Wednesday, 17 December 08 - 12:31 PM (GMT) By John ML Dierckx in General
Recurring themes in investment frauds
Over the years several duped investor files have passed my deck. Recently I have been going over some old journals and notes and I found several characteristics coming back as well let's say recurring themes.
One person at the top and apparently in control of everything. Some of the cases passing my desk here in New Zealand, are more obvious as there are in general many more SME and the investment scene is not an exception. There was this family owned business, where father ran the show, beyond control of any of his sons, who just did as father ordered. Separation of duties? Yes, but not for father. On a larger scale, look at Nick Leeson's Barings Bank case and a similar pattern is evident, he controlled front and back office.
Unusually high returns If you may not be sold on the person directly, than if anything will pull people over the bridge it is the promise of a higher than normal return. In some instances, people even see these high returns but in order to keep the scheme going they are lured into re-investing these schemes instead of taking a payout or - as is the case in Ponzi-schemes - the substantial payouts come in but at one point the scheme collapses when fresh money is drying up.
Lack of independent proof of profitability What do I mean with that? Well you will get all these fantastic figures, predictions and other tantalizing material, all produced to convince you that this is an opportunity of a lifetime. But what is it they are actually giving you? Well whatever it is it will look luxurious and flash. Glossy presented prospectusses to support the incredible income prognosis. But you need to ask yourself: were these figures ever audited and by whom? They may very well be an unaudited audit report, preferably presented as a copy of a Dun & Bradstreet report or something similar to give it that extra air of credibility.
Diversion tactics You are being flooded with information, however it is not necessarily relevant material! Recently I posted an article and that illustrated this tactic just perfectly. I was referred to website reports with all fantastic graphs but was it really about the opportunity I was invited to? NO! Conmen are besides that a master in drawing big conclusions from little or no evidence. Or otherwise the attention of victims is diverted from the investment opportunity, or business opportunity, to things that are of no relevance, such as incredble headquarters in tropical paradises, mansions that will make you stand back in awe (and who asks or checks whether it is actually owned) and impressive looking materials all around that make it look even more impressive or lifestyles funded by other victims to create this incredible air of success. If you can't sell the "opportunity", sell the person offering it! In Madoff’s case, it was reported that some people were simply begging him to be allowed to become an investor. He was the man, the go-to- guy.
An impressive list of references and endorsements Have you ever tried to verify the credibility of these references: tried to chase down one or the other extremely busy business person. As this is part of my job, I can assure you it is time consuming and often times a frustrating and job. Is such a reference really worth anything if you can't get a hold of him or her? It is very easy to provide fake references once you are aware if this reality. And even if you do get hold of these people, they may very well either not be aware of the fact that they are being defrauded or they could be fraudsters themselves!
Due diligence: say what? Whole all these signs may be very obvious, I see on a regular basis a lack of proper due diligence, even by the professionals. Investors, accountants, lawyers, they see but seem not to see. It is not too hard to understand, they simply don't want the bad or deal breaking news; they are committed to make the deal for real. The fraudster knows this and keeps on coming with more meaningless glam documents, rewrites of the same documents, whatever you ask for, until everyone is tired of asking for more. Moreover, and that is where things go bad, once one reputable party is lured in, the rest will often follow blindly and due diligence is out of the door: "someone else will have already done it."
Remember however, it is your money, and therefore you should take responsibility you are handing over, so make sure you do it wisely. All these recent scandals show the importance of safeguarding your interests. And if you are not sure or not getting the answers you are looking for, keep your money in your pocket and look around for the next opportunity. Most of all remember: if it sounds too good to be true it usually is.
Recently there has been some discussion in New Zealand about disbanding the Serious Fraud Office and bring the unit under the police: an initiative of the previous governement. I expressed my concerns about such an idea on the blog of Dierckx & Associates Ltd.
I was pleased to read today thatmy vote has not been wasted and that our new prime minister John Key announced the SFO would stay.
“They’ll be staying, and they’ll be investigating some very interesting crimes, I would suggest, over the next few years,” Mr Key said.
“Those who have broken the law, maybe those who have defrauded New Zealanders out of their retirement savings with all sorts of dodgy schemes, are going to know that the Serious Fraud Office will be here, with all its powers, to investigate them.”
When recruiters/head hunters, managers or HR professionals are in need to fill a position, they should look for more than just a proper skill set, experience or a good fit for team or company. They should also consider whether or not there are or may be reasons for not contracting a specific applicant.
