Computer forensics – fraud detection and investigation tools
9th June 2011
One of our forensic investigators recently presented at the Fraud Advisory Panel conference. The presentation was very well received, so I thought I’d share it with you – part 1 today and part 2 tomorrow.
Fraud has much in common with many other crimes. Standard computer forensic tools are suitable, in most cases, for finding evidence to support or challenge an allegation of fraud in the same manner that they would be used for anything else.
Invariably the computer forensics element of a fraud investigation will involve searching for, and potentially recovering, documents such as invoices, statements, order forms, spreadsheets and databases. E-mails can be a good source of information relating to fraud: they can show contact between fraudsters and the passing of information such as credit card and bank account details.
The initial stage of dealing with the computer forensics aspect of a fraud investigation is the capturing of the data. Whether this is done by the police or by a commercial contractor on their behalf, the procedures are the same. The handling of all computer based evidence should be in accordance with the Guidelines for Handling Computer Based Evidence which are issued by the Association of Chief Police Officers. These are more commonly known as the ACPO Guidelines.
Information can be obtained from servers, workstations, laptops, removable storage media, mobile phones and other handheld devices. The collection of the data should be carried out by a trained and experienced person, in a manner which does not allow the original data to be altered in any way. The ACPO Guidelines state that: “No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.”
The process of capturing the data in such a secure manner is known as ‘acquisition’ or ‘imaging’. It is typically achieved by taking, through a write-protection device, a very low-level copy of the contents of the media. Once processed, this gives the investigator a view of the contents of the computer, including those areas that would not normally be visible to a user. This copy is known as a forensic image.
The two tools most widely used for the processing and examination of the forensic image are ‘EnCase’ (produced by Guidance Software) and ‘Forensic ToolKit’ or ‘FTK’ (produced by AccessData). These allow the investigator to view the content of the images, conduct searches and potentially retrieve hidden and deleted data. Further tools are available which will attempt to recover items such as social networking chat logs and other artefacts which might otherwise be missed. These items can be very helpful in an investigation, as communication between culprits is often via instant messaging or ‘Chat’ on websites such as ‘Facebook’.
Additionally, a record of the Internet history can provide information that would be very useful to an investigator. By way of an example, the fact that the Internet history on a suspect computer has entries referring to various online banking websites could indicate that a user with fraudulent interests has been visiting accounts of their targets.
In a recent case in which we acted for the defence, the prosecution were relying on e-mails which showed the personal banking details of total strangers. This information had been harvested by the use of software programs specially written for the purpose of obtaining such material. An unsuspecting person is sent a link to a fake webpage where they are asked to submit their personal banking details. The person, thinking the link is genuine, unwittingly enters their details into the fields of the fake webpage.
These details are then harvested into a bank of data obtained in the same manner from other unsuspecting people, and this data is e-mailed between the members of the fraud ring. The e-mails in this particular case contained not only the standard e-mail addresses you would expect to see, but also a whole variety of details including account numbers, sort codes, security questions, passwords and more. In a number of the e-mails the IP addresses were also visible, and in some cases a trail of IP addresses could be seen, showing where the e-mail had been. The obtaining of data in this manner is known as ‘Phishing’.
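The trail of IP addresses mentioned above lives in the message’s Received: headers, one added by each mail server the e-mail passed through. As an added example (not from the original post or the investigator’s presentation), the Python below reconstructs that trail from a constructed sample message; the hostnames and RFC 5737 documentation addresses are made up, and the test for forgery is the analyst’s, not the code’s.

```python
import email
import re
from email import policy
from typing import Dict, List, Optional

# Constructed sample message (not from the original post). Relay hosts use
# RFC 5737 documentation addresses, so nothing here points at a real system.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.recipient.example (Postfix) with ESMTP id A1B2C3
    for <analyst@recipient.example>; Thu, 9 Jun 2011 10:15:02 +0100
Received: from relay.example.org (relay.example.org [198.51.100.20])
    by mail.example.net with ESMTP; Thu, 9 Jun 2011 10:14:58 +0100
Received: from [192.0.2.44] (unknown [192.0.2.44])
    by relay.example.org with ESMTPA; Thu, 9 Jun 2011 10:14:55 +0100
From: sender@example.org
To: analyst@recipient.example
Subject: constructed sample

Body text.
"""

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_RECEIVING_HOST = re.compile(r"\bby\s+([^\s;]+)")

def relay_trail(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Hops the message took, oldest first.

    Each MTA prepends its own Received: header, so reversing header order
    gives chronological order. Only the bracketed address is used: the
    receiving MTA records it from the TCP connection, whereas the 'from'
    hostname is whatever the connecting client claimed.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        flat = " ".join(str(header).split())  # unfold and squeeze whitespace
        ip = _BRACKETED_IP.search(flat)
        by = _RECEIVING_HOST.search(flat)
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops

def originating_ip(raw_message: str) -> Optional[str]:
    """Address that handed the message to the first relay in the trail.
    Hops below the first one written by a server you control may be forged,
    so corroborate it against that server's logs."""
    hops = relay_trail(raw_message)
    return hops[0]["from_ip"] if hops else None
```

Run against the sample, the trail reads 192.0.2.44 → relay.example.org → mail.example.net → mx.recipient.example, which is the order an investigator would present it in.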