Provided by, PricewaterhouseCoopers
With increased reliance on IT, more information is being stored on hard drives, file servers and backup systems than ever before. These are fertile grounds for potential fraudsters and the way this information is handled can decide the difference between success and failure in any fraud-mitigation effort. Welcome to the world of forensic technology.
Working closely with investigation teams, forensic technology experts work to collect and analyze a wide variety of data â from spreadsheets and word-processing files to email and instant messages â that might represent evidence of fraud activity. Using state-of-the-art recovery techniques, forensic IT specialists can resurrect information that was once assumed to be lost.
Instant messaging (IM) is a prime example. Most people think of instant messages as being purely ephemeral â that is, once sent and received, they vanish into the ether, never to be seen again. This is not entirely true, however. Depending on a system's configuration, instant messages may be retained on a computer's hard drive. New forensic technology makes it possible for specialists to track and restore this content in many cases.
"It is very much like having a recording of someone's telephone conversations," says Gregory Schaffer, director of the PricewaterhouseCoopers Forensic Technology Solutions practice and co-leader of the firm's Cyber crime Prevention & Response practice in Washington, DC. "People often use IM instead of picking up the phone, and you get off-the-cuff comments like those in a private conversation. What is said on instant messaging is often more illuminating than something that is assumed to be permanent."
IT and Audit Trails -
The work of forensic technology specialists is not as simple as firing up the suspect's computer and copying files off the hard drive. The very act of starting up a computer can compromise the integrity of critical data. To the degree litigation might ensue, having an untouched copy of the perpetrator 's data can be crucial.
Fraud cases have been lost on the grounds that the suspect's computer files could have been altered when they were opened.
Forensic technology experts can copy data â even over an active network â in ways that avoid such legal pitfalls. Further, they can help companies establish systems and procedures - some of which are now mandated by laws like the Sarbanes-Oxley Act - that ensure the integrity of electronic data for evidentiary purposes.
But technology is only part of such a system; policies and procedures are equally important. "If you have a system that is capable of keeping audit trails, but you have disabled the function, or if you have several people using the same login, it's difficult to see who is doing what," Schaffer says.
How is Computer Data Analyzed?
The direction that an investigator will adopt in a computer forensic analysis will depend initially on the scope of the particular investigation. Numerous forensic tools and procedures exist that can be used to locate material on electronic media along with identifying usage and activity of the computer system.
As mentioned earlier, the resurrection of deleted instant messages or deleted computer files is one example of an investigation. Another investigation may attempt to determine the authenticity of a document extracted from the computer.
Approaches may differ depending on available resources and scope of investigation. However, the investigative process in computer forensics is like any other investigation - methods used will depend on the skills, experience and imagination of the forensic investigator.
Value of Computer Forensics
The vast majority of today's information resides in electronic form. No inquiry process can be truly complete without considering the information that may exist in digital form. These digital fingerprints do not necessarily reside on a hard drive.
There are numerous locations, some obvious, some not so obvious, where data can survive. Data can be found on floppy disks, back-up tapes, personal organizers, building access logs, Internet postings, e-mail databases, and the list goes on.
It is important to recognize where potential information may exist, and then to ensure that this data is forensically secured by qualified forensic analysts. This should be performed as a matter of urgency, as soon as it is discovered that this data may contain information that can be used to prove or shed new light on the investigator's case.
Once data has been secured to protect its integrity, then useful information can be extracted from the data through sound forensic techniques and procedures.
The underlying principle behind this process is that any results that are produced are accountable and repeatable by any other interested party.
Business and operational factors often may dictate when computer-related data may be accessed, but ideally the forensic process should be commenced as soon as the investigation is initiated.
With the help of forensic technology experts, companies can ensure they are prepared for new legal requirements as well as the challenges that accompany complex fraud investigations.