John B. Baird
Computer Forensic Portfolio
Currently Seeking Employment
Open to relocation
johnbairdpc at gmail dot com
Computer Forensic Investigation of Financial Statement Fraud
John B. Baird
Case brief 1
[SUSPECT 1] is the CEO of telecommunications hardware developer [SUSPECT COMPANY]. The Department of Justice indicted [SUSPECT 1] for altering quarterly statements to boost his company’s earnings. [SUSPECT 1] is suspected of deleting incriminating evidence to hide traces of his activity. The DoJ worked out a deal with the VP of finance, [SUSPECT 2], to identify which Excel document [SUSPECT 1] altered: “earnings.xls”. A USB flash drive was found at [SUSPECT 1]’s home. The computer and USB flash drive were seized in a manner consistent with the recommendations in Electronic Crime Scene Investigation: A Guide for First Responders. The laptop and flash drive were entered into evidence according to agency policy, and I verified that a search warrant had been obtained for the examination of the computer and the flash drive. The computer and flash drive were then submitted for examination.
Objective: To determine whether [SUSPECT 1] altered quarterly statements to boost his company’s earnings. This was complicated by the fact that [SUSPECT 1] is suspected to have advanced computer skills in hiding and deleting computer evidence.
Computer type: Dell laptop, serial [REDACTED].
Operating system: Windows 7
Offense: Corporate Fraud
Case agent: Investigator John B. Baird
Evidence number: [REDACTED]
Chain of custody: See attached form.
Where examination took place: Remote.
Tools used: Ultradock, WiebeTech USB WriteBlocker, Guidance Software EnCase, HashTool.
Assessment: Reviewed the case investigator’s request for service. The search warrant provided legal authority. The investigator was interested in finding all information pertaining to alterations of a quarterly report filing with the file name “earnings.xls”. It was determined that the equipment needed was available in the forensic lab.
Imaging: Digital duplicates of the laptop hard drive and USB flash drive were made as follows:
1. The laptop computer was examined and photographed.
a. The hardware was examined and documented.
b. The hard drive was taken out of the laptop.
c. The hard drive was connected to the Ultradock device with the device set to “write block” mode to prevent changing any digital evidence on the drive.
d. EnCase made a bit-by-bit image transfer of the hard drive.
e. SHA-1 hash values of the hard drive and hard drive image were verified as forensically sound duplications with EnCase.
f. SHA-1 hash values of the hard drive and hard drive image were verified as forensically sound duplications a second time with HashTool.
g. The laptop and laptop hard drive were logged and locked into an evidence locker.
2. The USB flash drive was examined and photographed.
a. The hardware was examined and documented.
b. The USB flash drive was connected to the WiebeTech USB WriteBlocker device with the device set to “write block” mode to prevent changing any digital evidence on the USB flash drive.
c. EnCase made a bit-by-bit image transfer of the USB flash drive.
d. SHA-1 hash values of the USB flash drive and USB flash drive image were verified as forensically sound duplications with EnCase.
e. SHA-1 hash values of the USB flash drive and USB flash drive image were verified as forensically sound duplications a second time with HashTool.
f. The USB flash drive was logged and locked into an evidence locker.
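The source-versus-image hash check in the steps above can be repeated independently of the acquisition tool. The script below is an added example, not part of the original report and not the logic of EnCase or HashTool; it assumes the write-blocked source is readable as a file, and the function names and sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile


def verify_image(source_path, image_path, chunk=1024 * 1024):
    """Hash source and image in one pass and report where they diverge."""
    h_src, h_img = hashlib.sha1(), hashlib.sha1()
    first_diff = None  # offset of the first chunk that differs
    offset = 0
    with open(source_path, "rb") as src, open(image_path, "rb") as img:
        while True:
            a, b = src.read(chunk), img.read(chunk)
            if not a and not b:
                break
            if first_diff is None and a != b:
                first_diff = offset
            h_src.update(a)
            h_img.update(b)
            offset += max(len(a), len(b))
    return {
        "source_sha1": h_src.hexdigest(),
        "image_sha1": h_img.hexdigest(),
        "match": h_src.digest() == h_img.digest(),
        "first_diff_offset": first_diff,
    }


def demo():
    """Constructed data: one faithful copy and one copy with a flipped byte."""
    data = bytes(range(256)) * 48  # 12288 bytes standing in for a drive
    altered = bytearray(data)
    altered[5000] ^= 0xFF
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, content in (("source", data), ("good", data), ("bad", bytes(altered))):
            paths[name] = os.path.join(d, name + ".img")
            with open(paths[name], "wb") as f:
                f.write(content)
        good = verify_image(paths["source"], paths["good"], chunk=4096)
        bad = verify_image(paths["source"], paths["bad"], chunk=4096)
    return good, bad


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The reported offset is chunk-granular: it marks the start of the first chunk that differs, which narrows where an image departed from its source.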
Examination: The laptop directory and file structures, including file dates and times, were recorded. A file header search was conducted to locate any instances of “earnings.xls”. “earnings.xls” was not visibly present but the file was found deleted. A file header search was conducted to locate any instances of “earnings.xls” on the flash drive. “earnings.xls” was not visibly present but two instances of the file were found deleted on the flash drive, “earnings2.xls” and “earnings-original.xls”.
REPORT OF MEDIA ANALYSIS
Forensic Media Analysis Report
SUBJECT: [SUSPECT 1]
Case Number: [REDACTED]
1. Status: Closed.
2. Summary of Findings:
* 3 files showing manipulation of quarterly statements to boost [SUSPECT COMPANY]'s earnings.
3. Items Analyzed:
TAG NUMBER    ITEM DESCRIPTION
01234         Dell Laptop, Serial # [REDACTED]
01235         SanDisk 16GB USB Flash Drive, Serial # [REDACTED]
4. Details of Findings:
* Findings in this paragraph relate to the Toshiba Hard Drive, Model N/A, Serial # [REDACTED], recovered from tag number [REDACTED], Dell Laptop, Serial # [REDACTED].
1. The examined hard drive was found to contain a Microsoft Windows 7 operating system.
2. An “earnings.xls” file was found in the Windows Recycle Bin, deleted on 09/22/10 03:38:12 PM.
* Findings in this paragraph relate to the SanDisk 16GB Flash Drive, tag number [REDACTED], Serial # [REDACTED].
1. An “earnings2.xls” file was found deleted, last written to on 07/08/09 12:53:50 PM.
2. An “earnings-original.xls” file was found deleted, last written to on 07/08/09 12:54:44 PM.
5. Conclusion: “earnings.xls” from the laptop and “earnings-original.xls” from the flash drive show what appear to be [SUSPECT COMPANY]’s true earnings: net earnings totaling [REDACTED]. “earnings.xls” found on the flash drive appears to be the altered version of the file supplied to the public: net earnings totaling [REDACTED].
These appear to be violations of federal corporate crime law. The FBI defines corporate fraud as:
Corporate fraud investigations involve the following activities:
* Falsification of financial information of public and private corporations, including:
  * False accounting entries and/or misrepresentations of financial condition;
  * Fraudulent trades designed to inflate profit or hide losses; and
  * Illicit transactions designed to evade regulatory oversight.
* Self-dealing by corporate insiders, including:
  * Insider trading—trading based on material, non-public information—including, but not limited to:
    * Corporate insiders leaking proprietary information;
    * Attorneys involved in merger and acquisition negotiations leaking info;
    * Matchmaking firms facilitating information leaks;
    * Traders profiting or avoiding losses through trading; and
    * Payoffs or bribes in exchange for leaked information.
  * Misuse of corporate property for personal gain; and
  * Individual tax violations related to self-dealing.
* Obstruction of justice designed to conceal any of the above-noted types of criminal conduct, particularly when the obstruction impedes the inquiries of the SEC, other regulatory agencies, and/or law enforcement agencies.
* Files ending in “.xls” are Microsoft Excel spreadsheet files.
* Imaging is the process of making an exact clone of a drive.
* SHA-1 is a hash function whose output acts like a fingerprint of digital media; it is used to ensure duplications are forensically sound clones of files.
7. Items Provided: In addition to this hard copy report, one DVD was submitted with an electronic copy of this report. The report on DVD contains hyperlinks to the above-mentioned files and directories.