It is estimated that around 10% (US) of applicants have criminal convictions. A considerable amount of resumes contain serious falsehoods or omissions. Diplomas and certificates can be bought at a reasonable price by those that want to beef up their academic achievements. It is therefore important to avoid costly mistakes and that appropriate measures are taken to reduce the risk associated with recruitment/hiring new employees. Especially in tighter markets where there is a shortage of skills, the need for proper hiring procedures may be overlooked or neglected.
At all times however, you will want to find a balance between required controls and attracting applicants. Employers, should use evaluation tools.We do encourage you to contact us about our Triple R program (Recruitment Risk Reduction Program): a programmatic approach embedded in the organization's policies and procedures is the preferred choice. For the purpose of this article however, and realizing that such a programmatic approach is not always realized, here are some tips that can be used immediately, at no cost, and that will assist you in better informed decisions and will hopefully reduce your recruitment risks. It is a well known idea that even the best fraud controls will not do their job if you hire dishonest employees. While it may not always be possible to predict the future and while it is believed that everyone deserves a second chance, we also promote that you can only make a good decision in these matters if you are well informed. I speak from experience when I say that I have often ended up being involved in cases where the sign were all over the wall if someone had only taken the trouble of a proper evaluation of the information provided by candidates. Ok, enough now, here are some tips that may assist you in making better informed decisions.
First determine what the actual needs of the organization are and whether or not these needs may be addressed internally. Consider recruiting internally first.
If at all possible use pre-formatted application forms and include any documents or authorization forms that you may require. This ensures that you stay in control of the information you require from each applicant and forces to sit down and document your requirements.
Have each job applicant sign a consent form for a background check, including a check for criminal records, past employment, financial information and education. Announcing upfront that your firm checks applicants’ backgrounds may discourage applicants with something to hide, and encourage applicants to be truthful and honest about mistakes they have made in the past.
In addition to an actual check, ask whether or not an applicant has been convicted for criminal offenses in the broadest possible terms allowed by law. Laws may differ considerably so ask your lawyer or HR professional where the boundaries are.
Towards the end of an interview, advise applicants that the firm performs a criminal background and reference check as a standard business practice.
Ask the applicant if he or she has any concerns to share. Good applicants will usually pay no heed to the question. Applicants with a problematic background may either reveal relevant background information or withdraw their application.
You could ask applicants during an interview what they think a former employer might say about them. For example, "If we were to contact past employers, how would they describe your performance, work style?" Since the applicant has signed an authorization and has been advised that such checks may occur, the applicant may be more motivated to reveal information about past jobs.
Make sure that the applicants are advised in clear terms that any false or misleading statements or material omissions are grounds to terminate the hiring process or employment, regardless of when discovered.
Should employment commence before the completion of a background check: make sure that any agreement states in writing that employment is conditional upon a background report that is satisfactory to the employer.
Verifying past employment is often a neglected but very important tool for an employer. Generally speaking, past job performance can be a predictor of future success and offers you an opportunity to test whether or not there may be issues as to how the applicant may fit in.
Verification of dates of employment and job title are critical because an employer: there may be hidden and unexplained gaps in the employment history to should be discussed or may raise concern. There may be many reasons for a gap in employment.
When you are provided contact details of referees from past employers or otherwise, always use the general number of the organization as opposed to any private number or DDI provided. Ill-willed applicants may have made arangements with friends or family.
Gaps in employment histories should at all times be discussed. There may be a thousand very valid reasons for these gaps, however if an applicant cannot account for them that could be a red flag. Where in doubt, consider ways to corroborate the explanations provided by the applicant.
Ask for previous addresses, and likewise, if an applicant cannot account for them that may be another red flag. In some jurisdictions (for instance US) previous addresses are paramount to efficiently and effectively perform adequate criminal background checks due to the way the system is set up.
Obtain a listing of all past addresses for five to ten years.
Advise applicants that besides pre-employment screenings, employment screenings may be performed for specific reasons for instance if a future investigation is required.
Since you already obtained the authorization, do actually check for criminal records. There are services providers that can assist in this, as well as obtain financial and other background information.
Finally, documenting an attempt to obtain references can demonstrate due diligence and may be seen as an expression of how serious you take your company and its employees, the applicant included. They are after all your most important asset.
