The Value of Computer Forensics: Case Examples

  1. One computer forensic examination of a husband’s laptop revealed he was setting up bank accounts in his girlfriend’s name and sending her loaded credit cards to help hide his assets. The scheme was clearly documented in Skype chat logs and e-mails. His Internet searches for information on money transfers to foreign banks and his visits to an out of the country realtor’s web site were easily documented.
  2. On a non-compete case, the client assured his lawyer that nothing illegal or embarrassing would result in the examination of his computer. The subsequent forensic discovery of deleted movies the client had videotaped of his wife in sexual relations, and his subsequent posting of the videos on the internet, was enough for counsel to lose faith in the honesty of his client and seek a settlement
  3. In an embezzlement case, the offender was frequenting pornographic web sites and was stealing company funds to pay for prostitutes and expenses at gentleman’s clubs. Computer forensics assisted with documenting fraudulent 401k loan repayments, pictures and videos of the suspect with prostitutes, and internet posting reviews by the offender of erotic dance clubs and dancers
  4. In a child custody matter, an unemployed father wanted to have custody of the children and claimed to be a doting father. The computer forensic examination of a home computer, used by the father, showed hours of on-line poker activity each day while he was supposed to be watching the children.
  5. On a libel case, electronic discovery consulting was provided to the plaintiff’s attorney on preservation holds, Internet Service Provider contacts, third party subpoenas and e-mail. A subsequent court order resulted in the recovery of e-mails on a witness’s work account from the Respondent. The Respondent e-mails revealed an attempt to bribe the witness to commit perjury in Federal court. The Respondent’s attorney quit the case and the new counsel quickly reached a seven figure settlement with the Plaintiff. Computer forensics on the libelous electronic document revealed metadata leading directly to the Respondent’s home computer.

Computers have become the filing cabinet, the roll top desk, the newspaper subscription, the bank book, the postcards and letters, diary, library, movie theater, and the Montgomery Ward catalog of generations past. A computer forensic examination that locates a Google search for “hiding assets,”” nude teens,” or “casual encounters” can dramatically affect the outcome of any case. Could computer forensics be your “smoking gun?”

From Wikileaks with Love

In the 1990’s, when I first started doing computer forensics and investigating Internet crimes as a police sergeant, it was not unusual to sometimes to use my knowledge for slightly evil v. good. I recall having a co-worker giving me some good natured ribbing, and it was only right that I reciprocate. I turned to my computer, typed a few lines into a Russian website, and asked him if he had seen his new webpage. He stated he didn’t have a web page. I told him he did now, and I had him type his full name into the address bar. Immediately an unusual fetish website appeared with his name in the address bar. He learned two lessons. One, it will cost him lunch to have me remove it from the Internet, and two, you do not mess with someone who can put your name on the world-wide web forever, and on a Russian server no less.

It broke up a tedious day of tracing bomb threats, child pornography websites, and a host of other criminal cases involving computer forensics, emails and the Internet.

Upon retirement, I was engaged to review Phishing emails sent to customers of a major bank. I’d trace them around the world to the source, contact the network service provider, and get the web address and webpage shut down. The schemes were always the same, an email purporting to be from a bank would be sent to a victim, informing them they must click on an embedded link to change their password or some catastrophic event would happen to all their accounts and money. While the link appeared to be from the bank, a close inspection always showed it was not. These schemes were traced to Romania, Brazil, Russia, Germany, Spain, and a host of other countries. Typically, aided by the Phisher hacking into a server of a middle school, café, or other legitimate business without their knowledge and then using their server for the scheme. I remember one Phisher using Korean school servers exclusively. I named him Kimchi. I could always tell a Kimchi Phishing email. Like most Phishers, he always used the same code and text, just repeating it on a new website after he was shut down on the last one. Kimchi had a habit of urging the customer to “earnestly” change their password. Not a word in common use. The embedded code was always the same except for the redirect to his new phishing webpage. Picture placement, formatting and other code always matched Kimchi’s previous attempts. The embedded code would also show an email address where the Phished information was being redirected.

