Computer Forensics: Extracting Evidence To Prove And Stop Fraud
Posted on Wednesday, May 10, 2017
If an employee commits fraud, some of the most compelling evidence to support a personnel or legal action against the individual may reside on a computer hard drive. But computer forensics -- the task of finding the data and maintaining its integrity -- is a highly specialized and complex area of fraud investigation.
Forensic accountants specializing in computer investigations normally divide a case into four distinct phases:
1. Seizing the computer.
2. Imaging the machine and the data it contains.
3. Analyzing the evidence without altering it.
4. Reporting the results of the analysis.
Not surprisingly, the success of each phase depends on the successful completion of the preceding phase.
Most companies do not have the in-house expertise to conduct an effective computer forensics investigation. As technology has developed, so have the complexities of the forensics needed to uncover fraudulent activity.
A forensic accountant specializing in computer investigations has considerable experience from other investigations, as well as access to the most current techniques and software to locate and analyze computer records.
Keep in mind that the information that comes from a forensics investigation is evidence, and the investigator must maintain the integrity of that evidence by:
Handling it as little as possible.
Establishing and maintaining a chain of custody.
Documenting every step taken during the probe.
Without these precautions, the data may lose its viability as evidence to support whatever action you decide to take against the employee.
Even before calling in the forensic specialist, however, you want to secure the computer, which means leaving it alone and making sure that no one can access it. If the computer is running, do not turn it off; if it is not running, don't turn it on. This protects your company and the investigator from allegations that someone tampered with data during the seizure process.
When forensic accountants arrive, they typically take the following steps:
Observe the scene. Before disconnecting the system for analysis, investigators generally take photographs of the workstation or desk, and the system's setup. They pay attention to items like Post-It notes and papers lying around that may contain passwords or security instructions. They also look for removable storage devices such as flash drives, memory cards and MP3 players.
In addition, they scrutinize the status of the system to see whether it is running any programs or utilities, whether the hardware connections follow the company's standard configuration and whether the computer is connected to a wireless device.
Analyze the files. The suspect may have deleted files, but that doesn't necessarily mean they are gone forever. Trained computer forensics experts not only analyze the existing normal files but may also recover deleted files and analyze those that are hidden, temporary, password-protected and encrypted. Moreover, they can rebuild the Internet history, as well as recover a list of documents printed from the computer.
Any one of these files may contain the "smoking gun" that investigators seek to support their cases.
If the machine is still active, the forensic accountant knows how to record any applications that are open and recover any information that might be stored solely in RAM before powering down. Specialists are also able to protect computer systems from alterations, data corruption, booby traps, viruses and electromagnetic or mechanical damage.
Maintain data integrity. Forensic accountants know how to handle evidence throughout the investigation so that it will be admissible in court. They use software that can prove they did not alter the evidence once the material was in their hands. They also make forensically sound copies of the information on computers and use those copies rather than original evidence for their in-depth analysis.
In addition to the issue of data integrity, forensic accountants are aware of privacy and legal issues connected with sensitive information found on computers. Keep in mind: A case can easily be lost if the defendant can place any doubt on the accuracy or handling of the data gathered during the investigation.
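The integrity proof and the chain of custody described above can be illustrated with cryptographic hashes. This is an added example, not code from the original post or from any forensic product; SHA-256 and the names `sha256_stream`, `copy_matches` and `CustodyLog` are assumptions chosen for illustration, and the sample image bytes and log entries are constructed.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # 'prev' value used by the first log entry

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so a large image never sits in RAM."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()

def copy_matches(acquisition_digest, copy_stream):
    """True if a working copy is bit-for-bit identical to the acquired image."""
    return sha256_stream(copy_stream) == acquisition_digest

def entry_digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Chain-of-custody log; each entry commits to the hash of the one before."""
    def __init__(self):
        self.entries = []

    def record(self, when, actor, action, evidence_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"when": when, "actor": actor, "action": action,
                "evidence_sha256": evidence_sha256, "prev": prev}
        self.entries.append({**body, "entry_hash": entry_digest(body)})

    def first_bad_entry(self):
        """Index of the first altered or re-ordered entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or entry_digest(body) != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return None

if __name__ == "__main__":
    image = b"\x00" * 4096 + b"constructed sample, not a real disk image"
    digest = sha256_stream(io.BytesIO(image))
    log = CustodyLog()
    log.record("2024-01-01T09:00Z", "examiner A", "imaged drive", digest)
    log.record("2024-01-01T11:30Z", "examiner B", "received working copy", digest)
    print(copy_matches(digest, io.BytesIO(image)))            # unchanged copy
    print(copy_matches(digest, io.BytesIO(image + b"\x01")))  # altered copy
    log.entries[0]["actor"] = "someone else"  # simulate an after-the-fact edit
    print(log.first_bad_entry())
```

The log is tamper-evident only if the latest `entry_hash` is also recorded somewhere the log's holder cannot rewrite, such as the written report; otherwise the whole chain could be regenerated.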
Given all of the issues noted above, engaging an investigator skilled in computer forensics offers the highest probability of conducting a successful investigation while minimizing the risk to the company's ongoing operations.
Disclaimer: The information contained in Dulin, Ward & DeWald’s blog is provided for general educational purposes only and should not be construed as financial or legal advice on any subject matter. Before taking any action based on this information, we strongly encourage you to consult competent legal, accounting or other professional advice about your specific situation. Questions on blog posts may be submitted to your DWD representative.