(taken from the
Jan/Feb 2006 issue of On Balance magazine)
Hi-tech tools
to catch a thief
By Jeffrey T. Lemmermann,
CPA, CITP, CISA
So one of your company's ex-employees turns out to have been a
fraud perpetrator. Now what? Welcome to the world of forensic
computing.
The computer the perpetrator was using could be a
gold mine of evidence. Be prepared, however, to put that box of gold
through some rigorous interrogation to get it to spill the beans.
Maybe it will be as easy as sifting through the
user's "My Documents" folder, Recycle Bin, or deleted e-mails to find
evidence of wrongdoing. If the perpetrator kept things that are easy to
find, there are probably piles of evidence already available. Most
fraud architects, though, have time to cover their computer tracks. But like a
healthy canary, a computer will sing if properly coaxed.
The most important thing to do first: Stop using
the computer! Each action performed on the target computer can overwrite or
alter evidence, and so can the machine acting on its own, so disable screen
savers, scheduled disk utilities, automatic update programs, etc., and disconnect the
computer from the company network (pull the cable rather than shutting down).
Anything you do change, write down with the time you did it; a log of your own
actions is what lets you later separate your footprints from the perpetrator's.
If the perpetrator was still logged
into the computer, leave applications open and the user logged in: shutting
down discards open sessions and whatever the running programs had not yet saved.
The situation will dictate what to do next. If a
crime may have been committed, contact the authorities before proceeding. They may
have experts who want the first crack at the evidence. After that, the
following tools may help in your investigation:
Important: If at all possible, run any of the
mentioned utilities from removable media (CD, USB drive, etc.). Avoid
installing anything to the local hard drive, since every write to that disk
can cover up the very data you are trying to uncover. Better still, work on a
copy of the drive (see Duplication utilities below) and leave the original untouched.
Running programs
Some e-mail applications are configured to empty the Deleted Items folder
upon exit. If you were lucky enough to nab the criminal while still
logged into the system, examine this folder for items of interest before
closing the program. Also investigate the recently opened files
list that most applications keep; it points to the save locations the user favored.
The Windows Start menu also contains an item named "Documents," which holds a
list of recently opened documents.
Duplication utilities
Taking a snapshot of the computer's hard drive before anything else will allow you to
start over if your attempts to disable the computer cover up something
that may have been useful. Norton Ghost or Acronis True Image are
examples, and some commercial data recovery tools include disk-imaging
capabilities. Two cautions: set the tool to copy every sector, not just the
files currently in use, because a file-level backup omits exactly the unused
space where deleted data lives; and record a cryptographic hash (MD5 or SHA-1 in
common use at the time, SHA-256 preferred) of both the original drive and the copy
so you can show later that the two are identical.
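The imaging step in code, as an added example that is not part of the original article or any of the products it names: copy every byte of the source to an image file, hash both, and append the result to a custody log. The fake drive and its paths are constructed here so the script runs offline; on a real case the source would be the raw device (for example /dev/sdb on Linux, an assumption, never the mounted file system), opened read-only and preferably behind a hardware write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # stream in 64 KiB blocks so a large drive never sits in memory


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, image_path, log_path):
    """Copy every byte of `source` to `image_path`, then verify by hash.

    Returns (source_hash, image_hash, verified). The source is only ever
    opened for reading; nothing here writes to the evidence drive.
    """
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash = sha256_of_file(source)   # hash of the original, read a second time
    img_hash = sha256_of_file(image_path)
    verified = src_hash == img_hash
    with open(log_path, "a") as log:
        log.write(f"source={source} image={image_path} "
                  f"sha256={src_hash} verified={verified}\n")
    return src_hash, img_hash, verified


def demo():
    """Image a constructed stand-in for a drive; returns (src_hash, img_hash, verified, image_path)."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "fake_drive.bin")   # constructed sample, not a real device
    with open(device, "wb") as f:
        f.write(b"\x00" * 4096)                    # "allocated" sectors
        f.write(b"Wire transfer memo: move 250,000 to account 9921 before audit\n")
        f.write(b"\x00" * (256 * 1024))            # unallocated space around the remnant
    image = os.path.join(tmp, "evidence.dd")
    src_hash, img_hash, ok = image_device(device, image, os.path.join(tmp, "custody.log"))
    return src_hash, img_hash, ok, image


if __name__ == "__main__":
    s, i, ok, path = demo()
    print(f"image {path}\n  sha256 {i}\n  verified={ok}")
```

Hash the original once more after the investigation and compare it with the logged value: a match shows the drive was not altered while in your hands.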
Recovery software
It used to be that disk data recovery was for the highly skilled
professional only, synonymous with highly expensive. Professional
recovery services are still available and are the only option if all
else fails.
Many data recovery utilities exist, both in
freeware and commercial formats. Deleting a file normally removes only the
directory entry; the contents stay on disk until something else is written
over them. So if the perpetrator didn't use
disk-wiping tools (programs that write over old file locations
numerous times), data that was deleted from computer media has a good
chance of being recovered. The chance shrinks the longer the machine keeps
running, which is one more reason to stop using it.
These software tools allow for the recovery of
files from local hard drives, network drives, removable storage
devices, and other media. They can retrieve data from disks that have
been reformatted, drives that are unbootable, partitions that have
been changed, as well as normally deleted files and those emptied from
the recycle bin.
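The core idea behind those recovery utilities, as an added example written for this page rather than taken from any of the tools or sites it mentions: scan the raw disk image for known file headers and footers and carve out whatever lies between them, directory entries or not. The disk image below is constructed, with one "deleted" JPEG, one "deleted" PDF, and a third file whose sectors a wiping tool has overwritten with zeros, so the carver recovers two of the three. Real carvers handle fragmented files and many more formats; the signature table here is a minimal assumption.

```python
# (name, header bytes, footer bytes) for the formats this toy carver knows
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("pdf", b"%PDF-", b"%%EOF"),
]
MAX_CARVE = 1 << 20  # give up on a header with no footer within 1 MiB


def carve(image):
    """Return carved files as dicts {type, offset, data}, ordered by offset."""
    found = []
    for name, header, footer in SIGNATURES:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:          # header with no footer in range: skip it, keep scanning
                pos = start + 1
                continue
            end += len(footer)
            found.append({"type": name, "offset": start, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image():
    """Constructed raw image: filler, two deleted files, and one wiped file."""
    filler = bytes(range(0x20, 0x7F)) * 40   # printable bytes, contains no signature
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x7f" * 200 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj << /Title (Q3 offshore invoices) >> endobj\n%%EOF"
    wiped = b"\xff\xd8\xff\xe0" + b"\x00" * 100 + b"\xff\xd9"
    image = filler + jpeg + filler + pdf + filler + wiped + filler
    # Simulate a wiping tool: the third file's sectors are overwritten with zeros
    w = image.find(wiped)
    return image[:w] + b"\x00" * len(wiped) + image[w + len(wiped):]


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f['type']:5} at offset {f['offset']:6} size {len(f['data'])}")
```

Run it against a real image by reading the .dd file produced by your imaging step instead of build_sample_image(); nothing in the carver depends on a file system, which is why it still works on reformatted or unbootable drives.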
The Web site
www.freebyte.com/filediskutils
has a list of free utilities, and the site
http://data-recovery-software-review.toptenreviews.com gives reviews
on commercial tools.
E-mail tracking
Similar to data recovery software, these utilities allow the
recovery of e-mail that has been deleted. If you want to be proactive,
several products add the ability to archive all e-mail entering or leaving the
mail system. Products like GFI MailArchiver maintain a copy of all
e-mail in a database, allowing for later restoration or review of
messages. If the fraudster left clues via internal or external e-mail,
these utilities help through their ability to sort and filter messages by
content, recipient, time and other factors.
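What "sort by content, recipient and time" looks like once you have the messages, as an added example that is not part of the original article or of any archiving product: parse raw messages with Python's standard email module, normalize every To and Cc address, convert the Date header to a real timestamp, then filter by keyword, sender, or mail that left the company domain. The three messages, addresses and domain below are constructed for the example.

```python
import email
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample mailbox: three messages as a mail archive might export them
SAMPLE_MESSAGES = [
    "From: j.doe@example-corp.test\nTo: vendor-ap@shellco.test\n"
    "Cc: j.doe@example-corp.test\nDate: Mon, 09 Jan 2006 14:02:11 -0600\n"
    "Subject: invoice 4471\n\nPlease process the attached invoice before month end.\n",
    "From: cfo@example-corp.test\n"
    'To: "J. Doe" <j.doe@example-corp.test>, audit@example-corp.test\n'
    "Date: Tue, 10 Jan 2006 09:15:00 -0600\nSubject: Q4 close\n\n"
    "Reminder: all invoices over 10k need a second approval.\n",
    "From: j.doe@example-corp.test\nTo: personal.mail@webmail.test\n"
    "Date: Sun, 08 Jan 2006 23:41:30 -0600\nSubject: fwd: invoice 4471\n\n"
    "Keep this copy at home.\n",
]


def _body_text(msg):
    """Collect the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def index_messages(raw_messages):
    """Parse raw RFC 822 text into records with normalized recipients and timestamps."""
    records = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        records.append({
            "from": msg["From"].strip().lower(),
            "to": [addr.lower() for _, addr in pairs],
            "date": parsedate_to_datetime(msg["Date"]),   # timezone-aware datetime
            "subject": msg["Subject"] or "",
            "body": _body_text(msg),
        })
    return records


def search(records, keyword=None, sender=None, internal_domain=None):
    """Filter records and return them oldest first.

    keyword:         case-insensitive match against subject or body
    sender:          exact From address
    internal_domain: keep only mail with at least one recipient outside this domain
    """
    hits = []
    for r in records:
        if keyword and keyword.lower() not in (r["subject"] + "\n" + r["body"]).lower():
            continue
        if sender and r["from"] != sender.lower():
            continue
        if internal_domain and all(a.endswith("@" + internal_domain) for a in r["to"]):
            continue
        hits.append(r)
    return sorted(hits, key=lambda r: r["date"])


if __name__ == "__main__":
    recs = index_messages(SAMPLE_MESSAGES)
    for r in search(recs, internal_domain="example-corp.test"):
        print(r["date"].isoformat(), r["from"], "->", ", ".join(r["to"]), "|", r["subject"])
```

Because the Date header is parsed into a timezone-aware value, messages sent from different offices or webmail accounts sort in true chronological order rather than by the local clock each sender happened to use.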
Password cracking
So, you've undeleted a series of files the suspect
tried to erase, but they were Excel spreadsheets with a password. Not
a problem. Utilities exist to strip or crack passwords from a number
of applications, including Excel, Word, QuickBooks, Zip files, and the
like; the "protection" on older office file formats is more lock than vault.
Many such tools are free, like the one at
http://www.freewordexcelpassword.com. Commercial
tools also exist.
All of the above tools are the equivalent of a
small, hot room with one bright light. With these tools, you’ll have
the computer turning state’s evidence in the time it takes to watch an
episode of “CSI.”
Jeffrey T.
Lemmermann, CPA, CITP, CISA is the Wisconsin security practice
manager for Clifton Gunderson Technology Solutions. He can be reached
at
jeff.lemmermann@cliftoncpa.com.