When investigating fraud, remember where there is a paper document, there is probably an electronic version of it. There may be more than one, often held by third parties. Electronic documents often tell you more than paper ones would, for example the date of deletion from a computer may indicate a covering up exercise.
Computer data should always be secured when executing search orders, using forensic techniques that can recover deleted documents, faxes, electronic mails and other data that may prove a case beyond dispute. This requires specialist knowledge and tools – simply switching on and reviewing what is immediately seen is not forensic analysis, and this approach may destroy evidence or render it inadmissible in a court.
In house IT staff are unlikely to be qualified to process computer evidence and may make serious mistakes that will almost certainly undermine the value of any evidence and may prevent recovery of assets through legal channels.
So when a fraud is suspected the best thing to do is definitely not panic – give a specialist firm a call such as CY4OR or Data Genetics – or call your friendly fraud investigator – all of whom will talk you through the steps you must take (happy to help!).
It is not just computers that need to be considered. Mobile phones, personal organisers, fax machines and many other devices may also contain evidence important to your case. If forensic analysis is required of any device, attention to the following is vital:
- Secure electronic evidence quickly to reduce the risk of it being destroyed or changed
- If a computer or device to be investigated is on – do not switch it off!
- If a computer or device to be investigated is off – do not switch it on!
- Disconnect computer from power at socket and seal in a plastic bag
- Gather all disks, CDs, DVDs, tapes, USB memory sticks and other electronic storage devices together to accompany computer
- Gather associated manuals, power cables, external drives and any other external peripheral devices together to accompany computer
- Avoid contact by magnetic media with strong magnetic fields, microwaves, excessive heat, shock or vibration
Of course there are times when a quick examination of the computer will assist with urgent decision making – that will prevent further losses. Again it is knowing what to do that is important. This is why all organisations should have a Fraud Response Plan in place so that the right decisions are made by the appointed persons in a timely fashion.