The Role of Computer Forensics in Stopping Executive Fraud

By Scott Laliberte, Ajay Gupta
Sample Chapter is provided courtesy of Addison Wesley Professional
allowance
growth
overstatement
audit
incentive
per our discussion
beginning balance
income
prepaid
bonus
in connection
receivable
confirm
internal
repay
deduction
investigate
total
earned
investigation
year-end

15.6 Review of Unallocated Space and File Slack

After completing the logical file structure review, we focused on analyzing the unallocated space and file slack. Unallocated
space, also called free space, is defined as the unused portion of the hard drive; file slack is the unused space that is created
between the end-of-file marker and the end of the hard drive cluster in which the file is stored. Sometimes data is written to
these spaces that may be of value to investigators.

Using a software tool to facilitate the process is the easiest way to accomplish this portion of the analysis. As we had earlier,
we used EnCase for this segment of the review. Our approach was twofold: (1) We extracted deleted files out of the
unallocated space and subsequently reviewed them for appropriateness, and (2) we performed string searches through the
unallocated space and file slack in an attempt to locate data related to the matter being investigated.

Even with the assistance of software tools, this process can be very time-consuming. The results of
the extraction of deleted files can be voluminous. In this case several thousand files from each hard drive needed to be
reviewed.

In addition, all of the identified files must be reviewed. We can't simply review until we find material that we're looking for, or
material that helps our case, and stop. That would be an unfair and incomplete evaluation of the potential evidence. Therefore,
to expedite the process of reviewing files extracted from unallocated space, we use a software utility called dtSearch. With all
of our extracted files in one location, we fed our search terms into dtSearch and had it scan through the files to find those
that were pertinent to our investigation.

As in logical file structure review, when potential evidence is found, its address on the hard drive must be recorded. However,
because unallocated space and file slack are outside of the logical addressing scheme in this review, we must record the
physical address of any evidence, essentially including its cluster and sector address (e.g., cluster 11155, sector 357517).
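
The sketch below is an added example, not code from the chapter and not how EnCase or dtSearch work internally. It searches file slack and an unallocated cluster of a small constructed image for three of the search terms and reports each hit by cluster and sector. The function names, the 512-byte sector, the 8-sectors-per-cluster geometry, and cluster 0 starting at byte 0 of the image are all assumptions.

```python
import re

SECTOR = 512             # bytes per sector (assumed)
SPC = 8                  # sectors per cluster (assumed), i.e. 4 KiB clusters
CLUSTER = SECTOR * SPC
TERMS = ["bonus", "overstatement", "year-end"]   # from the chapter's term list

def slack_range(cluster, file_size):
    """Byte range [begin, end) of the slack after a contiguous file starting
    at the given cluster: from end of data to the end of its last cluster."""
    begin = cluster * CLUSTER + file_size
    end = -(-begin // CLUSTER) * CLUSTER      # round up to a cluster boundary
    return begin, end

def search_region(image, begin, end, terms):
    """Case-insensitive search of image[begin:end] for each term, encoded as
    ASCII and as UTF-16LE. Returns (term, encoding, cluster, sector, offset)
    tuples sorted by offset, so every hit has a recordable physical address."""
    hits = []
    for term in terms:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(term.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image, begin, end):
                off = m.start()
                hits.append((term, enc, off // CLUSTER, off // SECTOR, off))
    return sorted(hits, key=lambda h: h[4])

def build_sample_image():
    """Constructed 4-cluster image. Cluster 1 holds a 100-byte live file whose
    slack still carries an older draft; cluster 3 is unallocated and holds a
    fragment of a deleted UTF-16 document."""
    img = bytearray(4 * CLUSTER)
    img[CLUSTER:CLUSTER + 100] = b"A" * 100
    draft = b"Year-End Bonus"
    img[CLUSTER + 300:CLUSTER + 300 + len(draft)] = draft
    memo = "revenue overstatement".encode("utf-16-le")
    img[3 * CLUSTER + 1024:3 * CLUSTER + 1024 + len(memo)] = memo
    return bytes(img)

def review(image):
    """Search the slack of the live file, then the unallocated cluster."""
    hits = search_region(image, *slack_range(1, 100), TERMS)
    return hits + search_region(image, 3 * CLUSTER, 4 * CLUSTER, TERMS)

if __name__ == "__main__":
    for term, enc, cluster, sector, off in review(build_sample_image()):
        print(f"{term!r} ({enc}): cluster {cluster}, sector {sector}, byte {off}")
```

On a real volume the cluster number also depends on where the file system's data area begins, so the geometry must be read from the volume's boot sector rather than assumed.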

15.7 Smoking Gun

Although everyone on the investigative team wanted to find a smoking gun, such as an e-mail from a senior executive saying,
"I'm going to lie about the numbers to increase my yearly bonus—the SEC be damned," no such e-mail was found. In
addition, no single financial report, PowerPoint presentation, or Word document clearly indicated that any individual was a
party to fraud or that any fraud had indeed taken place.

Instead, the investigation was an iterative process in which we discovered information piece by piece—draft financial reports,
reports marked confidential, e-mails between suspects—and shared it with the accountants to review. Each time we gave
them some such material, they reviewed it and suggested that we look for more of the same.

Sometimes the accountants came to us with leads. For example, they might ask us to do a search on the name of an offshore
corporation to see what might turn up. In some cases, a great deal of relevant data was discovered; in other cases,
nothing came up. In this back-and-forth process, the case for fraud was built.


15.8 Reporting

When our analysis was complete, we began to draft a report. This is another critical step in the computer forensic process,
and we wanted to make sure we got it right.

We met with the lead investigators and attorneys and provided them verbal reports of the results of our analysis, as well as
our working papers. We had been working together, so they were aware of the findings for the most part, but a presentation
still had to be made to ensure that there were no misunderstandings. In addition, though we had a report format (template)
that we were comfortable with, we needed to know how the report should be labeled (e.g., confidential, sensitive, privileged,
attorney/client privileged). This is an important consideration that, in general, is best left to the lawyers.

We agreed to develop our report using Microsoft Word and to include links to pertinent files that would be stored on an
accompanying CD-ROM. All the attorney would need to do is insert the CD in a computer, and the report would automatically
open for viewing. The attorney could then easily review the report and choose to open any associated files she wished to
view.

The report, as well as all data and work papers, would be on the CD-ROM. The written report could certainly be printed in
hard copy; the sheer volume of the data, however, made hard copies of the data completely impossible.

15.9 Lessons Learned

Although no smoking gun was found in this investigation, enough evidence was discovered (e.g., key electronic documents,
e-mail, spreadsheets, PowerPoint presentations) that, when put together, identified how key executives had committed the
fraud and had communicated about their activities. In this particular case, however, all of the information that we uncovered
with computer forensics would have to fall into the category of circumstantial evidence. All of it was critical to allowing our
team to complete the investigation. However, none of it contained the smoking gun that our computer forensic technicians
were hoping for. Fortunately for the investigative team (and the company involved), a whistle-blower and other company
employees were willing to talk with the investigating team and provide information that was helpful in uncovering the details
of the fraud.

For the sake of fairness, it must be stated that the investigation did exonerate certain of the suspects. And this is a major
part of the role of computer forensic professionals. We are charged not only with presenting evidence that an incident did in
fact occur, but also with presenting evidence suggesting that the incident did not occur, if that is indeed the case.

After the investigation was completed, the lead attorneys from the investigative team provided the complete report to the
audit committee. The report outlined specifically which company employees—mainly executives—were involved in the fraud,
without attempting to evaluate their culpability. (Lawyers have more leeway in assessing guilt than we do.) The report also
contained information about internal control deficiencies that permitted the fraud to occur and ways to mitigate the risk of this
type of fraud in the future.

The audit committee took swift and decisive action, firing all of the executives who were involved in the fraud and
recommending significant changes to the company's internal financial reporting and control environment.
Computer Forensic Services - TR LOGIC, Inc.