Whenever I was asked to do presentations on the Internet, the obvious signs of a Phish and how to prevent being a victim, such as checking the originating email address to see if it was different from the bank’s, would be emphasized. Directions not to click on the email hyperlink, but use your own bookmark to go to the bank website, etc. were taught. Simple precautions.

So it was with great interest to me this past year when WikiLeaks started producing emails from a Gmail account that involved major players in the presidential election. It was not a typical “hack” as routinely reported, it was a simple Phishing email. As simple as any that have been around since Internet financial transactions started. Instead of going to a known Gmail website, someone apparently clicked on a link and gave up a user name and password allowing for the Phisher to access the account and download documents and emails. I have seen no information in the email that it contained a Trojan virus or other malware that would indicate a more traditional hacking scenario. There are some clues in the Phishing email that should have sent it to the junk folder by the user.

Initial observation of the email showed some Capitalization, punctuation, and grammar errors. As an example sign in to your account instead of using into. The email text states that an attempt was made at signing into the user account from a Ukraine Internet Protocol address and a date and time was provided, except the year was missing from the date. The signature salutation “Best” could routinely be used by Gmail, but I’ve only seen it in emails from my friends in the UK. Hovering a mouse over the Click Here icon showed a Bitly tiny URL, not a Google secure link (https).

Many countries have developed sophisticated programs for obtaining information by hacking or Phishing. As an example, numerous computer programmers and engineers in Russia were primarily involved in the industrial military complex until the 1991 fall of the Soviet Union. Suddenly they found themselves out of work as the need for their skills decreased. During the same time period, IT and network security was not a high priority with companies expanding into e-commerce or institutions. Using their skills for evil, not good, became a viable transition. Groups of programmers developed hacking tools and software that were shared on the dark web with others. Sometimes the programs were sold or just provided free for others to use in schemes. Eventually, governments realized the value of having these specialists back on the payroll. Better they work for us, rather than against us.

Eide Bailly LLP’s computer forensics have investigated a significant number of Phishing cases. In some incidents, an employee opened an attachment in a Phishing email which contained a virus that accessed the company network, in others, fake emails from a company executive caused an employee to transfer funds to the suspect’s bank account. In some cases, client companies and banks, more extensive computer and network forensics were required to ensure/validate that HIPAA information and data of concern to the FDIC was not obtained by the schemes. Thus saving the businesses from the expense of customer notifications, credit monitoring fees, and possible fines.

Based on our Phishing investigative experience, we have provided prevention tips to prospects and clients to protect themselves from these schemes. As an example, networks can be configured to lock out certain Internet Protocol addresses or flag certain emails for closer scrutiny. Employees receiving unusual requests to transfer funds should verify the requests by calling the source or emailing using contact information from the company server, not the suspicious email. Updating policies as it relates to Phishing and suspicious emails to ensure all employees are on alert on the latest schemes all can help to prevent breaches of the systems and data theft.

The schemes seen today are not much different than those in the 1990’s. Perhaps the software is more sophisticated, the Phishing emails having a more professional look or using a slightly different twist to the scheme, but the preventative measures remain the same.

Digging Deeper – How Computer Forensic Investigations can reveal a Treasure Trove of Information

In a previous career, I remember returning from an NICB conference and sitting down at my desk at the St. Paul Police Auto Theft Unit. I was excited to pick up fresh cases and put my new knowledge to work.

One of the first files I picked up was a case in which the auto theft report had more red flags than a Bolshevik convention. It turned out the vehicle had never seen a Minnesota winter. Purchased in Oregon, it immediately went on a container ship to Osaka, Japan. Two weeks after registering it in Minnesota, the suspect filed the auto theft report. Working together with an insurance SIU agent, we traced the vehicle and it was located by Japanese police. Eventually, the suspect was charged. Since the suspect owned an import/export company, I thought it was only fair to also discuss the case with U.S. Customs and tax revenue authorities. He likely is still being audited.

