The readers of this book will surely be aware of the recent outbreak of corporate fraud and accounting scandals within the executive ranks at major U.S. corporations. Enron, Tyco, AOL Time Warner, WorldCom (and these are real names now) are just the more well-known cases, and not by any means an exhaustive list. Well, we can say with some degree of satisfaction that computer security professionals do at least have a role to play in identifying, proving, and stopping this type of fraud.
This case study details the computer forensic procedures utilized to support a large-scale corporate fraud investigation aimed at many senior executives of an international company who were accused of fraudulently increasing corporate revenues in order to increase profits and subsequently their personal income.
Security professionals specializing in computer forensics and cyber crime investigations were asked to assist with the investigation. Computer forensics is a critical component of many corporate and law enforcement investigations. It is an excellent means of uncovering critical information and tracking the flow of information. However, computer forensic technicians must be knowledgeable in computer operating systems, system hardware, common business applications, and the function and design of hard drives. Because of these requirements, often (especially in larger companies) IT departments are responsible for providing computer forensic support to legal counsel or the internal audit director in support of an investigation.
We should define the term computer forensics here to make sure we're all speaking the same language. Computer forensics is most often thought of as involving the creation of a mirror image of a suspect's hard drive (and associated storage devices) and subsequent analysis of its logical file structure, unallocated file space, and file slack. This is a technical description of activities that a computer forensic professional may perform. In a larger sense, and as it is being used in this case study, computer forensics is the process of examining digital evidence for use in a criminal or other legal investigation.
15.1 Introduction: The Whistle-Blower
A disgruntled employee at a large international company left a message on the company's fraud hot line indicating that he had information relating to fraudulent activities being conducted by many of the company's senior executives. Within hours the independent third party that managed the fraud hot line had contacted the disgruntled employee and the initial information was being gathered. Soon thereafter, the company's audit committee chairman was briefed on the initial allegation. Such allegations are not taken lightly in any case, but something about this caller and the information presented lent the accusation an extra bit of credibility, so a law firm was retained to conduct a full investigation.
Within 24 hours the law firm had its team of investigators in place. The initial efforts of the investigators were to meet with the disgruntled employee and collect any information relating to the fraud. The information gathered at this meeting suggested a fraud that could easily amount to millions of dollars.
The initial information identified several key executives in the company as potential conspirators in a plot to inflate corporate revenues in order to increase corporate profits and therefore the executives' annual salaries and bonuses. A lawyer representing the law firm hired to conduct the investigation assumed responsibility as the head of the investigation. A larger investigative team, consisting of more than 20 financial auditors, tax accountants, and corporate lawyers, as well as computer forensic professionals, was assembled.
Under the direction of counsel, three objectives were outlined for the investigative team.
To ascertain if any fraudulent activity had taken place.
To examine e-mails, internal communications, and the computer systems of all parties potentially involved, in an attempt to obtain proof and/or supporting documentation of the alleged fraud.
To identify the total financial extent of the alleged fraud and ascertain how exactly the restatements, which certainly would follow, would be made.
This case study focuses on the second objective. We will operate under the assumption that the investigators determined that some amount of fraudulent activity had taken place. This is not a small assumption, and we make it here simply for brevity and to get to the heart of the case. We do not want to suggest, even in the current environment of corporate scandals, that allegations of fraud are immediately considered truth. Such allegations must be carefully investigated, and they certainly were in this case.