Personal Computers and Other Devices – Following the Bread Crumbs May Lead to a Successful Cross Border Asset Recovery Effort
Written by: Michelle Campbell
AlixPartners, LLP; Los Angeles
Successful cross border asset protection and recovery efforts involve the right combination of accountancy based investigative methods, business intelligence and forensic technology expertise. This article addresses the third piece of that investigative puzzle – digital forensic methods being utilized when bank secrecy and other difficulties present barriers to collecting your evidence.
The simple proposition is this: People like to monitor their money and assets, and the primary way they do that these days is through the use of their personal computers and the Internet. A person’s computer and other devices are treasure troves in an asset tracing investigation. Information gleaned from those devices can tell you where the money and assets are hidden. Forensic techniques in connection with personal computers and other devices are particularly critical when assets are hiding with Caribbean basin financial entities that are notorious for bank secrecy.
Barriers to Obtaining Critical Evidence
People who want to conceal assets typically attempt to hide them in jurisdictions with strong bank secrecy laws, which present significant barriers to trustee and investigator recovery efforts. If you look at the way people conceal their assets, many of those methods involve an offshore component. For example, people conceal assets by:
- laundering money through off-shore banks;
- transferring assets to shell corporations or to people within their control;
- establishing discretionary and off-shore trusts;
- establishing (and making large payments to) insurance policies;
- dissipating funds by paying down mortgages and other assets held by people within their control;
- securing safety deposit boxes
The mechanisms set forth above had to have been established somehow. Research had to have been done to determine available banks, countries, etc. Professionals had to be consulted concerning available strategies. Perhaps someone needed to travel to the jurisdiction in which the assets now reside. Regardless, it is highly likely that at least the initial research was done over the Internet from a personal computer. Perhaps emails were exchanged through personal email accounts. Better still, perhaps that research was conducted through the use of an office computer that resides on a large server.
The above issues/questions present a perfect opportunity for a personal computer and device investigation. By conducting a digital forensics investigation, you will get answers to questions like:
- With whom were they communicating?
- Are they operating under an alias?
Do they have a business name or corporation to funnel data and assets under another name?
For example, in one fraud investigation, forensics experts recovered deleted e-mail messages from one of the suspects to his investment broker, which recovered attached copies of his portfolio statements. The forensics professionals also identified e-mail message traffic between the suspect and a Caribbean resort developer, where the suspect was having a multi-million-dollar home built. Along with this e-mail traffic, the experts recovered copies of loan application documents, which listed the suspects declared assets and liabilities. All of these documents were provided to a forensic accountant, who used them to structure a detailed Net Worth analysis for the suspect to document that much of his income came from unknown sources.
Piecing together answers to the questions identified above through the use of digital forensics may lead you down a winning path to asset location and recovery. Thus, in addition to trying to obtain information from private off-shore institutions, think about how you could be on a parallel track of gathering critical evidence about whether the above transfers occurred by conducting a forensic search of the personal devices of the target individuals and their associates. You may not find the smoking gun, but you may glean critical information that could form the basis for an injunction or else aid your recovery efforts.
The Investigation and the Use of Forensic Tools
Likely Data Stores and Devices You Want to Access
As noted above, people like to keep track of their money. They keep track of their money through programs on their personal computers, monitoring their bank accounts over the Internet, etc. Personal computers are the obvious place to look, but critical evidence can be stored in many places, including:
- computer hard drives
- telephones (speed dial and caller ID information)
- fax machine transaction records
- USB “thumb” drives
- optical media such as CD-Rom or DVD disks
- backup media
- on-line storage services
- off-site archival services
- shared network drives
- external hard drives
- cell phones or Personal Digital Assistants (Treos and Blackberries) capable of containing email or text messages
- Internet activity
- contact lists
- digital camera images
- digital still and video cameras
- network servers that contain logs related to Internet activities, and
- personal email and instant messaging accounts.
As counsel or trustee working to recover or protect assets, you should think about ways in which you could immediately secure the devices described above from the target individuals as well as their associates and families, and conduct a forensic search for clues that can help you connect the dots.
