This presentation is intended to raise awareness about occupational fraud, and provide a strong overview of electronic evidence investigations. The course was presented by Jerry Murray, CPA CFE, CGMA and Lance Sloves, CCE & CCME. Jerry serves as the head of the Fraud and Forensics practice at GPP, as well as being a member of the attest team. He is the “go-to” professional on all issues relating to fraud and forensic accounting and has a vast understanding of accounting records, internal controls, asset tracking, GAAP application, financial problem solving, forensic investigations and financial statements. Lance has advised hundreds of businesses and litigation professionals on Computer Forensics, eDiscovery and other technological issues relevant to the practice. He has completed hundreds of examinations globally and forensically imaged over 1,000 computers and devices. Lance has testified multiple times and is qualified as an Expert in the State of Texas in both Civil and Criminal matters, and Federal Court.

1. Occupational Fraud
and
Electronic Evidence
Investigations
Presented by
Jerry Murray and Lance Sloves

2. Learning Objectives
Raise your occupational
fraud awareness
Better understanding of
electronic evidence
investigations

3. Occupational Fraud Defined
 Employee deliberately misappropriates or misuses
company assets for personal benefit.
 “Company assets” is not just cash.
 Growth industry across most all industries.
 How big is it? Think iceberg…..
 The lucky ones are still out there right now.

4. Occupational Fraud Facts
5% of annual revenue lost to fraud
Median loss of $150,000
Average time before detected…18 months
85% of fraudsters are first time offenders
79% displayed “warning signs”
Asset misappropriation most common
fraud
Missing or ineffective internal controls
Most commonly detected by....TIPS!

5. Common Warning Signs
Rarely takes a vacation
Works long or odd hours
Unwillingness to share duties
Spending habits change
Has known financial problems
Complains about inadequate pay
Has unusually close association with a vendor or
customer

6. Common Elements of Fraud
Three common elements of the fraud triangle:
Motive (pressure)
Opportunity
Rationalization

7. Motive
What motivated you at age 20? Today?
Tomorrow?
Personal financial issues (credit card debt)
Addictions (drugs, alcohol, gambling, etc.)
Health issues and medical costs
Divorce
Elderly parent care
Living beyond their means
Greed
“The thrill of the steal”

8. Opportunity
(The Keys to the Kingdom)
Whenever someone can initiate, execute and conceal
an improper transaction.
Giving someone signature authorization on a
checking account without compensating
controls
Allowing employees to make deposits with no
crosschecks
Not reconciling bank statements timely and
accurately
Not reviewing your payroll tax deposits.

9. Rationalization
(aka moral breakdown)
Rationalization for fraud can take many
paths.
I’ll just borrow the money and pay it back…
No one will ever miss it…
I’m not paid enough…
I work hard, I deserve this…
My kid really needs a new cell phone so his
friends won’t make fun of him.

10. What’s wrong with this picture?
Employee can and does:
- sets up vendors and approves bills
- opens the daily mail
- prepares and makes bank deposits
- posts receipts and makes adjustments to the
accounts receivable system
- prepares checks and has signature authority
over bank accounts
- reconciles the bank accounts

11. I’ll just “borrow the money”
General partner embezzled funds from limited
partners (Dallas 2000-2003).
“Borrowed” investors’ funds to support his law
practice and personal lifestyle.
Total loss of $1.5 million….. over four years.
Forensic accountant untangled four years of
transactions across seven QuickBooks general
ledgers and discovered/proved the theft.
Investors sued and won.
Defendant plead guilty to mail fraud, lost
license to practice law, served time and ordered
to pay restitution plus investors’ legal costs.
(rare)

12. “They’ll never miss it”
Claims manager for TPA skimmed refund checks
from hospitals (Fort Worth 2004-2005).
Employee received the TPA’s refund checks from
hospitals and would divert a “few” to her
personal bank account.
Total loss - $100,000 over two years
New internal controls over the refund
accounting process uncovered the
embezzlement.
Fraudster convicted and jailed.
No money was recovered.

13. ”I’m not paid enough”
Office manager of privately owned business
(Dallas 2012-2013).
Wrote extra checks for insurance, utilities and
other suppliers.
Took extra checks and deposited them into her
personal bank account.
Covered cash flow shortfall by not making
payroll tax deposits.
Total loss - $150,000….. zero recovery
Discovered when owner received notices from
the IRS regarding shortage in payroll tax
remittances.

14. Anti-fraud Program
First - Perform a risk assessment.
 “Follow the dollar” - study internal processes from start to
finish.
 What could go wrong, how could it go wrong and how bad?
 Identify where there are short-falls such as no checks and
balances, no physical security or no periodic reconciliations.
 Overall goal = Prevent, Detect and Respond.

15. Anti-fraud Program
Next - Establish internal controls
 Establish controls around the position….not
the person – very important.
 Communicate financial policies and
procedures in writing and establish a fraud
policy as well as a robust anti-fraud
program. (attorney)
 Develop a written Code of Conduct
(attorney)
 Educate not only employees but vendors
and customers about your Code of
Conduct. (tips)

16. Anti-fraud Program
Finally - Monitor and Maintain
• Be diligent in recognizing changes that
impact risk profile (e.g. new location)
• Anonymous fraud reporting (attorney)
• Ethic training – initial and on-going
• A perception of detection can decrease
motive
- conduct surprise inspections
- check the business at odd hours
- test the effectiveness of internal
controls

17. Services the attorney can provide
 Assist with assessing the fraud risk.
 Assist with a written Code of Conduct.
 Provide a fraud tip reporting mechanism.
 “Quarterback” the client’s response.
 Assist with development of a written response
plan for actual, alleged or suspected fraud.
 Get the experts involved very early in the
response process.
 Quickly preserve evidence such as accounting
records and electronically stored information
(ESI).

