Occupational Fraud and Electronic Evidence Investigations Presented by Jerry Murray and Lance Sloves
Learning Objectives
• Raise your occupational fraud awareness
• Better understanding of electronic evidence investigations
Occupational Fraud Defined
• Employee deliberately misappropriates or misuses company assets for personal benefit.
• “Company assets” is not just cash.
• Growth industry across almost all industries.
• How big is it? Think iceberg…
• The lucky ones are still out there right now.
Occupational Fraud Facts
• 5% of annual revenue lost to fraud
• Median loss of $150,000
• Average time before detected… 18 months
• 85% of fraudsters are first time offenders
• 79% displayed “warning signs”
• Asset misappropriation most common fraud
• Missing or ineffective internal controls
• Most commonly detected by… TIPS!
Common Warning Signs
• Rarely takes a vacation
• Works long or odd hours
• Unwillingness to share duties
• Spending habits change
• Has known financial problems
• Complains about inadequate pay
• Has unusually close association with a vendor or customer
Common Elements of Fraud
Three common elements of the fraud triangle:
• Motive (pressure)
• Opportunity
• Rationalization
Motive
• What motivated you at age 20? Today? Tomorrow?
• Personal financial issues (credit card debt)
• Addictions (drugs, alcohol, gambling, etc.)
• Health issues and medical costs
• Divorce
• Elderly parent care
• Living beyond their means
• Greed
• “The thrill of the steal”
Opportunity (The Keys to the Kingdom)
Whenever someone can initiate, execute and conceal an improper transaction.
• Giving someone signature authorization on a checking account without compensating controls
• Allowing employees to make deposits with no crosschecks
• Not reconciling bank statements timely and accurately
• Not reviewing your payroll tax deposits
Rationalization (aka moral breakdown)
Rationalization for fraud can take many paths.
• I’ll just borrow the money and pay it back…
• No one will ever miss it…
• I’m not paid enough…
• I work hard, I deserve this…
• My kid really needs a new cell phone so his friends won’t make fun of him.
What’s wrong with this picture?
Employee can and does:
- sets up vendors and approves bills
- opens the daily mail
- prepares and makes bank deposits
- posts receipts and makes adjustments to the accounts receivable system
- prepares checks and has signature authority over bank accounts
- reconciles the bank accounts
I’ll just “borrow the money”
• General partner embezzled funds from limited partners (Dallas 2000-2003).
• “Borrowed” investors’ funds to support his law practice and personal lifestyle.
• Total loss of $1.5 million… over four years.
• Forensic accountant untangled four years of transactions across seven QuickBooks general ledgers and discovered/proved the theft.
• Investors sued and won.
• Defendant pleaded guilty to mail fraud, lost license to practice law, served time and was ordered to pay restitution plus investors’ legal costs. (rare)
“They’ll never miss it”
• Claims manager for TPA skimmed refund checks from hospitals (Fort Worth 2004-2005).
• Employee received the TPA’s refund checks from hospitals and would divert a “few” to her personal bank account.
• Total loss - $100,000 over two years
• New internal controls over the refund accounting process uncovered the embezzlement.
• Fraudster convicted and jailed. No money was recovered.
“I’m not paid enough”
• Office manager of privately owned business (Dallas 2012-2013).
• Wrote extra checks for insurance, utilities and other suppliers.
• Took extra checks and deposited them into her personal bank account.
• Covered cash flow shortfall by not making payroll tax deposits.
• Total loss - $150,000… zero recovery
• Discovered when owner received notices from the IRS regarding shortage in payroll tax remittances.
Anti-fraud Program
First - Perform a risk assessment.
• “Follow the dollar” - study internal processes from start to finish.
• What could go wrong, how could it go wrong and how bad?
• Identify where there are shortfalls such as no checks and balances, no physical security or no periodic reconciliations.
• Overall goal = Prevent, Detect and Respond.
Anti-fraud Program
Next - Establish internal controls
• Establish controls around the position… not the person – very important.
• Communicate financial policies and procedures in writing and establish a fraud policy as well as a robust anti-fraud program. (attorney)
• Develop a written Code of Conduct (attorney)
• Educate not only employees but vendors and customers about your Code of Conduct. (tips)
Anti-fraud Program
Finally - Monitor and Maintain
• Be diligent in recognizing changes that impact risk profile (e.g. new location)
• Anonymous fraud reporting (attorney)
• Ethics training – initial and on-going
• A perception of detection can decrease motive
  - conduct surprise inspections
  - check the business at odd hours
  - test the effectiveness of internal controls
Services the attorney can provide
• Assist with assessing the fraud risk.
• Assist with a written Code of Conduct.
• Provide a fraud tip reporting mechanism.
• “Quarterback” the client’s response.
• Assist with development of a written response plan for actual, alleged or suspected fraud.
• Get the experts involved very early in the response process.
• Quickly preserve evidence such as accounting records and electronically stored information (ESI).
Objectives
• Brief History & Background
• Mobile Devices
• Collection & Analysis
Mobile Phones Today
• Apple has sold over a BILLION iPhones.
• 91% of all mobile internet use is “social” related, i.e. Facebook, Twitter, Foursquare, Snapchat, Kik, etc. 75% Computer Desktop-Laptop related.
• Uploaded Facebook photos and videos take up 27% of upstream web traffic.
• People have four essential items - Keys, Wallet, Money and a Mobile Phone.
• “Nomophobia” is the fear of being without your cell phone or losing your signal. Take the test: http://www.nomophobia.com/
Identifiers for Discovery
• International Mobile Station Equipment Identity (IMEI)
  – The IMEI number is used by a GSM-LTE network to identify valid devices and therefore can be used for stopping a stolen phone from accessing that network.
• Model Number of Device.
• Serial Number of Device.
• Phonescoop www.phonescoop.com
Capturing and Recovering Data
• Cellular Smart Phones
  – Recovery of Information
    • Email, Chat, SMS “text”, MMS, Calendars, Internet Browsing, Picture and Video Capture, Banking, Games, GPS Locations and Directions.
    • Facebook, Twitter and other Social Media.
    • Passwords
    • Email Accounts
    • Apps information.
  – Spyware
  – Jailbreaking.
  – User accounts and Data.
  – Hidden Apps.
  – Specialized Chat Programs
Capturing and Recovering Data
• Typically three components are imaged
  – SIM Card – GSM
    • Contains International Mobile Subscriber Identity (IMSI)
      » Identifies individual subscriber or cellular network.
        • Country Code
        • Network Code
        • Mobile Station Identification
    • Possibly SMS messages, contacts or call logs (not very likely)
    • Past case used to track back a GPS device on car.
  – SD Card
    • Pictures, Videos, Files, Apps and other info
  – Phone Memory
    • All the good stuff: SMS, MMS, Contacts, Call Logs, App Data, etc.
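
The identifiers named on the "Identifiers for Discovery" slide and the IMSI fields listed above can be sanity-checked before they go into a discovery request or a report. The following is an added example, not part of the original presentation: it validates the IMEI check digit, splits the IMEI and IMSI into their fields, and compares a requested IMEI against the one reported for the imaged device. All sample values are constructed, and the `mnc_digits` argument is an assumption the examiner supplies.

```python
import re

def _digits(raw: str) -> str:
    """Strip the spaces, dashes and slashes found on labels and in reports."""
    return re.sub(r"[\s\-/]", "", raw)

def luhn_valid(digits: str) -> bool:
    """Luhn check used for the final IMEI digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_imei(raw: str) -> dict:
    """Split a 15-digit IMEI into TAC (make/model), serial and check digit."""
    d = _digits(raw)
    if not re.fullmatch(r"\d{15}", d):
        raise ValueError(f"not a 15-digit IMEI: {raw!r}")
    return {"imei": d, "tac": d[:8], "serial": d[8:14],
            "check": d[14], "valid": luhn_valid(d)}

def parse_imsi(raw: str, mnc_digits: int) -> dict:
    """Split an IMSI into country code, network code and subscriber number.
    mnc_digits (2 or 3) is an assumption the examiner supplies: it depends on
    the issuing country's numbering plan and cannot be read from the IMSI."""
    d = _digits(raw)
    if not re.fullmatch(r"\d{6,15}", d) or mnc_digits not in (2, 3):
        raise ValueError(f"bad IMSI or MNC length: {raw!r}, {mnc_digits}")
    return {"mcc": d[:3], "mnc": d[3:3 + mnc_digits], "msin": d[3 + mnc_digits:]}

def compare_imei(requested: str, extracted: str) -> str:
    """Compare the IMEI named in a discovery request with the imaged device's."""
    a, b = parse_imei(requested), parse_imei(extracted)
    if not a["valid"] or not b["valid"]:
        return "check-digit failure: likely transcription error"
    return "match" if a["imei"] == b["imei"] else "different device"

# Constructed sample values, not from any real case.
REQUESTED = "49-015420-323751-8"   # as typed from a device label
EXTRACTED = "490154203237518"      # as reported by the extraction tool
MISTYPED = "490154203237581"       # last two digits transposed
SAMPLE_IMSI = "310150123456789"    # MCC 310 is a United States code

if __name__ == "__main__":
    print(compare_imei(REQUESTED, EXTRACTED))
    print(compare_imei(MISTYPED, EXTRACTED))
    print(parse_imsi(SAMPLE_IMSI, mnc_digits=3))
```
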
Capturing and Recovering Data
• JTAG – Advanced Technique or Chip Off
  – JTAG (Joint Test Action Group) forensics is an advanced-level data acquisition method that involves connecting to Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips. It is used when typical commercial tools won’t image the data.
• When is it appropriate to JTAG an evidence device?
  – When commercial forensic extraction options cannot acquire a physical image or when a device is logically damaged or “bricked”. The majority of our JTAG work involves Android phones which are pattern locked and cannot be bypassed by other means. We also JTAG prepaid cell phone models (such as TracFone, Net10 and Virgin) which have their data ports intentionally disabled by the carrier.
• Phone repair and imaging is also possible when a device is water damaged, fire damaged, etc.
• Password removal or bypass
Capturing and Recovering
• We can also download Windows Backups from online sources.
• iPhone backups from computers.
• Android backups.
• BlackBerry backups.
Data Capture and Analysis
• Cellebrite Mobile Device Forensic Tool
  – UFED Ultimate Touch Hardware Device.
  – Cellebrite UFED Physical Analyzer Software.
  – Imaging, Decoding, Analysis and Report of Mobile Data.
  – Over 14,000 devices.
  – Legacy Phones, Smartphones, Portable GPS, Tablets and even Chinese Devices.
  – Prepaid phones.
  – Can unlock over 1750 phones.
Cellebrite Physical Analyzer Software
• Additional Identifiable Information
  – Last computer the iPhone was synced or backed up to.
• Phone and Ownership information.
• Database & Data Storage information
  – SQLite Databases.
  – Can identify Photograph & Video Downloads (Porn and Captured Documents)
  – Database Application information such as QuickBooks, Banking, Facebook, Foursquare and others.
  – Application Logs.
  – Plist & XML Settings.
Internet Evidence Finder
• Internet Searches
• Deleted Skype
• Recovered Deleted Internet History
Types of Cases
• Vehicle and Construction Accidents
• Labor and Employment
• Family Law
• Probate
• General Commercial Litigation
• Criminal
  – Medicare Fraud
  – Terrorism
  – Drug
  – Murder (lots of these cases)
Reports
• Excel
• PDF
• HTML
• Load file creation for Summation & Concordance, Relativity.
  – Others
Place Evidence online for Review
• Place all Messaging online for Investigation, Review, Tagging and Production.
Daubert-Frye
• Potential issues
  – Manual review of text message or email date/timestamp
  – Test different devices of same make and model.
  – Test against different forensic software.
  – Compare against carrier phone records.
  – Peer Review?
• NIST Testing and error rates.
  – Known or potential error rates.
  – Misreporting by software
  – Anomalies
Conclusion
Encourage your client to establish an anti-fraud program.
Consider how your firm can play important roles in your client’s anti-fraud program.
Electronically stored information (ESI) will almost always be involved.
It’s critically important to capture the electronic evidence as quickly as possible.
Important - get your Forensics and ESI experts involved early on in the process.
References
Association of Certified Fraud Examiners – 2016 Report to the Nations on Occupational Fraud.