Occupational Fraud and Electronic Evidence Investigations Presented by Jerry Murray and Lance Sloves

Feb 15, 2017

Page 1: Occupational Fraud and Electronic Evidence Investigations

Occupational Fraud and Electronic Evidence Investigations

Presented by Jerry Murray and Lance Sloves

Page 2: Occupational Fraud and Electronic Evidence Investigations

Learning Objectives

Raise your occupational fraud awareness

Better understanding of electronic evidence investigations

Page 3: Occupational Fraud and Electronic Evidence Investigations

Occupational Fraud Defined

Employee deliberately misappropriates or misuses company assets for personal benefit.

“Company assets” is not just cash.

Growth industry across almost all industries.

How big is it? Think iceberg…

The lucky ones are still out there right now.

Page 4: Occupational Fraud and Electronic Evidence Investigations

Occupational Fraud Facts

5% of annual revenue lost to fraud

Median loss of $150,000

Average time before detection: 18 months

85% of fraudsters are first time offenders

79% displayed “warning signs”

Asset misappropriation most common fraud

Missing or ineffective internal controls

Most commonly detected by... TIPS!

Page 5: Occupational Fraud and Electronic Evidence Investigations

Common Warning Signs

Rarely takes a vacation

Works long or odd hours

Unwillingness to share duties

Spending habits change

Has known financial problems

Complains about inadequate pay

Has unusually close association with a vendor or customer

Page 6: Occupational Fraud and Electronic Evidence Investigations

Common Elements of Fraud

Three common elements of the fraud triangle:

Motive (pressure)

Opportunity

Rationalization

Page 7: Occupational Fraud and Electronic Evidence Investigations

Motive

What motivated you at age 20? Today? Tomorrow?

Personal financial issues (credit card debt)

Addictions (drugs, alcohol, gambling, etc.)

Health issues and medical costs

Divorce

Elderly parent care

Living beyond their means

Greed

“The thrill of the steal”

Page 8: Occupational Fraud and Electronic Evidence Investigations

Opportunity (The Keys to the Kingdom)

Whenever someone can initiate, execute and conceal an improper transaction.

Giving someone signature authorization on a checking account without compensating controls

Allowing employees to make deposits with no crosschecks

Not reconciling bank statements timely and accurately

Not reviewing your payroll tax deposits.

Page 9: Occupational Fraud and Electronic Evidence Investigations

Rationalization (aka moral breakdown)

Rationalization for fraud can take many paths.

I’ll just borrow the money and pay it back…

No one will ever miss it…

I’m not paid enough…

I work hard, I deserve this…

My kid really needs a new cell phone so his friends won’t make fun of him.

Page 10: Occupational Fraud and Electronic Evidence Investigations

What’s wrong with this picture?

Employee can and does:

- sets up vendors and approves bills
- opens the daily mail
- prepares and makes bank deposits
- posts receipts and makes adjustments to the accounts receivable system
- prepares checks and has signature authority over bank accounts
- reconciles the bank accounts

Page 11: Occupational Fraud and Electronic Evidence Investigations

I’ll just “borrow the money”

General partner embezzled funds from limited partners (Dallas 2000-2003).

“Borrowed” investors’ funds to support his law practice and personal lifestyle.

Total loss of $1.5 million… over four years.

Forensic accountant untangled four years of transactions across seven QuickBooks general ledgers and discovered/proved the theft.

Investors sued and won.

Defendant pleaded guilty to mail fraud, lost license to practice law, served time and was ordered to pay restitution plus investors’ legal costs. (rare)

Page 12: Occupational Fraud and Electronic Evidence Investigations

“They’ll never miss it”

Claims manager for TPA skimmed refund checks from hospitals (Fort Worth 2004-2005).

Employee received the TPA’s refund checks from hospitals and would divert a “few” to her personal bank account.

Total loss - $100,000 over two years

New internal controls over the refund accounting process uncovered the embezzlement.

Fraudster convicted and jailed.

No money was recovered.

Page 13: Occupational Fraud and Electronic Evidence Investigations

“I’m not paid enough”

Office manager of privately owned business (Dallas 2012-2013).

Wrote extra checks for insurance, utilities and other suppliers.

Took extra checks and deposited them into her personal bank account.

Covered cash flow shortfall by not making payroll tax deposits.

Total loss - $150,000… zero recovery

Discovered when owner received notices from the IRS regarding shortage in payroll tax remittances.

Page 14: Occupational Fraud and Electronic Evidence Investigations

Anti-fraud Program

First - Perform a risk assessment. “Follow the dollar” - study internal processes from start to finish.

What could go wrong, how could it go wrong and how bad?

Identify where there are short-falls such as no checks and balances, no physical security or no periodic reconciliations.

Overall goal = Prevent, Detect and Respond.

Page 15: Occupational Fraud and Electronic Evidence Investigations

Anti-fraud Program

Next - Establish internal controls

Establish controls around the position… not the person – very important.

Communicate financial policies and procedures in writing and establish a fraud policy as well as a robust anti-fraud program. (attorney)

Develop a written Code of Conduct (attorney)

Educate not only employees but vendors and customers about your Code of Conduct. (tips)

Page 16: Occupational Fraud and Electronic Evidence Investigations

Anti-fraud Program

Finally - Monitor and Maintain

• Be diligent in recognizing changes that impact risk profile (e.g. new location)
• Anonymous fraud reporting (attorney)
• Ethics training – initial and on-going
• A perception of detection can decrease motive
  - conduct surprise inspections
  - check the business at odd hours
  - test the effectiveness of internal controls

Page 17: Occupational Fraud and Electronic Evidence Investigations

Services the attorney can provide

Assist with assessing the fraud risk.

Assist with a written Code of Conduct.

Provide a fraud tip reporting mechanism.

“Quarterback” the client’s response.

Assist with development of a written response plan for actual, alleged or suspected fraud.

Get the experts involved very early in the response process.

Quickly preserve evidence such as accounting records and electronically stored information (ESI).

Page 18: Occupational Fraud and Electronic Evidence Investigations
Page 19: Occupational Fraud and Electronic Evidence Investigations

Objectives

• Brief History & Background
• Mobile Devices
• Collection & Analysis

Page 20: Occupational Fraud and Electronic Evidence Investigations

Mobile Phones Today

• Apple has sold over a BILLION iPhones.

• 91% of all mobile internet use is “social” related, i.e. Facebook, Twitter, Foursquare, Snapchat, Kik, etc. 75% Computer Desktop-Laptop related.

• Uploaded Facebook photos and videos take up 27% of upstream web traffic.

• People have four essential items - Keys, Wallet, Money and a Mobile Phone.

• “Nomophobia” is the fear of being without your cell phone or losing your signal. Take the test: http://www.nomophobia.com/

Page 21: Occupational Fraud and Electronic Evidence Investigations

Identifiers for Discovery

• International Mobile Station Equipment Identity (IMEI)

  – The IMEI number is used by a GSM-LTE network to identify valid devices and therefore can be used for stopping a stolen phone from accessing that network.

• Model Number of Device.

• Serial Number of Device.

• Phonescoop www.phonescoop.com

Page 22: Occupational Fraud and Electronic Evidence Investigations

Capturing and Recovering Data

• Cellular Smart Phones
  – Recovery of Information
    • Email, Chat, SMS “text”, MMS, Calendars, Internet Browsing, Picture and Video Capture, Banking, Games, GPS Locations and Directions.
    • Facebook, Twitter and other Social Media.
    • Passwords
    • Email Accounts
    • Apps information.
  – Spyware – Jailbreaking.
  – User accounts and Data.
  – Hidden Apps.
  – Specialized Chat Programs

Page 23: Occupational Fraud and Electronic Evidence Investigations

Capturing and Recovering Data

• Typically three components are imaged
  – SIM Card – GSM
    – Contains International Mobile Subscriber Information (IMSI)
      » Identifies individual subscriber or cellular network.
        • Country Code
        • Network Code
        • Mobile Station Identification
    – Possibly SMS messages, contacts or call logs (Not very Likely)
      • Past Case used to track back a GPS device on car.
  – SD Card
    • Pictures, Videos, Files, Apps and other info
  – Phone Memory.
    • All the good stuff: SMS, MMS, Contacts, Call Logs, App Data, Etc.
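
Added example, not part of the original presentation: a Python check for the IMEI and IMSI identifiers named on the slides above, so that a value written into a discovery request or preservation letter can be caught if it was mistyped. The IMEI check-digit (Luhn) rule and the country code / network code / subscriber number split are standard; the MNC-length table is a small illustrative subset, and the IMSI values are constructed.

```python
import re

# Illustrative subset (assumption): the MNC is 2 or 3 digits depending on the
# country's numbering plan, so its length cannot be read from the IMSI itself.
MNC_LENGTH_BY_MCC = {"310": 3, "262": 2, "234": 2}  # USA, Germany, UK


def luhn_ok(digits):
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def parse_imei(raw):
    """Split a 15-digit IMEI into TAC, serial and check digit, and verify it."""
    digits = re.sub(r"[\s\-/]", "", raw)  # tolerate '49-015420-323751-8' style
    if not re.fullmatch(r"\d{15}", digits):
        raise ValueError("IMEI must be exactly 15 digits")
    return {"tac": digits[:8], "serial": digits[8:14],
            "check_digit": digits[14], "check_ok": luhn_ok(digits)}


def parse_imsi(raw, mnc_len=None):
    """Split an IMSI into country code, network code and subscriber number."""
    digits = raw.strip()
    if not re.fullmatch(r"\d{6,15}", digits):
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = digits[:3]
    mnc_len = mnc_len or MNC_LENGTH_BY_MCC.get(mcc)
    if mnc_len not in (2, 3):
        raise ValueError("MNC length unknown for MCC %s; pass mnc_len" % mcc)
    return {"mcc": mcc, "mnc": digits[3:3 + mnc_len],
            "msin": digits[3 + mnc_len:]}


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))   # widely published sample IMEI
    print(parse_imei("490154203237581"))      # constructed: last digits swapped
    print(parse_imsi("310150123456789"))      # constructed IMSI
    print(parse_imsi("262011234567890"))      # constructed IMSI
```

A failed check digit means the number was copied wrongly somewhere between the device label and the request, not that the device is invalid.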

Page 24: Occupational Fraud and Electronic Evidence Investigations

Capturing and Recovering Data

• JTAG – Advanced Technique or Chip Off
  – JTAG (Joint Test Action Group) forensics is an advanced level data acquisition method which involves connecting to Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips when typical commercial tools won’t image data.

• When is it appropriate to JTAG an evidence device?
  When commercial forensic extraction options cannot acquire a physical image or when a device is logically damaged or “bricked”. The majority of our JTAG work involves Android phones which are pattern locked and cannot be bypassed by other means. We also JTAG prepaid cell phone models (such as TracFone, Net10 and Virgin) which have their data ports intentionally disabled by the carrier.

• Phone Repair and Imaging is also possible when water, fire damaged, etc.
• Password removal or bypass

Page 25: Occupational Fraud and Electronic Evidence Investigations

Capturing and Recovering

• We can also download Windows Backups from online sources.

• iPhone backups from computers.

• Android backups.

• Blackberry Backups.

Page 26: Occupational Fraud and Electronic Evidence Investigations

Data Capture and Analysis

• Cellebrite Mobile Device Forensic Tool
  – UFED Ultimate Touch Hardware Device.
  – Cellebrite UFED Physical Analyzer Software.
  – Imaging, Decoding, Analysis and Report of Mobile Data.
  – Over 14,000 devices.
  – Legacy Phones, Smartphones, Portable GPS, Tablets and even Chinese Devices.
  – Prepaid phones.
  – Can unlock over 1750 phones.

Page 27: Occupational Fraud and Electronic Evidence Investigations

Cellebrite Physical Analyzer Software

Page 28: Occupational Fraud and Electronic Evidence Investigations

Cellebrite Physical Analyzer Software

• Additional Identifiable Information
  – Last computer iPhone was synced or backed up to.
• Phone and Ownership information.
• Database & Data Storage information
  – SQLite Databases.
  – Can identify Photograph & Video Downloads (Porn and Captured Documents)
  – Database Application information such as QuickBooks, Banking, Facebook, Foursquare and others.
  – Application Logs.
  – Plist & XML Settings.

Page 29: Occupational Fraud and Electronic Evidence Investigations

Internet Evidence Finder

Internet Searches

Deleted Skype

Recovered Deleted Internet History

Page 30: Occupational Fraud and Electronic Evidence Investigations

Types of Cases

• Vehicle and Construction Accidents
• Labor and Employment
• Family Law
• Probate
• General Commercial Litigation
• Criminal
  – Medicare Fraud
  – Terrorism
  – Drug
  – Murder (lots of these cases)

Page 31: Occupational Fraud and Electronic Evidence Investigations

Reports

• Excel
• PDF
• HTML
• Load file creation for Summation & Concordance, Relativity.
  – Others

Page 32: Occupational Fraud and Electronic Evidence Investigations

Place Evidence online for Review

• Place all Messaging online for Investigation, Review, Tagging and Production.

Page 33: Occupational Fraud and Electronic Evidence Investigations

Daubert-Frye

• Potential issues
  – Manual review of Text Msgs or Email date/timestamp
  – Test different devices of same make and model.
  – Test against different forensic software.
  – Compare against carrier phone records.
  – Peer Review?

• NIST Testing and error rates.
  – Known or Potential error rates.
  – Misreporting by software
  – Anomalies
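
Added example, not part of the original presentation: one way to carry out the "compare against carrier phone records" check in Python, pairing each message in a forensic tool's report with the nearest carrier record and labelling exact matches, whole-hour shifts (a typical sign of time-zone misreporting by software), other mismatches, and records present on only one side. The row layout, the tolerance values and all sample records are constructed for illustration.

```python
from datetime import datetime

# Constructed sample rows: (other party, direction, UTC timestamp).
TOOL_ROWS = [
    ("+12145550101", "out", "2016-03-01T14:02:10"),
    ("+12145550101", "in", "2016-03-01T14:05:44"),
    ("+12145550102", "out", "2016-03-02T03:15:00"),  # local time shown as UTC
    ("+12145550103", "in", "2016-03-03T18:40:00"),   # absent from carrier data
]
CARRIER_ROWS = [
    ("+12145550101", "out", "2016-03-01T14:02:12"),
    ("+12145550101", "in", "2016-03-01T14:05:41"),
    ("+12145550102", "out", "2016-03-02T09:15:03"),
    ("+12145550101", "out", "2016-03-04T20:00:00"),  # absent from tool report
]


def seconds_between(a, b):
    """Signed seconds from timestamp b to timestamp a."""
    return (datetime.fromisoformat(a) - datetime.fromisoformat(b)).total_seconds()


def cross_check(tool_rows, carrier_rows, tolerance_s=120, window_s=14 * 3600):
    """Pair each tool-reported message with the nearest carrier record."""
    unused = list(carrier_rows)
    findings = []
    for number, direction, stamp in tool_rows:
        same = [c for c in unused if c[:2] == (number, direction)]
        best = min(same, key=lambda c: abs(seconds_between(stamp, c[2])),
                   default=None)
        if best is None or abs(seconds_between(stamp, best[2])) > window_s:
            findings.append((number, stamp, "missing_in_carrier", None))
            continue
        unused.remove(best)
        delta = seconds_between(stamp, best[2])
        hours = round(delta / 3600)
        if abs(delta) <= tolerance_s:
            verdict = "match"
        elif abs(delta - hours * 3600) <= tolerance_s:
            verdict = "hour_offset"  # whole-hour shift: time-zone handling
        else:
            verdict = "mismatch"
        findings.append((number, stamp, verdict, int(delta)))
    # Carrier records the tool never reported (deleted or not decoded).
    findings += [(n, s, "missing_in_tool", None) for n, _d, s in unused]
    return findings
```

A "missing_in_carrier" result is not by itself an error: messages sent through data-only apps do not appear in carrier SMS records.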

Page 34: Occupational Fraud and Electronic Evidence Investigations

Conclusion

Encourage your client to establish an anti-fraud program.

Consider how your firm can play important roles in your client’s anti-fraud program.

Electronically stored information (ESI) will almost always be involved.

It’s critically important to capture the electronic evidence as quickly as possible.

Important - get your Forensics and ESI experts involved early on in the process.

Page 35: Occupational Fraud and Electronic Evidence Investigations

QUESTIONS?

Jerry Murray: (214)[email protected]

Lance Sloves: (214) [email protected]

Page 36: Occupational Fraud and Electronic Evidence Investigations

References

Association of Certified Fraud Examiners – 2016 Report to the Nations on Occupational Fraud.