While these short tips may address some of the most pregnant issues regularly overlooked, Dierckx & Associates promotes you to have a comprehensive program in place. It does not need to be expensive and it does not necessarily mean going overboard. Your employees are one of the most important assets of your organizations: treat them like that, which starts by due care in hiring decisions. In some jurisdictions, this extra care is also required because of the potential of claims on the basis of 'negligent hiring' or because you may be on the receiving end of a claim based on for instance discrimination.
Dierckx & Associates in conjunction wiith its invovement in the Arcis Group, have developed a comprehensive program especially aimed at SME. Call us for more information.
Monday, 29 September 08 - 02:44 PM (GMT) By John ML Dierckx in General
PRESS RELEASE
New Board Members Announced
On September 23, 2008, The Loss Prevention Foundation’s Board of Directors approved four new board members. These individuals are industry leaders and have been chosen to help govern The Foundation, as well as provide strategic direction for the organization. The following individuals have accepted the nomination to serve on The Foundation’s Board of Directors:
·Patti Feltz, Vice President Asset Protection, Polo Ralph Lauren
·Monica Mullins, Vice President of Asset Protection & Safety, Wal-Mart Stores - U.S.
·Kevin Valentine, Vice President of Loss Prevention, Sterling Jewelers
·Stan Welch, Vice President, Director of Loss Prevention, J. C. Penney’s
According to The Foundation’s Chairman, Frank Johns of A. C. Moore, “It is very gratifying to have such wonderful industry professionals join this Board of Directors. I couldn’t be more pleased to have such a well-rounded group of individuals help govern this organization.”
The Foundation, whose mission is to advance the loss prevention profession by providing relevant, convenient, and challenging educational is organized as a not for profit, 501 (c) 6. “Having such a diverse group of individuals provide direction for this Foundation shows the level of support this organization continues to have from this industry.We could not ask for a better, more passionate group to lead this organization” said Gene Smith, the Foundation’s President.For a complete list of board members, please visit our site at: http://www.losspreventionfoundation.org/about_us_board.html
Thursday, 07 August 08 - 10:12 PM (GMT) By John ML Dierckx in Scam Letters
This came in this morning. An oldie in terms of 419 scams but apparently still in use. DON'T FALL FOR IT.
From: "Lomza Saton" <lomza_saton350@yahoo.com> To: Subject: CRUDE OIL SALES VENTURE. Date: Friday, 8 August 2008 8:21 a.m.
Dear,
I wish to introduce you to this highly prospective crude oil sale venture. What do I mean? I propose that we become partners in a crude oil sales project under the umbrella of the National Petroleum Agency of Sao Tome and Principe. I am presently in Sao Tome and Principe Liaison In South Africa .
In this project, we will register either your company or a joint company with the local Corporate Affairs Commission of Sao Tome and Principe ; re-assign an already allocated crude oil sale license to the company and act as representative of the Petroleum Agency in selling of crude oil to the end buyers.
I have assisted a company based in Oman, Middle East to secure a crude oil sale license allocation in 2005. The director of this company, Mr. Ahmed Syed could not actualize his dream in this project as he; the sole owner of the company was unfortunately struck by stroke therefore incapable of involving in active business.
I will package you as the crude oil sale license beneficiary if you are interested. We would re-assign the sale license earlier given to Mr. Ahmed to your/our company. This will give your company/our joint company the legal authority to act as crude oil sales agent/representative for the petroleum agency.
The assignment of the crude oil sale license allocation to our company gives us the privilege to operate as first lifters of crude oil from the block. This attracts US$2.00 discount per barrel to the lifter. The US$2.00 is our (lifter) entitlement from the local petroleum agency (national petroleum agency), also been able to get final buyers entitles us also to a US$1.00 discount from the discount given to the end buyer as "mandates". As we are going to be lifting 2 million barrels per month from the block, US$2.00 discount from local petroleum agency sums up to US$4 million per month. And US$1.00 discount from the end buyer comes to US$2 million per month.
This totals to US$6 million gross coming to our group per transaction/per month. On equity sharing ration, both of us will be netting in a cool US$6 Million as profits monthly. This proceeds known as commissions will be shared equally on equity between the both of us at the end of every sales operation month. This implies that shall both go home with US$3 Million each.
This project is highly prospective and presently the most legitimate money making machinery someone can set up. What is so interesting about the project is that our both presence is not much needed, rather after the registration of your/our company and obtaining the crude oil sales license, we would connect buyers to the Petroleum Agency by any means we choose and our commissions will be directed instantly to our nominated company bank co-ordinates.