Digital Forensics and What it Entails
Digital forensics combines elements of law and computer science to collect and analyze electronic data in a way that could be admissible as evidence at trial. Data that is not captured in a “forensically sound” manner may be spoiled for use in trial. Capturing data in a forensically sound manner allows you to create a comprehensive snapshot of electronic media that will show the state of the data on a specific date and time, which can be critical to determining if, where or when a particular event occurred. In short, evidence that may otherwise be missed can be uncovered by utilizing forensic tools and techniques that search every place where a custodian may store data, like the data stores set forth above.
Depending on the needs of the situation, forensic tools and techniques can:
- Recover deleted files or email messages;
- Recover fragments of data, even if a portion of the original has been permanently deleted;
- Identify and capture relevant data saved on external data storage devices;
- Capture and search data from cellular telephones and personal digital assistants;
- Capture and analyze instant messaging traffic;
- Analyze Internet history and recover images of web sites visited
The Deleted File Question
If you are not a digital forensics expert, you might assume that files have been deleted and there is no point in searching the “data stores” described above. Not true. In fact, in most situations, data on digital media is not permanently deleted until other data is “written to” that storage location. In plain English, that means that new data must be created before old data can be permanently replaced. So if there is any room left on the computer’s hard drive, which is the case in all but rare circumstances, a file can be “undeleted” and recovered from a Windows Recycle Bin by forensics experts. In fact, digital forensics tools can be utilized to search an entire hard drive or other item of digital media to recover files, e-mail messages, or fragments of files that were previously deleted.
The above explanation will carry the day when your fraudster is more of an amateur, but what about some of the more sophisticated fraudsters who have read this article and are more focused on covering their tracks? Well, you might be surprised to learn the a forensics expert utilizing the right tools can actually recover files and other information that has been “deleted” from the computer using even the most sophisticated file deletion software. A popular product is the “Window Washer” program that purportedly rids personal computers of unwanted or incriminating files. There are a few things to consider with respect to such “metadata cleansing” software:
First, most people do not have this software.
Second, even if they do have this software, it is likely that they either do not use it, or do not know how to use it correctly. Accordingly, even where such programs have been used, a solid forensics expert will likely be able to recover the washed files, provided there is still unallocated space on the hard drive, as described above.
Tips and Tricks Concerning Digital Forensics in the Off-Shore Context
Here are some tips and tricks to consider when you are trying to put the pieces of the puzzle together in connection with an investigation concerning concealed assets:
- People like to track their money. A personal computer or other device can provide many critical clues;
- Even if people have off-shore accounts, it is likely that they are checking them through the Internet. Through the use of forensics tools and techniques, you can track Internet activity and history.
- People like to protect their information. Forensic tools and techniques can “crack” files that are password protected.
- Looking at the bigger picture, it makes sense to have someone with data analytics expertise on your team to partner with the forensics experts to help decipher what could be thousands and sometimes millions of records that might seem duplicative at first glance. You might be surprised to learn that some data analytics on those records could produce answers to questions you didn’t even know to ask.
- Civil investigations are often preceded by criminal investigations, which can present a host of problems in terms of evidence-sharing. There may be none. Accordingly, the more creative you can get with accessing devices the government may not have accessed, the more information you’ll get. It might also work to offer to host their data in a secure manner. We’ve seen that work in case in which the government did not have the resources to host the data in a searchable format.
- Where personal home computers are not available, do not forget about work computers. People track their personal information while they are at work. Whether a search of the company’s records will turn up any useful evidence depends upon the company’s level of cooperation and how the company’s Information Technology platform is set up. For example, it is hit or miss as to whether the company will have a firewall or maintain Internet usage logs. Most companies have firewall but do not activate logging capability. Regardless, this is an avenue worth exploring.
- While you should try to obtain records from third party providers such as Yahoo, Google and AOL, keep in mind that such third party providers either do not maintain transaction records, or just do so for a very short time.
- Be very careful about taking a target’s personal device or computer. If this is not done correctly in accordance with proper orders and procedures, the evidence may not be admissible at trial.
Digital forensics in the context of personal computers and devices can augment an investigation when bank secrecy laws or government investigations are preventing the discovery of critical evidence. It is still worthwhile to go down the path of attempting to discover information from financial institutions. But you should cast a wide net and ensure that your investigative strategy considers that people keep their assets in places other than banks, including real estate and brokerage accounts. Try including digital forensics as part of your strategy in your next investigation. After all, there are realizable benefits for casting a wide net and adopting strategies that include the use of every available remedy and technique.