
Most crimes use computers…

"To Catch a Thief" IT Forensics in Financial Investigators Andy Harbison Forensic & Investigation Services Chartered Accountants Leinster Society 25 September 2013. Hotmail. Most crimes use computers…. Did the suspect research the crime? Did the suspect launder the money?


Presentation Transcript


  1. "To Catch a Thief": IT Forensics in Financial Investigators. Andy Harbison, Forensic & Investigation Services. Chartered Accountants Leinster Society, 25 September 2013.
  2. Hotmail Most crimes use computers… Did the suspect research the crime? Did the suspect launder the money? How does he intend to spend it? Is more than one person involved?
  3. What data is on my PC? [Diagram labels: Intact Files, Deleted Files, Overwritten Files, Recycle bin, Program Files, eMails, Cookies, Browser History, Data, Graphics, Charts, Jpeg, Databases]
  4. What to do if you find yourself with a fraud? Have a cup of tea. Have a notepad ready. Date and time the sheet before writing anything down. Conversations/Interviews: note clearly what people say – and your own impressions – but make sure you can tell them apart.
  5. Electronic evidence is “volatile”
  6. Managing the investigation: Don't make legal decisions. Try not to let the lawyer make technical decisions. Keep informed about what is going on. Be proactive. No secrets. DON'T RUIN THE COMPUTER EVIDENCE!
  7. Analysis: Keep a timeline of events. Take detailed notes and document everything. Checklist of standard tests. Find out what is on the computer: how is it normally used; registries and browser histories are most often useful. Use a second pair of eyes. It gets a lot easier with practice!
  8. Cressey's Fraud Triangle: Motivation, Opportunity, Rationalisation. Opportunity = Liberty + Privilege + Knowledge.
  9. Email: Tuesday, 17 November 2003
     From: N
     Sent: 17 November 2003 15:43
     To: G
     Last HJ for this year… Paul ok for Wednesday / Thursday
     Send one invoice for following
     20 * DLT 750
     20 * DAT 500
     40 Printer Carts 1,000
     Training 3,000
     Launch setup 2,500
     Will sort these out over next week. When all paid up approx. 18,000 ? If you have any outstanding invoices get them in asap. Thanks, N
  10. When to tell others about findings? When you are certain? But their input could help. Before you are certain? But if you are wrong it could blow your credibility / provoke people to overreaction. What I do is keep them up to date, but continually remind them not to jump to conclusions. "Stupidity is far more common than malice."
  11. Email: Thursday, 5 June 2003
      Received: by VWXYZex1.VWXYZ.ie id <01C32B52.DD806E00@VWXYZex1.VWXYZ.ie; Thu, 5 Jun 2003 12:09:00 +0100
      content-class: urn:content-classes:message
      Subject: RE:
      MIME-Version: 1.0
      Content-Type: text/html; charset="iso-8859-1"
      Content-Transfer-Encoding: binary
      Date: Thu, 5 Jun 2003 12:09:24 +0100
      Message-ID: <60FCAFB14E869241BEA744B6499443B45FBA@VWXYZex1.VWXYZ.ie
      X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
      X-MS-Has-Attach:
      X-MS-TNEF-Correlator:
      Thread-Topic: RE:
      Thread-Index: AcMrUuvtZQa4+yfJSA24TuVbYamhjg==
      X-Priority: 1
      Priority: Urgent
      Importance: high
      From: "N"
      To: "G"
      G, Will you get all post sent to me marked Private and Confidential - Thanks, N. www.VWXYZ.ie
  12. Continuation…
      From: N [SMTP:n@VWXYZ.ie]
      Sent: Wednesday, June 04, 2003 5:13 PM
      To: G
      Subject: RE:
      Importance: High
      G, Thanks for that - I'll come back to you soon to order. The invoices are
      1795 for HP Omnibook invoice no 103743
      2000 for Projector invoice no 103744
      1995 cisco pix 1495 cisco 1750 both on invoice 103745
      Could you send me hjdelivery dockets for these ? Thanks, N.
  13. Email: Thursday, 5 June 2005
      From: N [SMTP:n@VWXYZ.ie]
      Sent: Thursday, June 05, 2003 3:08 PM
      To: G
      Subject: RE:
      Importance: High
      G, Can you do me 3 quotes and order for me
      1 * 5500 Scanner
      2 * HP 1300N
      Get a price for HP4600
      In terms of the servers we were looking at give me a call but can you also check price of UPS and Rack to hold servers. N.
  14. Email: 16 October 2003
      From: N
      Sent: 16 October 2003 12:11
      To: G
      G
      Can you order
      Can you get me quotes for these as well – higher than yours!
      Two of these (actual spec to have 2 processors - include 2 extra processors in each in price as HJ)
      Compaq Proliant ML370 G3 Tower Pentium Xeon 2800Mhz Processor, Ultra 2/3 HP Backplane, 512GB Ram
  15. What exactly did we find? "Non-Compliance with Tendering Process" "VWXYZ purchased goods and services amounting to €911,715 in the period between June 2003 and August 2005 from a supplier of IT equipment… The only tendering process during this period for the supply of IT equipment was conducted in 2003. …the business with the IT supplier in question from June 2003 to August 2005 represented 64% of its total IT expenditure during this period. Once the supplier was installed for an initial set of purchases no further tendering took place for the type of IT equipment and services that are within the supply range of this supplier. Even in instances where a number of quotations were received, most appear to have emanated from the same supplier. There appeared to be agreement between VWXYZ's IT Manager and the supplier in arranging this. This became evident from a review of retrieved electronic communications that passed between the IT Manager and the supplier."
  16. Examples of the emails from the IT Manager to Supplier (Date: Electronic Communication)
      5 June 2003: ‘Will you get all post sent to me marked Private and Confidential’
      16 October 2003: ‘Can you get me quotes for these as well – higher than yours!’ ‘Two of these (actual spec to have 2 processors – include 2 extra processors in each in price as HJ). Can you invoice for each server separately (4 separate invoices)’
      29 June 2005: ‘Like the new system quote – one suggestion – might be good to include logo as it will look more official then.’
      15 July 2005: ‘Can you send me 3 separate quotes for each item – thanks.’
  17. … and … IT Company were able to evade the requirement for multiple quotes in the government tendering process by providing all the required quotes themselves.
  18. Apparent Collusion in Determining Prices "In the IT business volume users usually negotiate substantial discounts from list prices. A report by XXX delivered to VWXYZ in November 2006 (XXX 3) stated that in most cases VWXYZ paid list prices for items and do not appear to have received a discount on list price. The emails show that the IT Manager appeared to be influencing the price at which quotes were to be submitted. In addition, the IT Manager appeared to have colluded with the supplier in determining the ultimate price to be charged to VWXYZ."
  19. Email: Tuesday, 2 September 2003
      Received: by VWXYZex1.VWXYZ.ie id <01C37142.01FE245E@VWXYZex1.VWXYZ.ie>; Tue, 2 Sep 2003 12:04:41 +0100
      content-class: urn:content-classes:message
      MIME-Version: 1.0
      Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C37142.01E3EA80"
      Subject:
      Date: Tue, 2 Sep 2003 12:04:41 +0100
      X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
      Message-ID: <60FCAFB14E869241BEA744B6499443B45B1D@VWXYZex1.VWXYZ.ie>
      X-MS-Has-Attach: yes
      X-MS-TNEF-Correlator:
      Thread-Index: AcNxQgHOM9t0cqeDSl6GY8aj8CfsgA==
      From: "N"
      To: "G"
      This is a multi-part message in MIME format.
      ------_=_NextPart_001_01C37142.01E3EA80
      Content-Type: text/html; charset="iso-8859-1"
      Content-Transfer-Encoding: binary
      G, Attached is the spec required for server – I have just highlighted requirements from your spreadsheet. Can you let me know how long it would take – end of week would be good and if it can have Windows 2000 pre loaded hardware setup configured before delivery also if include additional processor in cost (but not spec) for HJ purposes. Will you let me know what delivery time would be. Thanks, N
  20. Email: Friday, 6 June 2003
      Received: by VWXYZex1.VWXYZ.ie id <01C32C1D.49C7A400@VWXYZex1.VWXYZ.ie>; Fri, 6 Jun 2003 12:18:00 +0100
      content-class: urn:content-classes:message
      Subject:
      MIME-Version: 1.0
      Content-Type: multipart/related; type="text/html"; boundary="----_=_NextPart_001_01C32C1D.49C7A400"
      Date: Fri, 6 Jun 2003 12:18:25 +0100
      Message-ID: <60FCAFB14E869241BEA744B6499443B45FC6@VWXYZex1.VWXYZ.ie>
      X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
      X-MS-Has-Attach: yes
      X-MS-TNEF-Correlator:
      Thread-Index: AcMsHViCkvUu0czjTuqhqbuXoL+36Q==
      X-Priority: 1
      Priority: Urgent
      Importance: high
      From: "N"
      To: "G"
      This is a multi-part message in MIME format.
      ------_=_NextPart_001_01C32C1D.49C7A400
      Content-Type: text/html; charset="windows-1251"
      Content-Transfer-Encoding: binary
      G, Hope the following will make sense –
      Can you get a 4600N with 3 independent quotes and the final price at €3295 (hj 1000)
      HP1300n * 2 with 3 quotes at quoted price of 479
      One scanner with 3 quotes at price of 335
      ML370 5 disks 2 processor + smart controller + UPS 1500 (3 quotes) at price plus hj of 1500
      ML370 with 3 disks with controller – no ups – at price plus hj of 1500 (3 quotes here also)
  21. Email: Tuesday, 28 October 2003
      From: N
      Sent: 28 October 2003 13:00
      To: G
      Subject: RE:
      I know I know ive got to keep this going to Xmas…move over Liam..
      -----Original Message-----
      From: Grad [mailto:g@itcompany.ie]
      Sent: 28 October 2003 12:52
      To: R
      Subject: RE:
      Hi Joe Will do!! G
      -----Original Message-----
      From: G[mailto:N@VWXYZ.ie]
      Sent: 28 October 2003 12:35
      To: G
      Subject:
      Peter, Can you add 500 to each of Laptops as HJ. Thanks, N
  22. Apparent Collusion in Determining Prices continued… "The forensic review (YYY 2) also refers to an email of 7 December 2004 in connection with the purchase of a Storage Area Network where the IT Manager wrote “I assume we can get better prices than list prices but can still use these list prices as indicative and include your cut and a HJ”. The forensic review (YYY 2) took this to indicate that the parties would obtain reduced prices for equipment while passing on the full list price to VWXYZ and retaining the difference."
  23. Email: Friday, 19 December 2003 G, I won't know until Monday afternoon if this is a runner or not so maybe could you provisionally prepare invoices for the following and I can meet you later on or on Tuesday with the cheque. I have included a HJ column in this so will explain in below
  24. Purchasing Goods which were in Excess of Needs "In December 2004, VWXYZ was invoiced for, and paid, €198,420 in respect of the purchase of a server and peripherals which had not been the subject of a tender process. The invoice included €15,125 for installation. The purchase was authorised by VWXYZ, approved by the CEO and the invoice was paid on 10 February 2005. Up to November 2006 the equipment had not been installed as it was deemed to be greatly in excess of any short, medium or long-term requirement of VWXYZ."
  25. Email: Wednesday, 24 November 2004
      From: N [mailto:N@VWXYZ.ie]
      Sent: 19 November 2004 12:01
      To: G
      Subject:
      I see I started writing this email a 8.45 and am only finishing it now! Anyway – can you get me a price on SQL Backup agent for 2 servers for CA Arcserve. Also – can you send me an official quote for the server maintenance at the 6 hr 24*7 Hardware Call (I will use this but take the M-F actual cover and use the difference for HJ) – hope that makes sense. Will be onto you soon re MSA config and some other thin Clients – what is delivery time on them like now ? N
  26. Email: Monday, 29 September 2005
      From: N
      Sent: 29 September 2003 12:08
      To: G
      G, Can you send invoice for tender
      70 PC at 579
      70 15” FST monitors at 289
      70 Ghost images at 10
      70 removal of Packaging at 10 (ghost and packing cover CD/RW)
      Can you send also a HJ for 7 man days server configuration at 850 and a separate HJ for 10 man days desktop config at 550
  27. Services not Proven to have been Provided "No evidence has been found to show that computer support services purported to have been provided by the supplier were actually received by VWXYZ. VWXYZ has no evidence to show that any persons engaging in the provision of support services had entered VWXYZ’s premises for the purpose of providing these services. The supplier submitted invoices for services purportedly supplied to VWXYZ. These were certified by the IT Manager and processed for payment. On the basis of information provided by the supplier it appears that the IT Manager would then invoice the supplier for the same service, purportedly supplied by him to VWXYZ on their behalf. In some instances, the amounts charged by the IT Manager to the IT supplier appeared to be similar to the amounts the IT supplier charged to VWXYZ. Initially, his invoices were issued without a charge for VAT but later invoices included VAT, although a VAT number was not quoted on his invoices."
  28. In summary, the Fraudsters cleaned up… By charging list prices to VWXYZ for computer hardware and software, while paying suppliers reduced rates; by having VWXYZ pay for services not-fully or never delivered; by having VWXYZ pay for hardware of a higher specification than is actually delivered; by over-charging for equipment and consumables.
  29. Email: Thursday, 26 June 2005
      Received: by VWXYZex1.VWXYZ.ie id <01C33BBC.B69AE200@VWXYZex1.VWXYZ.ie>; Thu, 26 Jun 2003 09:27:00 +0100
      content-class: urn:content-classes:message
      Subject:
      MIME-Version: 1.0
      Content-Type: text/html; charset="iso-8859-1"
      Content-Transfer-Encoding: binary
      Date: Thu, 26 Jun 2003 09:27:38 +0100
      Message-ID: <60FCAFB14E869241BEA744B6499443B46025@VWXYZex1.VWXYZ.ie>
      X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
      X-MS-Has-Attach:
      X-MS-TNEF-Correlator:
      Thread-Index: AcM7vM0tJgyN3+tQT/Wn65JubkKWeg==
      X-Priority: 1
      Priority: Urgent
      Importance: high
      From: "N"
      To: "G"
      Morning! First question – have you received any payments yet from here? Cheques issue from ZZZZ at present so I don’t know what has paid out so let me know. The reason i'm asking is so I can figure out what is left in our kitty ! I think about 1,500 from first lot of invoice and then 4,000 from servers and colour printer. That about right ? Bang in whatever invoices you have for me as it is a bit slow in paying – god bless State Agency! I’ll try and get them through quickly as will need the 1,500 and 4,000 by mid –end July.
      2. Will you also spec and price out a small server – low basic spec just for Mail Scanning.
      3. Could you also send me a separate HJ for 5,500 – Make Invoice for Install / Configure Cisco Data Switch – PIX Switch
  30. How to perform a "Stand Away"… Take plenty of notes. Take plenty of photos. If you can clear the room before doing it, do so. If you can have a lawyer present, consider it. There must be a representative of the client there to sign material over / add context. Do not engage with suspect if it can be avoided.
  31. … so a sophisticated fraud, underway very quickly… How do people fall into carrying out frauds? The one-off "big-hit" is unusual, but you see it. The Road to Hell… it becomes easier to rationalise. In this case the fraud "infected" our client from another victim. In this case we saw very little evidence of financial need, and N lied about his credentials. Could never work out who was the instigator.
  32. So, what do we have? Fraud on Invoices; Fraud on the Tendering Process; Fraud on Consumables; Fraud on Services Provided; Fraud on Software. When N was suspended, VWXYZ had no idea exactly what equipment they possessed.
  33. What kind of criminal was N? Doesn't look like someone who "fell" into this. Highly Convincing – Histrionic characteristics. N claimed to have qualifications he did not have. Did not have any qualms about carrying out the fraud.
  34. Sociopathic Types: Tend to see characteristic histrionic, narcissistic and controlling behaviours. Can often be highly plausible but, on deeper examination, shallow. Computers can be a give away: browser history not like a "normal" person. Can be very aggressive in defence: it is your fault for catching them.
  35. Client Issues: Most fraud is a form of betrayal: you cannot commit a fraud if you are not trusted in some way. Trust may persist even where misconduct is uncovered: the investigator is the outsider. Denial is also an issue: very difficult for clients to accept that they have been betrayed. Politics another issue: may be embarrassing to pursue.
  36. Murderers Fraudsters
  37. What happened in the end? Cost of investigating & clearing up the fraud almost as high as fraud losses themselves. VWXYZ did not hire a real forensic accountant, which complicated matters. C&AG issued a report on the matter. PAC in Dail dealt with it. N cooperated initially in retrieving funds from IT Company. IT Company stonewalled. When it looked like Gardaí would pursue N, he fled the country.
  38. Thank you. Andy Harbison, Director – Forensic & Investigation Services, Grant Thornton, 24-26 City Quay, Dublin 2. T: +353 (0)1 680 5805; M: +353 (0)86 040 7211; E: andrew.harbison@ie.gt.com
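
Slide 7's advice to keep a timeline, applied to recovered mail of the kind shown on slides 11, 19, 20 and 29: the sketch below is an added example, not material from the presentation. It orders messages by their Date header, compares that against the server's Received stamp, and flags bodies containing the recurring term "HJ"; the sample messages, the placeholder addresses and the five-minute tolerance are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages (not evidence from the case), laid out like the
# Exchange headers on the slides. Addresses use a placeholder domain.
SAMPLES = [
    "From: n@example.test\nTo: g@example.test\n"
    "Date: Thu, 16 Oct 2003 12:11:00 +0100\n\n"
    "Please include the extra amount as HJ on the invoice.\n",
    "Received: by mx.example.test id <0001@mx.example.test>; "
    "Thu, 5 Jun 2003 12:09:00 +0100\n"
    "From: n@example.test\nTo: g@example.test\n"
    "Date: Thu, 5 Jun 2003 12:09:24 +0100\n\n"
    "Please send the delivery dockets.\n",
    "Received: by mx.example.test id <0002@mx.example.test>; "
    "Tue, 2 Sep 2003 18:40:00 +0100\n"
    "From: n@example.test\nTo: g@example.test\n"
    "Date: Tue, 2 Sep 2003 12:04:41 +0100\n\n"
    "There is an hj column in the sheet, explained below.\n",
]

TERM = re.compile(r"\bHJ\b", re.IGNORECASE)  # recurring term in the slides' emails

def received_time(msg):
    """Server-side timestamp: the part of Received after the final ';'."""
    received = msg.get("Received")
    if not received or ";" not in received:
        return None  # recovered fragments often lack transport headers
    return parsedate_to_datetime(received.rsplit(";", 1)[1].strip())

def build_timeline(raw_messages, max_skew_seconds=300):
    """Return one row per message, ordered by the Date header."""
    rows = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sent = parsedate_to_datetime(msg["Date"])
        stamped = received_time(msg)
        skew = abs((stamped - sent).total_seconds()) if stamped else None
        rows.append({
            "sent": sent,
            "from": msg["From"],
            "to": msg["To"],
            "term_hit": bool(TERM.search(msg.get_payload())),
            # Date is set by the sender's client; a large gap to the server
            # stamp deserves a note in the investigation log.
            "clock_mismatch": skew is not None and skew > max_skew_seconds,
        })
    return sorted(rows, key=lambda r: r["sent"])

if __name__ == "__main__":
    for row in build_timeline(SAMPLES):
        print(row["sent"].isoformat(), row["from"], "->", row["to"],
              "HJ" if row["term_hit"] else "-",
              "CHECK CLOCK" if row["clock_mismatch"] else "")
```

Run it against working copies of the recovered mail, never the original evidence image.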