I will gladly appreciate your understanding and keen interest to be part of this moving train called CRUDE OIL SALES VENTURE.
Please feel free to contact me on the number below or reply to this private email
I came across this interesting article which is something we all may want to consider, especially SME's. Besides checking your companies office/house records, make sure you regularly get a credit report for your business and yourself.
Organised criminals are now turning their attention from the well-documented personal identity theft to the corporate market
More than 200,000 British businesses have already fallen victim to identity theft and thousands more could be at risk, according to a survey of 200 SMEs carried out on behalf of Close Invoice Finance, part of the Close Brothers merchant banking group.
The findings appear to show that organised criminals are now turning their attention from the well-documented personal identity theft to the corporate market, with small and medium sized businesses top of their hit list. The statistics indicate that at least five per cent of SMEs have been already been targeted by identity fraudsters, while separate figures from the Metropolitan Police indicate the financial damage to British businesses could be in excess of £50 million a year.
A typical scenario could see fraudsters changing the registered address and the company secretary or director of a business at Companies House. The criminals could then appoint new directors, using them to open bank accounts and arrange to have goods delivered to a new address, effectively ruining the credit rating of the business and leaving it with significant charges to clear.
The authors see small and medium sized businesses as especially vulnerable because they lack the manpower and systems to adequately protect themselves, so their experts have put together the following advice to help SME’s safeguard confidential information:
Regularly check that your records at Companies House are correct. File your accounts electronically, using the protected online filing service PROOF. Subscribe to Companies House ‘Monitor’, an email alert that gives warning when any changes to company details are made. Don’t rely solely on Companies House records, research new suppliers or customers before issuing goods on credit
Wednesday, 30 July 08 - 12:02 AM (GMT) By John ML Dierckx in Pyramid Scheme Alert
As readers here are well aware, I have been a supporter of Pyramid Scheme Alert and the prominently heading by Robert Fitzpatrick as well as the efforts undertaken by Eric Scheibeler through his book and site Merchants of Deception detailing his experiences as an Amway distributor. We can now add the False Profits Blog to the list of sites of interest.
Robert FitzPatrick, the publisher of the "False Profits Blog," is the co-author of the book, False Profits, the first book-length analysis of pyramid schemes and multi-level marketing ever published.
Definitely recommended reading for those interested in MLM and more importantly for those considering a 'career' as distributor.
Wednesday, 09 July 08 - 01:38 AM (GMT) By John ML Dierckx in Scam Letters
I had a good laugh reading this piece of junk coming into my mailbox. To crazy for words of course. On the other had I keep in mind that every now and then people still fall for these letters.
The FBI using different non-government email addresses, from Australia??? and look at all the typos.
Well, the FBI will not be contacting you by email and mist of all not using an email address as below.Don't fall for it please, mark as junk (so it will next time be caught by a filter), move to junk or delete and whatever you do don't answer.
Subject: KINDLY GIVE THIS MATTER AN URGENT ATTENTION.
From: "FBI" waw1@optusnet.com.au Reply to: FBI www-fbi-us.gov@live.com
Date: Tue, 8 Jul 2008 12:21:07 -0700
ANTI CRIME DEPARTMENT/WASHINGTON DC FIELD
ATTENTION: BENEFICIARY,
THIS IS AN OFFICIAL ADVICE FROM THE FBI FORIEGN REMMITTANCE/TELEGRAPHIC DEPT. ,IT HAS COME TO OUR NOTICE THAT THE H.S.B.C BANK LIVERPOOL DISTRICT , HAS RELEASED 10,500,000.00 U.S DOLLARS INTO YOUR ACCOUNT HERE IN THE UNITED STATES OF AMERICA.
THE CENTRAL BANK OF NIGERIA KNOWING FULLY WELL THAT THEY DO NOT HAVE ENOUGH FACILITIES TO EFFECT THIS PAYMENT FROM UNITED KINGDOM TO YOUR ACCOUNT, USED WHAT WE KNOW AS A SECRET DIPLOMATIC TRANSIT PAYMENTS.T.D.P TO PAY THIS FUND THROUGH ATM ,THEY USED THIS MEANS TO COMPLETE THE PAYMENT, AND INSTEAD OF PAYING 10.5 MILLION.
