Today, most financial data and records exist in electronic form, and while this digital transformation offers benefits for businesses in terms of efficiency and productivity, it also creates another layer of evidence that must be properly examined when performing any type of forensic investigation.
At Withum, our Digital Forensics/eDiscovery and Forensic and Valuation Services teams blend their talents to provide a unique service to clients. Examiners well-versed in digital media/data forensics and accountants with experience in financial forensics collaborate to work on a wide range of cases, including complex financial, white-collar and corporate fraud investigations. The depth and breadth of experience and the variety of the services provided are a distinctive combination in a consulting firm.
Understanding Digital Forensics
Digital forensics involves the careful, forensically sound acquisition or extraction and analysis of data from various digital media sources, such as computers, mobile devices, thumb drives, etc. Trained examiners use specialized hardware and software to acquire images without altering the original data on the digital media, ensuring that the evidence is admissible in court. In an era where most financial transactions are recorded digitally, and nearly all communications are transmitted through email, mobile text messages, or chat platforms, digital forensic examiners are essential for extracting and analyzing critical information, which forensic accountants rely upon in conducting an investigation.
Below, we share real-world examples where digital forensics examiners and forensic accountants played a pivotal role in uncovering and analyzing fraudulent activities.
Recovery of Deleted Documents in a Trade Association
- Background: A not-for-profit (NFP) trade association’s outsourced executive director had full authority to conduct financial transactions, and, outside monthly reporting to the Board, there was limited oversight surrounding the association’s financial affairs. . As a national association with members located throughout the United States, most financial documentation was maintained electronically under the control of the executive director.A newly appointed treasurer, who sought to improve transparency of the association’s finances, obtained banking documents and noticed excessive and unrelated payments which were indicative of fraud, but the association did not have sufficient documentation to fully vet the suspicions.
- Digital Forensic Process: The executive director was reluctant to provide the Treasurer with requested documentation.Accordingly, to investigate, the association-provided computer was forensically imaged, and the image was placed into evidence.A working copy of the forensic image was processed using a digital forensics software program. A search through the user’s profile identified folders and files associated with the trade association, which the forensic accounting team flagged as pertinent to the investigation. The investigation team then performed a keyword search to identify additional pertinent documents/partial documents, including both active and deleted files. Photographs were reviewed to locate any and all related scanned documents. Additionally, the data was analyzed to determine if any external devices were attached to the computer and a timeline analysis was conducted to determine if there was evidence of data exfiltration.
- Outcome: The digital forensic examiners’ recovery of deleted documents provided key evidence of fraudulent transactions, such as invoices/receipts prior versions of QuickBooks files, and canceled checks, which aided the forensic accounting team in quantifying misappropriated assets.Without the use of digital forensics, the forensic investigation team would have fought an uphill battle in attempting to obtain historical financial documents.
Uncovering Embezzlement Through Browser History Analysis
- Background: A finance employee in a corporation created fake companies and fraudulent purchase orders to fund a lavish lifestyle, including the purchase of high-end automobiles, multiple houses, and a gambling addiction.
- Digital Forensics Process: Digital forensic examiners imaged the employee’s laptop and analyzed their browsing history across Google, Bing and Duck Duck Go, uncovering searches for high-end purchases, including real estate, foreign banks, and evidence of shell companies used in the scheme. These companies were identified as having received payment from the victim company.
- Outcome: This browsing history helped piece together the embezzlement scheme, aiding in both internal investigations and external legal proceedings. An analysis of the browsing history timeline identified specific vendors of issue, and comparing those vendors against the Company’s vendor master file and payment history identified that these companies did in fact get paid by the Company around the same time the websites were accessed. Review of the browsing history also aided the investigation team to identify financial institutions that the finance employee holds personal accounts, which allowed for legal subpoenas to be issued for financial information.
Email Review in a Law Practice Fraud Case
- Background: In a large contingency-based law practice, paralegals could receive additional compensation for after-hours eDiscovery document review. An office manager at the law practice compiled the total document review pages reported by the paralegal and emailed this information to practice management for approval. Once management approved the hours, the office manager would either forward the approval email to the payroll company or—without anyone’s knowledge—manipulate the reported hours to increase payments for certain paralegals before sending it on. In some cases, the office manager made it appear as though the altered number of documents were management-approved by creating an entirely fictitious email trail.
- Digital Forensic Process: Forensic examiners directly acquired the emails of the office manager and involved management using provided user credentials and using email provider discovery tools.The downloaded email was imaged for analysis and placed into evidence. By closely reviewing email headers and timestamps, the team was able to identify inconsistencies between emails sent to management and those the office manager sent to payroll. A detailed timeline analysis revealed patterns in the altered hours, uncovering fraudulent activities.
- Outcome: The investigation identified deliberate inflation of money paid to paralegals, allowing the legal practice to take corrective action and improve internal controls. The forensic accounting investigation team relied upon the documentation extracted by the digital forensics examiners to cross-reference document access dates and times to the number of documents each paralegal was paid and to cross-reference approved compensation to what was actually paid.This enabled the investigation team to calculate the loss to the law practice.
Recovering Auto-Fill Login Credentials
- Background: A key employee responsible for the company’s banking operations left the company abruptly and under suspicious circumstances, failing to provide passwords for essential online banking systems, effectively locking the company out of critical financial resources.
- Digital Forensic Process: The former employee’s laptop was forensically acquired, and forensic examiners created a secure, working copy of the laptop. Initially, they conducted a targeted search to locate any documents that might contain login information for the company’s banking system. When no direct documents were found, the team turned to analyzing web browsers installed on the laptop, including Google Chrome, Mozilla Firefox, and Microsoft Edge. Each browser was examined for any auto filled login information, as they often store usernames and passwords for easier access. Through this method, forensic examiners successfully retrieved several usernames and passwords stored in the Google Chrome SQLite database linked to the employee's profile.
- Outcome: The decrypted usernames and passwords provided the company with access to its online banking systems, allowing it to regain control of its financial assets and prevent any further disruptions. Doing so, provided the company with the information needed to confirm their suspicion of asset misappropriation and commence an investigation to quantify losses.
Takeaways
Digital forensics plays a crucial role in fraud investigations by providing concrete, admissible evidence for complex cases involving financial misconduct. For organizations, collaborating with experts trained in both data and financial forensics provides a comprehensive approach to investigating and preventing fraud. These cases serve as a reminder of the importance of digital forensics in safeguarding businesses and uncovering the truth when financial misconduct arises.
Digital forensics is also invaluable in areas like criminal defense, where uncovering key evidence can be pivotal. Explore this further in our article, The Vital Role of Independent Digital Forensics in Modern Criminal Defense.
Authors: Eric Bishop, Lead, Digital Forensics and eDiscovery Services; Justin Sacks, CPA, CFE; and Alan Nelson, CPA/CFF, PI, Principal
Contact Us
For more information on this topic, please contact a member of Withum’s Digital Forensics and eDiscovery Services Team.
