cases.

“The skills, expertise, and experience you’ve accumulated are still crucial,” he said.

Manning says “it really boils down to something much more basic than technology; it’s pitting yourself against the bad guys and using the tools and expertise to catch them and bring them to justice and stop fraud that’s ruining people’s lives.” However, he says, if fraud examiners don’t seek computer forensics training, then the bad guys – as Sam, the internal auditor at Wannamaker Construction, discovered – will live another day to defraud.

Dick Carozza is editor-in-chief of Fraud Magazine.


ACFE Expands Computer Forensics Training 

The ACFE has completely revamped its two computer forensics seminars to provide fraud examiners with the most current information and techniques. 

“The ACFE is developing its computer-forensics-related curriculum to be more in line with the times,” said ACFE’s Education Manager Allan Bachman, CFE. “Computer forensics is a component of fraud examinations. A fundamental knowledge and understanding of the ‘who, what, when, where, how, and why’ of this science are important building blocks in a fraud examiner’s tool kit.”

Bachman said the ACFE doesn’t necessarily see it transforming its members into computer forensics scientists, “but we realize many CFEs and others who do fraud examinations and even auditing will have to work closely with this technical skill set at some point.

“This will include how these specialists work with the hardware and software tools they bring to bear in a fraud examination,” he said. “Fraud examinations become more effective and efficient when fraud examiners and computer professionals understand each other’s goals and objectives.”

The ACFE not only updated the original Introduction to Digital Forensics seminar, but revised it to cover most of the fundamentals in a survey course, he said.

“We now pick up in the intermediate seminar, Digital Forensic Tools and Techniques: Taking Fraud Examination to the Next Level, where the introductory seminar leaves off,” Bachman said. “We develop in greater depth many of the areas briefly covered in the basic course. Both seminars have major case study components as critical components of the learning objectives.”

The ACFE is considering an advanced course, he said, which will take the fraud examiner even further into the world of computer forensics.

Bachman was an internal auditor for more than 30 years before joining the ACFE staff, and he has a master’s degree in information systems. His experience has taught him that fraud examiners need constant computer forensics training. 

“When I first started I had to laboriously paw through file cabinets and desk drawers looking for documentation that either proved or disproved my case,” he said. “Now all these materials are resident on computer hard drives and other electronic media or even in deleted files themselves, not to mention the multitude of formats they might come in. Finding evidence can be both harder and easier if you know what you’re doing.”

He said the days of fraudsters using white-out and sloppy copies of financial documents are over. “Finding what you need has become if not harder then certainly more complex,” he said. “But this change has made our lives as fraud examiners much more exciting because the processes and tools to uncover these documents are phenomenal, and they get the job done.”

The ACFE seminars teach attendees not only what they need to know, but “more importantly, to recognize what they don’t know and where to locate the expertise they need to complete their work when they enter the gray areas of their fraud examinations,” Bachman said. “This isn’t a static field; the seminars encourage additional learning and reading.”

Here are some of the components of the two seminars:

Introduction to Digital Forensics: Gathering and Preserving Electronic Evidence 

  • Computer Forensics Examination Process
  • Case Law and Guidelines for Industry
  • Digital Documents, Correspondence, and Communication
  • Working with the Digital Forensic Examiner: Asking the Right Questions to Get What You Want

Digital Forensic Tools and Techniques: Taking Fraud Examination to the Next Level 

  • Forensic Methodology and Logistics
  • Understanding File Systems
  • Analyzing Windows Systems
  • Forensic Equipment and Software
  • Data Acquisition Methods
  • Mobile Phone and PDA Forensics
  • Search and Analysis Strategies
  • Tracking Internet Activities and Tracing E-mail

For more information on these and other courses, see “Training & Events” on www.ACFE.com or call +1 (512) 478-9000, or toll-free (800) 245-3321 (U.S. and Canada only) to register by phone.


How to Prepare for Hiring a Computer Forensics Examiner 

The following is excerpted and adapted from the course materials of the ACFE seminar, Introduction to Digital Forensics: Gathering and Preserving Electronic Evidence. 

After you determine that you’ll be augmenting your investigation with a digital forensics expert, you should go through a vetting process to decide which expert to hire.

QUESTIONS TO ASK  

For-hire outfits conduct quite a few investigations. The absolute first step that needs to be performed is a conflict check. Unless the court is going to assign a special master for the forensics investigation, you’ll need to find out if your expert has a conflict of interest.

Interviewing the Experts

You can learn a great deal about experts during phone conversations or over lunch. Try to determine how experts will appear on the stand. Are they composed, calm, and well-spoken? Talk to them in generic terms about previous cases, the types of matters, and the specific impact they had during the proceedings. Were they assigned as lead examiner, or did they play a supporting role? Do the expert firms have legal teams that can represent and advise your company on matters that arise during the examination? Do the experts have adequate insurance and/or bonding? Can they explain technical elements so that all can understand? What are their rates and what percentage will they require up front?

Ask them for advance copies of their contracts or copies of previous written reports. A cursory look at their documentation should give you a level of comfort that the experts’ qualifications will stand up to scrutiny should you end up in litigation.

INFORMATION THE EXPERTS WILL NEED FROM YOU 

Be prepared to answer a lot of preliminary questions. If the matter is sensitive, ask the experts to sign nondisclosure agreements; don’t discuss details of the case until the experts sign them. Without such an agreement, the end client might not allow any discussion about the matter. In that event, a simple description like “IP theft” or “stock back-dating” might suffice. These explanations let the experts know the type of matter and provide preliminary estimates of how long it will take to complete.

The prospective experts will want to know:

  • How many and what types of computers are involved
  • The size of the hard drives
  • The types of operating and file systems in use
  • If an e-mail server is involved
  • Internet history
  • Deleted file recovery

Each of these considerations will affect the time required to complete the investigation. Experts will need to know up front your timeline for deliverables. Computer forensics often requires time to carve through data. You can’t speed up a processor, but adding more machines and processing power can speed up the process.

SURVEYING SYSTEMS INVOLVED 

Prospective experts will ask about the subject’s electronic equipment. You don’t need to know the exact hardware specifications or the exact versions of installed software, just a high-level description of the environment. For example:

“The client’s network consists of about 500 computers. There are about 10 Windows servers, one SCO Unix server, and one VPN server. The subject of this investigation is a VP of the company. He uses an older laptop and his secretary uses a workstation. The VP has a VPN account and two e-mail accounts: his main account and one under an alias. The secretary routinely accesses and sends e-mails on his behalf and has the same level of access to the network as the VP. He also has a Blackberry. His laptop runs Windows Vista and was purchased about four months ago.”

Here’s what the above information means to the examiner:

  • We have to examine an Exchange server and up to two Outlook PSTs.
  • The laptop likely has a removable hard drive.
  • The laptop’s hard drive likely has a minimum of 120 gigabytes.
  • The laptop’s hard drive spins at 5400 RPM so imaging will take longer than a newer model.
  • The secretary also will need to be investigated, which will require additional effort.
  • We need to image and analyze the Blackberry.
  • We need to check the VPN access logs.
  • We need to conduct a link-file analysis to check server access.


The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