THEY ARE STILL ,WAITING FOR CONFIRMATION FROM YOU ON THE TRANSFER. RECORDS WHICH WE HAVE HAD WITH THIS METHOD OF PAYMENT IN THE PAST HAS ALWAYS BEEN RELATED TO TERRORIST ACTS,WE DO NOT WANT YOU TO GET INTO TROUBLE AS SOON AS THESE FUNDS RELFLECT INTO YOUR ACCOUNT IN THE U.S.A, SO IT IS OUR DUTY AS A WORD WIDE COMMISSION TO CORRECT THIS LITTLE PROBLEM BEFORE THIS FUND IS TRANSFERRED .
DUE TO THE INCREASED DIFFICULTY AND UNNECESSARY SCRUTINY BY THE AMERICAN AUTHORITIES WHEN FUNDS COME FROM OUTSIDE OF EUROPE, AND THE MIDDLE EAST, THE F.B.I BANK COMMISSION FOR EUROPE HAS STOPED THE TRANSFER ON ITS PAYMENT OF $10,500,000.00 TO DEBIT YOUR RESERVE ACCOUNT AND PAY YOU THROUGH A SECURED DIPLOMATIC TRANSIT ACCOUNT (S.D.T.A). WE GOVERN AND OVERSEE FUNDS TRANSFER FOR THE WORLD BANK AND THE REST OF THE WORLD . WE ADVICE YOU CONTACT US IMMEDIATELY,AS THE FUNDS HAVE BEEN STOPED AND ARE BEIGN HELD IN OUR OFFICE HERE , UNTIL YOU CAN BE ABLE TO PROVIDE US ,(WITH THE ENCODED F.B.I ORDER FOR TRANSFER ),WE ADVICE YOU PRESENT US WITH A DIPLOMATIC IMMUNITY SEAL OF TRANSFER WITHIN 3 DAYS FROM THE BANK WHERE THE FUNDS WERE TRANSFERED FROM FOR US TO CERTIFY THAT THE FUNDS THAT YOU ARE ABOUT TO RECIEVE FROM NIGERIA ARE ANTI-TERRORIST/DRUG FREE OR WE SHALL HAVE CAUSE TO CROSS AND IMPOUND THE PAYMENT,WE SHALL RELEASE THE FUNDS IMMEEDIATELY WE RECIEVE THIS LEGAL DOCUMENT .
The name we have on the fund as the rightfull beneficiary is.That is why we have decided to contact you directly to acquire the proper verifications and proof from you to show that you are the rightfull person to receive this fund, because the above mentioned amount is a big amount of money,that is why we want to make sure is a clear and legal money you are about to receive Be informed that the fund have hit your account , but right now we have ask the bank not to release the fund to anybody that comes to them , unless we ask them to do so, because we have to carry out our investigations first before releasing the fund to you. Note that the fund is in the BANK OF AMERICA right now,but we have ask them not to credit your account yet,because we need some proof and verifications from you before releasing the funds.
So to this regards you are to reassure and proof to us that what you are about to receive is a clean money by sending to us FBI Identification Record and also Certificate Of Ownership to satisfy to us that the money your about to receive is real money. You are to forward the documents to us immediately if you have it with in your posession, if you dont have it let us know so that we will direct and inform you where to obtain the document and send to us so that we will ask the bank holding the funds .This Documents are to be issued to you from the place where the fund was transfer from, so get back to us immediately if you dont have the document so that we will inform you the particular place and what it will takes to obtain it in Federal Republic Of Nigeria, because we have come to realize that the fund is transfered from the Federal Republic Of Nigeria. An FBI Identification Record and Certificate Of Ownership often referred to as a Criminal History Record or Rap Sheet, is a listing of certain information taken from fingerprint submissions retained by the FBI in connection with arrests and, in some instances, federal employment, naturalization, or military service. The United States Department of Justice Order 556-73 establishes rules and regulations for the subject of an FBI Identification Record to obtain a copy of his or her own Record for review. The FBI's Criminal Justice Information Services (CJIS) Division processes these requests to chek illegal activities in U.S.A. An individual may request a copy of his or her own FBI Identification Record for personal review or to challenge information on the Record. Other reasons an individual may request a copy of his or her own Identification Record may include international adoption or to satisfy a requirement to live or work in a foreign country or recieve funds from another country (i.e., Certificate Of Ownership, letter of good conduct, criminal history background, etc.)