19. Objectives
• Brief History &
Background
• Mobile Devices
• Collection &
Analysis

20. Mobile Phones Today
•
• Apple has sold over a BILLION iPhones.
• 91% of all mobile internet use is “social” related, i.e. Facebook, Twitter, Four
Square, Snap Chat, KIK, etc. 75% Computer Desktop-Laptop related. &
Uploaded Facebook photos and Videos take up 27%bof upstream web traffic.
• People have four essential items - Keys, Wallet, Money and a Mobile Phone.
• “Nomophobia” is the fear of being without your cell phone of losing your
signal. Take the Test http://www.nomophobia.com/
•

21. Identifiers for Discovery
• International Mobile Station Equipment Identity (IMEI)
– The IMEI number is used by a GSM-LTE network to identify
valid devices and therefore can be used for stopping a stolen
phone from accessing that network.
• Model Number of Device.
• Serial Number of Device.
• Phonescoop www.phonescoop.com

22. Capturing and Recovering Data
• Cellular Smart Phones
– Recovery of Information
• Email, Chat, SMS “text”, MMS, Calendars, Internet Browsing,
Picture and Video Capture, Banking, Games, GPS Locations
and Directions.
• Facebook, Twitter and other Social Media.
• Passwords
• Email Accounts
• Apps information.
– Spyware – Jailbraking.
– User accounts and Data.
– Hidden Apps.
– Specialized Chat Programs

23. Capturing and Recovering Data
• Typically three components are Imaged
– Sim Card
– GSM
– Contains International Mobile Subscriber Information (IMSI)
» Identifies individual subscriber or cellular network.
• Country Code
• Network Code
• Mobile Station Identification
– Possibly SMS messages, contacts or call logs (Not very Likely)
• Past Case used to track back a GPS device on car.
– SD Card
• Pictures, Videos, Files, Apps and other info
– Phone Memory.
• All the good stuff: SMS, MMS, Contacts, Call Logs, App Data, Etc.

24. Capturing and Recovering Data
• JTAG – Advanced Technique or Chip Off
– JTAG (Joint Test Action Group) forensics is an advanced level data acquisition
method which involves connecting to Test Access Ports (TAPs) on a device and
instructing the processor to transfer the raw data stored on connected
memory chips when typical commercial tools won’t image data.
• When is it appropriate to JTAG an evidence device?
When commercial forensic extraction options cannot acquire a physical
image or when a device is logically damaged or “bricked”. The majority of
our JTAG work involve Android phones which are pattern locked and
cannot be bypassed by other means. We also JTAG prepaid cell phone
models (such as TracFone, Net10 and Virgin) which have their data ports
intentionally disabled by the carrier.
• Phone Repair and Imaging is also possible when water, fire damaged, etc.
• Password removal or bypass

25. Capturing and Recovering
• We can also download Windows Backups from
online sources.
• iPhone backups from computers.
• Android backups.
• Blackberry Backups.

26. Data Capture and Analysis
• Cellebrite Mobile Device Forensic Tool
– UFED Ultimate Touch Hardware Device.
– Cellebrite UFED Physical Analyzer Software.
– Imaging, Decoding, Analysis and Report of Mobile
Data.
– Over 14,000 devices.
– Legacy Phones, Smartphones, Portable GPS, Tablets
and even Chinese Devices.
– Prepaid phones.
– Can unlock over 1750 phones.

27. Cellebrite Physical Analyzer Software

28. Cellebrite Physical Analyzer Software
• Additional Identifiable Information
– Last computer iPhone was synced or backup too.
• Phone and Ownership information.
• Database & Data Storage information
– SQL Lite Databases.
– Can identify Photograph & Video Downloads (Porn
and Captured Documents)
– Database Application information such as QuickBooks,
Banking, Facebook, Four Square and others.
– Application Logs.
– Plist & XML Settings.

29. Internet Evidence Finder
Internet
Searches
Deleted Skype
Recovered Deleted Internet History

30. Types of Cases
• Vehicle and Construction Accidents
• Labor and Employment
• Family Law
• Probate
• General Commercial Litigation
• Criminal
– Medicare Fraud
– Terrorism
– Drug
– Murder (lots of these cases)

31. Reports
• Excel
• PDF
• HTML
• Load file creation for Summation &
Concordance, Relativity.
– Others

32. Place Evidence online for Review
• Place all Messaging online for Investigation, Review, Tagging and Production.

33. Daubert-Frye
• Potential issues
– Manual review of Text Msgs or Email date/timestamp
– Test different devices of same make and model.
– Test against different forensic software.
– Compare against carrier phone records.
– Peer Review?
• NIST Testing and error rates.
– Known or Potential error rates.
– Misreporting by software
– Anomalies

34. Conclusion
 Encourage your client to establish an anti-fraud
program.
 Consider how your firm can play important roles in
your client’s anti-fraud program.
 Electronically stored information (ESI) will almost
always be involved.
 It’s critically important to capture the electronic
evidence as quickly as possible.
 Important - get your Forensics and ESI experts
involved early on in the process.

35. QUESTIONS?
Jerry Murray: (214)-635-2519
jmurray@gppcpa.com
Lance Sloves: (214) 498-5666
lancesl@cfiusa.com

36. References
Association of Certified Fraud Examiners – 2016 Report to the Nations on
Occupational Fraud.