Super sleuth or superspy?
With the ever-growing integration of information technology into commerce, it has become much easier for those bent on criminal acts to commit them. But while it may be a case of ‘locking the stable door after the horse has bolted’, it is nevertheless important to investigate all fraud to stem the damage done, recover assets and prevent a future occurrence.
Just as police forensic examiners can search a crime scene for fingerprints and latent clues, so cyber forensics experts can help organisations protect themselves from, for example, the malicious intent of an insider threat. According to fraud body Cifas, in its April 2014 issue of Employee Fraud, 676 internal frauds were reported in the previous year. Of those, 254 related to obtaining a benefit by theft or deception.
A new way to investigate
Jonathan Krause, founder and principal consultant at Forensic Control Limited, defines cyber forensics, also known as computer forensics or digital forensics, as the practice of collecting, analysing and reporting on digital data in a way that is legally admissible before a court of law: “Originally developed for use in the detection and prevention of crime, it is now widely also used in civil cases to help establish the facts in disputes - for example those involving alleged fraud, intellectual property theft, human resources issues and organisation reputational damage.”
Of course the most insidious threat an organisation faces is the insider threat: the trusted staff member who can readily access a company’s most valuable assets. Consider the case of the bookkeeper for Sussex-based Redcat Marketing. Over a period of six years Amanda Stevens stole £210,000 from the firm. How? She knew how to manipulate the accounts systems. Convicted in February 2013, Stevens received two years.
But cyber forensics can involve more than investigating the theft of cash. It extends to corporate fraud (deliberate dishonesty to deceive the public, investors and lenders), asset stripping (taking a firm’s cash or assets but leaving the debts), fraudulent trading, bribery and corruption, tax and excise fraud and, in the case of meat, claiming that a product is something that it is not. All of these – and more – can be investigated by a cyber forensics specialist. Indeed, it’s highly likely that the case of the Bridgend meat wholesaler, Lindsey Stoneham, who was jailed for three-and-a-half years in September 2015 for defrauding HMRC of £430,000, involved the work of a cyber forensics specialist.
An investigation starts
Clearly large firms will have a highly experienced in-house IT team, so why not use them to investigate a breach? Krause says that this type of fact-finding operation is seldom best served when carried out internally: “It is not uncommon for a senior member of the IT department to not be acting in the organisation’s best interests, or to be in alliance with someone who is acting malevolently.”
He adds that the standards of evidence generally require that data is collected, handled and analysed in a way that does not bring its integrity into question. “The person tasked with handling such evidence must be competent to do so and understand the legal implications of their actions. If these conditions are met, then the evidence is likely to be legally admissible.” This is why, he says, an external, independent forensic expert is more likely to be taken seriously by a tribunal or court than a non-forensically trained individual who collected the evidence.
Where it is possible to do so, original evidence will not be altered in any way. And this is where Krause offers advice to the ‘lay investigator’: “Merely switching on a computer and opening a file will alter dates and times associated with the file and its access, potentially over-writing vital evidence. Forensic analysis makes exact copies of the data, and it is these copies that are analysed, not the originals.”
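A file-level sketch of that principle, added here as an example and not taken from Forensic Control or any forensic tool: metadata is recorded before the content is read, the copy is hashed against the original, and later analysis touches only the verified copy. The file name, record fields and sample ledger are assumptions constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, working_dir):
    """Copy `source` into `working_dir`; return a record tying the copy to the original."""
    meta = os.stat(source)  # capture timestamps before the content is read
    source_hash = sha256_of(source)
    copy_path = os.path.join(working_dir, os.path.basename(source))
    shutil.copyfile(source, copy_path)
    if sha256_of(copy_path) != source_hash:
        raise RuntimeError("copy does not match original; do not analyse it")
    os.chmod(copy_path, 0o400)  # analysts read the copy, never write to it
    return {
        "source": source, "copy": copy_path, "sha256": source_hash,
        "size": meta.st_size, "modified_ns": meta.st_mtime_ns, "accessed_ns": meta.st_atime_ns,
        "acquired": datetime.now(timezone.utc).isoformat(),
    }


def still_intact(record):
    """Re-hash the working copy; False means it changed since acquisition."""
    return sha256_of(record["copy"]) == record["sha256"]


def demo():
    """Constructed sample: acquire a file, then show that a later change is detected."""
    with tempfile.TemporaryDirectory() as evidence, tempfile.TemporaryDirectory() as work:
        src = os.path.join(evidence, "ledger.csv")
        with open(src, "w") as fh:
            fh.write("date,payee,amount\n2013-01-04,Supplier A,120.00\n")
        record = acquire(src, work)
        before = still_intact(record)
        os.chmod(record["copy"], 0o600)  # simulate someone overriding the read-only flag
        with open(record["copy"], "a") as fh:
            fh.write("2013-01-05,Supplier B,9999.00\n")
        return before, still_intact(record), record
```

The recorded hash is what lets a later reviewer confirm that the data analysed is the data that was collected.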
Cyber forensics can assist
When a fraud is alleged to have occurred, a cyber forensic analyst can help discover who the culprit is, what they did, and when they did it. While technology is a fraud enabler in the wrong hands, rarely does a fraud happen without leaving some form of electronic evidence behind. Even if files were simply printed, it is likely that evidence would be left of who opened the files and printed them, as well as the time and date that this activity took place.
Krause highlights a common scenario - that of a staff member accessing their private webmail and attaching company files to an email which they then send to themselves. “Though it is generally not possible for forensic analysis of a computer to retrieve the content of a person’s webmail account, analysis of other artefacts from their computer may allow for a ‘timeline’ of events to be constructed.”
He continues: “Cyber forensics can also be used to show when a staff member used a particular USB stick with their computer. The USB stick’s make, serial number and the names of the files and folders accessed on that USB stick are often recoverable. Combined with a timeline analysis of when a file was accessed, these artefacts can help provide compelling evidence that a particular user has acted fraudulently.”
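The timeline analysis described in the two scenarios above, as an added example that is not part of the original article: separately recovered artefacts are merged into one ordered sequence, and file opens close in time to a USB connection or a webmail visit are picked out. Every record below, including the user name, drive serial, paths and webmail address, is constructed, and the ten-minute window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed artefact records, as an examiner might export them from one computer.
ARTEFACTS = [
    ("2015-03-02T17:41:10", "usb_connect", "Make=ExampleDrive Serial=PLACEHOLDER-0001"),
    ("2015-03-02T09:02:33", "logon", "user=jsmith"),
    ("2015-03-02T17:42:05", "file_open", r"C:\Finance\customers.xlsx"),
    ("2015-03-02T17:43:40", "file_open", r"E:\customers.xlsx"),
    ("2015-03-02T11:15:00", "file_open", r"C:\Finance\budget.docx"),
    ("2015-03-02T17:55:12", "web_visit", "webmail.example/compose"),
    ("2015-03-02T17:56:01", "file_open", r"C:\Finance\price-list.pdf"),
]


def build_timeline(artefacts):
    """Parse timestamps and order every artefact into a single sequence of events."""
    events = [(datetime.fromisoformat(ts), kind, detail) for ts, kind, detail in artefacts]
    return sorted(events)


def files_near(timeline, trigger_kind, window_minutes=10):
    """Return (trigger detail, file, seconds apart) for file opens close to a trigger.

    A trigger is an event such as a USB connection or a webmail visit; file opens
    within the window either side of it are the ones worth an examiner's attention.
    """
    window = timedelta(minutes=window_minutes)
    triggers = [(when, detail) for when, kind, detail in timeline if kind == trigger_kind]
    hits = []
    for when, kind, detail in timeline:
        if kind != "file_open":
            continue
        for t_when, t_detail in triggers:
            if abs(when - t_when) <= window:
                gap = int((when - t_when).total_seconds())
                hits.append((t_detail, detail, gap))
    return hits


if __name__ == "__main__":
    timeline = build_timeline(ARTEFACTS)
    for when, kind, detail in timeline:
        print(when.isoformat(), f"{kind:12}", detail)
    for kind in ("usb_connect", "web_visit"):
        for trigger, path, gap in files_near(timeline, kind):
            print(f"{path} opened {gap:+} s from {trigger}")
```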
While many savvy fraudsters know to delete their web history, few realise that cyber forensics can even find a mobile phone back-up on a computer, allowing for text messages, photographs and instant chat messages to be analysed.
The message that Krause wants to get over is that once fraud is suspected, the earlier a firm takes action, the better the results.
Panel: Protecting against insider threats
According to Laura Davies, crime policy adviser at the British Retail Consortium (BRC), theft and fraud by staff costs four times that committed by customers. Worse still, the BRC reckons it’s more likely that long-term permanent staff will do more damage compared to new recruits.
The BRC has published new guidelines for retail businesses wanting to minimise their exposure to insider threats. Says Davies: “While the nature and size of your business will determine the policies and procedures that are right for you, the BRC’s guidelines set out some simple steps for an effective strategy.”