This may be a premature posting, nonetheless your feedback is appreciated. I will be getting three PCs today - the investigation involves fraud - my understanding is that the suspect used credit cards to falsely set up accounts and transfer funds. Most of my work these past years has been with CP cases, so this is new territory. From your experience with these types of cases, what information should I be looking for? Are there multiple areas of data that need to be coupled with each other to support a fraudulent use of the cards? Any other pointers or tips you might have?
I will update with case-specific information as I progress.
I wouldn't take a case where I don't know what to look for, is where I would start.
Honestly, if something is not your area, farm it out to someone whose area it is. I'm not shy to forward business to other people if it gets to be something I don't feel comfortable working with.
I humbly disagree with farming it out. A guy has to learn somehow and so long as he sticks to protocol and makes sound copies of the drives, he’s at least safe from damaging evidence. He can always pass the case on to someone else if he feels in over his head.
I would leverage those making the claim to assist with providing you keywords, in this case, perhaps credit card numbers, account numbers, and dollar amounts to search for. Credit card and account numbers are a cinch to find. Finding those numbers is a good start. From there you can at least substantiate the card info is on the computer. Beyond that you'll need a warrant to get transaction info from the account hosts.
Well let's just hope that it's not your life or business that is attached to the learn while you earn route. There is a good reason to work under someone who has done the work before and learning from them in a lab in the RL.
The poster said it's new territory, I wouldn't take a case from someone who had already worked on it and just then felt they were over their head. No matter what you say about following proper protocols, making sound copies of the evidence, etc. I can tell you that the attorneys would have an absolute field day crossing that guy first, and then the person who he handed it off to.
To boot, he would probably never work in the field in the same city after the word spread around.
You have an interesting perspective. I understood him to be a capable forensic analyst given his experience with CP - which means he should be very capable across the board.
Granted fraud is a different animal, but how would his technical analysis differ such that he would paint himself in a bad light in court? I'm a forensics professional and an expert witness in both Canada and the US… I get different cases all the time and some of them are completely new areas to me. The techniques, process and procedures I use NEVER change.
I assume he is not formulating an opinion, rather he is only collecting evidence. Maybe we need to know more about what his role is. If he's leading the investigation versus just collecting data, perhaps your concern is justified. Besides, the differences in some CP cases could be as vast as differences in crime, wouldn't you agree?
The post is asking how to find what he needs for the case.
Add this to the mix. Would you want to be the client paying for someone to not know to go to this registry key, carve out this txt, etc.?
I don't know many people that will say uncle BEFORE they take a case and know in the initial consult to pass it on to someone who can do the job properly. I do know that early on I feared that cases I passed on to others would end up costing me that client, but I haven't lost any because of that yet, or at least I don't believe I have lost any yet. The clients appreciate honesty and just as no lawyer can be an expert in all forms of law, no CF person can be an expert in all the disciplines of CF.
"no CF person can be an expert in all the disciplines of CF."
From that perspective, man I certainly agree. I hear what you're saying about passing the case onto another, the spirit of which also includes not wanting someone else to have to clean up the mess. If he is dealing with an external client, I will concede he should not wing this one.
I'd still like to hear more about this one from the OP
"Add this to the mix. Would you want to be the client paying for someone to not know to go to this registry key, carve out this txt, etc.?"
The OP can correct me if I'm wrong but I don't believe that's the area he's looking for assistance with. I agree with DonnieW that if most of the examiner's work has been CP he's probably well acquainted with where to look and how to go about doing so. It seems to me the question was related to the data which might be found rather than the discovery process itself.
The point about competence is perfectly valid, of course, but I don't think you necessarily need to be an expert in the subject matter of the case to be able to bring evidence to light in a competent manner. The more knowledge you have the better, though, which I presume was the goal of the original request for advice.
Have a look at Electronic Crime Scene A Guide for First Responders - US DoJ - http://www.forensicfocus.com/downloads/187736.pdf
There are some rough guidelines for suggested areas of investigation within certain case types - including fraud. ( Pages 37/38 ).
It is quite content light - but might give you some ideas … ( and it's free 😉 )
Just to clarify my role and abilities. I have been in this field for 6 years, having processed hundreds of cases; testified in state and federal courts; more than confident in my abilities to navigate Windows (and the registry), OSX and Linux. My work product has NEVER been proven to be flawed or reason for substantial argument within the courts. That said my inquiry was to solicit any patterns or trends that others may have encountered with these types of cases. In addition (unfortunately) there is no one else to farm this case out to. Our unit has suffered from a number of people who were required to relocate to other states and/or retirement. It is just myself and two others who are (as you might imagine) maxed to the gills.
Here is what I know: I have credit card and bank accounts. I have the suspect name, places and dates he made cash withdrawals on the accounts. My thoughts are to look for proprietary programs (for example a check writing program) and if necessary boot through LiveView and VMWare in order to actively use the program. Keyword searches to include bank names and accounts, CC numbers, suspect name and the provided routing numbers to the banks. Search Excel and Word docs for any records. I am sure that as I process this I will be led down other paths; however this is my initial approach.
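An added example, not part of any post in this thread: the card-number and routing-number keyword searches discussed above, written as a scan over raw bytes that keeps only checksum-valid hits (Luhn for cards, the ABA 3-7-1 checksum for routing numbers) and flags the ones that match numbers supplied by the complainant. The names `scan`, `luhn_ok`, `aba_ok` and `SAMPLE` are hypothetical, and the sample buffer is constructed.

```python
import re

# Candidate card numbers: 13-19 contiguous digits, or four groups of four
# separated by a single space or hyphen. Routing numbers: exactly 9 digits.
CARD_RE = re.compile(rb"(?<!\d)(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3})(?!\d)")
ROUTING_RE = re.compile(rb"(?<!\d)\d{9}(?!\d)")

# Constructed sample buffer (test numbers only), standing in for image data.
SAMPLE = (
    b"\x00\x00acct notes: visa 4111-1111-1111-1111 exp 01/30\r\n"
    b"typo 4111111111111112; order id 20240101123456\r\n"
    b"ACH routing 123456780 ref 987654321\x00"
)

def luhn_ok(digits):
    """Luhn check carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def aba_ok(digits):
    """ABA routing number checksum: weights 3, 7, 1 repeated, sum mod 10 == 0."""
    weights = (3, 7, 1) * 3
    return sum(w * int(c) for w, c in zip(weights, digits)) % 10 == 0

def scan(data, known=frozenset()):
    """Return sorted (offset, kind, number, is_known) for checksum-valid hits."""
    hits = []
    for m in CARD_RE.finditer(data):
        num = re.sub(rb"\D", b"", m.group()).decode()  # drop separators
        if luhn_ok(num):
            hits.append((m.start(), "card", num, num in known))
    for m in ROUTING_RE.finditer(data):
        num = m.group().decode()
        if aba_ok(num):
            hits.append((m.start(), "routing", num, num in known))
    return sorted(hits)

if __name__ == "__main__":
    # 'known' would hold the numbers provided by the complainant.
    for hit in scan(SAMPLE, known={"4111111111111111"}):
        print("offset=%d kind=%s number=%s known=%s" % hit)
```

This pass only sees ASCII/UTF-8 digits; text stored as UTF-16LE, common in Windows artifacts, needs a second pass with a pattern that allows the interleaved null bytes.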