Eventually, my career led me out of the auto theft unit and into our police SIU. I performed computer forensics for a wide variety of cases as part of my duties. It took years for the various units to realize the value of computer forensics in their investigations, which now is something that is taken for granted in law enforcement. Every once in a while, on an auto theft case, an examination would discover forged insurance cards, identifications, vehicle titles, and emails between co-conspirators. Extracting computer evidence is much easier than checking under the hood for EPA stickers and matching seatbelt dates against the vehicle year.

Upon retiring, I was approached by a public accounting firm, Eide Bailly LLP, to do computer forensic examinations for their fraud and forensic accounting unit. They made me an offer to exit retirement that my wife couldn’t refuse. I found the cyber hunt for fraud, embezzlers, hidden assets, co-conspirators, and forged documents were only limited by the engagement hours. The cases, though, can be much more interesting and entertaining. Some case examples include:

  • The soon to be ex-husband who claimed poverty in the divorce proceedings, but revealed in a recovered Skype chat with his girlfriend that he was hiding assets in bank accounts set up in her name and sending loaded pre-paid credit cards to her.
  • The company accountant who was embezzling funds to support his addiction to gentlemen clubs and prostitutes. Information recovered from his work computer included hotel reservations, multiple 40l(k) loans, and even video files of him with the prostitutes. All ATM deposits using stolen funds and withdrawals came from the same gentlemen’s club location.
  • A manager discussing a loan fraud who stated in an email, “I’m not going to jail over this!”
  • An insurance SIU case where they wanted detailed information from the cash registers’ hard drives. Employees’ names, receipts, and most important to SIU, the last use time/dates on the registers were all obtained using computer forensics.
  • In a non-compete case, finding that the respondent tampered with computer evidence during the discovery process allowed for a client not only to win the case, but also have the court order the respondent to reimburse for all legal costs and expenses because of the spoliation of evidence.
  • Emails, deleted two years prior to a computer forensic examination, show a conspiracy to hide information from a college internal investigative authority. The presence of romantic chat that was found also was documented for corporate counsel. This was done to assist the college (and vicariously the insurance company) in any future litigation arising should a quid pro quo civil suit result from the supervisor/subordinate romance between two employees.
  • In a voter fraud case, a district attorney had only three weeks before and election to verify if an individual running for public office had committed voter fraud. The suspect’s live-in companion had been deceased for over five years, but her absentee ballots had been mailed in after her death. The district attorney was comfortable have the forensic examination done by retired law enforcement. In less than a week, deleted emails were found in which the suspect admitted the offense to several individuals. The emails identified local witnesses to be interviewed and identified them as grand jury witnesses. The suspect dropped out of the campaign and subsequently pleaded guilty to voter fraud.

Computer forensics pairs well with forensic accountants. Inventories, income, and expenses all can be compared to other data. Typically, audits and accountants only look at the 20 percent of information that is structured, ignoring the 80 percent of the unstructured information. Chat, deleted data, emails, and metadata showing forged documents are all unstructured in nature. A complete fraud investigation should attempt to gather both structured and unstructured information.

Computer forensics is a cyber hunt. It is different than data recovery performed by information technology specialists. In computer forensics, one red flag leads to a second and a third. In many cases, the results of computer forensic examination can uncover evidence immediately that cause a third party to the litigation to give up the suit or settle.

Phishing Attacks and Your Business – It’s Not Just Nigerian Princes Emailing You Anymore

Phishing scams, or fraudulent emails used to acquire banking and personal information, are getting more sophisticated. General emails blasted to thousands of email addresses by a Nigerian Prince wanting to share $10,000,000 with you are still out there on the web, however other schemes are hitting closer to businesses.

Spear Phishing is a type fraudulent email that is directed towards a company and its employees. The scammers take great care in doing their research on the company organization and its employees. Think for a moment. Most companies allow, and in fact encourage, employees to create social media accounts to promote business and branding opportunities. Would a search of LinkedIn or your webpage provide information on your employees, your company, and institutional knowledge of management and operations? This type of information is extremely valuable in a Spear Phishing attack of your company. “Whaling” occurs when the target of the Phishing attack are employees at the executive level.

