Investigating Computer Evidence

When investigating fraud, remember where there is a paper document, there is probably an electronic version of it.  There may be more than one copy, often held by third parties.  Electronic documents often tell you more than paper ones would, for example the date of deletion from a computer may indicate a covering up exercise.

Computer data should always be secured at the onset of any fraud investigation. This could be at the time of executing search orders in an asset recovery case or when deciding the priorities of an internal investigation – using forensic techniques that can recover deleted documents, faxes, emails and other data that may prove a case beyond dispute.  This requires specialist knowledge and tools – simply switching on and reviewing what is immediately seen is not forensic analysis, and this approach may destroy evidence or render it inadmissible in a court.

In house IT staff are unlikely to be qualified to process computer evidence and may make serious mistakes that will almost certainly undermine the value of any evidence and may prevent recovery of assets through legal channels. At Mark Jenner & Co we always work with trusted Computer Forensic Partners that have demonstrated their ability to work quickly, efficiently and most importantly cost effectively.

It is not just computers that need to be considered.  Mobile phones, personal organisers, fax machines and many other devices may also contain evidence important to your case.  If forensic analysis is required of any device, attention to the following is vital:

  • Secure electronic evidence quickly to reduce the risk of it being destroyed or changed
  • If a computer or device to be investigated is on – do not switch it off!
  • If a computer or device to be investigated is off – do not switch it on!
  • Disconnect computer from power at socket and seal in a plastic bag
  • Gather all disks, CDs, DVDs, tapes, USB memory sticks and other electronic storage devices together to accompany computer
  • Gather associated manuals, power cables, external drives and any other external peripheral devices together to accompany computer
  • Avoid contact by magnetic media with strong magnetic fields, microwaves, excessive heat, shock or vibration.

The physical recovery of data that can then be analysed is very important. Next comes the equally hard part – making sense of what you have safely gathered for evidential purposes. This is where data mining techniques come in and the need for the ability to deal with often vast amounts of data, ensuring that the data is complete and that there is an audit trail supporting any results that you find.

Our preference for data analysis when the volume of computer based information is anything more than you would find in a small business is to use IDEA for Windows. This software allows us to collate even more data than you can fit on an Excel spreadsheet, therefore it is useful for dealing with bespoke accounting record software found in major banks, insurance companies and major corporate entities, as well as being user friendly enough for use analysing smaller concerns’ accounting records.

Bookmark:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks
  • Add to favorites
  • RSS
  • LinkedIn

About Mark Jenner

Mark Jenner is an experienced forensic accountant specialising in fraud and white collar criminal matters. He provides independent financial investigation and expert accounting witness services to police forces, fraud regulators and criminal defence lawyers, also providing assistance and solutions to organisations embroiled in financial disputes.

Leave a Reply

Please use your real name instead of you company name or keyword spam.


*