Understanding the mindset of a digital fraudster
Stefan Lau is a Senior Manager, Computer Forensics & Ediscovery Services with Kroll Ontrack. To learn more about these services, visit www.ediscovery.com
Nearly all corporate crimes today involve a digital element, and fraudsters are increasingly sophisticated in covering their tracks. Computer forensic specialists, with their technical knowledge and investigative experience, can help companies stay one step ahead when collecting information from a digital device. They are able to easily spot the red flags to give you a quick sense of what is going on – which might support a deeper investigation. With over 10 years of experience in the field, Stefan Lau shares his insight on the tactics fraudsters often employ.
There are two tactics we increasingly see…
Deleting with Junk. Many years ago, employees who were looking to hide information would simply “delete” the information from their digital device. However, we all know that deleted information can be easily traced. While we see less of this simple “deletion” tactic, we are seeing employees force a more effective deletion of files by filling a hard drive’s free space with junk files, thus overwriting the files the fraudster wants to delete. Hard drives nowadays tend to be 500 gigabytes (GB) in size and, from what we have seen, an average employee only uses about 30 to 50GB at work.
Once we have completed a forensic image or run computer forensics analysis on the suspect’s computer, if we see that a hard drive is used to its maximum capacity, this is a red flag and we will want to investigate further. More often than not we will find that the hard drive is stuffed with movie files, interestingly the same movies ten times over. We will investigate this further to see if the creation dates of the junk files match key dates, such as when an employee resigned or was terminated, or when we suspect a fraud took place, to confirm the company’s suspicions. While it’s tough to retrieve the deleted files, the computer forensic specialist will be able to obtain enough evidence to indicate wrongdoing. This intelligence provides the investigator or lawyer with additional insight to question or further investigate the subject.
Transfer of illicit files to an external drive. While most companies have improved their IT security controls, especially where these relate to their network and internet access, we still see that many do not have strict security around the use of USB ports. From our experience most data thefts involve USB storage media.
So what happens when a fraudster wants to delete particular files? We worked on a case where a fraudster transferred ALL files from his computer’s internal drive to an external USB drive. He then wiped clean the internal drive and transferred back only those files which were irrelevant to the crime. In cases like this, to an average person the computer’s internal drive seems in order and nothing appears to be “deleted” – even if the accessed date for all files has changed to a single, more recent date that can be easily justified by having run a virus scan. Instead one needs to pay attention to the creation date – are there an abnormal number of files that were “created” during a short period of time? This is an instant red flag which requires further investigation. Match up these creation dates with footage from security cameras around the time of the incident and see what you get.
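Both red flags described above (the same large files stored many times over, and an abnormal number of files "created" within a short period) can be checked against a file listing exported from a forensic image. The Python code below is an added example, not part of the original article or Kroll Ontrack's tooling; the record fields, thresholds and sample listing are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One row per file from a forensic image's file listing (field names are assumptions).
FileRec = namedtuple("FileRec", "path size created sha256")

def creation_bursts(records, max_gap=timedelta(minutes=5), min_files=50):
    """Return (first, last, count) for runs of files created within max_gap of each other."""
    times = sorted(r.created for r in records)
    bursts, start, prev, count = [], None, None, 0
    for t in times:
        if prev is not None and t - prev <= max_gap:
            count += 1                      # still inside the same run
        else:
            if count >= min_files:          # close the previous run if it was large
                bursts.append((start, prev, count))
            start, count = t, 1
        prev = t
    if count >= min_files:
        bursts.append((start, prev, count))
    return bursts

def duplicate_filler(records, min_size=100 * 2**20, min_copies=3):
    """Return {sha256: (copies, total_bytes, earliest_created)} for large repeated files."""
    groups = defaultdict(list)
    for r in records:
        if r.size >= min_size:
            groups[(r.size, r.sha256)].append(r)
    return {h: (len(g), size * len(g), min(r.created for r in g))
            for (size, h), g in groups.items() if len(g) >= min_copies}

def build_sample():
    """Constructed listing: months of normal files, 200 files copied back, 10 movie copies."""
    recs = [FileRec(f"docs/report{i}.docx", 40_000,
                    datetime(2023, 1, 2, 9) + timedelta(days=3 * i), f"d{i}")
            for i in range(40)]
    recs += [FileRec(f"restored/file{i}.xlsx", 25_000,
                     datetime(2023, 6, 30, 22, 0) + timedelta(seconds=4 * i), f"r{i}")
             for i in range(200)]
    recs += [FileRec(f"video/movie_copy{i}.mp4", 4 * 2**30,
                     datetime(2023, 6, 30, 23, 0) + timedelta(minutes=10 * i), "m0")
             for i in range(10)]
    return recs

if __name__ == "__main__":
    sample = build_sample()
    print(creation_bursts(sample))    # one burst of 200 files on the evening of 30 June
    print(duplicate_filler(sample))   # ten copies of one 4 GiB file, 40 GiB in total
```

The burst window and the earliest creation time of the duplicated files are the dates to compare with key events such as a resignation or termination. On Windows, a file copied onto a volume typically receives a new creation time while keeping its older modification time, which is a further check to run on files inside a burst.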
Companies need to be vigilant and be well prepared. If you are planning to terminate a senior employee who is responsible for sensitive company information, forensically image his/her computer on a regular basis and run reviews to ensure the sensitive information is shared with only appropriate parties. If a senior employee resigns, as a precaution companies should immediately terminate both physical and digital access to company information, preserve the information on his/her computer, network and possibly the backup server as well. Smart companies are always prepared for the worst, but it’s important to be aware of data privacy challenges and consider working with your lawyer to add various clauses in employee contracts to ensure a digital investigation goes smoothly.