In a previous career, I remember returning from an NICB conference and sitting down at my desk at the St. Paul Police Auto Theft Unit. I was excited to pick up fresh cases and put my new knowledge to work.
One of the first files I picked up was a case in which the auto theft report had more red flags than a Bolshevik convention. It turned out the vehicle had never seen a Minnesota winter. Purchased in Oregon, it immediately went on a container ship to Osaka, Japan. Two weeks after registering it in Minnesota, the suspect filed the auto theft report. Working together with an insurance SIU agent, we traced the vehicle and it was located by Japanese police. Eventually, the suspect was charged. Since the suspect owned an import/export company, I thought it was only fair to also discuss the case with U.S. Customs and tax revenue authorities. He likely is still being audited.
Eventually, my career led me out of the auto theft unit and into our police SIU. I performed computer forensics for a wide variety of cases as part of my duties. It took years for the various units to realize the value of computer forensics in their investigations, which now is something that is taken for granted in law enforcement. Every once in a while, on an auto theft case, an examination would discover forged insurance cards, identifications, vehicle titles, and emails between co-conspirators. Extracting computer evidence is much easier than checking under the hood for EPA stickers and matching seatbelt dates against the vehicle year.
Upon retiring, I was approached by a public accounting firm, Eide Bailly LLP, to do computer forensic examinations for their fraud and forensic accounting unit. They made me an offer to exit retirement that my wife couldn’t refuse. I found the cyber hunt for fraud, embezzlers, hidden assets, co-conspirators, and forged documents were only limited by the engagement hours. The cases, though, can be much more interesting and entertaining. Some case examples include:
- The soon to be ex-husband who claimed poverty in the divorce proceedings, but revealed in a recovered Skype chat with his girlfriend that he was hiding assets in bank accounts set up in her name and sending loaded pre-paid credit cards to her.
- The company accountant who was embezzling funds to support his addiction to gentlemen clubs and prostitutes. Information recovered from his work computer included hotel reservations, multiple 40l(k) loans, and even video files of him with the prostitutes. All ATM deposits using stolen funds and withdrawals came from the same gentlemen’s club location.
- A manager discussing a loan fraud who stated in an email, “I’m not going to jail over this!”
- An insurance SIU case where they wanted detailed information from the cash registers’ hard drives. Employees’ names, receipts, and most important to SIU, the last use time/dates on the registers were all obtained using computer forensics.
- In a non-compete case, finding that the respondent tampered with computer evidence during the discovery process allowed for a client not only to win the case, but also have the court order the respondent to reimburse for all legal costs and expenses because of the spoliation of evidence.
- Emails, deleted two years prior to a computer forensic examination, show a conspiracy to hide information from a college internal investigative authority. The presence of romantic chat that was found also was documented for corporate counsel. This was done to assist the college (and vicariously the insurance company) in any future litigation arising should a quid pro quo civil suit result from the supervisor/subordinate romance between two employees.
- In a voter fraud case, a district attorney had only three weeks before and election to verify if an individual running for public office had committed voter fraud. The suspect’s live-in companion had been deceased for over five years, but her absentee ballots had been mailed in after her death. The district attorney was comfortable have the forensic examination done by retired law enforcement. In less than a week, deleted emails were found in which the suspect admitted the offense to several individuals. The emails identified local witnesses to be interviewed and identified them as grand jury witnesses. The suspect dropped out of the campaign and subsequently pleaded guilty to voter fraud.
Computer forensics pairs well with forensic accountants. Inventories, income, and expenses all can be compared to other data. Typically, audits and accountants only look at the 20 percent of information that is structured, ignoring the 80 percent of the unstructured information. Chat, deleted data, emails, and metadata showing forged documents are all unstructured in nature. A complete fraud investigation should attempt to gather both structured and unstructured information.
Computer forensics is a cyber hunt. It is different than data recovery performed by information technology specialists. In computer forensics, one red flag leads to a second and a third. In many cases, the results of computer forensic examination can uncover evidence immediately that cause a third party to the litigation to give up the suit or settle.