Eide Bailly LLP computer forensics have been engaged to trace several of these Spear Phish attacks where hundreds of thousands of dollars have been lost by companies and banks. Here is how some of the more recent schemes are performed.

Typically, someone working in a company’s finance department receives an email that appears to be from a high level executive of the company. The email signature is correct, the format and font are the same as the companies. The appropriate logos are also present. The email, usually proclaiming some urgency in paying an overdue invoice, or a need to transfer funds, directs the lower level employee to transfer a fixed amount of money via wire or bank transfer to a routing and account number provided by the Phishing email. The employee, believing the email is legitimate, performs the money transfer and replies back to the email that funds were sent.

The problem is the email never came from the company executive. Close inspection of the email address revealed a single character difference. As an example, becomes The funds are now gone, and the likelihood of a Federal criminal investigation into the theft are minimal unless substantial funds are lost. That is why the Phishing scheme typically deals with amounts of money that would not normally raise concerns to the email recipient in payroll or finance.

Companies should review policies dealing with ordinary, and out of the norm, requests for the wire transfer of funds. Policies should include independent verification with the source of the request, either by company phone line or by initiating an email using the company directory email address. A reply to the original email would only go to the Phishing suspect.


Digital Divorce: How Computer Forensics Can Influence Your Client’s Case

Computer forensics and eDiscovery can play an important role in the outcome of your client’s divorce or family law case, revealing key details that might otherwise remain buried.

In a recent divorce case, one spouse suspected the other of hacking into a personal Gmail account in order to gain possible financial information and attorney-client privileged communications that might be valuable in the divorce settlement. The spouse used the security questions to change the password for the account and gained access to all personal and business emails present on the account.

My task was to prove the spouse committed the hacking. Committing a crime during the divorce discussions might not affect the outcome of any settlement; however, it would not be looked upon favorably by a judge. As you can imagine, it would cast a shadow on the character of the offending spouse.

Two subpoenas and a little time online quickly identified evidence that the spouse was the offending party. The Internet Protocol address (think Internet caller ID) used to hack the account was traced to a hotel Wi-Fi network in another state. The hotel registry verified that the current love interest of the spouse was registered there at the time, and the cell tower and GPS data from the spouse’s cell phone traced to the same hotel at the time of the hacking. The spouse subsequently exercised the right against self-incrimination to a new set of interrogatory questions.

Helping Clients Fortify Their Online Security

Think about your own answers to online security questions. Would your spouse know your favorite sport, mother’s maiden name, and other simplistic questions commonly used? The preventive solution is to lie on the security questions. The computer is only looking for a match between the ones and zeros; it does not care how many children you have or what street you lived on in grade school. This is a point that should be mentioned to your clients at the onset of divorce proceedings. All of your initial meetings should emphasize having your client change passwords and security questions for all online accounts, not just banking and email.

Understanding the Power of Computer Forensics

In one case, a computer forensic examiner was hired to look at the data on one spouse’s computer. The court order was very specific as to what the examiner could reveal to the hiring attorney from his examination. In violation of the agreement between counsels and what was approved by the court, the examiner provided privileged email communications to the attorney, who subsequently gave the emails to his client – the opposing spouse. My examination of the opposing spouse’s computer proved the emails were provided and opened by the soon-to-be ex-husband. The lawyer providing the emails was tossed from the case by the judge, and the husband’s credibility with the court diminished significantly. A key logging spy program had also been placed on my client’s computer, which is not an uncommon event in family law cases.

In another case, a 48-year-old male neurosurgeon was convinced by the 28-year-old woman he met on Craigslist to marry her. Since he was already married, this caused some issues. The 28-year-old subsequently made the argument that she was in a putative marriage, because she believed the neurosurgeon was divorced at the time of their marriage. Computer forensics of the chats between the two revealed that, three months prior to the marriage, she was clearly advised that he was already married. Additional computer evidence included her having a copy of his current marriage license and her running Internet search reports on his current wife.

