The leading edge of high tech

The collaboration between data mining and digital forensics

By Les E. Heitger, Ph.D., Educator Associate; Jeremy Clopton, CFE, CPA; Lanny Morrow, CFE

Fraud Edge: A forum for fraud-fighting faculty in higher ed

As fraudsters become more sophisticated, schemes more complex and technology more innovative, fraud examiners' approaches must also evolve. Common investigative techniques include interviews, document review, data mining and digital forensics. With technology playing a larger role in fraud schemes, digital forensics and data mining are becoming increasingly important tools. This column is a six-part series for educators and practitioners that will examine the importance of integrating the digital forensics and data mining aspects of investigations; key technologies, methodologies and future applications; and how to present them to budding fraud examiners. For some readers, these columns will contain review material, but hopefully all will benefit from information that we need to transmit to higher-education students.

The rate of change in most, if not all, areas of business is accelerating with each passing year. Most professionals view these changes with mixed emotions. On the one hand, new innovations and technology tend to enhance professionals' abilities to provide their services effectively and efficiently. On the other hand, the more that's possible, the more that's expected.

CFEs can't be idle bystanders with a passive interest as innovations arise. They must openly embrace new knowledge that will drastically affect their professional services. Educators should stress to their students that the rate of change in the technology world — particularly, data mining and digital forensics — has major implications for the fraud examination profession.


Digital forensics is the collection, preservation, analysis and reporting of digital evidence in an investigation. Prominent forms of digital evidence include computers, email, servers, mobile devices such as smartphones and tablets, cloud storage and external storage devices.

The sources of information available through forensic analysis are rich. On many forms of digital media, examiners can recover deleted activity and find communications never intentionally saved by the user in areas such as the computer's memory. Further, with the advent of smartphones, recovered photos can bear GPS coordinate information, and "call detail reports" from a cell phone provider can assist with determining the location of a phone and user at a given time. Other traditional sources include but aren't limited to:

  • Internet history and related artifacts.
  • Chat/instant message history.
  • iPhone backups.
  • Chronological timeline of events on devices.
  • Financial records and software.

Forensic software allows a fraud examiner to search digital media in a relatively efficient manner — usually beginning with simple keyword searches and analysis of log files generated by the digital device. The software can also present historic activity in a chronological timeline to assist in corroborating digital activity with other events.

Digital forensics enables fraud examiners to use more exotic forms of analysis, such as:

  • Artificial intelligence-assisted searches for relevant content.
  • Detection of emotional tone of communications.
  • Collection of names, places, events and dates to construct "relationship maps" of possible related parties, which fraud examiners couldn't otherwise detect because they might be too obscure or separated by too many degrees.
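The "relationship map" idea in the last item can be shown with a short added example (not code from the column or from any forensic product). It assumes the names, companies and addresses have already been extracted from each recovered item; every record, name and function below is constructed for illustration. Entities seen in the same item are linked, and a breadth-first search returns the shortest chain between two parties along with the item that supports each hop.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample records: entities already extracted from each recovered
# item. All names and source labels are made up for illustration.
RECORDS = [
    {"source": "email-001", "entities": ["A. Buyer", "Apex Supply LLC"]},
    {"source": "invoice-114", "entities": ["Apex Supply LLC", "PO Box 310"]},
    {"source": "chat-027", "entities": ["PO Box 310", "R. Cousin"]},
    {"source": "phone-backup", "entities": ["R. Cousin", "J. Clerk"]},
    {"source": "email-002", "entities": ["A. Buyer", "M. Manager"]},
]

def build_map(records):
    """Link every pair of entities that appear together in one record."""
    graph = defaultdict(dict)
    for rec in records:
        for a, b in combinations(sorted(set(rec["entities"])), 2):
            graph[a].setdefault(b, []).append(rec["source"])
            graph[b].setdefault(a, []).append(rec["source"])
    return graph

def connection(graph, start, target):
    """Shortest chain from start to target as (from, to, supporting source)
    hops, or None when the two parties are not connected at all."""
    if start not in graph or target not in graph:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt in sorted(graph[node]):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    if target not in parents:
        return None
    chain, node = [], target
    while parents[node] is not None:  # walk back from target to start
        prev = parents[node]
        chain.append((prev, node, graph[prev][node][0]))
        node = prev
    return chain[::-1]

if __name__ == "__main__":
    for a, b, src in connection(build_map(RECORDS), "J. Clerk", "A. Buyer"):
        print(f"{a} -> {b}  (seen together in {src})")
```

The number of hops in the returned chain is the degree of separation; no single record names both end parties, yet the chain connects them.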