THESE CONDITION IS
VALID UNTIL :
11TH OF JUly 2008 AFTER WE SHALL TAKE ACTIONS ON CANCELLING THE PAYMENT AND THEN CHARGE YOU WITH THE FOR ILLEGALLY MOVING FUNDS OUT OF NIGERIA . GURANTEE :
FUNDS WILL BE RELEASED ON CONFIRMATION OF THE DOCUMENT. :DOCUMENTED PROOF OF OWNERSHIP TELEGRAPHIC TRANSFER CENTRAL BANK OF NIGERIA VIA CONSULER SERVICES AND UNITED NATIONS, N.Y. U.S.A. 011335463820++ 22654 CBBANK NG 421044 AMBANK ++ DOCUMENTED PROOF OF OWNERSHIP ------------------------------------------------------------------------------------------------------------------------------------------------ -1 SW78 A67432 FILE- 11.9.2002 512. 21 41** Message PIN code No.. (CA \34209XXG) NGLG CD GBXXO SECA /# ORDER : CBN A/C # 700690695 FINAL TERMINAL: US GOVERNMENT BANKING : BANK OF NEW YORK, NEW YORK-N/Y ACCOUNT OFFICER : UNDETERMINED TELEPHONE#: +4470*** **** FAX#: +443011 *** **** FOR FURTHER CREDIT TO : CONTRACT VALUE : $10.5 Million CONFIRMED A/C #: FEE: ORIGIN PAYMENT US $ AUTHORITY CODE: UNCN/7468 EXECUTIVE INSTRUCTION: DO NOT FRAGMENT FUND. TEL: SECURED FINAL TERMINAL TOTAL: US$ (10.5 MILLION) FAX: SECURED VALUE DATE: 07-11/-08 FINAL INSTRUCTION: 60F CREDIT PAYMENT INSTRUCTION: IRREVOCABLE CREDIT GUARANTEE 61E BENEFICIARY HAS FULL POWER WHEN VALIDATION IS CLEARED 62 BENNEFICIARIES BANK IN U.S.A. , CAN ONLY RELEASE FUNDS- 62 UPON CONFIRMATION FROM THE WORLD BANK/UNITED NATIONS. 64 BEARERS MUST CLEAR BANK PROTOCOL AND VALIDATION REQUEST --------------------------------------------------------------------------------------------------------------------------- NOTE: We have asked for the above documents to make available the most complete and up-to date records possible for the enhancement of public safety, welfare and security of Society while recognizing the importance of individual privacy rights.. If you fail to provide the Documents to us, we will charge you with the FBI and take our proper action against you for not proofing to us the legitimate of the fund you are about to receive.
Recently I across this interesting and helpful article in relation to computer forensics. A must read for lawyers and other professionals that are involved in litigation, discovery and investigations and even corporate decision makers.
Having been active in this field in both the Netherlands and New Zealand, I know for a fact that some of the issues considered in this article are very spot on. At the same time the legal development of computer forensics appears not to be as hot an issue in New Zealand, compared to for instance the USA.
In my view however, it is always better to be safe than sorry and more than once I have been wondering why parties (including their lawyers) have been taking risks in this area by introducing (in my view) indefensible evidence or evidence that could well have been disputed. Maybe I am overly concerned.
Searching for clues? Here's how to investigate and use digital forensics and e-discovery tools
by Mary Brandel,
June 04, 2008
Digital forensics tools are intended to help security staff, law enforcement and legal investigators identify, collect, preserve and examine data on computer hard drives related to inappropriate and illegal activity, such as cybercrime, e-mail and Internet abuse, fraud, financial mismanagement, unauthorized disclosure of corporate information, intellectual property theft, and so on. Increasingly, these tools are also being applied to e-discovery efforts related to civil litigation and regulatory compliance.
Forensics tools are often confused with other classifications of tools, such as incident management, e-discovery and data recovery. [For a quick look at the major forensic software providers, see The Usual Suspects.] But while they can be used for those purposes, the difference is that they abide by formal evidence processing protocols such as maintaining a chain of custody and avoiding the alteration or compromise of evidence, enabling any findings to be successfully used in a court of law.
In short, while you can apply forensics tools to nonforensics work, it can be risky to use nonforensics tools. "If the evidence you've collected is not defensible in court, you've severely limited its later applicability," says Jay Heiser, research VP and analyst at Gartner.