Computers Provide an Electronic Trail Revealing a Party’s Character

The computer is not just an avenue to investigate and identify hidden assets, fund transfers, driving directions to safe deposit boxes, unknown credit cards, and bank accounts. It is the electronic trail to the opposing party’s life and character. Addictions from gambling, shopping, drugs, or pornography to extramarital affairs, manipulating finances in anticipation of the divorce, using eBay or PayPal used to sell assets, and spying on the spouse electronically can all be revealed through computer forensics. In most cases, spoliation of some form has been present on the computers I have examined over the course of my career.

According to the National Endowment for Financial Education, 31% of U.S. adults who combine assets with a spouse or partner say they have been deceptive about money, and 58% say they hid cash or assets from their spouse or partner.

I recently returned from an overseas trip and exclusively communicated with friends and family through the less expensive text option, instead of phone calls. It reminded me of a case where the husband was claiming poverty in the divorce, only to have the examination of his computer show him sending thousands of dollars in assets to his Brazilian girlfriend, which was verified in his deleted Skype chat. The chat was not something an IT professional would normally locate, nor would an attorney ask for in eDiscovery.

“Mr. Mom” claimed he was a doting stay-at-home father, until his computer use showed that he routinely spent hours on Internet poker websites while his wife was away from the home The time/date analysis was so precise, it could predict when the spouse left and returned from work, as well as when she went to bed. The timelines were matched up with the start of tournaments on the poker websites, so his online time could be measured down to the second.

Discussing Computer Forensics with Your Clients

At the onset of each new family law case, counsel should interview clients concerning computer use and email accounts to determine if computer forensic examinations would benefit the client. The expense for a forensic computer examination for matrimonial litigation is typically affordable due to the limited issues that need to be resolved. The above examples are true case examples. Computer forensics is commonly used in other litigation where Electronically Stored Information (ESI) is important to the client in eDiscovery. In family law matters, any preliminary client discussions should include the security of ESI and whether computer forensic would assist in the case.

Automobile Forensics

Auto Blog

As you enter your car in the morning, the little “door ajar” light appears on the dash, this activity is now time/date stamped in the vehicle’s computers. The vehicle is started and your cell phone automatically syncs to the infotainment system downloading your call list, music, text messages, phonebook, and documenting that it is your phone syncing to the system by capturing the device ID. You plug in an iPod to listen to “Slim Whitman’s Greatest Hits” and the computer makes a note of the iPod, and your lack of taste in music. As you drive down the road, you stop at a red light next to a Starbucks, and the vehicle computer makes a record of the free Wi-Fi reaching out to your cell phone. When you pick up a colleague to carpool, once again data showing the passenger door ajar is now recorded. Your colleague has their cell phone’s Bluetooth enabled, so your infotainment system sees it, makes a note of it, and decides whether it should try and sync with the phone. It may even document the GPS location where the vehicle was when it recognized the Bluetooth, as well as where the vehicle was when your colleague gets out of the vehicle and the signal is lost.

What value would it be to know that the party making the stolen vehicle report, whose vehicle was found abandoned at the hit and run scene, had his/ her phone synced to the vehicle at the time of the accident? Or that three doors were opened indicating there were passengers, and their cell IDs were recorded as the devices reached out and tried to sync with the infotainment system? Need that GPS record showing the vehicle was at Slim Whitman’s Bar and Grill just before the event, or at the event? The drive-by shooters dump their cell phones in Lake Minnetonka? It might not be the end of the world, look to the vehicle’s Infotainment memory.

As vehicle technology increases, so will the amount of evidence available from the vehicle to help your case. Automobile forensics is in its infancy, but it is expected to expand just as quickly as the technology.

I remember in 1995 having a difficult time convincing LE agencies that they needed to start preparing for the flood of computer evidence that was on the horizon. Thirty years later, it is hard to imagine any case where important evidence cannot be gained from computers or cell phones. Before most of you will retire, there will be over 200 million vehicles that will have systems in place that may have data important for your investigation. The information is there, the technology to retrieve it is there, agencies just need to strategically prepare for it.