Christa: Hello and welcome to the Forensic Focus podcast. Monthly we interview experts from the digital forensics and incident response community on a host of topics ranging from technical aspects to career soft skills. I’m your host, Christa Miller.
Today we’re talking with Ryan Duquette, a partner at RSM Canada. Ryan focuses on litigation support, cyber incident response, privacy and technology risks, digital forensics and cyber fraud matters. An investigator for over 20 years, Ryan was previously a police officer focusing on cyber crime and fraud cases. He works closely with clients involved in workplace investigations and civil litigation matters including intellectual property theft, HR investigation, and data breaches.
Ryan is a director for the Toronto chapter of the Association of Certified Fraud Examiners. He has been qualified as an expert witness on numerous occasions and is a frequent presenter at fraud, digital forensics, cybersecurity, and investigative conferences worldwide. He previously taught digital forensics at the University of Toronto. Ryan, welcome to the show.
Ryan: Thank you so much for having me. It’s a pleasure.
Christa: So let’s start with your background. As a police constable, you analyzed digital evidence on a wide variety of cases. What led you to digital forensics to begin with? And from there, what made you specialize in fraud investigations upon joining the private sector?
Ryan: That’s a great question. So back in my earlier career as a police officer, I was actually working for the Fraud Bureau. And every bureau prior to actually getting into working in fraud, I just sort of knew how to use computers.
I’ve always been sort of a computer guy, and so when I got into the Fraud Bureau, we had a very large fraud we were working on and we were actually partnering with some consulting firms. And my boss at the time said to me, well you know computers, so why don’t you be part of that unit and you can go out and partner with these other consulting firms. It was a criminal civil collaboration that we are working on for this investigation. So I started going out to all of these meetings with digital forensic people working at the consulting firms and going to meet the clients. And I just found it interesting.
It was a whole new language for me, what they were talking. I didn’t really have a clue what they were talking about, but I just started soaking it all in and I thought, “this world sounds absolutely fascinating to me.” This was, I’m trying to remember what year it was, 2003 / 2004, around that time frame, and they were talking all this forensic language and it was fascinating. I really, really enjoyed it.
So I started to learn a little bit more about it while I was on that three-year fraud that we were working on, it was a very large scale fraud. And I thought to myself, this is what I want to do. This is really, really fascinating work. It’s really interesting. And I was a little bit, you know, future-thinking and thinking, this is never going to go away. It’s only going to get larger.
So I started to develop my skills in computer crime and computer fraud and tech crime, started taking some courses, and that led me to get a posting in the tech crimes unit at the police, and the rest is history.
Christa: And then from there, you continued to specialize in fraud investigations rather than be more of a digital forensics specialist. So I’m curious about what resonated with you about fraud.
Ryan: I did do, you know, general cases as well, especially when I was with the police. I did a variety of different cases from, you know, more child exploitation cases — that was probably the majority of my work — homicides, you name it, I worked on it. However, when I was in the Fraud Bureau, I decided to get a fraud certification and join a fraud organization called the ACFE, and I got my certified fraud examiner designation way back in the day. So I’ve always sort of been interested in that type of work.
So whenever frauds, you know, a fraud case came along, even working in the Fraud Bureau or you know, in the tech crimes unit, whenever a fraud case came around and landed on my plate, I really seemed to enjoy it and seemed to work on it, because a lot of frauds, they spider web out and they can go in a variety of different places. So I just sort of continued that beyond my policing days and now in the private sector, I enjoy working on those. I still do work on a variety of different cases and matters, but I’m quite ingrained in the fraud community and try to keep up on the latest fraud cases.
Christa: So when you got to the private sector, how did your law enforcement experience inform your approach to clients, and then what did clients teach you in addition?
Ryan: That’s a great question as well. I think the one aspect of having a law enforcement background — and this isn’t only people that have law enforcement backgrounds have this, I’ve seen investigators that didn’t come from law enforcement that have this mentality as well — but I think the investigative mindset is a real skill that a lot of police officers have, that helped me with my clients. I was able to sort of sit down and look holistically at the challenge or the problem that they’re dealing with and think of it in an investigative mindset.
And the other aspect I think as well that resonates with a lot of clients is thinking that every case that I do is potentially going to go to court and I’m going to be up on the stand having to explain my actions. Because in law enforcement there’s obviously that opportunity for every case you’re working on.
And I’ve continued that, those methods and those procedures that I learned in law enforcement, and the handling of evidence and all of that, I’ve continued that obviously in private sector from, you know, the question of what do clients teach me? That’s really been an enjoyable aspect over the years of working with clients.
I work a lot with counsel on a lot of our cases. A lot of cases, intellectual property theft or other types of frauds. And when I’m doing my expert’s report at the end of the matter, I work with different counsel on that. And also some direct clients that I’ve worked with on some of my reporting. And I’ve learned more on how to structure my report and tell the narrative and get the information in my report in a way that people are going to understand… the different stakeholders in the organization are going to understand it. I’ve learned more from interacting with my clients or counsel that’s been involved than I did back in my law enforcement days. So I feel that the reporting aspect and the sharing of knowledge to our different stakeholders is something that I’ve been able to tweak over the years a little bit.
