Delving Deep into Suspects' Computers

Learn Some Techniques to Find Digital Evidence

By Mark Furner, Ph.D.


You may not take the lead in a computer forensic investigation, but knowledge of binary files and metadata will help you understand some methods of catching fraudsters. 

On March 26, 1999, Melissa began her worldwide rampage.
Computer cracker David L. Smith unleashed the computer virus with the feminine name that crippled network systems and cost the business world in excess of an estimated $80 million.

I want to teach you some of the same forensic computing investigation techniques that helped catch Smith and convict him of interruption of public communication, theft of computer service, and wrongful access to computer systems. These are advanced techniques that you can use to find the evidence you need to convict fraudsters in your business or those of your clients.

Mystery Dispelled
For many fraud examiners, the gathering of electronic evidence from a suspect's hard drive can appear to be an arcane business. Though many turn to specialists to search computers, those in charge of investigations should understand the methodology of evidence gathering and presentation.

Computer forensics isn't as mystical as it may appear. I'd like to walk you through a case I recently worked on to examine the types of information electronic documents can contain. We'll focus on the software package you probably use - Microsoft Office.

Market research showed that until the middle of 2001, Office 97 was still the most popular application package in its class (at about 50 percent), and that Microsoft Office versions share about 90 percent of the market for office software.1

Electronic Evidence: an Example
An international German construction company, which we'll rename Baugeschäft AG,2 suspected that one of its managers was conducting illegal or corrupt business practices during a large building project in a Latin American country.

The construction company called in the Big 5 firm for which I was working. We took an image of the company laptop used by the manager.3 We examined the paper and electronic evidence, and found "soft" copies of invoices from three service providers. This is automatically suspicious; invoices are submitted for payment by post and should never be found on a hard drive in "soft" form. It would be an invitation to commit fraud because they could so easily be altered. The suspect in this case had altered or created new invoices on his company laptop. He routed payments to these companies via an alias account with an offshore bank. Furthermore, we found the manager had dealings with a consultant whose company had a dummy address in a Latin America country but who lived and worked in Germany. This consultant was paid through the same offshore bank and accompanied the manager on two trips to the bank. A total of about $1,000,000 was in the alias account at the time of this visit, although total obligations to the service providers under suspicion amounted to $2,600,000.

Using the electronic evidence in the form of the binary files of Word documents,4 we proved that the manager had altered certain invoices to add extra payments. We recovered the evidence in the form of deleted documents or scraps of documents in free space from the manager's home directory on the company server and the image of the company laptop.5 One incriminating invoice interested us in particular; we'll focus on it now.





For full access to story, members may sign in here.

Not a member? Click here to Join Now. Or Click here to sign up for a FREE TRIAL.