Digital forensics tools generally provide three main capabilities: Acquisition/collection/preservation: Make a sector-by-sector copy of the hard drive and run checks against those images to verify it's an exact copy of the original. Search/analysis: Identify, analyze and keyword-search all relevant data, including deleted, encrypted, hidden, protected and temporary files, as well as virtual memory, application settings, printer spools, etc. Some packages can also detect which Web ports are open and which processes are running. Reporting: Create a detailed report, including a full audit log. This can help address compliance with Sarbanes-Oxley and other regulations.
The 800-pound gorilla of digital forensics is Guidance Software, which released its EnCase Forensic software in 1998. However, most investigators work with a variety of tools, and there are many commercial and open-source tools and utilities available, from suites to specialized point products. Main competitors are AccessData's FTK and AD Enterprise; Paraben Software's P2 suite; and Technology Pathways' ProDiscover suite. Others include New Technologies' suite of tools, X-Ways Software Technology's WinHex utility, StepaNet Communications' DataLifte and ASR Data's Smart utility. On the open-source side is Sleuth Kit and E-fense's Helix.
In addition to forensics tools geared toward hard-drive contents, two other types of tools are often used in conjunction with forensics (or e-discovery) work, according to Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference. For instance, there are "survey tools" that report on exceptions to preconfigured thresholds, including intrusion detection tools, e-mail and log analyzers, Web proxy reporters and network traffic analyzers, he says. In addition, "sliding-window" systems observe the behavior of a system over time, including network monitoring tools such as those from NetWitness, Niksun, and Sandstorm Enterprises.
George Socha, founder of Socha Consulting, compares digital forensics to woodworking. "No one tool will build a piece of furniture," he says. "Same here—what tools you use depend on what objectives you have in mind."
Key Decisions Should you use a service or buy software? There are hundreds of forensics service providers, including many of the vendors that sell forensics tools. So the question becomes whether to outsource this work or invest in software. It stands to reason that if you anticipate several incidents per year or are in an industry with heavy governmental regulations, it may be worth investing in an in-house solution, especially if you can also put the tool to other uses, such as e-discovery, data recovery and incident management. According to Gartner, by 2010 the most litigious companies in financial services, energy, utilities, pharmaceuticals and high-tech will decrease their spending on outsourced e-discovery services by 75 percent and increase their enterprise software spending by 100 percent.
For Affiliated Computer Services, it was less expensive to purchase AD Enterprise than to hire outside help because the software enables the company to respond more quickly to requests, according to Curtis Gatterson, director of digital forensic and e-discovery support at the company. With 58,000 employees in the U.S., the centralized collection network helps him provide litigation support and respond to internal inquiries into policy violations or complaints related to privacy or ethics. "Any Fortune 500 company is going to constantly have inquiries," he says. "With the amount of cases we process a month, it would be five to 10 times the cost of what we spend with our more proactive approach."
Should you buy single-workstation software or a tool that works over the network? Traditionally, investigators used manual forensics tools, requiring them to be physically present at the workstation from which they were extracting data. However, more vendors now offer software that works over the network, using remote agent technology to preview and collect evidence without users being aware of it. "It's much more efficient than sending someone to every single office that might be involved in a discovery request," Heiser says.
Network-based solutions are more expensive but should be considered by large or distributed environments. For instance, Gatterson upgraded to AD Enterprise after using EnCase Forensic, Access Data's FTK and other tools for many years. Previously, "we had to put folks on a plane to do collection, which was resource-intensive and time-consuming," he says. Now, from a central location in Dallas, he can log in to the network, do some quick searches and identify the inquiry subject within a six-hour period.
Are you purchasing the tool to do more than forensics work? According to John Patzakis, vice chairman and chief legal officer at Guidance, customers are increasingly justifying the cost of its EnCase Enterprise product by targeting it not just at forensics but also at e-discovery. "They realize they're spending $30 million to $40 million on outsourcing their e-discovery function and another $10 million to $20 million in investigations, so the business case is more compelling when they combine [the two processes]," he says.
Both Guidance and Access Data offer an e-discovery module that automates keyword searching around the network to look for relevant documents in pending civil litigation suits or for regulatory compliance.
"If you're trying to collect all the files having to do with the XYZ merger, you may or may not need to do that in a forensically sound way. But, it's tough to make that decision, which is why many companies are simply buying products like EnCase," says Jason Priebe, Of Counsel in the Chicago offices of Seyfarth Shaw.
