
Research into common evidential areas - EDIT

(@tootypeg)
Estimable Member
Joined: 18 years ago
Posts: 173
Topic starter  

Chaps,

I’ve been here for a while now, and just hoping you guys could help me out. As part of my research I’m currently undertaking, I am looking into the locations for evidence found in fraud investigations and I would like to obtain this data from a wide range of professional sources.

Would anyone be willing to contribute any information to my research based on their experience in fraud investigations and where they have found their evidence in the past?

An example would be the following types of information I’m after for a fraud case

Case 1
C\User\#####\Documents FileType-Doc
C\User\#####\Desktop\UserDefinedFolder FileType-Doc

Obviously I’m not after any personal data etc just data like in the above example, file paths and any type.
Any contributions would greatly help my research, feel free to PM if you would like any more details or have any thoughts on it.

Many Thanks


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

Surely the common / default location of the user's files is just dependent on the operating system in use?


   
(@tootypeg)
Estimable Member
Joined: 18 years ago
Posts: 173
Topic starter  

Sorry guys, don’t think I explained myself well enough, I’m more interested in the evidence at a case level. For instance when you investigated fraud case #1 for example your evidence was located in the following places for example

C\User\#####\Documents\UserDefinedFolder FileType-db
C\User\#####\AppData\Local\Microsoft\TemporaryInternetFiles\Content.Outlook FileType-jpg;
C\User\#####\Pictures\SamplePictures FileType-jpg

I am looking at researching into what your cases look like in terms of where evidence is situated on a whole case level.

I hope that explains things a little more.

Passmark - yes, I'm sure it does depend on what operating system you're investigating, but I would like to see where on these OSes that evidential data is residing.

cheers


   
(@pragmatopian)
Estimable Member
Joined: 16 years ago
Posts: 154
 

(1) What do you mean by 'evidence found in fraud investigations'? I'd assume you mean files containing material used in support of fraud-related charges.

(2) What do you anticipate to be the value of knowing the file paths and file types of such evidence? Having dealt with a lot of fraud cases I'm struggling to see how it might help.


   
(@joethomas)
Trusted Member
Joined: 16 years ago
Posts: 65
 

I don't remember the last case where I had evidence in just one particular place. It's always in hundreds of places - combinations of internet history of several browsers, the registry files, recent files, link and shortcuts, application settings. The only time that it's going to be in a single file somewhere is if it's been downloaded onto or written on the computer, in which case it will be in the default downloads or documents folder in most cases. Even then, the other places will need to be examined for metadata regarding it - has it been downloaded, accessed, printed, shared, distributed, emailed, etc.


   
(@scuzz)
Eminent Member
Joined: 16 years ago
Posts: 29
 

The context for which you need this information might help people understand a little better what it is you're getting at. I echoed joethomas's perspective in my PM to you and I also share the view of pragmatopian's 2nd point.

Is this question being asked because you are writing a thesis, or a manual of some kind and attempting to give the reader a basic overview of where key file types reside with regards to a fraud case? If so, then you're going to need a large Appendix section to list all the possible locations!

It's also worth pointing out that if it is a fraud case, and the suspect has any common sense, they would attempt to obfuscate the evidence by either encrypting with PGP, or by hiding the data in locations that a rookie examiner might not think to look in, or changing the file extensions (obviously signature analysis would pick this up but you get my point). It appears that you are asking people here if there is a specific location that evidence is found in time and time again throughout this type of investigation, in which case I refer you back to joethomas's post.


   
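Added example, not part of any post in this thread: a minimal sketch of the signature analysis mentioned above, which compares each file's extension with its leading bytes and flags the ones that disagree. The function names, the `EXPECTED` table and the sample files are constructed for illustration; the magic numbers are the standard ones for each format.

```python
import os
import tempfile

SIGNATURES = {  # well-known leading-byte signatures (magic numbers)
    "jpeg": b"\xff\xd8\xff",
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy Office files, Thumbs.db
    "sqlite": b"SQLite format 3\x00",
    "zip": b"PK\x03\x04",                          # also the docx/xlsx container
}
# Content each extension may legitimately carry (illustrative, not exhaustive).
EXPECTED = {"jpg": {"jpeg"}, "jpeg": {"jpeg"}, "doc": {"ole2"}, "xls": {"ole2"},
            "docx": {"zip"}, "zip": {"zip"}, "db": {"sqlite", "ole2"}}

def identify(header):
    """Return the name of the signature the header starts with, or None."""
    return next((n for n, m in SIGNATURES.items() if header.startswith(m)), None)

def classify(filename, header):
    """Return 'match', 'mismatch' or 'unknown' for an extension/content pair."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    detected, allowed = identify(header), EXPECTED.get(ext)
    if allowed is None:
        # Extension not in the table: flag it only if the content is a known type.
        return "unknown" if detected is None else "mismatch"
    return "match" if detected in allowed else "mismatch"

def scan(root):
    """Walk a tree and return {relative path: status} from each file's first 16 bytes."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                results[os.path.relpath(full, root)] = classify(name, fh.read(16))
    return results

def demo():
    """Write constructed sample files to a temporary directory and scan them."""
    samples = {
        "report.doc": SIGNATURES["ole2"] + b"\x00" * 8,
        "holiday.jpg": SIGNATURES["sqlite"],          # database renamed to .jpg
        "notes.txt": SIGNATURES["jpeg"] + b"\xe0",    # picture renamed to .txt
        "readme.txt": b"plain text",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)
```

A mismatch only says the content is not what the extension claims; an encrypted file has no recognisable signature at all, so under a listed extension it is flagged as a mismatch and under an unlisted one it comes back as unknown.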
(@cedricpernet)
Eminent Member
Joined: 16 years ago
Posts: 26
 

It's also worth pointing out that if it is a fraud case, and the suspect has any common sense, they would attempt to obfuscate the evidence by either encrypting with PGP, or by hiding the data in locations that a rookie examiner might not think to look in

Agreed. If the suspect is a bit clever, he will hide information in places that he would not expect the investigator to parse.

Yet your question could be interesting in malware cases, where it could be interesting to see some charts of the most commonly used folders to hide files.

I bet "system32" would be a good one to start with :-)


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

As part of my research I’m currently undertaking, I am looking into the locations for evidence found in fraud investigations and I would like to obtain this data from a wide range of professional sources.

I think that the biggest question right now, at least for me, is, what constitutes "fraud" with respect to your research?

A great deal of fraud can be performed without the need to hide data (in any manner mentioned in this thread), or even saving files on the local system.

Maybe you can define some scenarios of fraud, and go from there?


   