From Inside the Building

By Rumbi Petrozzello, CFE, CPA/CFF
2017 Vice-President – Central Virginia Chapter ACFE

Several months ago, I attended an ACFE session where one of the speakers had worked on the investigation of Edward Snowden. He shared that one of the ways Snowden had gained access to some of the National Security Agency (NSA) data that he downloaded was through the inadvertent assistance of his supervisor. According to this investigator, Snowden’s supervisor shared his password with Snowden, giving Snowden access to information that was beyond his subordinate’s level of authorization. In addition to this, when those security personnel reviewing downloads made by employees noticed that Snowden was downloading copious amounts of data, they approached Snowden’s supervisor to question why this might be the case. The supervisor, while acknowledging this to be true, stated that Snowden wasn’t really doing anything untoward.

At another ACFE session, a speaker shared information with us about how Chelsea Manning was able to download and remove data from a secure government facility. Manning would come to work wearing headphones, listening to music on a Discman. Security would hear the music blasting and scan the CDs. Day after day, it was the same scenario: Manning showed up to work, music blaring. Security staff grew so accustomed to Manning, the Discman and her CDs that when she came to work through security with a blank CD boldly labelled “LADY GAGA”, security didn’t blink. They should have, because it was that CD and ones like it that she later carried home from work that contained the data she eventually shared with WikiLeaks.

Both these high-profile disasters are notable examples of the bad outcome arising from a realized internal threat. Both Snowden and Manning worked for organizations that had, and have, more rigorous security procedures and policies in place than most entities. Yet neither Snowden nor Manning needed to perform any magic tricks to sneak data out of the secure sites where the target data was held; it seems that all it took was audacity on the one side and trust and complacency on the other.

When organizations deal with outside parties, such as vendors and customers, they tend to spend a lot of time setting up the structures and systems that will guide how the organization will interact with those vendors and customers. Generally, companies will take these systems of control seriously, if only because of the problems they will have to deal with during annual external audits if they don’t. The typical new employee will spend a lot of time learning what the steps are from the point when a customer places an order through to the point the customer’s payment is received. There will be countless training manuals to which to refer and many a reminder from co-workers who may be negatively impacted if the rookie screws up.

However, this scenario tends not to hold up when it comes to how employees typically share information and interact with each other. This is true despite the elevated risk that a rogue insider represents. Often, when we think about an insider causing harm to a company through fraudulent acts, we tend to imagine a villain, someone we could identify easily because s/he is obviously a terrible person. After all, only a terrible person could defraud their employer. In fact, as the ACFE tells us, the most successful fraudsters are the ones who gain our trust and who, therefore, don’t really have to do too much for us to hand over the keys to the kingdom. As CFEs and Forensic Accountants, we need to help those we work with understand the risks that an insider threat can represent and how to mitigate that risk. It’s important, in advising our clients, to guide them toward the creation of preventative systems of policy and procedure that they sometimes tend to view as too onerous for their employees. Excuses I often hear run along the lines of:

• “Our employees are like family here, we don’t need to have all these rules and regulations.”

• “I keep a close eye on things, so I don’t have to worry about all that.”

• “My staff knows what they are supposed to do; don’t worry about it.”

Now, if people can easily walk sensitive information out of locations that have documented systems and are known to be high security operations, can you imagine what they can do at your client organizations? Especially if the employer is assuming that their employees magically know what they are supposed to do? This is the point that we should be driving home with our clients. We should look to address the fact that both trust and complacency in organizations can be problems as well as assets. It’s great to be able to trust employees, but we should also talk to our clients about the fraud triangle and how one aspect of it, pressure, can happen to any staff member, even the most trusted. With that in mind, it’s important to institute controls so that, should pressure arise with an employee, there will be little opportunity open to that employee to act. Both Manning and Snowden have publicly spoken about the pressures they felt that led them to act in the way they did. The reason we even know about them today is that they had the opportunity to act on those pressures. I’ve spent time consulting with large organizations, often for months at a time. During those times, I got to chat with many members of staff, including security. On a couple of occasions, I forgot and left my building pass at home. Even though I was on a first name basis with the security staff and had spent time chatting with them about our personal lives, they still asked me for identification and looked me up in the system. I’m sure they thought I was a nice and trustworthy enough person, but they knew to follow procedures and always checked on whether I was still authorized to access the building. The important point is that they, despite knowing me, knew to check and followed through.

Examples of controls employees should be reminded to follow are:

• Don’t share your password with a fellow employee. If that employee cannot access certain information with their own password, either they are not authorized to access that information or they should speak with an administrator to gain the desired access. Sharing a password seems like a quick and easy solution when under time pressures at work, but remind employees that when they share their login information, anything that goes awry will be attributed to them.

• Always follow procedures. Someone looking for an opportunity only needs one.

• When something looks amiss, thoroughly investigate it. Even if someone tells you that all is well, verify that this is indeed the case.

• Explain to staff and management why a specific control is in place and why it’s important. If they understand why they are doing something, they are more likely to see the control as useful and to apply it.

• Schedule training on a regular basis to remind staff of the controls in place and the systems they are to follow. You may believe that staff knows what they are supposed to do, but reminding them reduces the risk of them relying on hearsay and secondhand information. Management is often surprised by the gap between what they think staff knows and what staff really knows.

It should be clear to your clients that they have control over who has access to sensitive information and when and how it leaves their control. It doesn’t take much for an insider to gain access to this information. A face you see smiling at you daily is the face of a person you can grow comfortable with and with whom you can drop your guard. However, if you already have an adequate system and effective controls in place, you take the personal out of the equation and everyone understands that we are all just doing our job.

Small Scale Electronic Crime Scenes

Most frauds aren’t Enron. As the ACFE tells us, most frauds encountered by practicing CFEs are what I like to call “small crime-scene frauds” perpetrated by long-time employees like Mary, who works in a back office keeping the books, knows everything about the company, and has been quietly embezzling lesser amounts of company funds without detection for the last fifteen years. In today’s environment, Mary will be doing her work on a desktop computer, probably connected to a small network with internet access. Mary’s workstation and the simple network supporting it constitute an electronic crime scene to be investigated as thoroughly and with as much attention to detail as possible, and accompanied by a full set of investigative documentation, if there is ever to be any hope of obtaining a conviction (should Mary’s employer, your client, finally decide to go that way).

It goes without saying that the investigator or team of investigators to any crime scene, large or small, have the primary responsibility of protecting all the computer and related electronic evidence that might be useful in a future civil or criminal action. Evidence is where the CFE or other investigators find it. While crime scene evidence from personal and property crimes might be in plain view, computer and electronic evidence is subtler and might not be as evident or obvious at the scene.  In general, first responders at any scene can destroy critical latent evidence if they lack training in the proper identification, collection, and packaging procedures for the type of investigation. This means that both corporate security departments and law enforcement agencies routinely involved in such investigations specially train their personnel in computer and electronic investigative techniques. Much of the potential evidence at a small-scale scene might be circumstantial, but it could possibly be used to support the primary physical and direct evidence that a detailed investigation will later develop. A list of inappropriate purchases and related amounts found on Mary’s workstation at the crime scene could be persuasive to a jury if properly obtained.

Thus, education and preparation are major components of any successful crime scene search for electronic evidence. However, our corporate clients need to be made aware of what all law enforcement agencies know, that in-house or external security personnel, whose background might sometimes even include the performance of criminal crime scene searches, are usually not qualified for large or small-scale computer crime scene searches.

The basic steps involved in a small-scale computer site investigation include the following:

–Secure and protect the scene;
–Initiate a preliminary survey;
–Evaluate physical evidence possibilities;
–Prepare a narrative description;
–Take photographs of the scene;
–Prepare a diagram/sketch of the scene;
–Conduct a detailed search and record and collect physical evidence;
–Conduct a final survey;
–Release the crime scene.

Although a number of these steps also apply to crime scene searches for crimes involving misdemeanors and felonies, the orientation of their performance in the investigation of an electronic crime scene is more technical in nature. When a computer or some electronic device is suspected of having been used as a tool in the perpetration of a crime, normal evidence gathering techniques for computer forensics processing should always be followed. It does not matter whether the crime scene is also suspected of having been additionally involved in a separate fraud issue, a civil, or a criminal investigation; if a computer or other electronic device is involved, the steps will be the same in all cases.

It is also essential that the organization’s computer personnel be excluded from the crime scene. Most computer specialists are not familiar with computer forensics techniques and individuals among them could have been involved in the crime, wittingly or unwittingly. Additionally, security must be provided for the area while the investigation is proceeding. Any employees or visitors who subsequently enter the scene need to be identified.  Try to identify in writing anyone who has routine access to the site or anyone who might have a reason to be involved with the scene generally. Do not rely on your memory alone, as it will not sufficiently support you in a court of law.

Computer and electronic evidence usually takes on the same general forms with which we’re all familiar: computer hardware, peripherals, cell phones, hand-held devices, various storage media, digital cameras, and the list goes on. The investigator will have a general knowledge of the types of evidence that can be collected from each of these devices; however, s/he must be prepared for new devices showing up at any crime scene at any time. A cautious walkthrough is a good first step to get a feel for the complexity of the site. In addition to a workstation, several additional workstations or areas might become part of the investigation. Keep in mind that, due to the networking configurations of even today’s smallest systems, remote sites may well be involved in the investigation.

The investigator(s) should strive to maintain a continuing level of control of the situation and of the physical site during the investigation.  An inventory log and chain-of-custody form should be completed and photographs made of all relevant devices and related electronic evidence. Specific activities that might be included in this phase of the investigation include:

–Determination of all the locations that might need to be searched;
–Identification of any specific issues that need to be addressed relating to particular pieces of hardware and software;
–Identification of any personnel and equipment needed for the investigation but not yet on-site;
–Determination of which devices can be physically removed from the site;
–Identification of all individuals who have had access to the computer or electronic resources material to the investigation.

The evaluation of physical evidence is a continuation of the preliminary survey and may not be perceived as a separate step. After the site is thoroughly photographed, a more detailed search can begin. Before any devices are handled, remember that fingerprints on them might become evidence in establishing who used these devices. The smallest, most insignificant-appearing piece of evidence might clinch a case. Any network capability and connections to the computer site must be identified. Networking can broaden any investigation considerably. If there is an internet connection, it can become a worldwide investigation involving various internet service providers and the possibility of subpoenas. Cell-phone evidence may involve various telephone network carriers and additional subpoenas. Prioritize the evidence collection process to prevent loss, destruction, or modification. Focus first on items easily identifiable and accessible and proceed to identified out-of-sight evidence. Look for the obvious first; the suspect might have been sloppy.

A journal or narrative must be prepared concerning the investigation and the crime scene search. Anything and everything is important when conducting the scene investigation. Remember that the defense attorney is going to query any witnesses on the most obscure item possible. A technique suggested by the ACFE is to represent crime scenes in a “general to specific” scheme. Describe the site in broad terms and then get very specific with details. A sound idea is to cross-reference a chronological journal with the photographic evidence and a chain-of-custody form. The narrative effort should not degenerate into a sporadic and unorganized attempt to recover physical evidence. Under most circumstances, evidence should not be collected while developing the narrative. The narrative process can be accomplished by using audio, video, or text. Remember the axiom “haste makes waste.”

Developing a photographic profile of the crime scene is a requirement for any computer forensic investigation, no matter how small. Photographs should be taken as soon as the incident scene is secured and before any computers or electronic devices are moved. Photographs should be taken from all angles of the physical site. Close-ups of cable connections for all devices should be included. Note that these cables will need to be separately tagged in another step. Any video screens displayed should be photographed. The photographic effort needs to be recorded in a photographic log. Photographs should be taken as soon as possible to depict the scene as it is observed before anything is handled, moved, or introduced to the scene. Photographs provide a permanent visual record of the crime scene and of the items of evidence collected from it.

A diagram or sketch establishes a permanent record of items, conditions, and distance/size relationships. They also supplement the photographic record. Usually a rough sketch is drawn at the crime scene and is used as a model for a complete, formal document that would be completed later. The sketch can be coordinated with any logs or journals via a numbering scheme. Sketches are used along with the reports and photographs to document the scene. A crime scene sketch is simply a drawing that accurately shows the appearance of a crime scene.

The CFE will usually have a general idea from discussions with the client as to the types of evidence that s/he will find at the incident scene. A checklist can be developed that will identify most types of computer and electronic evidence that might be at a small-scale crime scene. The major difference between investigations will probably be the size of the computer system and the amount of disk storage that will need to be secured or imaged. Seizure of electronic devices, such as cell phones and iPads, should not pose any special problems due to their small size. It might be necessary to determine the amount of disk storage records that need to be copied or imaged for later forensic analysis. On large databases or for data in the cloud it will be next to impossible to copy or image the entire storage device. In these cases, a forensic examination might have to occur partly at the crime scene and partly off-site once the required permissions for data access are received from the data owners of record.

Conflicts in documentation can cause considerable grief in a court of law. Also, if a computer system is to be reconstructed later, cable connections and maps must be precise. There are four basic premises to the search, recording, and collection phase of a small-scale investigation. These premises are as follows:

–The best search options are typically the most difficult and time consuming;
–The physical evidence cannot be over-documented;
–There is generally only one best chance to properly perform the investigative task;
–Cautious searching of visible areas and identification and searching of relevant off-site areas is crucial.

After the investigative team has completed all tasks relating to the search, recording, and collection phases at the small-scale crime scene, a critical review should be conducted to ensure that nothing has been missed. This is the last chance to cover all the bases and ensure nothing has been overlooked. The investigators must ensure that they have gone far enough in the search for evidence, documented all essential things, and made no assumptions that may prove to be incorrect later.

–Double-check documentation to detect inadvertent errors;
–Check to ensure all evidence is accounted for before leaving the crime scene;
–Ensure all forensic hardware and software used in the search is gathered;
–Ensure possible hiding places of evidence and difficult areas for access have not been overlooked.

An incident scene debriefing is the best opportunity for personnel and participants to ensure the investigation is complete.

The last step in the evidence investigation phase for a small-scale crime scene featuring electronic evidence is to release the incident scene back to its owners. The release is accomplished only after completion of the final survey. The individual investigator or team should provide an inventory of the items seized to the client owner/manager of the scene. A receipt for electronic evidence must be completed for any devices seized. A formal document should be provided that specifies the time and date of the release, to whom released, and by whom released.
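The inventory log, photo log, chain-of-custody form, final survey and release receipt described in the procedure above, modelled as an added Python example (not code from the ACFE or this chapter). It also records a SHA-256 hash of any imaged media so a later working copy can be shown to be unchanged; every tag, name, photo id and timestamp is constructed.

```python
"""Evidence register for a small-scale electronic crime scene (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib

# Constructed scene time, reused by the sample walk-through below.
SAMPLE_TIME = datetime(2017, 5, 9, 9, 15, tzinfo=timezone.utc)


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an imaged storage device, recorded on the custody form."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: datetime
    released_by: str
    received_by: str
    purpose: str


@dataclass
class EvidenceItem:
    tag: str                      # same number used on the sketch and in the photo log
    description: str
    location: str
    photo_ids: list = field(default_factory=list)
    image_sha256: str = ""        # filled in once storage media has been imaged
    custody: list = field(default_factory=list)


class SceneRegister:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.items = {}
        self.final_survey_done = False

    def log_item(self, tag, description, location, photo_ids, found_by, when):
        if tag in self.items:
            raise ValueError(f"duplicate evidence tag {tag}")
        item = EvidenceItem(tag, description, location, list(photo_ids))
        # First custody entry: the finder takes possession at the scene.
        item.custody.append(CustodyEntry(when, "scene", found_by, "collected"))
        self.items[tag] = item
        self.final_survey_done = False    # a new item means the survey must be redone
        return item

    def record_image(self, tag, image_bytes):
        self.items[tag].image_sha256 = sha256_hex(image_bytes)

    def verify_image(self, tag, image_bytes) -> bool:
        """True if a later copy still matches the hash recorded at the scene."""
        return self.items[tag].image_sha256 == sha256_hex(image_bytes)

    def transfer(self, tag, from_person, to_person, purpose, when):
        item = self.items[tag]
        if item.custody[-1].received_by != from_person:
            raise ValueError(f"{tag}: {from_person} is not the current custodian")
        item.custody.append(CustodyEntry(when, from_person, to_person, purpose))

    def final_survey(self) -> list:
        """Documentation gaps found on the critical review; an empty list means clean."""
        problems = []
        for tag, it in self.items.items():
            if not it.photo_ids:
                problems.append(f"{tag}: no photograph logged")
            if not it.custody:
                problems.append(f"{tag}: no chain-of-custody entry")
        self.final_survey_done = not problems
        return problems

    def release_scene(self, released_to, released_by, when) -> dict:
        """Receipt handed to the owner; refused until the final survey is clean."""
        if not self.final_survey_done:
            raise RuntimeError("final survey not completed; scene cannot be released")
        return {
            "case_id": self.case_id,
            "released_to": released_to,
            "released_by": released_by,
            "when": when.isoformat(),
            "items_seized": [
                {"tag": t, "description": i.description,
                 "custodian": i.custody[-1].received_by}
                for t, i in self.items.items()
            ],
        }


def build_sample_register() -> SceneRegister:
    """Constructed walk-through: one workstation (imaged) and one USB drive."""
    reg = SceneRegister("RVA-2017-001")
    reg.log_item("E-01", "desktop PC, back office", "desk 1", ["P-003", "P-004"],
                 "J. Examiner", SAMPLE_TIME)
    reg.log_item("E-02", "USB flash drive, 16 GB", "desk 1 drawer", ["P-007"],
                 "J. Examiner", SAMPLE_TIME)
    reg.record_image("E-01", b"constructed disk image bytes")
    reg.transfer("E-01", "J. Examiner", "evidence locker", "storage", SAMPLE_TIME)
    return reg


def sample_release() -> dict:
    """Run the final survey and, if it is clean, produce the release receipt."""
    reg = build_sample_register()
    if reg.final_survey():
        raise RuntimeError("documentation gaps remain")
    return reg.release_scene("client manager", "J. Examiner", SAMPLE_TIME)
```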

RVACFES May Event Sold Out!


On behalf of the Central Virginia Chapter and our partners the Virginia State Police and national ACFE, our Chapter officers would like to thank each of you, all our Chapter members and training attendees who made our May Event such a resounding success!  Taught by Liseli Pennings, Deputy Training Director for the ACFE, ‘Investigating on the Internet – Research Tools for Fraud Examiners’ presented a treasure trove of information for the effective utilization of hundreds of readily available on-line resources and tools to support every step of even the most complex fraud investigation and subsequent prosecution.

As the course makes clear, investigations today can be undertaken solely through the investigative resources a computer offers. But there are so many tools available to a fraud examiner beginning an online investigation that it can be difficult to sort out the applicable resources. By better understanding computer and Internet media, examiners can more efficiently conduct investigations and save valuable time and money. While fraud examiners can easily begin searching the Internet without a plan, they will benefit if they develop a strategy prior to conducting a search. Employing a focused search strategy can save time, maintain direction, and make better use of resources.

Liseli presented two analytical techniques designed to analyze the following in an investigative scenario:

SWOT Analysis

— Strengths
— Weaknesses
— Opportunities
— Threats

The SWOT methodology can help professionals achieve the goals of a due diligence investigation or when evaluating a company or person. SWOT is also suited for investigating a product, market, organization, or business venture. Additionally, investigations that entail comparing financial aspects to other companies or markets, such as analyzing one small business or cost in relation to the competition, can benefit from this type of analysis. If an investigator is conducting a search on an individual, it provides analysis into life aspects and characteristics of the person. This method can also be used to conduct a risk assessment that details what an organization can and cannot do, as well as alert the examiner to potential threats and opportunities.

CARA Analysis

Commonly used by law enforcement and private investigators to develop information on a subject, the CARA method analyzes:

— Characteristics
— Associations
— Reputation
— Affiliations

This type of analysis can be used to gain an understanding of an individual rather than a company.

Electronic evidence can change with usage and be altered by improper or purposeful mishandling and storage. Electronic evidence such as social media pages and blog posts can be deliberately removed or altered. Examiners should never assume that a website or post that was available one day will be there the next. Capturing information as it is found is essential because the subjects of an investigation often delete websites and social media profiles. Web pages can be preserved by selecting print screen and pasting the screen capture into a document. When possible, examiners should capture the time, date, time zone, or any other information that can prove when or where data was captured. Not doing so could lead to timeline inconsistencies and contradict alibis when used as evidence and could result in evidence being dismissed due to inaccuracies. It could also affect the examiner’s credibility and negatively impact the case if brought to trial.
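A capture record of the kind the paragraph above calls for, as an added Python example (not from the course): it stores the local time with its zone, the same instant in UTC, and a hash of the captured bytes, so two examiners' captures can be placed on one timeline and a later copy checked for alteration. The URL, page bytes, examiner names and fixed-offset zones are constructed.

```python
"""Capture records for web evidence found during online research (constructed example)."""
from datetime import datetime, timedelta, timezone
import hashlib

# Constructed stand-in for the bytes of a captured page; no network access is made.
SAMPLE_PAGE = b"<html><body>constructed post text</body></html>"
SAMPLE_URL = "https://example.invalid/post/123"  # placeholder, not a real site


def make_capture_record(url: str, content: bytes, examiner: str,
                        local_time: datetime) -> dict:
    """Record what, when (with zone) and by whom a page was captured, plus its hash."""
    if local_time.tzinfo is None:
        raise ValueError("capture time must carry a time zone")
    return {
        "url": url,
        "examiner": examiner,
        "captured_local": local_time.isoformat(),
        "captured_utc": local_time.astimezone(timezone.utc).isoformat(),
        "time_zone": str(local_time.tzinfo),
        "sha256": hashlib.sha256(content).hexdigest(),
        "size": len(content),
    }


def verify_capture(record: dict, content: bytes) -> bool:
    """True if a copy produced later still matches the hash taken at capture time."""
    return record["sha256"] == hashlib.sha256(content).hexdigest()


def in_capture_order(records: list) -> list:
    """Order captures by their UTC instant, not by the examiner's local clock."""
    return sorted(records, key=lambda r: datetime.fromisoformat(r["captured_utc"]))


def sample_records() -> list:
    """Two constructed captures of the same page by examiners in different zones."""
    eastern = timezone(timedelta(hours=-4), "EDT")   # fixed offset, constructed
    rec_a = make_capture_record(SAMPLE_URL, SAMPLE_PAGE, "A. Examiner",
                                datetime(2017, 5, 9, 9, 0, tzinfo=eastern))
    rec_b = make_capture_record(SAMPLE_URL, SAMPLE_PAGE, "B. Examiner",
                                datetime(2017, 5, 9, 12, 0, tzinfo=timezone.utc))
    return [rec_a, rec_b]
```

Although A's local clock (09:00) reads earlier than B's (12:00), the UTC column shows B captured the page first; that is exactly the inconsistency the missing time zone would have hidden.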

When using public and paid-access databases to conduct research, it is important to determine the age of the information. If the date that the information was aggregated is not listed, examiners should look for other sources of information that do include dates.  Examiners must recognize that there are often delays in the reporting and dissemination of information from the sources used by these types of databases.

Some state or local databases might only compile information from certain cities or counties. Examiners who do not find the information they are looking for on a particular site might believe that the information does not exist or that the subject does not have an arrest record when in fact the jurisdiction in question is not included on that site or database. For this reason, it’s important to gain an understanding of exactly which jurisdictions a database covers and what type of information it provides. Determining how long the website or database retains information is also important. Some only retain information for a certain period of time (e.g., five, ten, or twenty years). Furthermore, many databases archive their records after a set number of years to allow faster searches on current information. In such cases, the examiners should search the archived database for information, try another source, or hire a service to conduct a manual record search at the local level. Examiners should avoid the assumption that a lack of records means that an incident did not occur when in fact the database simply might not have the records the examiners need.

Most websites and databases have disclaimers and disclosure statements that users should thoroughly review. Some public and paid databases contain disclosure statements informing users that the subject is notified when someone searches for their information. One such example is when credit header or certain background information is accessed online. The person to whom the information belongs is usually notified when searches pertaining to credit information are conducted with permission by an employer, but notifications can also be triggered when searching other databases for basic information. This could have a significant impact on an investigation. Disclosure practices vary from company to company and across various jurisdictions. It is crucial that examiners review all disclaimers, as they will often indicate when the database was last updated or caution that information is not always current or accurate. As such, all information found online should be corroborated for accuracy and all disclaimers should be read thoroughly. Another important legal aspect to consider regarding public and private databases is the dissemination clause, if one exists. Finally, there can be legal ramifications for disseminating third-party information to attorneys or courts, or for using information compiled from certain sources. Sometimes permission is required before disclosing information. Therefore, it is important to read all legal notices and consult an attorney if unsure how to proceed.

Again, our thanks go out to all for making this May event one of our most informative and successful ever!

Making Sure It Sticks


As a follow-on to our last blog post (see To Have and to Hold immediately above), I thought I’d talk a little about the documents our investigating CFE was able to find.

These case documents proved critical to the examination and were found in both paper and digital form.   Of the two types of evidence, the digital documents proved the most voluminous and the trickiest from an investigative point of view.  Suspected frauds, such as the one our CFE reader was investigating, leave behind data on computer systems, all kinds of data. Despite the ubiquity of this digital evidence, though, it’s often overlooked, collected incorrectly, or analyzed ineffectively. The rub is that, if relevant evidence isn’t gathered at the very beginning of an investigation, it may be too late to do so later in the process. Therefore, ideally, a CFE’s client organization’s management should consider the importance of digital evidence from the outset of its operations and be prepared to gather it for a wide range of financial fraud related scenarios; indeed, most of the larger, more sophisticated companies, finding themselves routinely under cyber-attack, already do so.

It’s been my experience that many organizations underestimate just how often they may need to produce reliable evidence of what has happened in their information systems. And, importantly, from the individual CFE’s point of view, they also may underestimate the demands that the legal system makes in terms of ensuring the admissibility and reliability of digital evidence. Unless an organization has developed a detailed incident response plan, much potential evidence will never be collected or will become worthless as a result of contamination. As a preliminary to any investigation involving digital data, CFEs should assess whether the client organization has applied a consistent and effective approach to managing information security incidents, including staff and organizational responsibilities and procedures; not having done so can prove a significant legal problem for the client in court. When a follow-up action against a person after an information security related fraud involves legal action, evidence should be collected, retained, and presented to conform to the rules for evidence promulgated by the relevant jurisdiction(s). The examination should also review whether documented procedures are developed and followed when collecting and presenting routine evidence for internal disciplinary actions.

Digital forensic readiness (DFR) focuses on proactively collecting and preserving potential digital evidence. This can limit business risk by providing support for all kinds of legal defense, civil litigation, criminal prosecution, internal disciplinary actions, intellectual property claims, and due care documentation.  It also can document the impact of a crime or disputed action for an insurance or damage claim. In addition, digital forensics can support the recovery process indirectly after an incident (something that proved very important for the client of our CFE in the ‘To Have and to Hold’ case).

When preparing data for use as evidence, all CFEs know that it’s often necessary to provide further supporting information. It’s important to show that audit trail information can demonstrate that the system used to preserve evidence is functioning appropriately. It’s also important to demonstrate how information progresses through it. Audit trails need to be comprehensive and overseen appropriately, because without them the integrity and authenticity, and thus the evidential weight, of the data stored in the system could be questioned in court. In addition to the system’s effectiveness, CFEs need to be concerned with whether access to audit trail information was controlled adequately. In some applications, access may be needed only infrequently, so it’s important that the access procedures be documented.

In most jurisdictions, the legal admissibility of digital evidence (or any evidence) in a court of law is governed by three fundamental principles: relevance, reliability, and sufficiency. Digital evidence is relevant when it can prove or disprove an element of the specific case being investigated. Although the meaning of reliable (i.e., authentic and accurate) varies among jurisdictions, a general principle is to ensure the digital evidence is what it purports to be and has not been spoiled. It is not always necessary to collect all data or to make a complete copy of the original evidence. In many jurisdictions, the concept of sufficiency means that enough evidence has been collected to prove or disprove the elements of the matter.

Information security is key when discussing legal admissibility. Was the process for capturing electronic information secure? Was the correct information captured, and was it complete and accurate? During storage, was the information changed in any way? When responding to questions by opposing counsel about the authenticity of stored information, organizations must show whether the system was operated correctly at all times. To address this issue, CFEs should establish that all relevant procedures are well thought out, complete in scope, documented, and operated by competent individuals.

To reduce the risk of legal challenges, CFE’s should consider offering evidence that the client organization has implemented security measures. Management should have reviewed information security systems at planned intervals to determine whether their control objectives, controls, processes, and procedures:

–Conform to the requirements of information security standards and relevant regulations;
–Conform to the identified IT security requirements;
–Are implemented and maintained effectively;
–Are performing as expected.

Determining which digital evidence the organization should be collecting and preserving is a two-step process. First, the crimes and disputes the organization is exposed to must be determined. Second, based on the identified exposure, the organization needs to identify potential evidence based on a risk analysis combined with a cost/benefit approach.

DFR is a natural progression for organizations with a mature information security posture, enabling them to pursue perpetrators in the legal domain when other security measures have failed. Among more security-aware CFE clients, it can enhance existing processes and leverage incident response, business continuity, and crime prevention activities. CFE’s can provide assurance of their client organization’s forensic readiness based on the following criteria suggested by the ACFE:

–Whether the organization has identified the main likely threats it faces;
–Whether the organization has identified what sorts of evidence it is likely to need in a criminal proceeding and how it will secure that data;
–Whether the organization has identified the amount and quality of evidence it already has collected;
–Whether the organization is familiar with potential legal problems such as admissibility, data protection, human rights, limits to surveillance, obligations to staff members and others, and disclosure in legal proceedings;
–Whether the organization has identified the management, skill, and resource implications and developed an action plan.

CFE’s, as part of the planning for a fraud or incident investigation, should ensure the completeness and integrity of digital evidence. Moreover, they should ensure that potentially useful evidence is never overlooked.  A functioning and documented DFR supports such assurance and helps make sure that assurance sticks.

To Have and To Hold

One of our CFE readers practicing abroad reports currently investigating the transactions of a key executive of a financial subsidiary of a large U.S.-based company and finding that many documents critical to his examination simply have not been retained anywhere on the firm’s server farm; a problem much more common in our present e-world than many of us would like to think! The documents weren’t on the servers simply because the firm’s document retention policy (DRP), as published to its employees, isn’t comprehensive enough to require them to be.

When our CFE’s client firm policy was written, the primary electronic document type was in the form of e-mail files stored on company servers. But today, electronic records also include text messages, instant messages, voice mail, and internet search histories, images on digital cameras, in cell phones and tablets, and scores of differing file types stored on a myriad of personal devices and in the cloud. In this environment, the importance of the DRP, as a living document, is right up there with other critical documentation like that concerning access control and physical security. Each paper and electronic document type should be treated separately in the policy. Even in the case of e-mail – a technology that’s been ubiquitous for two decades – our Chapter members report finding retention practices are often spotty and messages sometimes difficult to search and retrieve. Rather than backing up all e-mails, for example, the policy might distinguish between an e-mail with an attached signed contract and an e-mail inviting staff to the office holiday party. In addition, e-mails often end up residing in numerous locations. Because real-time monitoring of individuals’ personal computers would be impractical for any firm, a central electronic depository could be developed for contracts, tax returns, medical plans, pension statements, and other documents that have legal or regulatory holding limits. Also, all CFE’s must be constantly alert to new communication means and be prepared to adopt investigative modifications to deal quickly with them.

We’re all familiar with the many problems involving legal discovery.  Such requests primarily deal with centrally located files, but certain types of lawsuits, such as hostile work environment or sexual harassment, can also require discovery of personal files. Because no client management staff is large enough to verify that all employees follow prescribed rules, companies must rely on regular training to inform employees and confirm their compliance with company retention policy. Companies can reinforce this training by taking appropriate disciplinary measures against anyone who violates the rules. This reinforcement, of course, is based on the assumption that the organization already has appropriate controls in place and an effective process to gather the necessary data to monitor employee compliance. In the present case, our CFE reports that none of these controls proved to be in place; their absence will likely result in any subsequent prosecution of the targeted fraudster being either extremely difficult or impracticable.

Also, instant messages, like those used by our CFE’s executive target, illustrate the hidden complexity of contemporary document retention. Dealing with e-mail is relatively straightforward compared with the issues surrounding instant messages. Instant messages provide a convenient way to transmit text, audio, and live streaming video, often outside the firewalls and other safeguards of a company’s main system, which creates greater technological and competitive risks. Of greater concern to CFE’s should be the content of the messages. An instant message constitutes business correspondence; as such, the message is discoverable and must be included in any document retention plan. The organization should have an established plan for the recovery of the messages in their original form. The optimal time to formulate the plan is before legal action, not in the midst of it. Many organizations (again, like our CFE’s client) have document retention plans covering only paper-based correspondence or e-mail; management of the content of instant messages is not addressed. In addition to instant messaging, individuals use text messaging, which takes place on personal devices like cell phones. If a company doesn’t have an instant messaging system (IMS), it should consider acquiring one. An IMS allows message backup and access in case of discovery. Storing the instant messages and allowing access to them after the fact can help mitigate organizational liability exposure and close fraud vulnerability and security holes in the system. At a minimum, this would demonstrate some due diligence to outside stakeholders. The issue boils down to having a clear policy, both in terms of digital media use and its retention. The retention policy would involve purging instant messages once they reach a specified age. Use policies might include random monitoring – an important deterrent for abuse and a valuable means to gather sample data about use.

So CFE’s need to be aware that policy creation for present-day business communication technology is obviously much more complex and necessary than the document retention policies of the past. Past policies usually governed only workplace documents, whereas policies today also must govern documents that are generated and consumed on mobile devices away from the workplace. The document retention policies should include retention limits for each type of format. Employees should be trained and reminded of the policy and their responsibility to follow it. Targeted management reviews based on fraud risk assessments could be valuable and would reinforce the importance of following the policy. In addition to training employees to regularly cull e-mail and instant messages sent and received, Internet browser options should be set so cookies and images are purged when the Internet session is over and histories are discarded daily.

Retention policies also should stress the appropriate and acceptable uses of company equipment. During company training, employees should learn that sharing inappropriate texts, audio, or video files is unacceptable, and they should clearly understand the consequences for not following company policy. Unfortunately, the delineation between work time and personal time is often blurred. With more employees being on call beyond the standard 40-hour work week, employers need to be sensitive to employees’ needs to perform personal tasks while at work using corporate equipment, or to perform work-related activities with personal devices. Certain questions must be asked, however, such as: If an employee uses a personal device and maintains personal and business files separately, would the personal files be discoverable? Would discoverability depend on whether the device was personally or company owned? It could be assumed that if the employer owns the device, all records are discoverable. If the employee owns the device, privacy issues may come into play. Due diligence always demands that conservative guidelines be employed.

I recommended to our CFE reader that, in addition to consulting corporate attorneys and IT staff, he might consider providing management with recommendations about whether outside consultants are needed to help develop or modify a more up-to-date document retention policy. Also, because electronic data is often salvageable even after it’s been deleted, a computer forensic expert could provide valuable insights into both the development and implementation of a new policy. This expert would then have knowledge of the system and could provide assistance if the company is party to a lawsuit in the future. Contracting with a computer forensic expert on retainer allows the organization to receive regular feedback on changes in the state of the art in computing technology and best practices in the field. These experts are aware of the costs and burden of discovery under both poor and good retention policies, and they’re able to make recommendations that will save money should litigation arise.

Tying Up Loose Ends

Chris Rosetti, a nationally recognized authority on fraud prevention and our July 2015 RVACFES live event speaker, responding to a question during his training session at the Virginia State Police Training Academy, commented that the securing of endpoint devices was posing one of the greatest challenges to the fraud prevention programs of many of his clients. Chris explained that an endpoint is any software or hardware device that has an IP address, transmits data to another device, processes or displays information, or accesses a network or computing infrastructure. So any device that can connect to an organization’s network is an endpoint.

He went on to say that endpoints include such devices as smart phones, iPads, desktops, laptops, and servers, as well as radio frequency devices, routers, firewalls, switches, hubs, network attached storage, and voice-over-IP devices (like desktop VoIP phones replacing conventional landlines). Moreover, to complicate matters further, desktops and laptops generally have one or more wired network cards, Wi-Fi network cards, multiple CD/DVD ROMs, multiple USB ports, modem ports, an Ethernet connection port, and in some cases, Bluetooth and PCMCIA cards. Each of these items constitutes a potential security node and, therefore, a fraud risk. In his opinion, endpoint security is a key component in the information security defenses of organizations and is, to this day, being overlooked by a significant number of enterprises. Surprisingly, Chris says that a fifth of organizations don’t have any form of endpoint security, which means that their corporate networks and data are potentially exposed to hackers and criminals who can access sensitive information from unprotected access points. With the unmanaged endpoint and the mobile endpoint now ubiquitous business enablers, it doesn’t suffice anymore to just lock down only the endpoints within the office premises or build a formidable perimeter security infrastructure. These endpoints are not only prone to threats themselves, but also can be a medium for threat vectors to attack the infrastructure. Current threats include viruses, Trojans, worms, the use of endpoints as distributed denial-of-service (DDoS) zombie hosts, and spyware.

Chris indicates that in his risk assessments and in his fraud prevention practice, new and novel types of threats are emerging almost on a weekly basis. These threats often take advantage of a growing number and variety of endpoint vulnerabilities, and include the familiar buffer overruns, the more insidious keystroke loggers and instant messaging worms, as well as vulnerabilities even in the security software clients install to protect themselves. Chris says that the issues related to endpoint security need to be addressed from two different perspectives: protecting the endpoint itself and protecting the enterprise from the endpoint. Regarding the endpoint itself, CFE’s need to be aware when conducting our fraud risk assessments that a device that does not have the proper tools to detect and prevent malicious code and attacks (e.g., desktop firewalls, anti-virus programs) can expose the entire organization’s infrastructure to attacks. A device like a cellphone or iPad that is connected to the corporate network and also allowed to connect to the Internet through another medium (e.g., dial-up, wireless) at the same time opens a channel for attackers. Allowing removable storage devices (e.g., thumb drives, external drives, MP3 players) to connect to the network, and handhelds of all types to synchronize with other networked devices, serves as yet another medium for the entry of malicious code into the enterprise.

According to Chris, the good news is that, by his count, there are currently more than a hundred tools and products for securing the endpoint and improving its security health. These include anti-malware programs, desktop firewalls, automatic software patch updaters, intrusion detection systems (IDS), secure remote access tools, and port lockdown (to prevent USB devices from connecting). As CFE’s, our fraud risk assessment reports need to emphasize that all devices issued to enterprise employees should have these types of security tools configured and that devices are appropriately locked down. Vulnerability scanners that scan all the devices within the enterprise enhance its fraud management capabilities.

Chris advocates inventorying all the endpoint devices connected to the corporate network as a vital component of the fraud prevention program. This, in turn, allows the identification of all the interfaces on the various endpoints. The fraud vulnerability assessment inspection of the endpoint may identify gaps, e.g., a machine that has not been patched. One inspection policy might be to isolate the machine and deny connectivity. However, the user may be looking to connect and carry out some critical activity; therefore, building a remediation aspect into the inspection process would be important. This way, if a patch is missing, the user can be directed to the site to download the patch and, once it is installed, the user can be allowed to reconnect. Organizations also lose critical information through USB or equivalent devices. Employees can copy sensitive and protected information onto these devices and remove such information from the premises. To stop this from happening, data loss prevention should be part of the organization’s fraud prevention strategy.

Chris additionally advocates including a review of end point vulnerability in every fraud risk assessment used to build the fraud prevention program.   The first step to the fraud vulnerability assessment of any endpoint environment is to understand the organization’s policies and how the policies address endpoint security. Second, CFE’s must understand the technologies deployed to implement endpoint security, if any. This is probably the toughest task because some CFE’s may not be qualified to conduct such reviews on their own. In such cases, Chris recommends it may be best to augment the assessment staff with outside experts, because these technologies change rapidly.

Finally, Chris pointed out that some commercially available endpoint control solutions come with an integrated, risk-based monitoring dashboard. Organizations that have implemented continuous or automated financial audits may want to start deploying the endpoint agents on those nodes that their external auditors audit regularly and let the agents continuously feed data to the dashboard.  This strategy may prove to be a good investment if it reduces total audit costs in the long run and provides greater assurance that the organization’s most critical endpoints are secure.

With the corporate perimeter quickly vanishing, the virtual organization becoming a reality, and more organizations allowing staff members to work from wherever on their own phones, laptops, or other wired devices, all CFE’s should think of how they can bring the anti-fraud security perimeter closer to where the data are and treat everything else as external. We should advocate that all our clients deploy endpoint security tools to ensure that the endpoints are secure from fraud exploits and also that the organization itself is secure from its own endpoints.

E-discovery Challenges for Fraud Examiners

I returned from the beach last Friday to find a question in my in-box from one of our Chapter members relating to several E-discovery (electronically stored information) issues she’s currently encountering on one of her cases. The rules involving E-discovery are laid out in the US Federal Rules of Civil Procedure and affect not only parties to federal lawsuits but also any related business (like the client of our member). Many fraud professionals who don’t routinely work with matters involving the discovery of electronically stored information are surprised to learn just how complex the process can be; unfortunately, like our member’s client company, they sometimes have to learn the hard way, during the heat of litigation.

All parties to a Federal lawsuit have a legal responsibility, under the Rules of Civil Procedure and numerous State mirror statutes, to preserve relevant electronic information. What is often not understood by folks like our member’s client is that, when a party finds itself under the duty to preserve information because of pending or reasonably anticipated litigation, adjustment in the normal pattern of its information systems processing is very often required and can be hard to implement. For example, under the impact of litigation, our member’s client needs to stop deleting certain e-mails and refrain from recycling system backup media as it has routinely done for years. The series of steps her client needs to take to stop the alteration or destruction of information relevant to the case is known as a ‘litigation hold’.

What our clients need to clearly understand regarding E-discovery is that the process is a serious matter and that, accordingly, courts can impose significant sanctions if a party to litigation does not take proper steps to preserve electronic information.  The good news is, however, that if a party is found to have performed due diligence and implemented reasonable procedures to preserve relevant electronic data, the Rules provide that sanctions will not be imposed due to the loss of information during the ‘normal routine’ and ‘good faith’ operations of automated systems; this protection provided by due diligence is called the ‘safe harbor’.

To ensure that our clients enjoy the protections afforded them through confirmation of due diligence, my recommendation is that both parties to the litigation meet to attempt to identify issues, avoid misunderstandings, expedite proper resolution of problems and reduce the overall litigation costs (which can quickly get out of hand) associated with E-discovery.  The plaintiff’s and defendant’s lawyers need some sort of venue where they can become thoroughly familiar with the information systems and electronic information of their own client and those of the opposing party.  Fraud examiners can be of invaluable assistance to both parties in achieving this objective since they typically know most about the details of the investigation which is often the occasion of the litigation.  Both sides need to obtain information about the electronic records in play prior to the initial discovery planning conference, perhaps at a special session, to determine:

–the information systems infrastructure of both parties to the litigation;
–location and sources of relevant digitized information;
–scope of the electronic information requirements of both litigants;
–time period during which the required information must be available;
–the accessibility of the information;
–information retrieval formats;
–costs and effort to retrieve the required information;
–preservation and chain of custody of discoverable information;
–assertions of privilege and protection of materials related to the litigation.

Technical difficulties and verbal misunderstandings can arise at any point in the E-discovery process. It often happens that one of the litigants may need to provide technical support so that digital information can even be used by the opposing party … this can mean that metadata (details about the electronic data) must be provided for the data to be understandable. This makes it a standard good practice for all parties to test a sample of the information requested to determine how usable it is, as well as how burdensome it is for the requested party to retrieve and provide.

It just makes good sense to get the client’s information management professionals involved as soon as possible in the E-discovery process.  A business will have to disclose all digitally stored information that it plans to use to support its claims or defenses.  When faced with specific requests from the opposing side, your client will need to determine whether it can retrieve information in its original format that is usable by the opposition; a question that often only skilled information professionals can definitively answer.

Since fraud examination clients face E-discovery obligations not only for active Federal litigation but also for foreseeable litigation, businesses can be affected that merely receive a Federal subpoena seeking digital information.   Our questioner’s client received such a subpoena regarding an on-going fraud investigation and was not ready to effectively respond to it, leaving the company potentially vulnerable to fines and adverse judgments.

Richmond ACFE Chapter Meeting Webcast – 6/17/2013 – Basic Computer Forensics

Every two weeks the Central Virginia Chapter of the Association of Certified Fraud Examiners (ACFE) presents a webcast on a topic related to the practice of fraud examination and/or forensic accounting. These webcasts are presented primarily for the benefit of Chapter members but are open to all with a general interest in improving the practice of auditing and fraud examination.

Members of the Central Virginia Chapter will have received an e-mail notifying them that the bi-weekly webcast is available at this site; the e-mail contains three questions which must be answered and returned for the award of one hour of continuing education credit.

If you are an audit professional or a student and would like to listen to these lectures as a Richmond Chapter member for continuing education credit, please visit our website at www.cpenet.net  and join our Chapter on-line by clicking on the first picture of a set of scales, registering as a site user and paying $15.00 annual dues.  We offer at least 20 hours of continuing education credit on fraud related topics for the one time annual fee.  You don’t have to be a resident of the Richmond area or even of Virginia to join… we have members all across North America.

This week’s webcast is fifty-one minutes in length, on the topic of The Laws of Fraud & Where to Find Them.

BASIC COMPUTER FORENSICS

Preserving Evidence in Electronic Form

Since our Chapter is working up a Bi-Weekly Webcast for future broadcast on the topic of computer forensics, I thought I’d do a post on electronically encoded evidence, specifically on gathering and preserving it. Of course, the need to preserve evidence implies that an incident or event has taken place requiring eventual presentation as fact, and thus serving as proof of some irregularity or illegal act. Whether the target data are in transit or at rest, it’s critical that steps be taken to prevent the information from destruction, corruption or unavailability for further forensic examination.

Given the preservation mandate, it’s up to investigative management to proactively design incident response and forensic investigation policy and procedure within the framework of the strict guidelines represented by legal requirements.  Electronic evidence must be gathered and preserved under procedures that ensure evidential non-repudiation.  Repudiation occurs when the defense attorney is able in some way to break the evidentiary chain linking the evidence to the actions of his or her client.

The legitimate extraction of in-transit electronically encoded data is known as lawful interception and there are numerous laws and statutes allowing and controlling it in both the U.S. and the European Union.  In short, legitimate interception occurs when a network operator, service provider, or corporate IT management group grants law enforcement network access to monitor, review, tag and/or capture the communications of suspect individuals or groups.  Lawful interceptions can be used to capture an employee’s inbound and outbound data packets for examination but it must be done in such a way as to prevent detection by the targeted individual(s) and ensure the appropriate authorized management personnel know about the interceptions.  As U.S. internal and information systems auditors well know, private corporations have the right to monitor the e-mail and company network related transactions of their employees if they’ve made such monitoring a condition of employment, have notified every employee that the corporate network and related systems are company property and that management conducts surveillance of e-mail and routine transactional information as a matter of routine.

If you’re a fraud examiner dealing with stored data (data at rest) after or during an incident and the target system is turned off, simply turning the system on and permitting a boot can introduce changes to target content, directly or indirectly, through operating system procedures. So get help from a qualified computer forensic analyst or certified information systems auditor before attempting to extract electronic data. To address this and related issues, computer forensic experts can apply appropriate forensic imaging software to obtain an exact working copy of the hard disk or storage media (every encoded bit of recorded data). Media content imaging can be carried out without launching the computer’s operating system, thereby avoiding the tampering allegations inevitably raised by opposing attorneys.

So, whether target data are in transit or at rest, it’s critical that measures be in place to prevent the information from being destroyed, corrupted or becoming otherwise unavailable. Functionally sound imaging software and investigative practices are essential to maintaining evidential continuity and the chain of custody. When evidence is at rest, defined procedures should be followed to ensure against repudiation by the investigative target. Lawful interception assists fraud examiners and other investigators in determining the system state during an incident or event, and sound imaging software combined with disciplined practitioner procedure is what preserves the evidential continuity required for judicial proceedings.
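The two points made above, that audit trail information must let you demonstrate the integrity and authenticity of stored evidence, and that imaging must yield an exact, verifiable copy of the medium, in working form. This is an added example written for this page, not code from the original posts or the Chapter’s material; the “seized drive” is a constructed temporary file, and the hash-chained custody log, its field names and the sample custodian entries are this example’s own assumptions.

```python
"""Added example (not from the original posts): bit-for-bit imaging with a
hash-chained chain-of-custody log, on a constructed temporary file standing in
for the seized medium. Altering the image or the log afterwards is detectable."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB blocks so large media do not fill memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_medium(source, image):
    """Copy every byte of source to image; hash the bytes as they are read,
    then re-hash the written image independently to confirm a faithful copy."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as s, open(image, "wb") as d:
        for block in iter(lambda: s.read(CHUNK), b""):
            src_hash.update(block)
            d.write(block)
    digest = src_hash.hexdigest()
    if sha256_file(image) != digest:
        raise RuntimeError("image does not match source; acquisition failed")
    return digest


class CustodyLog:
    """Append-only custody record: each entry embeds the hash of the previous
    one, so editing, removing or reordering entries breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, action, custodian, evidence_sha256, note=""):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "custodian": custodian,
            "evidence_sha256": evidence_sha256, "note": note,
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Re-walk the chain; returns (ok, reason)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                return False, f"entry {i}: link to previous entry broken"
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if self._digest(body) != e["entry_hash"]:
                return False, f"entry {i}: altered after being recorded"
            prev = e["entry_hash"]
        return True, "custody log intact"


def verify_image(image, log):
    """Is the log unbroken and does the image still match its recorded digest?"""
    ok, reason = log.verify()
    if not ok:
        return False, reason
    if sha256_file(image) != log.entries[-1]["evidence_sha256"]:
        return False, "image digest differs from the recorded digest"
    return True, "image matches custody record"


def demo():
    """Acquire, record custody, then tamper with the image and the log in turn.
    Returns (ok_before, ok_after_image_edit, log_ok_after_log_edit)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")  # constructed stand-in medium
    image = os.path.join(workdir, "suspect_drive.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(2 * CHUNK) + b"INVOICE-0042 approved")  # constructed content
    log = CustodyLog()
    digest = image_medium(source, image)
    log.record("acquire", "examiner", digest, "bit-for-bit image via write blocker")
    log.record("transfer", "evidence custodian", digest, "sealed, placed in locker")
    ok_before, _ = verify_image(image, log)
    with open(image, "r+b") as f:  # flip one bit in the stored image
        f.seek(4096); byte = f.read(1)[0]
        f.seek(4096); f.write(bytes([byte ^ 0x01]))
    ok_after, _ = verify_image(image, log)
    log.entries[0]["custodian"] = "unknown"  # rewrite an earlier log entry
    log_ok, _ = log.verify()
    return ok_before, ok_after, log_ok
```

A real acquisition would read the medium through a hardware write blocker and record the tool, its version and the examiner’s identity in each log entry; the chained hashes are what let a later reviewer show that neither the image nor the log was altered after the fact.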