By Jesman Howera
ARE fraudsters not exploiting information technology to fleece your business? If so, why not use the same technological advances to frustrate their efforts or to harden their targets?
Information technology is ever developing and each new development has found a greater role not only in business but in every aspect of modern life, posing challenges in the investigation and management of fraud.
At one time, a single computer filled an entire room but today a computer can fit in the palm of your hand. Computers can be used to commit crime, can serve as containers of evidence of crime and can even be targets of crime.
Fraud and crime in general have been transformed, with traditional frauds (the physical and paper-and-pencil types) creating their own “shadow” computer (cyber) crimes.
The calibre of today’s fraudsters, the sophistication of their modus operandi and their global networks have also increased the complexity and volumes of transactions, as fraudsters are now able to disguise their identity, communicate secretly and globally, phish identities and manipulate electronic payment systems with great ease and speed.
Data is today’s currency, so they say.
As such, the manner in which fraud is detected, investigated and managed has changed significantly, with the recovery of evidence from electronic devices now firmly part of law enforcement, forensic auditing, fraud risk management and legal proceedings involving allegations of high-tech crime.
This era now requires the use of analytical and investigative techniques to identify, collect, examine and preserve evidence which is magnetically stored or encoded in order to provide digital evidence of a specific or general nature in respect of general criminal cases, fraud and deception cases, employee internet abuse, unauthorised disclosure of corporate information and data (accidentally or intentionally), industrial espionage etc.
Understanding the role and nature of electronic evidence, how to extract data containing potential electronic evidence and how to preserve and present it are crucial issues for businesses in this era.
More importantly, from the data mining (acquisition, extraction) stage through to the preservation and presentation of electronic evidence, the rules of evidence apply just as much as they do to evidence obtained from other sources, and it should be treated in the same manner as traditional forensic evidence, with respect and care.
It should be noted that electronic evidence is by its very nature delicate and alterable, and can be ruined by improper handling, examination, preservation and presentation. For this reason, special precautions should be taken to collect, preserve, examine and document this type of evidence.
Failure to do so may render it unusable or lead to an inaccurate conclusion. It is always the responsibility of the investigator (law enforcement, auditor or management) to ensure that data integrity rules have been complied with and, in particular, to be sure that the procedures adopted in the seizure of any evidence are in accordance with the relevant statute and current case law.
Testimony may be required to explain the processes used during the extraction and examination of the evidence.
What is electronic evidence? It is information and data of investigative value that is stored on or transmitted through electronic equipment and software.
This evidence is latent evidence in the same sense that fingerprints or DNA evidence is latent. In its natural state, we cannot see what is contained in the physical object that holds our evidence; electronic equipment, storage media and software are therefore required to make the evidence available.
Examples are laptops, desktops, servers, network devices (switches, routers, firewalls), cellphones and PDAs, telephone logs, internet usage logs, external hard disks, dongles, modems, wireless network cards, digital cameras, floppy disks and tapes, Jaz/Zip cartridges, CDs, DVDs, memory sticks and cards. The list is endless.
During the data mining process, it is important to note that action taken by the investigator or their agents should not change data held on a computer or storage media which may subsequently be relied upon in a court of law.
In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
It is also important to create and preserve an audit trail or other record of all processes applied to computer-based electronic evidence. An independent third party should be able to examine those processes and achieve the same result.
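One way to keep such an audit trail, shown as an added example that is not part of the original article: each record stores a SHA-256 digest of the evidence item and of the previous record, so a third party can re-run the check and get the same result. The use of hashing, the function names, the examiner label and the sample file are assumptions made for illustration.

```python
import hashlib, json, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file opened read-only, so the check itself does not alter the data."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(trail, examiner, action, path, when):
    """Append one audit record; each record commits to the one before it."""
    record = {"when": when, "examiner": examiner, "action": action,
              "item": os.path.basename(path), "item_sha256": sha256_file(path),
              "prev": trail[-1]["entry_hash"] if trail else "0" * 64}
    record["entry_hash"] = entry_digest(record)
    trail.append(record)
    return record

def verify(trail, path):
    """Third-party check: recompute the record chain and re-hash the item."""
    prev, current = "0" * 64, sha256_file(path)
    for rec in trail:
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        if rec["prev"] != prev or entry_digest(body) != rec["entry_hash"]:
            return "trail altered"
        if rec["item_sha256"] != current:
            return "item changed since " + rec["action"]
        prev = rec["entry_hash"]
    return "ok"

def demo():
    """Constructed sample: a small file standing in for a disk image."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "exhibit-001.img")
        with open(img, "wb") as f:
            f.write(b"constructed sample data" * 1000)
        trail = []
        add_entry(trail, "examiner A", "acquired", img, "2024-01-01T09:00:00Z")
        add_entry(trail, "examiner A", "copy verified", img, "2024-01-01T10:00:00Z")
        before = verify(trail, img)
        with open(img, "ab") as f:  # simulate improper handling of the item
            f.write(b"x")
        return before, verify(trail, img)

if __name__ == "__main__":
    print(demo())
```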
As such, there is a need for businesses to develop or make available analytical and investigative techniques to identify, collect, examine and preserve evidence which is magnetically stored or encoded.
Examples of these techniques are: forensic computing (computer imaging, analysis, and retrieval of magnetically stored information to retrieve deleted files and “formatted” hard drives), forensic e-mail analysis (search and retrieval of relevant e-mail correspondence, chain of custody of e-mails), forensic document analysis (conversion of all paper-based evidence into an electronic format for further investigation) and other data management techniques to use during audit testing, categorisation, aggregation and analysis of data sets of any size.
It is also important to note that despite the fact that the methods of data mining, recovering and collating electronic evidence while maintaining evidential continuity and integrity may seem complex and costly, computer forensics experience has shown that, if dealt with correctly, these methods will produce evidence that is both compelling and cost effective (ACPO).
*Jesman Howera is senior manager: fraud & forensic services.
Disclaimer: This publication contains information in summary form and is therefore intended for guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgement. Neither PricewaterhouseCoopers Zimbabwe nor any other member of the global PricewaterhouseCoopers organisations can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. For further information or comments please contact marketing on email@example.com or 338362-8