Christa: That’s really interesting.
Ryan: I’ve been very thankful to all of the counsel and all of the clients. I had one client who is a subject matter expert themselves in a different field — in the engineering field — and so he’s been a subject matter expert for 30 years. So when we were helping them, he actually said, got your report. It’s great. Here’s some suggestions of things that I’ve done over the years that may assist you a little bit. And I’m very thankful for those that are willing to take the time to better me in my skills.
Christa: So you’re now a partner at RSM Canada, which provides tax audit and consulting services. Can you briefly talk about the types of services you provide your clients and how did your broad digital forensic expertise prepare you for this current role?
Ryan: RSM Canada is part of RSM global and like you said, we are a tax audit consulting. So we have a variety of different services. I work in the consulting group, which has, again, a variety of different consulting service that we offer our clients. I’m in the risk advisory group focusing specifically on security, privacy, risk consulting.
So we do a variety of different cybersecurity assessments, governance and risk, virtual CISO type work, all the way over to breach response, incident forensics, OSINT matters, vulnerability assessments and testing. So we have a wide variety of services we offer our clients. And it’s a great team of people we have over the world that we work with.
So my forensic experience helped me prepare for this role especially over the last, I would say, four or five years since leaving law enforcement. Helping, working with the clients that I’ve worked with in the past, and now coming to a larger organization that has more resources and more internal teams that I can work with as well.
So it’s… working with my clients has been great to introduce them to other partners at the firm, and other aspects that we do, and other service lines that we offer. So it’s a great team approach where everybody at RSM is coming together and introducing us to other people. So it’s been great and enjoyable.
Christa: Your career has spanned two decades of technological advancement. What would you say are the top three tech trends that are affecting fraud investigations, and how has that evolved over time?
Ryan: I see a few of them. So I think the interesting one for me from a cyber fraud perspective is phishing and ransomware, I think, is the largest one, and how technology is now being used against us. For years and years, we told people to use this technology, here’s a device or an app or a program that we’re supposed to use and now we’re telling people to slow down and be a little bit more careful about that.
And so I find that shift in the use of our technology is quite interesting. We all know that we get all these phishing attacks and everything every single day, and people really have to slow down, and really be a little bit more cautious about that, whereas for years and years we told people: use this email program, and answer these emails, and respond as quickly as possible: now we need to consider that.
And from a fraud perspective, criminals are now using social engineering tactics and psychological behavior tactics to get us to do certain things, which I find fascinating, especially from a fraud perspective. If I look at some of the larger or more popular frauds over the years, a lot of them have that psychological component to them. And phishing attacks and whatnot in this digital realm is just one of those ones that I see happening more and more.
The other tech trends I see affecting fraud investigations is deep fake technology, because I think that is another one. And again, it doesn’t just have to be videos; audio as well, and the use of our facial recognition software, things like that being used against us. I’ve got numerous clients that are very concerned about this and you know, using verbal recognition for the transferring of money, things like that. So it’s certainly something that’s on the horizon and it’s here. Well it’s not even on the horizon, it’s here now; and it’s coming up with methods for organizations to protect themselves from that sort of technology.
The third, I think tech trend is not something that criminals are using against us, but it’s obviously big data. And AI I think is from a fraud investigation, especially in the forensic realm as you know, you’re well aware that the amount of data that we have to look through and piece together is getting exponentially larger. So having big data and analytical tools or AI to help us spot these fraudulent activities or trends that we’re sort of seeing in a large amount of data I think is a valuable investigative tool. And one that I see pressingly getting larger moving forward.
Christa: So I guess that’s a lead in, if you’re talking about the quantities of data. That’s a lead into my next question about the biggest digital evidence challenges that are facing fraud investigators today.
Ryan: Well I think again, I’m looking at this from a little bit of a different lens. You know, just traditional fraud investigators, they have lots of digital challenges. But when I put on my tech crimes hat as well, because I’m sort of half a digital forensic person and half fraud person as well.
But I think the two things that are affecting those types of investigations, and again, one is data size. It’s getting extremely challenging now to be able to look through everything. And we still get requests like that: Can you take this hard drive or this amount of data and look through it to spot fraudulent activity?
And yes, we can. But as the amount of data continues to grow and the amount of storage size on systems continues to grow, it’s just coming up with methods and tools to be able to get to that information and look at it in a better manner.
The other one, which I think is probably the more significant challenge facing, you know, not just fraud investigators but all types of investigators, is encryption. It’s now very simple for people to encrypt all of their devices. And a lot of it comes by default. And being able to even just access these devices and get access to the data can be extremely challenging.
I know in my law enforcement days, and I know law enforcement investigators nowadays, it’s a huge challenge for them. Not as much of a concern in the private realm, because we are oftentimes given that information. But even the way that a lot of systems are set up: people will set up encryption, they don’t remember their passwords for certain things. So it’s a bit of a challenge, but certainly one that we can continue to strive to get around.
