CFE Exam Quiz 32

Textual analytics is a method of extracting useful information from unstructured text data using software. Linguistic technologies and statistical techniques are used. Text analytics tools can identify data to expose fraud-related trends and relationships.

Investigator is going to want a list of keywords for fraud that are likely to point to suspicious activity. The list would rely on the industry, the fraud schemes and the data available to the fraud examiner. When constructing a fraud keyword list, the factors listed in the Fraud Triangle are helpful. Remember that someone in the company being investigated may be able to commit fraud, be under pressure to commit fraud, or be able to rationalize fraud committing.

Most people commit fraud because they are driven to take something that has happened in their lives. Maybe they have to hit a certain target to qualify for a reward based on performance or may be they are in debt. Pressure-related keywords include deadline, goal, difficulty, low, question, and concern.

Emotional Tone Analysis is a way to discover fraud clues concealed in text by taking into account the emotional tone of correspondence between employees. A fraud investigator must recognize messages that are negative, shocked, confidential or worried. This needs the use of sophisticated software and a thorough understanding of legal environment of employee rights and workplace searches and until pursuing these methods, they must consult with technical and legal experts.

Visual Analysis represents data through graphs, maps of heat, diagrams of links, charts of time series. The utility of visual representations is improved as the size and sophistication of information increases. Visual analytics draw on the innate ability of humans to consume more data in visual rather than numerical form and more readily interpret certain patterns, shapes and shades. Effective visuals can translate multidimensional data like frequency, time, and relationships into an intuitive picture by using mathematical techniques to evaluate patterns and outliers.

The heat map is a graphical representation of the data in which the individual values contained in the matrix are represented as plots or colors. They are not commonly used in fraud detection, heat maps are an important visual method in performing a fraud risk assessment for internal auditors and risk management teams. An organization’s susceptibility to various fraud schemes is measured by plotting their probability and context on a heat map.

A tree map is a type of heat map that divides rectangular space into regions and then divides each region again for each hierarchical tier. The size and coloring of the rectangles help the user to identify patterns in complex data. Tree maps ‘ hierarchical structure will expose multi-faceted information faster than spreadsheets, bar charts, or line graphs.

Fraud examiners use the link analysis software to create visual representations of data from multiple data sources using charts with line connections. Indirect relationships and multi-degree separation relationships can be defined with the help of Link Analysis.

Link analysis is especially useful in conducting a money laundering investigation because it can monitor money positioning, layering and integration as it passes between unknown sources. A fictitious vendor (shell company) scheme could also be detected. The investigator could map visual links between a variety of entities that share an address and bank account number to reveal a fictitious vendor created from a company to embezzle funds. Associate communication with events and individuals to expose links, such as email, instant messages, and internal phone records. It can also demonstrate complex networks (including social networks).

Visual analytics depict correlations between different data types and their corresponding geographical location in a Geospatial analysis. It helps to uncover a hidden relationship or unknown trend, such as those in a corruption scheme or bribery. Timeline analysis software helps fraud investigators turn their data into graphical timelines. Timeline analysis allow the examiners of fraud to:
 Highlight key times, dates, and facts.
 More readily determine a sequence of events.
 Analyze multiple or concurrent sequences of events.
 Track unaccounted for time.
 Identify inconsistencies or impossibilities in data.

The software for data analysis should have the following minimum requirements:
· Import / export capabilities of software: how easily is data imported / exported given the data format and structure.
· Visualization of data: how easy is it to transfer the data from a table to a chart for analysis and interpretation?
. Search for suite of tools: He should select the most suitable set of tools based on his available data and then select the software best suited to his current and future needs.

Ken Collier and his colleagues set up a framework for data mining software evaluation. The framework has divided the criteria into four areas:
· Performance: The ability to manage a number of data sources refers to performance.
· Functionality: Functionality applies to the program’s range of features, technological approaches and data mining techniques.
· Usability: Usability refers to the conformation of different user levels and types without compromising usability or usefulness.
· Support for additional activities: support for additional tasks allows the user to perform various tasks supporting data mining.

Regulators may want to review the controls of the company at some stage and may find it difficult to navigate an in-house system compared to standard commercial options. Depending on how difficult the program is to understand, labor turnover can cause significant disruption. Apart from unnecessary costs, an organization-free platform will either fail to detect the transactions it needs or return too many false positives.

If an entity intends to use a consultant in data mining, it should evaluate the following qualities:
. Innovation: Check how the individual keeps himself up-to-date. In your field of inquiry, search for professional associations, journals, and training.
• Creativity: Can individuals work in a creative setting, such as fraud intelligence? Can the individual work unattended and be expected to yield results? He should also think about why and how a fraud might have occurred.
• Experience: Does the individual have experience in the type of investigation that will be conducted? Does the individual have experience with the kind of software / tools that will be used in the course of the investigation?

Digital investigation is work involving applicable digital data processed or stored by digital devices — devices that process data in the form of numbers (digits). It is possible to use digital devices to connect with others, build documents, access online data, enter online data, and store information. The investigator conducting an investigation into a crime involving a digital device is not necessary, and should not be, the forensic investigator in most cases.

