The Crucial Role Of Digital Forensics In The Investigation Of White-Collar Crime


When investigating white-collar crime, it is often forgotten that a user's behaviour on mobile devices and computers can lead to additional insights. By analysing the digital traces or "fingerprints" of a user, it is possible to reconstruct connections and timelines that provide valuable insights for comprehensive case presentation.

The art of seeing through: Fundamentals of Forensic data acquisition

Digital forensics is a practice "relating to or denoting the application of scientific methods and techniques to the investigation of crime". Forensically sound data must be preserved in a format which is admissible in court and is therefore subject to strict criteria throughout the entire chain of evidence.

Figure 1: Digital Forensics Model

Preservation and documentation are key parts of the legal process and are crucial to ensuring that evidence is handled and distributed securely and accurately. As part of an investigation, it is important to ensure that digital traces are not inadvertently falsified or insufficiently documented, which would render the evidence inadmissible before courts or supervisory authorities.

Forensic technology experts use tools and techniques which adhere to the industry standards for digital evidence. One such technique is known as 'device imaging', a method of creating a bit-for-bit copy of the data, meaning the data is duplicated in its complete structural entirety. To ensure that the copy is like-for-like, a technique known as 'hashing' is used: a mathematical function that outputs a string of text derived from a set of data. Changing one bit of the data changes the output of the function, so the two strings would be entirely different even if only one bit of data was different.

Figure 2: Illustration of Hash function
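The imaging and hashing steps described above, as an added example that is not part of the original article: a source is copied bit for bit while its SHA-256 hash is recorded, the image is re-hashed to verify it, and one bit of the copy is then flipped to show the mismatch. The choice of SHA-256, the file names and the 4 KiB sample "device" are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never load fully into memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_hash(source, image):
    """Copy source to image bit for bit, hashing the bytes as they are read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def demo():
    """Constructed sample: image a 4 KiB 'device', then flip one bit in the copy."""
    with tempfile.TemporaryDirectory() as d:
        source, image = os.path.join(d, "device.bin"), os.path.join(d, "image.dd")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 16)  # constructed stand-in for a device
        recorded = image_and_hash(source, image)  # hash noted at acquisition
        intact = sha256_file(image) == recorded   # verification of the fresh image
        with open(image, "r+b") as f:             # simulate a single-bit alteration
            f.seek(100)
            byte = f.read(1)[0]
            f.seek(100)
            f.write(bytes([byte ^ 0x01]))
        altered = sha256_file(image)
        differing = sum(a != b for a, b in zip(recorded, altered))
        return intact, altered == recorded, differing
```

`demo()` returns whether the fresh image verified, whether the altered image still verifies, and how many of the 64 hex characters of the digest changed after the one-bit flip.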

Digital forensics to uncover the story behind the data

In contrast to traditional document review, which primarily takes the content of chats, emails and files into consideration, digital forensics works with the nuts and bolts of the operating system to understand user behaviour.

One such example is metadata analysis, whereby the embedded information of a file is accessed, and information which may not be visible to a normal user can be pulled out. This helps investigators to piece together information such as when a file was created, accessed, modified, deleted, moved or renamed.

Another example is file signature analysis, which forensic practitioners can use to determine if a file has been tampered with to hide content. A common example of this is individuals changing the extension of a file, in an attempt to disguise the original file format.

Figure 3: Example of file signature analysis

The first 8 hexadecimal digits (red frame) represent the "type" of the file. For example, you can rename a docx file to .png to hide the original content. However, from this signature it can be seen that it is not a png file but a docx file.
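A sketch of the check described above, as an added example that is not part of the original article: the file's leading bytes are compared with the type its extension claims. It goes one step beyond the first four bytes, because a docx file shares the ZIP signature `50 4B 03 04` and is told apart by the entries inside the container; the signature table, function names and sample file are assumptions constructed for illustration.

```python
import io
import zipfile

# Leading "magic" bytes for a few formats; a small table for illustration only.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
}
# OOXML files are ZIP containers; the top-level folder tells them apart.
OOXML_DIRS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}


def detect_type(data):
    """Identify a file from its content, ignoring its name."""
    kind = next((k for sig, k in SIGNATURES.items() if data.startswith(sig)), None)
    if kind != "zip":
        return kind
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return "zip"  # ZIP signature present but container unreadable
    if "[Content_Types].xml" in names:
        for prefix, ooxml in OOXML_DIRS.items():
            if any(n.startswith(prefix) for n in names):
                return ooxml
    return "zip"


def check_extension(filename, data):
    """Return (claimed, actual, mismatch) for a file name and its content."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = {"jpeg": "jpg"}.get(claimed, claimed)
    actual = detect_type(data)
    return claimed, actual, actual is not None and claimed != actual


def make_sample_docx():
    """Constructed sample: a minimal ZIP with the entries a .docx carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Calling `check_extension("holiday.png", make_sample_docx())` reports a claimed type of `png`, an actual type of `docx` and a mismatch, which is the renamed-file case from Figure 3.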

A further example is Axiom Examine, which is a forensic acquisition and analysis tool developed by Magnet Forensics. It is commonly used to extract data from PCs, mobile devices and online cloud-based platforms such as Twitter, Instagram, Dropbox and more. Axiom Examine is particularly useful at the analysis phase, where it breaks the data down into specific categories, making it easy to identify certain types of data such as user credentials, browsing history, cookies, cache, images and videos.

Unlocking the Hidden: Three case studies on Digital Forensics

In the following cases, technical expertise and tools were used to retrieve data that had been deleted, lost or not yet discovered.

Expert evidence regarding document authenticity

An expert report established that the documents analysed could not have been signed on the dates claimed by the other party. This was based on a complex extraction and analysis of specific metadata in the relevant contract and transaction documents. These were not visible at user level and provided irrefutable evidence of the exact date of signature.

Proving data destruction

The analysis of several devices belonging to former managers confirmed that the employer's protected information had been copied to an external USB device. By analysing the metadata of the file system, evidence of data destruction was also found.

Bad Leaver case

After the lead programmer of a company had left under negative circumstances, his computers were analysed. Using file header analysis and Axiom Examine, it was established that not only had he connected personal devices to the systems of his former employer, but that the data transfer to his home devices had continued long after his departure, allowing him to continue to monitor his former employer's ongoing activities.

Digital forensics as the cornerstone of investigations

Advanced techniques play a central role in filtering out the crucial information from huge amounts of data and bringing hidden evidence to light. Specialised software can be used to search for specific file types or keywords. This enables the efficient securing and identification of relevant information. Communication data can also provide information about networks of people, supporting the strategic planning of interviews and the targeted collection of further data. Furthermore, a detailed timeline of all relevant digital events can reveal connections between seemingly unrelated information.

Activities on electronic devices leave traces. These often lead to bank and email accounts, online gambling habits, inappropriate image databases, expensive leisure activities, printing and scanning activities, time zone changes, unauthorised USB connections, photos or screenshots of intellectual property, geolocation information or connections to WiFi networks that indicate places visited. Indications of data leaks, data deletions or hidden assets can also be found.

In digital forensics, tools and technical expertise are used efficiently to recover deleted, lost or previously undiscovered data. The in-depth understanding of digital evidence leads to tactical and strategic advantages in investigations.

This article was originally published by the Lucerne University of Applied Sciences and Arts with the title "Die entscheidende Rolle der digitalen Forensik bei der Untersuchung von Wirtschaftskriminalität".

Originally published by 08 May, 2024
