Forensic Accounting – the recorded electronic data found on Computer Hard Disk Drives, PDAs and numerous other Digital Devices

First published September 2004

Where is the hidden money for the Creditors in the Bankrupt Estate?

The Importance of Applying Section 521(4) in obtaining the Debtor’s electronic data.

Jack Seward
Rosenfarb Winters, LLC
New York, NY 10016
JSeward@RWCPAs.com or
JackSeward@msn.com

Introduction




A trustee has the duty to investigate the financial affairs of the Debtor and ensure that books and records are properly turned over to the trustee in accordance with Section 704. Furthermore, under Section 521(4) it is the duty of the Debtor to “surrender to the trustee all property of the estate and any recorded information, including books, documents, records, and papers relating to property of the estate, whether or not immunity is granted under Section 344 of this title”. The Handbook for Ch 7 Trustees indicates that “Attorneys and accountants may not be compensated for performing the statutory duties of the trustee” and investigating the financial affairs of the debtor falls within the duties of a trustee “unless sufficiently documented to show that special circumstances exist”. This article will demonstrate the need for qualified forensic accountants with specific computer forensic skills as it relates to the bankruptcy process.

How many millions of businesses and individuals have e-mail, WordPerfect, Word, Excel, QuickBooks, Quicken, Money, and accounting software applications used to record and report on business and personal financial activities? (So did anyone mention keeping a second set of books or off-the-books accounting?) It is almost impossible for unscrupulous Debtors or their officers to escape from the trail of electronic/digital/optical information left behind in today’s digitized business environment.

Indeed this is the digital age, and in the Bankruptcy arena that means the Trustee has powerful resources available to sift through the sand pit of the unscrupulous Debtor. To accomplish this, the Trustee will need the skills of the “eSleuthHound”, the forensic accountant for the 21st Century. The eSleuthHound is cognizant that business operates, and ultimately survives or fails, using digital information. After a failure, the eSleuthHound must be prepared to uncover and recover the Debtor’s e-data from any available data-storage source.

The size of the eSleuthHound should not be important to the Trustee, because in the struggle to decipher the trail of the Pixie Dust the only thing that matters is the size of the fight in the eSleuthHound.

Computer Reality Check

Questions:

1. Let’s assume that when you asked the Debtor at the Section 341 examination if the books and records were kept on computer, the Debtor answered “No”. Did you then ask, “Ok, so how many computers were used in the business during the last six years and where are they now?”

2. Do you have the e-mail and www addresses from all your Debtor cases, including those of the insiders’?

3. In the larger cases, the Debtor often fails to immediately file the Schedules and Statement of Financial Affairs with the Petition, but all on the Creditors’ team can be assured that those Debtors will have used more than one computer in the business.

4. Did the Debtor document for the Trustee exactly how many laptops were used and where they are now?

5. Does the Trustee have a plan to examine the laptop hard disk drive (“HDD”)?

6. Did the Debtor sell or dispose of any desktop systems, laptop computers, PDAs or other digital devices during the two years prior to the filing?

7. Does the Debtor have leased computer equipment containing the business and financial records, including e-mail and word processing files on the hard disk drive (“HDD”)?

8. Inasmuch as the computers are property of the Estate, when the time comes do you as the Trustee plan to sell the computers for fair value before the eSleuthHound makes an examination of the computer hard disk drive (“HDD”), PDAs and other digital devices?

9. Prior to any sale of computers or other digital devices that are property of the Estate, does the Trustee plan to take adequate measures to ensure that no confidential personal and/or financial information resides in the Pixie Dust on the hard disk drive (“HDD”) (information such as credit card, personal identity, employee HR, customer history, financial, banking, and medical info, etc.)? Does the Trustee then plan to have the eSleuthHound first thoroughly examine and then sanitize those hard disk drives (“HDD”) prior to their sale?

Obviously, in any bankruptcy case today, computers and digital devices contain the critical information necessary to obtain the money for the creditors and eliminate abuses of the Bankruptcy Code. Time is all-important and the Trustee should consider attaining access to the Debtor’s Pixie Dust before the Section 341 examination.

Time is not on the Trustee’s side

The Trustee would not want to learn after a case is closed that he/she did not find out that the insiders or employees of an unscrupulous Debtor slipped out the front door with the intellectual property of the Estate on a Microdrive, CompactFlash or HDD.

The ideal situation is for the Trustee to react with observation by the eSleuthHound of the computers and digital devices in place on site, and any hesitation on the part of the Debtor and/or insiders to allow that examination should be considered an indication that the evidence is in jeopardy so long as the devices are controlled by the Debtor. Visiting the Debtor’s facilities is key to finding things like passwords, the data backup schedules, private e-mail addresses, floppy disks, phone numbers and other information that might not be found using traditional techniques.

Exactly what are we talking about?

Promptly examining the Pixie Dust to find where the money went and who has the money now, before it is all gone, are obvious goals for both the eSleuthHound and Trustee.

What will the eSleuthHound do if the Pixie Dust does not contain the story about the Debtor’s financial history and where the money went, and this information cannot be found in any of the electronic memos, documents, databases, spreadsheets, archives, presentations, graphics, accounting programs, or address books? What if this information was not recorded, revised, encrypted, deleted, backed up, copied, saved, pasted, printed and/or stored on the Debtor’s computer HDD or the wide assortment of PDAs that include Palm, Handspring, iPaq, Jornada, Cassiopeia, Clie, Visor, or Windows CE and/or Pocket PC devices?

Suppose the eSleuthHound cannot find the story in the e-mail messages or any of the arrays of other digital storage sources not already mentioned? In that case the eSleuthHound may conclude by deductive reasoning that the insiders have the computers, PDAs or other digital devices with the Pixie Dust, and that the insiders would not then be able to put back the Pixie Dust when that is finally documented. Simply stated the eSleuthHound is relentless in the pursuit of finding the money for the Estate and will continue searching the Pixie Dust for electronic/digital/optical e-clues to the money trail for the Estate.

Information stored on a computer often cannot simply be printed on paper, so having the right skills to attain access to this data is key for any Trustee. Valuable information including names, addresses, passwords, bank accounts, taxpayer identification numbers or other information about the unscrupulous Debtors or their officers can be hiding behind legitimate files on the HDD as invisible attachments. This historical information was thus never visible, unless one knows how to find it. A wealth of information may be discovered in file slack space, and in RAM slack or drive slack space found on the HDD. In addition, most word-processing documents, spreadsheets, database files, presentation files and certain other files contain valuable information, including embedded information about the author, title of the document, actual date and time created, edit or lapsed time, actual date and time modified, file last saved by whom, number of pages, and software program version used. Having this information provided by the eSleuthHound should be any Trustee’s dream. During the examination of the Debtor’s electronic/digital/optical e-data, the Trustee is furnished with detailed, summary and exception reports regarding the investigation of the Debtor’s activities on a regular basis.

How will the eSleuthHound acquire the Pixie Dust?

As Trustee, you will need to ensure that your examination techniques are the best and most accepted in the industry. Engaging the eSleuthHound to create what is called a forensic image (sometimes technically referred to as a low-level bit-stream image) from the Debtor’s computer HDD, digital devices and related media is the first step in maintaining the best practices for protecting the integrity and validity of the Debtor’s digital information. It is important to recognize that the Trustee is not hiring the eSleuthHound to be the forensic accountant, and the eSleuthHound will not examine the Pixie Dust at this time, as this is something that will require court approval. Rather the Trustee would only engage the eSleuthHound to protect the Pixie Dust by performing the acquisition of the Debtor’s electronic/digital/optical information for the Estate until instructed otherwise. The Trustee and/or the Court could always decide to use a different forensic accountant and in that case, the forensic images would be turned over to that forensic accountant.

The chances of the creditors receiving a dividend are improved when the Trustee hires the eSleuthHound to create and protect this electronic/digital/optical information early on. The forensic images will permit the eSleuthHound to assess the Debtor’s activities with a greater degree of completeness and this in turn allows the Trustee to promptly ascertain the location of property of the Estate and the appropriate causes of actions for the Estate. Try as they may, the forensic accountant or others on the Creditors’ team should never use the Debtor’s computers and/or copy its computer files and then somehow hope to find the trail of money. In fact these types of actions likely will only compromise the integrity of the digital evidence in the Pixie Dust.

Why does a forensic image need to be created?

Before the forensic accountant can begin to do an examination of the Debtor’s books and records, the Trustee needs to have a forensic image created of the computer HDD, PDAs and other digital storage sources, producing exact forensic image copies that will be admissible as evidence in court. The “trail of evidence” must be proven unbroken from the Debtor’s digital data sources to the witness stand.

Using forensically sound hardware and software, the eSleuthHound prepares an absolutely sanitized or sterile HDD to receive the forensic image that will be created from the Debtor’s HDD, PDAs and other digital devices. The eSleuthHound will match (bit by bit) the e-data present on the Debtor’s original source HDD, PDAs and other digital devices with the forensic image being created during the acquisition process. As the forensic image is being created, it is sent to the destination drive awaiting verification that both the source and destination drives match. The eSleuthHound is not done until they do match.

During the acquisition phase, the match of the digital information is verified using what is called a cryptographic Hash value. The cryptographic Hash is designed to calculate and produce a digest that establishes that the electronic/digital/optical information does match exactly. A digest is a characteristic number value used for verification of data authenticity. However, digests are more than that, as they are exceedingly strong one-way cryptographic Hash codes, and can be created for a single electronic file or document, or an entire HDD. The digest is a digital signature, an algorithm that is unique and cannot be replicated, just like the fingerprint.
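An added illustration of the hash-verified acquisition described above, not code from the original article or from any forensic product: the source is hashed as it is copied, and the image is then re-read and must reproduce the same digests. The function names and the constructed sample file are assumptions; SHA-256 is recorded next to MD5 (the digest this article names later) because MD5 collisions can be constructed deliberately.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size; the digests do not depend on it


def new_hashers():
    # MD5 is the digest the article names; SHA-256 is recorded with it
    # because MD5 collisions can be constructed deliberately.
    return hashlib.md5(), hashlib.sha256()


def digests(path):
    """Re-read a file (or raw device node) and return its size and digests."""
    md5, sha256 = new_hashers()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            size += len(block)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(image_path, record):
    """True only if the size and both digests of the image equal the record."""
    current = digests(image_path)
    return all(current[k] == record[k] for k in ("bytes", "md5", "sha256"))


def acquire(source_path, image_path):
    """Copy source to image bit for bit, hashing the source stream as read.

    The source is opened read-only. Mode "xb" refuses to overwrite an
    existing image. The returned record belongs in the chain-of-custody log.
    """
    md5, sha256 = new_hashers()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    record = {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    # Acquisition is not finished until the destination, read back from disk,
    # reproduces the digests computed from the source stream.
    record["verified"] = verify(image_path, record)
    return record


def demo():
    """Constructed sample: a 2.5 MiB file stands in for the source drive."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")
        image = os.path.join(tmp, "image.dd")
        with open(source, "wb") as fh:
            fh.write(os.urandom(2 * CHUNK + CHUNK // 2))
        record = acquire(source, image)
        # Simulate a later change to the image: flip a single bit.
        with open(image, "r+b") as fh:
            fh.seek(CHUNK + 17)
            original = fh.read(1)[0]
            fh.seek(CHUNK + 17)
            fh.write(bytes([original ^ 0x01]))
        return record["verified"], verify(image, record)


if __name__ == "__main__":
    verified, still_matches = demo()
    print("image verified at acquisition:", verified)
    print("image matches after one flipped bit:", still_matches)
```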

What is the harm if the Trustee fails to have the eSleuthHound create the forensic image from the Debtor’s computer HDD, PDAs and other digital devices? The Debtor, or the insiders and/or others in an Adversary Proceeding, might allege that the digital information was nothing but some unsupported Pixie Dust and that the information obtained by the forensic accountant for the Trustee from the Debtor’s computer HDD was unsubstantiated and could not be corroborated. Under those circumstances, would the documents supposedly found on the Debtor’s computer HDD by the forensic accountant be admissible when challenged by the Defendant’s eSleuthHound, who made an examination of the Debtor’s HDD, PDAs and other digital devices and will testify that the Trustee and the forensic accountant failed to follow sound forensic practices and did not make a forensic image of the Debtor’s HDD, PDAs and other digital devices?

Would the Debtor, or Defendant(s) in an Adversary Proceeding, under the same circumstances mentioned above, more likely than not prevail if the Defendant’s attorney produced excerpts of deposition transcript(s) taken of the Trustee and the forensic accountant at trial stating clearly that the Debtor’s computer HDD, PDAs and other digital devices were used after the filing of the Petition; the dates shown on the Debtor’s HDD, PDAs and other digital devices changed since the Petition date; hundreds of Debtor documents and files from the HDD, PDAs and other digital devices were used, and neither the Trustee nor the forensic accountants could verify who used those documents, files and programs or why they were used; the Trustee was unable to provide the documents used, created, retained and/or destroyed by the forensic accountants subsequent to the filing of the Petition; the forensic accountants could not identify who had access to the Debtor’s HDD, PDAs and other digital devices; the forensic accountant failed to maintain chain of custody logs for the Debtor’s HDD, PDAs and other digital devices?

The Trustee’s best answer should be that “the Pixie Dust”, the e-data found on the Debtor’s computer HDD, PDAs and other digital devices “was obtained in accordance with established forensic practices; that the eSleuthHound preserved the Debtor’s computers, and the evidence, including the forensic images, has been made available to the Defendant for inspection at reasonable times; and to the best of his or her knowledge the Defendant has not challenged the authenticity of the electronic/digital/optical information discovered and preserved by the eSleuthHound”.

Overall the real cost to the Estate could be enormous if the Trustee fails to authorize the creation of the forensic image copies, and instead allows the Debtor’s computers, PDAs and other digital devices to be accessed by someone who lacks eSleuthHound experience and the skills necessary to conduct a forensically sound examination. One must seriously consider that merely starting up and/or just turning on or off the Debtor’s computer/servers, PDAs and other digital devices may jeopardize the evidence. (So did someone again mention chain of custody?) This would become the shibboleth for the Trustee, because the Defendants’ eSleuthHound can destroy the Trustee’s case as it relates to the electronic/digital/optical evidence.

In those cases in which the Trustee makes a referral to the United States Trustees Office regarding Bankruptcy fraud under the criminal statutes, the forensic images and the resulting e-data discovered will be crucial (one assumes that the forensic images and related digital information would greatly assist the U.S. Trustees Office in dealing with the unscrupulous Debtor).

What about PDAs and Digital Devices?

It is almost a certainty that several new Personal Digital Assistants (PDAs) or other digital devices have hit the marketplace since the completion of this article. However, the more popular ones need to be addressed here as to their characteristics.

PDAs and Hand Held Devices:

Generally the operating systems save information using memory (RAM and ROM) and this includes the Palm, Handspring, iPaq, Jornada, Cassiopeia, Clie, Visor, or Windows CE and Pocket PC devices. Practically all items found on a Palm PDA are saved and stored in databases in some form. It is these database files, the Debtor’s e-data, that the eSleuthHound will recover during the acquisition process of creating the forensic image, including deleted files and the slack space found on the Palm. Windows CE devices save the e-data using methods similar to those found in Windows and this image is sent to the destination drive. The eSleuthHound always creates a forensic image and performs the Hash authentication as the e-data is acquired and once the forensic image is acquired from the PDA, the particular hardware and software specification then becomes available. Since the Debtor’s e-data is stored in memory, it is imperative that the battery be properly charged. If the PDAs were to lose power, the e-data would generally be lost. Most Palm and related PDAs rely on synchronizing with big brother, the desktop computer, but the eSleuthHound will not rely on this method, and it is most important that the eSleuthHound acquire the e-data that was last accessed by the Debtor and/or insider.

Other Digital Devices:

These include, for purposes of this article, CDs, DVDs, PCMCIA HDD, Microdrives, CompactFlash cards, digital hand held devices of every type, and quite literally, hundreds of other electronic/digital/optical storage devices. Generally, if the e-data is stored on a digital device, then the probability exists for the eSleuthHound to acquire, recover, examine, search, and review the information discovered.

When e-data is written to a CD-RW, DVD-RW or DVD+RW and thereafter deleted, exactly what happens to the e-data is dependent on the specific software application being used to create this media. Many of the software applications will add the area occupied by the files that were deleted to the available free space, and that space will not be used until the entire disc has been written to once, and only then will this freed space be reused. It is unfortunate that some of the software for CD-RW, DVD-RW or DVD+RW will immediately reuse the space occupied by the file, but the eSleuthHound will determine the method used and proceed accordingly with the examination of the Debtor’s e-data.

The eSleuthHound will find the orphaned files (when they have not been immediately overwritten) and acquire the e-data still present on the CD-RW, DVD-RW or DVD+RW. Because the most common format used with re-writable media actually writes files in disparate parts rather than contiguously on the disc, searching for deleted files is not a trivial matter. The eSleuthHound will find and locate the Debtor’s e-data that has been deleted on CD-RW, DVD-RW or DVD+RW by searching the entire media source looking for any e-data, including slack space and the contents of deleted files.

Options for the eSleuthHound

The prudent eSleuthHound will make multiple forensic images at the time of the original acquisition of the Debtor’s e-data. The ideal number will vary depending upon the particular facts and information technologies used by the Debtor. In every case the forensic image copies will be identical (just like the fingerprint) to the Debtor’s source HDD, PDAs or other digital devices.

These image copies are normally used as follows:

One forensic image is always kept for safe keeping, remains pristine during the life of the case, (plan on at least six years) and will always agree with the Debtor’s computers as they initially were examined (using the MD5 Hash digest discussed previously), for the Trustee’s protection should any attempt be made to challenge the authenticity of the forensic image;

The other forensic image will be used to recreate the live computer environment of the Debtor’s system during the investigation and this can be used by the Trustee (for example) for the collection of accounts receivable, determining preference actions, fraudulent conveyances, creditor claims, printing Debtor’s hard copy financial reports, spreadsheets, correspondence, memos etc. In addition these “working images” will be used to complete many tasks during the life of the case, such as finding deleted electronic documents and files, locating altered financial records, searching e-mail files, examination of the books and records and issues regarding the confirmation of substance over form issues.

The costs associated with the purchase of HDD have decreased and this approach is economical for the Estate in that it will reduce the administrative costs associated with the e-forensic efforts during the term of the case.

What information will the Trustee gain from Pixie Dust?

The eSleuthHound maintains an extended collection of forensic software tools designed to assist and find the money for the Estate. The eSleuthHound will examine the e-data found on the Debtor’s computer HDD, external HDD, backup media, floppy disks, Zip drives, Jaz drives, tape drives, CDs, DVDs, PDAs and numerous other digital devices from the forensic images created at the beginning of the case, and each of these media storage systems will require specific forensic tools.

Combined Digital DataSource:

The eSleuthHound will typically take all the Pixie Dust (using the forensic image copies) and create the Debtor’s combined Digital DataSource to be used in connection with the examination of the e-data. It is important to recognize that this image is in addition to the forensic image copies previously discussed. The Debtor’s combined Digital DataSource constitutes a complete universe of the digital alpha/numeric indexed text from all sources and this database will contain every word, number, electronic commerce, phrase, business terms, acronyms, passwords, special purpose words that relate to the Debtor’s and/or the insider’s business, addresses, personal and business assets, lifestyle activities, and any and all dates and times that pertain to any document or actions by the Debtor and/or insiders, business affiliates or related parties. Using multi-language support tools, the eSleuthHound will search and locate documents and files that may contain evidence of foreign languages and these will be documented and Bates stamped for further examination. The combined Digital DataSource adds enormous data mining capabilities for the Creditors and during the course of the case the results will continue to evolve and the eSleuthHound will provide the Trustee with meaningful reports regarding the investigation of the Debtor.

The eSleuthHound uses powerful search capabilities, intuitive and fuzzy logic, to conduct unlimited and simultaneous searches of the Debtor’s combined Digital DataSource looking for e-clues from the positive “hits” found in the e-data. This method of searching the Debtor’s entire digital universe of forensic evidence environments could possibly uncover fraudulent accounting activities and point to how and where to find the money.

The eSleuthHound can search the combined Digital DataSource and locate practically anything that exists on Pixie Dust. In summary, what can be defined can be found, and the following are just a few examples:

Find any documents or files for any given date, or any range of dates;
Locate specific types of documents or files pertaining to any select number of days or dates for spreadsheets, correspondence, e-mail, memos etc.;
Locate any document or files based on the original date created, date modified and date last accessed;
Find all documents or files from any source using any number of specific words, phrases, addresses, and/or names or numbers.

Again, because the Trustee had the eSleuthHound create the forensic images, the Debtor’s computer was never used, or turned on during the case.

Viruses:

The eSleuthHound needs to be careful of all e-mail and related attachments, inasmuch as e-mail attachments are the most common method for spreading viruses. Two of the leading Antivirus software programs are used to examine the Debtor’s e-data, inasmuch as one cannot be too careful in protecting the Pixie Dust for the Trustee. Before the eSleuthHound begins to examine e-mail messages, all of the attachment files will be analyzed to determine if their names and/or file types match any known virus (another reason to make additional forensic images).

Recovery of Debtor’s deleted information:

This article does not attempt to comment on the effects of the Sarbanes-Oxley requirements relating or pertaining to electronic document retention and the destruction of financial information for publicly held companies, their respective accounting firms and corporate counsel (Sections 802 and 1102 of the Act). Nor is 18 U.S.C. Section 1020 dealing with fraud and related activity in connection with computers cited in this article. However, that being said, the eSleuthHound experience would benefit the investigation of white-collar crime in any setting.

Most participants in the Bankruptcy process are now aware after the scandals of Enron, Andersen, WorldCom, and HealthSouth etc. that when you typically delete electronic/digital/optical information (documents, files, folders, directories and drives), the computer only marks this information as deleted in the (computer) file system. The deleted e-data, while concealed, does remain on the HDD and will generally only be erased when the section of the HDD that had that information is overwritten with new e-data. All Trustees had better recognize that previously deleted e-data is extremely delicate from an evidentiary standpoint, and that allowing the use (other than by the eSleuthHound) of the Debtor’s computer HDD, PDA and other Digital Devices during the administration of a case will overwrite information on those devices, and that he or she is jeopardizing discovery by allowing this conduct to take place.
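How "marked as deleted" looks on disk, as an added example that is not from the original article: it assumes a FAT file system (the article names none), where deletion overwrites the first byte of the directory entry with 0xE5 and leaves the entry's size, first cluster and the data clusters in place. The directory and data region are constructed sample bytes, and the function names are hypothetical.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5    # first name byte is overwritten with this on delete
ATTR_VOLUME_ID = 0x08
ATTR_LONG_NAME = 0x0F


def parse_directory(raw):
    """Decode FAT short-name directory entries, including deleted ones."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        rec = raw[off:off + ENTRY_SIZE]
        if rec[0] == 0x00:              # 0x00 marks the end of the directory
            break
        attr = rec[11]
        if (attr & 0x3F) == ATTR_LONG_NAME or (attr & ATTR_VOLUME_ID):
            continue                    # long-name fragment or volume label
        deleted = rec[0] == DELETED_MARK
        # The first character of a deleted name is lost; the rest survives.
        if deleted:
            stem = "?" + rec[1:8].decode("ascii", "replace")
        else:
            stem = rec[0:8].decode("ascii", "replace")
        ext = rec[8:11].decode("ascii", "replace").rstrip()
        # Offsets 20..31: cluster high word, write time, write date,
        # cluster low word, file size.
        hi, _wtime, wdate, lo, size = struct.unpack_from("<HHHHI", rec, 20)
        entries.append({
            "name": stem.rstrip() + ("." + ext if ext else ""),
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
            "modified": ((wdate >> 9) + 1980, (wdate >> 5) & 0x0F, wdate & 0x1F),
        })
    return entries


def recover(entry, data_region, cluster_size):
    """Read a deleted file's bytes straight from the data region.

    Assumes the clusters were contiguous and have not been reused: deletion
    clears the allocation chain, so only first cluster and size are known.
    """
    start = (entry["first_cluster"] - 2) * cluster_size  # clusters count from 2
    return data_region[start:start + entry["size"]]


def make_entry(name83, first_cluster, size, fat_date, deleted=False):
    """Build one 32-byte directory entry for the constructed sample."""
    raw = bytearray(struct.pack("<11sB8sHHHHI", name83, 0x20, b"\x00" * 8,
                                first_cluster >> 16, 0, fat_date,
                                first_cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


def demo():
    # Constructed sample: one live file, one deleted file, 512-byte clusters.
    cluster = 512
    live = b"Ledger as produced to the Trustee"
    gone = b"Account 4471 transfer 50000"
    fat_date = ((2004 - 1980) << 9) | (9 << 5) | 15      # 2004-09-15
    directory = (make_entry(b"LEDGER  XLS", 2, len(live), fat_date)
                 + make_entry(b"OFFBOOKSXLS", 3, len(gone), fat_date, deleted=True)
                 + bytes(ENTRY_SIZE))
    data_region = live.ljust(cluster, b"\x00") + gone.ljust(cluster, b"\x00")
    found = [e for e in parse_directory(directory) if e["deleted"]]
    return [(e["name"], e["modified"], recover(e, data_region, cluster))
            for e in found]


if __name__ == "__main__":
    for name, modified, content in demo():
        print(name, modified, content)
```

Once new data is written into the freed cluster, `recover` returns the new bytes instead, which is why continued use of the original drive destroys this evidence.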

Even in the sophisticated corporate setting and using secure methods and adequate document retention policies, you may not get rid of all of the Pixie Dust. The relentless eSleuthHound may still have a chance of finding the e-data that existed even after the Debtor and/or others used these secure methods, because many software programs create numerous temporary files and several versions may still exist with different names and these files may not have been deleted.

The electronic documents may have already been saved or backed up to more than one computer or computer servers and/or tape drives (many times this is done automatically), external HDD, or other media, or possibly be on an individual’s notebook or PDAs, and in those cases the Pixie Dust still exists after the electronic shredding of specific documents and files. Sometimes the e-data has been copied to an individual’s or insider’s personal laptop or corporate computer and numerous “pieces” of documents from other sources may be found, and that does not begin to take into consideration those nagging electronic footprints that are left behind by unscrupulous Debtors or their officers.

In many cases, it is likely that e-data files have been deleted, and the eSleuthHound will recover those deleted files and then Bates stamp those files for further examination. The eSleuthHound will search the recovered deleted files and documents for specific excerpts of text using GREP regular expressions, logical expressions and lightning fast multiple simultaneous text searches of the Debtor’s e-mail messages, documents, and files, including familiar programs that include WordPerfect, Word, Excel, PowerPoint, Visio Drawings, Publisher, Project, Photo Draw, Adobe PageMaker, PDF documents, Text documents, Rich Text Format, HTML, Compression Archives, Multimedia, Databases, QuickBooks, Quicken, Money, Access, MS SQL, Crystal Reports, financial and accounting applications, and Macintosh files just to mention a few. The eSleuthHound will have tools available for the quick search of files with metadata information, providing for the identification of more than six-thousand (6,000) programs, documents, spreadsheets, databases and a monumental list of file extensions if indeed they exist amidst the Debtor’s Pixie Dust.

After the recovery of the Debtor’s deleted e-data, and using the forensic images created to simulate the Debtor’s computer (as previously discussed), the recovered deleted e-data can be added by the eSleuthHound, thus creating a second simulated restored computer. A view of what was on the Debtor’s computer prior to any deletions, and the resulting electronic footprints showing how it all fits, ought to be of enormous monetary value to the Estate (not to mention supporting possible denial of the unscrupulous Debtor’s discharge resulting from the discovery of deleted, concealed and/or falsified recorded information). This additional information source created by the eSleuthHound may provide e-clues that could uncover fraudulent accounting activities and point to how and where to find the money trail for the Estate.

Steganography and Encrypted e-data:

An extensive investigation is made of the Pixie Dust to locate encrypted documents, folders, directories, and drives, on the Debtor’s HDD, PDAs or other digital devices. Once these encrypted files are identified, indexed and Bates stamped it will be necessary to decrypt those files using passwords provided by the Debtor. In addition, it is recommended that the eSleuthHound perform a steganalysis for the discovery of hidden embedded information inasmuch as steganography amidst the Pixie Dust poses a significant threat to the investigation of the Debtor’s e-data. If the Debtor is hiding e-data, don’t you want to know about it?

When encryption and/or steganography has been discovered on the Debtor’s forensic images, the Debtor/insiders and others will be given the opportunity to provide the passwords to the e-data files to save costs for the Estate. In those cases that the Debtor is uncooperative, the eSleuthHound will utilize decryption and steganalysis software to discover and break the passwords and find the hidden information if possible.

Most often encrypted and hidden information will likely provide confidential information that the Debtor, insider or author is concealing, and accordingly this information may provide extensive e-clues that could expose fraudulent accounting activities and point to how and where to find the money. This can be a lengthy process, but it will be shortened if the eSleuthHound has current decryption software available for the task. In addition, the eSleuthHound may want to utilize the services of confidential international decryption experts for the most difficult situations.

E-Mail and Instant Messages:

Sometimes it may be necessary for the eSleuthHound to find, recover and examine extensive e-mail and instant messages that could number from 10,000 to 10,000,000 or more (no limit) e-mail messages from corporate servers, individual desktop/mini-tower computers, laptops etc. Once the e-mail and instant messages are found, it will be necessary to use extraction tools to carve out specific lists of e-mail addresses (removal of duplicates is automatic) and identify the original server that sent the message if necessary. The eSleuthHound has forensic software for filtering and sorting of these messages based on the specific need of the case. In addition, features such as searching for whole words, exact words, case sensitive, ignore case, sounds like, approximately, date or date range, GREP regular expressions, logical expressions, and search parameter commands, are used during the examination of the Debtor’s e-mail and instant messages.

The forensic software tools allow for the identification of the location of attachments to the e-mail message that will generally identify the source of the documents or files, the software application used to create the document, the author of the document and the exact date and time of creating the document or files, including any changes and modification to that document or file. This is most beneficial in examining financial transactions between the Debtor, insiders and/or others to determine substance over form issues related to financial information that may be part of an all-pervasive accounting fraud. Most e-mail programs actually create a database using proprietary programs and this becomes no small task to extract the information from computer servers that contain the databases such as Microsoft Exchange Server. The eSleuthHound will use extraction tools and techniques, in addition to those previously discussed, for the examination of the e-mail messages and the related text from the e-clues contained in them.
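The address carving, duplicate removal, originating-server identification and date-range filtering described above can be sketched with Python's standard `email` package. This is an added example, not code from the article or from any forensic product; the two messages, host names and addresses are constructed, and it assumes the messages have already been exported from the mail store as RFC 822 text.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample messages (not taken from any real case).
RAW = [
    "Received: from relay.offshore.example by mail.debtor.example;"
    " Mon, 05 Jan 2004 10:02:11 -0500\n"
    "Received: from ws12.offshore.example by relay.offshore.example;"
    " Mon, 05 Jan 2004 10:02:03 -0500\n"
    'From: "A. Insider" <Insider@Offshore.example>\n'
    "To: cfo@debtor.example, CFO@Debtor.example\n"
    "Cc: bank@creditor.example\n"
    "Date: Mon, 05 Jan 2004 10:02:00 -0500\n"
    "Subject: wire transfer\n\nbody\n",
    "Received: from mail.debtor.example by mx.creditor.example;"
    " Mon, 15 Mar 2004 16:45:09 +0000\n"
    "From: cfo@debtor.example\n"
    "To: bank@creditor.example\n"
    "Date: Mon, 15 Mar 2004 16:45:00 +0000\n"
    "Subject: Re: wire transfer\n\nbody\n",
]

def unique_addresses(msgs):
    """All From/To/Cc/Bcc addresses, case-folded so duplicates collapse."""
    fields = []
    for m in msgs:
        for name in ("From", "To", "Cc", "Bcc"):
            fields.extend(m.get_all(name, []))
    return sorted({addr.lower() for _, addr in getaddresses(fields) if addr})

def originating_server(msg):
    """Host in the oldest Received header; relays prepend, so it is the last.
    Hops below the first trusted relay are sender-supplied and can be forged."""
    hops = msg.get_all("Received", [])
    found = re.match(r"from\s+(\S+)", hops[-1]) if hops else None
    return found.group(1).lower() if found else None

def sent_between(msgs, start, end):
    """Messages whose Date header falls in [start, end] (timezone-aware)."""
    return [m for m in msgs
            if m["Date"] and start <= parsedate_to_datetime(m["Date"]) <= end]

MESSAGES = [message_from_string(r) for r in RAW]

if __name__ == "__main__":
    print(unique_addresses(MESSAGES))
    print([originating_server(m) for m in MESSAGES])
```

The `Date` header is set by the sender, so a date-range hit should be cross-checked against the timestamps in the `Received` chain before it goes into a time-line.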

Useful Information:

The eSleuthHound provides the Trustee with detailed, summary and exception reports on the Debtor’s activities, insiders, divisions, subsidiaries, brother-sister companies, sales of property, customers, creditors, employees, products, inventory, and for any subject matter, place or circumstances, allowing for the creation of a relative time-line analysis as it relates to any of the above. The true picture of the financial and business activities of the Debtor is to be found on the forensic images and this map and chronology cannot be logically compared to any other examination of the Debtor’s business affairs.

The following is a small example of how the Pixie Dust can assist the Trustee and lead to the discovery of the trail of the money for the Creditors of the Bankrupt Estate.

Some specific Bankruptcy situations:

Discovery of e-clues that could uncover fraudulent accounting activities and point to how and where to find the money, including theft of intellectual property, trade secret, and customer information.
Hidden assets, including the ability to trace individual transactions from start to finish.
Insider transactions, including money and property transfers and complex related-party activities.
Fraudulent conveyances and conversion of assets.
Assisting in solvency and asset valuation.
Discovery of the backdating of vital documents.
Discovery of facts and circumstances relating to issues of substance over form that could not otherwise be documented.
Determining compliance with Section 521(4) Re: Examination of the Debtor’s e-data from all sources
Section 727 abuses and the destruction and/or withholding of computer and electronic/digital/optical information.

What the Trustee should expect from the eSleuthHound

Disclaimer and qualification:
One should take care and consider this section when making the appropriate decision to engage the eSleuthHound for a Debtor case. This list is not intended to be the complete list of the individual steps that the eSleuthHound needs to follow during the examination of the Debtor’s e-data. However, the eSleuthHound knows that the Trustee needs to have some idea of what to expect, and it is only in this regard and not as to completeness, that this list has been prepared.

e-Forensic methodologies:

Dealing with technical aspects of a case, the eSleuthHound must use established sound e-forensic methodologies. The following is a non-exhaustive list of best practices for the acquisition of forensic evidence within the bankruptcy context:

Always document every step during acquisition, preservation and processing of the Debtor’s e-data;
Keep a chronological diary with dates, times, and notes as to the investigation process;
Do not allow the writing of any information to the Debtor’s HDD or digital devices;
Do not rely on write-protection software, and always use write protection hardware;
Sanitize HDD prior to the copying/storage of the Debtor’s forensic image;
Acquire the forensic image using a cryptographic Hash digest value for the Debtor’s HDD and preserve the evidence;
Should the forensic image fail, the destination drive will be wiped (sanitized) before re-use;
Provide for the secure and absolute authentication of the Hash value;
Be prepared to protect and secure the first forensic image for possibly several years including providing for storage and related environmental safeguard and other conditions;
Create multiple forensic images for expanded investigation if necessary;
Restore the additional forensic image to another sterile drive to have a bootable clone;
Use current e-forensic hardware and software for examination of the Debtor’s e-data;
Be prepared for confronting computer viruses and worms early in the case;
Maintain adequate e-forensic software for locating and breaking encrypted information;
Examine all media sources for possible steganography and/or encrypted files, folders and drives;
Search forensic image for hidden disk partitions and disk areas early in the case;
Examine date settings early in the case;
Review possible file backdating early in the case;
Create a time line analysis for the e-data found on the forensic images;
Prepare complete DataSource for alphanumeric index text of the forensic image(s);
Index the Debtor’s combined Digital DataSource for each file type/signature;
Filter e-mail and instant messages by name, subject, key information, text, dates, and multiple addresses;
Create and regularly update the combined Digital DataSource for fast searches;
Use Bates numbers to identify case facts, files, and documents as necessary;
Be familiar with the forensic tools that you are using to gather or analyze digital evidence;
Always gather and analyze the digital evidence in accordance with written policies and procedures, while allowing for flexibility as may be necessary for the individual case;
Do not turn on, start or use the Debtor’s computers, PDAs or other Digital Devices until the e-data has been safeguarded and only after receiving authority to do so.
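Two items in the list above, acquiring the image with a cryptographic hash and providing for authentication of that hash value, can be sketched as follows. This is an added example, not the author's tooling: SHA-256, the HMAC-sealed acquisition record, the key, the file name and the record fields are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large images fit in memory

def image_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def seal_record(path, examiner, when, key):
    """Acquisition record plus an HMAC tag, so a later edit to the
    recorded hash is detectable by anyone holding the key."""
    record = {"image": os.path.basename(path), "sha256": image_digest(path),
              "examiner": examiner, "acquired": when}
    body = json.dumps(record, sort_keys=True).encode()
    return record, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(path, record, tag, key):
    """Return 'ok', 'record-altered' or 'image-altered'."""
    body = json.dumps(record, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "record-altered"
    if not hmac.compare_digest(image_digest(path), record["sha256"]):
        return "image-altered"
    return "ok"

def demo():
    """Run the three cases on a constructed stand-in 'image' file."""
    key = b"constructed-demo-key"  # assumption: stored apart from the evidence
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "debtor_hdd.img")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sector data")
        record, tag = seal_record(img, "examiner-1", "2004-09-01T09:00:00Z", key)
        results = [verify(img, record, tag, key)]
        forged = dict(record, sha256="0" * 64)   # the logged hash is edited
        results.append(verify(img, forged, tag, key))
        with open(img, "r+b") as f:              # one byte of the image changes
            f.write(b"\x01")
        results.append(verify(img, record, tag, key))
    return results
```

Calling `demo()` returns the outcome for an untouched image, an edited record and an altered image, in that order.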

Note: Each Debtor case needs to be tailored to the facts and circumstance related to the information technologies used and this cannot necessarily be pre-fabricated. Every circumstance needs to be examined on a case-by-case basis.

Forensic Software

The eSleuthHound can get to the Pixie Dust, the Debtor’s e-data, using many different and alternative approaches to solving a given problem, because most complex situations are never exactly the same and the eSleuthHound believes in being prepared to handle the next hurdle to find the e-clues.

In summary, the eSleuthHound should have an extensive eForensicWorkbench of hardware and software and may have been involved in the design of some of the hardware and/or software.

Comment to all Trustees

Most eSleuthHounds would generally welcome the opportunity to talk with Trustees about how to help the Estate and find the money due creditors. As a suggestion, the Trustee should always engage the services of the eSleuthHound if she or he does not know everything about the Debtor’s electronic/digital/optical information.

Again, if you the reader cannot retain anything that has been stated up to this point, just please remember this:

You never want to turn on (or off) the Debtor’s computer or digital devices prior to the eSleuthHound’s safeguarding them – never.