Digital forensic experts are capable of analyzing digital media at the hexadecimal level, which ensures that all sectors and bytes in those sectors can be displayed on a device. Digital forensic experts can, therefore, retrieve information from deleted files, both those that have been deleted deliberately and those that have been inadvertently deleted. Digital forensic experts can also recover temporary auto-saving files, print-spool files, deleted emails, and deleted link (shortcut) files, and work with hexadecimal level data.

Operating and file system experts: these experts are knowledgeable of certain operating systems (e.g., Windows Vista, Windows 7, Windows 10, Ubuntu, and OS X) and the different file systems they use (e.g., Joliet, NTFS, FAT, VFS, Ext2) and are capable of conveying operating characteristics and analyzing artifacts.
Experts in documentation and retrieval of archives: these are experts in extracting information from recordings, digital media or other backup systems. Backup technologies usually store data in proprietary formats, making recovery very difficult.
Experts in intrusion and malicious code: These experts are trained in the analysis of intrusion into the computer network. Specialists may evaluate the dimensions of the attack, the methods used, what happened during the entry, and what was taken, if anything.
Experts in data recovery: These experts operate clean rooms designed to extract information magnetically from a source of damaged content. Such experts can disassemble a hard disk using special tools and equipment, remove the platters, and retrieve and reassemble the data for further analysis.

Digital evidence is data that can be used to prove something, stored or distributed in binary form (i.e., those and zeroes). The proliferation of digital technologies has created new technical possibilities for almost all types of fraud. Consequently, in almost all fraud tests, fraud examiners must gather some form of digital evidence. Computers themselves can be the targets of crime. It is also possible to use computers to facilitate criminal behavior. When this occurs, the computer is referred to as the criminal tool or instrument.

Digital data is more fragile than tangible information because more quickly than tangible records can be changed or lost. Digital data is, by design, fragile and short-lived in nature. It can be easily deleted or manipulated.

Spoliation is broadly defined as an act of deliberate or careless destruction of litigation-related documents. Failure to preserve the integrity of digital evidence may result in evidence being considered inadmissible in a legal proceeding or may not be given much weight, even if accepted, since evidence of doubtful authenticity does not provide reliable evidence.

When looking for digital evidence, searching becomes a task as data is stored in large volumes and in a number of different locations. The fraud examiner must know the location in computer system, phones or any other devices where he can locate information or any related data might be useful for the case.

The correct methods of detecting the use of steganography are:
-Visual identification by searching for jpeg, bmp, gif and other image files.
-Check for audible anomalies in wav, mp3, mpeg and other media files.
-Statistical detection by deciding if the statistical properties of the files are different from the expected standard.
-Structural detection by looking for structural oddities that do not suggest manipulation.

Every operating system produces logs of events, files that record activities, or transactions on a computer. In addition, for each event or transaction occurring on any computer, a log entry is made, and therefore there are numerous types of event logs. Some common types of logs include system logs, application logs, and security logs.

Any suspected workstations, including any peripherals or other portable media devices that may be used for data transmission or processing, should be examined. A peripheral device is an external device attached to a host computer, but not part of it.

Cloud storage refers to information that is stored by an online available third-party host. The cloud can save on hardware, software or licensing fees, and cloud services provide a cost-effective alternative to IT infrastructure development. The cloud also improves accessibility because users can access the cloud whenever and wherever they want. With cloud computing, organizations can easily scale information technology resources up or down to suit their business needs.

The planning phase ensures that all equipment used in a forensic capacity is legitimate and reliable.
In the privacy issues phase, the fraud examiner must be knowledgeable of the law pertaining to workplace seizures. If it becomes necessary to seize a computer or other device capable of storing digital evidence, the investigator should consult with legal counsel.
In the seizing, acquisition of digital evidence must be secured in a forensically sound manner so that the evidence is not
tainted or destroyed.

Volatile data refers to forensic objects in a flux state that may be lost when power (or network connections, in some cases) are withdrawn from a computer system. Therefore, when volatile data is not obtained live from a suspect computer when the system is shut down or disconnected from its network, it may be altered or lost.

Common sources of volatile data include:
. Random Access Memory (RAM): Recently accessed data, such as data files, recent commands and password hashes, and slack space and free space residual data, are included in volatile RAM data.
. Operating System: It includes incoming and outgoing network connections, login sessions and currently running programs.
. Network device logs: Volatile data includes the logs generated by network gear such as routers and switches in network device logs.

There is a hard shutdown due to power failure. Therefore, a hard shutdown is achieved by unplugging all the computer power and power cables. When the consumer relies on the collection of built-in processes that prepare a computer for shutdown, a graceful shutdown occurs.

Given the benefits of live data collection, it has its drawbacks, including:
· Untrained individuals can compromise the data using live data collection methods.
. A range of tools for gathering live data are not checked.
. There is a lack of established live data collection processes and procedures.

The collection of live data should be taken seriously when:
. At the time of seizure, the suspect uses the machine.
· At the time of seizure, an attack is ongoing.
· Shutting down the computer could result in data being unusable through drive encryption, processes running.