Evaluation Criteria for Digital Forensics Software Here are some key criteria to include in your search for the best tool: Courtroom admissibility. If there's any chance of needing to use the evidence you collect in court, you should look carefully at which tools have been tested in a courtroom and how much success they've had there, according to Rhodes-Ousley. "One of the most important factors to keep in mind is courtroom admissibility of evidentiary data," he says.
EnCase is not the only tool to fit that bill, but because it's used extensively by law enforcement, it's gained a lot of familiarity with judges, Priebe says. "It's stood the test of experts challenging its sufficiency," he says. "It's a little harder when you have to have the IT person saying, Let me tell you how the tool works."
Ability to preserve only relevant data. Some tools enable you to reduce the volume of data you preserve by filtering out certain types of files such as executables. Or you might be able to narrow down data by using keyword searches or context searching capabilities. "It's not the blunt instrument that grabs everything and then you sort through it later," Priebe says. "You can stage it on the storage device and de-duplicate it right then and there." E-discovery costs rise quickly during the attorney review stage; "Getting data from 2 terabytes to 5GB can save a company millions on one case," Patzakis says.
Case management capabilities. Especially when running multiple investigations, it's important to maintain a record of your activities, as well as all the data objects associated with each investigation.
Integration. Many vendors have worked to integrate their tools with other software that aids in forensics work, such as incident management, e-mail analysis, decryption tools, password-recovery tools and so on. Other vendors offer preintegrated modules that extend a tool's capabilities into areas such as e-discovery, password analysis, e-mail analysis and incident response.
Digital Forensics Dos and Don'ts DON'T confuse e-discovery with forensics. Some vendors of forensics suites are marketing their tools for e-discovery because, in fact, the steps involved with forensics work are actually subsets of the e-discovery process, as defined by the Electronic Discovery Reference Model. The EDRM defines forensics as encompassing identification, preservation and collection—three steps of its overall model, which also includes information management, review, analysis, production and presentation. Vendors such as Guidance and AccessData also sell e-discovery modules.
When using an e-discovery module, the tool doesn't make a full bit-by-bit copy of the entire hard drive, explains Socha; instead, it uses a keyword search function over the network to locate relevant files in specific folders or drives, he says. This enables the scan to happen much more quickly, according to Patzakis. "It can scan 500 computers in three or four days, which would take three or four months with EnCase Enterprise," he says.
But while forensics tools can perform e-discovery work, Priebe and others discourage users from doing the opposite—using nonforensics tools for forensics work. "There are plenty of companies that think if you use something like Norton Ghost or the WinZip file utility that it's an adequate job," Priebe says. "And it may be, but not against a more skilled opponent who starts questioning the adequacy of what you did in court."
DO train staff before using these tools. The process related to a forensics investigation is more important than the product you use, Gartner says. And you can't just learn it on the job—you need to undergo formal training. "There are always stories of clients who say, I've captured the data; now you tell me what happened," he says. "But at that point, the admissibility of the data in a court of law might be totally gone."
"People will, in good faith, think they're using a tool and following a process that's appropriate, but they're not sufficiently informed sometimes," Socha says.
DON'T forget PDAs. With increasing use of handheld tools, chances are you'll someday need to investigate data held on a PDA or cell phone. Software that supports PDAs include Palm DD, Pilot-link and Palm OS Emulator, all open-source software; PDA Seizure from Paraben; and Guidance's Duplicate Disk utility.
DO prepare for sticker shock. EnCase Enterprise Version 6 starts at $25,000. You can spend considerably less by purchasing a workstation-based tool, a less scalable remote-collection tool or one that limits its feature set, for instance, a tool that's strong in forensics data collection and not internal policy and compliance investigations, or one that eliminates the analysis and reporting capabilities.
"Other methods are great for smaller cases, but when many computers are involved or it's a serious criminal matter involving something like the SEC, EnCase is the gold standard," Priebe says. "You don't want to cut butter with a chainsaw, but sometimes you need a chainsaw."
Others contend you can get similar functionality for far less. Gatterson says it cost him about $2 million to implement AD Enterprise, about half what he would have paid for EnCase Enterprise.
DO expect to use more than one tool. Although the trend is for software vendors to try to be a one-stop shop, most investigators use more than one tool. In fact, NIST compares forensics tools to a Swiss army knife, where many tools specialize in certain functionality that needs to be augmented by others.
