Chapter 7

Fraud Examination, 4E
Chapter 7: Investigating Theft Acts
Albrecht, Albrecht, Albrecht, Zimbelman
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Learning Objectives
• Discuss theft investigation methods and how they are used to investigate suspected fraud.
• Understand how to coordinate an investigation, using a vulnerability chart.
• Describe the nature of surveillance and covert operations.
• Understand the effectiveness of invigilation to investigate fraud.
• Explain how to obtain physical evidence and how it can be used in a fraud investigation.
• Understand how to seize and analyze electronic information from cell phones, hard drives, e-mail, and other sources.
• Use trash and other social engineering methods to investigate fraud.
When Should You Investigate Fraud?
Consider the following:
• strength of the predication
• cost of the investigation
• exposure or amount that could have been taken
• the signal that investigation or noninvestigation will send to others in the organization
• risks of investigating and not investigating
• public exposure or loss of reputation from investigating and not investigating
• nature of the possible fraud
Fraud Investigation Methods
Once there is predication, determine the following questions of the fraud:
• Who?
• How?
• How much?
Theft Act Investigative Methods
Methods that directly investigate the fraud act:
• Surveillance and covert operations
• Invigilation
• Obtaining physical evidence
• Gathering electronic evidence
When beginning a fraud investigation, it is often useful to develop theories.
One way to develop such theories is to use a vulnerability chart.
Surveillance and Covert Operations
• Rely on the senses, especially hearing and seeing
The three types of surveillance:
• Stationary or fixed point
  ◦ Record events occurring at a scene
  ◦ Log includes time, place, and events
• Moving or tailing
  ◦ Following the suspect
  ◦ Should only be done by professionals
• Electronic surveillance
  ◦ Video camera
Invigilation
• Involves close supervision of suspects during an examination period
• Strict temporary controls are implemented so that committing fraud is almost impossible
Invigilation Diagram
Physical Evidence
Involves analyzing objects such as:
• inventory, assets, and broken locks
• substances such as grease and fluids
• traces such as paints and stains
• impressions such as cutting marks, tire tracks, and fingerprints
or searching computers
Steps for gathering electronic evidence
Caution: The gathering of electronic evidence is a highly technical task that must be performed correctly. You may want to include a computer forensics specialist on your team.
Step 1: Secure the Device and Perform Initial Tasks
• Need to have the legal right to seize the hardware
• Exercise care with respect to chain of custody, evidence marking, etc.
• Take pictures of the seizure site and have neutral witnesses on the scene
After the preliminary steps of securing the device and performing initial tasks:
• Turn the computer off by cutting power to the machine (or by removing the battery on laptops)
• DO NOT TURN THE COMPUTER OFF NORMALLY
Step 2: Clone the Device & Calculate CRC Checksum
• Perform a bit-for-bit copy of the entire hard drive
• Calculate the CRC checksum
• Seal away the original disk
• Perform investigation on the cloned copy
Cyclic redundancy check (CRC) number: a calculation based on the contents of a disk or file
• Create the CRC immediately after the bit-for-bit copy
You can prove later that:
• Your cloned hard drive exactly matched the original drive
• You have not modified data since the hard drive was seized
The two primary checksum methods used today are the MD5 and SHA-1 algorithms.
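Step 2 as an added example (not from the textbook slides): a Python sketch that fingerprints an image file in chunks right after the copy and re-checks it later. The file names and sample data are constructed; SHA-256 is computed alongside the CRC, MD5 and SHA-1 named on the slides because collisions are known for MD5 and SHA-1.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20  # read 1 MiB at a time so multi-gigabyte images fit in memory


def fingerprint(path):
    """Return CRC-32, MD5, SHA-1 and SHA-256 of a file, read in chunks."""
    crc = 0
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as image:
        while chunk := image.read(CHUNK):
            crc = zlib.crc32(chunk, crc)
            for d in digests.values():
                d.update(chunk)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["crc32"] = f"{crc:08x}"
    result["size"] = os.path.getsize(path)
    return result


def verify(path, recorded):
    """Return the names of recorded values that no longer match the file."""
    current = fingerprint(path)
    return sorted(k for k in recorded if current[k] != recorded[k])


def demo():
    """Constructed stand-in for a seized drive and its clone (not real evidence)."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "original.img")
    clone = os.path.join(workdir, "clone.img")
    data = b"constructed sector data " * 100_000  # 2.4 MB, spans several chunks
    for p in (original, clone):
        with open(p, "wb") as f:
            f.write(data)
    recorded = fingerprint(original)      # taken immediately after the copy
    clone_ok = verify(clone, recorded)    # [] means the clone matches exactly
    with open(clone, "r+b") as f:         # simulate a later one-byte change
        f.seek(1_234_567)
        f.write(b"X")
    after_change = verify(clone, recorded)
    return recorded, clone_ok, after_change


if __name__ == "__main__":
    print(demo())
```

Recording the values in the case file at acquisition time is what lets a later `verify` run support both claims on the CRC slide: the clone matched the original, and nothing has changed since.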
Step 3: Search the Device Manually
Common areas to search include:
• Computer logs such as Web activity, recent files on the Start menu, Web favorites, and the browser history.
• The “My Documents” folder: most applications save data to this location.
• The trash can or recycle bin.
• USB keys, CDs, or disks found around the computer.
• Recently loaded files listed in the “File” menu of many applications
• Chat logs and e-mail client caches
Step 4: Search the Device Using Automated Procedures
Forensic Software Packages
• Guidance Software’s EnCase Forensic Edition
• AccessData’s The Forensic Toolkit (FTK)
Open Source Packages
• e-fence Inc.’s Helix
• Remote-Exploit.org’s Backtrack
E-mail Systems
• Many copies may exist (sender, receiver, e-mail server)
• Includes text messaging in certain countries
• Web-based e-mail (Hotmail, GMail, Yahoo! Mail) is more difficult to search