Christa: So you’ve talked a little bit about the different trends including ransomware and phishing and so on. And you’ve also posted on LinkedIn and other places about the different fraud types, including ransomware and so on. You noted in a recent LinkedIn post that many organizations don’t spend on cybersecurity because they don’t see the return on investment relative to the cost of doing business losses due to these threats. Where is the cognitive disconnect and how can fraud and digital forensics examiners help to educate businesspeople?
Ryan: Yeah, that was a really interesting… some stats that I saw from the Canadian Anti-Fraud Centre and their top three types of frauds that were reported to them in 2018 were ransomware — you know, emails asking for personal information — and then phishing. And then they gave some stats around that as well. I think spear phishing from a was the number one financial, if you look at the metrics, you know, the number one for 21.5 million or something like that.
Now they did also have a caveat, a little bullet point at the bottom, saying that they only think less than 5% of the actual amount of fraud was reported to them. So it shows you how prevalent these types of fraud are in our society. And we still do find that a lot of organizations don’t want to put resources towards this. They would rather focus on other aspects of their company, right? Marketing or sales or what not. Again, because they don’t see the return on the investment.
And sometimes I sort of consider it a little bit like, do you want to spend the money on something that you’re not making money on? Right. And that’s the challenge is a lot of organizations would rather spend the money to drive sales, or to drive their service, or whatnot.
However, the challenge becomes: the cost of mitigating these risks is going up. And we see that in other types of surveys and reports that we see coming out all the time. The NetDiligence report that just came out last year shows that the average cost of a breach has gone up significantly. It’s something that organizations need to think about. And you spend a little bit of money now to potentially save yourself spending a lot of money down the road.
So there’s a lot of things. So I think the disconnect for many years has been that organizations didn’t see security and risk at the same level as the rest of the functions in the organization. You know, like I said, marketing or business development or the product or service. They didn’t think of the security risk at that same level.
And we’re starting to see, over the last year or so, that’s starting to change. We’re starting to see a lot more boards of organizations starting to think about this, and talk about this, and wanting to know the metrics around this and what their organization is doing. I go in and I speak to a lot of boards, and a lot of organizations, about this and about the need for them to take action now. Right?
It’s no longer the time to think, okay, well we’ll get to this in a few years. Organizations need to do something now. Now again, that doesn’t mean that they need to blow the budget on all of this. There are lots of different things that they can do. I think they just need to start. They need to start thinking about this and the data that they hold.
I think about fraud investigations and fraud examiners, how they can help with this, is educate people a little bit more about the types of frauds that are out there, and also how their organization may be at risk. I think there’s a lot more as fraud investigators that we can be doing from a preventative standpoint.
A lot of fraud investigators I know at least that deal in the cyber realm, they’re well aware of all these types of scams and frauds that are out there, and it’s just keeping your organization aware of that as well and helping the organization mitigate that risk. I think it’s an important thing.
Christa: Can you give an example, because it sounds like something that a lot of examiners or investigators are deeply familiar with, to an extent that maybe it’s something that they need to learn to talk to the C-suite about: to speak a different language, in other words, can you give an example of how that might go?
Ryan: Sure. So I’ll give you a great example of a type of digital fraud, so to speak, or an issue, where fraud examiners can help. So let’s take a look at insider threats. Right?
A lot of organizations they think, “we need to protect ourselves from hackers or external threats.” And they put measures in place, and they do user awareness training, and they put systems on their email that show that this email is coming from an external source so be careful about links. And people and organizations are getting a lot better at that, at starting to spot some of these external threats.
But a lot of them don’t deal with the internal threat, right? You know, obviously people with inside of a company can have access to data, you know, they log in every day, they can move things around, they can share stuff with somebody else with a competitor, they leave and they take stuff with them.
So I think as a fraud investigator at a company, or even an external fraud investigator, you can maybe help your clients with that one. You know, you can work with internal IT. You can work with internal legal counsel. You can work with internal HR; and you can develop a little bit of an insider threat team, right, to help protect the organization’s data.
There’s a lot that can be done. You know, you can put certain policies in place to monitor people a little bit more than is being done, or to even get to the level of perhaps capturing their data: taking images of drives of people that have access to very, very important data.
So you know, a lot of fraud investigators and other investigators, they have a risk management mindset a lot of the times and an investigative mindset, which is fantastic. So I think there are certain things that they can be doing internally to help that organization as well.
Christa: What do you see as most important for digital forensic examiners to know about fraud investigations and working with fraud examiners?
Ryan: One thing that I’ve done in the past when I’m working with a fraud investigator… a lot of times — and I think I mentioned it before — a lot of times with frauds, they spiderweb out and they go a variety of different places. And I can think of some of the larger frauds I’ve worked with over the years. It went, you know, in directions that we never thought that the investigation was going to go.
So I think as a digital forensic examiner, it’s ideal that you have a very good communication channel with that fraud investigator. You know, if it’s somebody that works inside of a company that you’re assisting, or even an external fraud investigator that you’re working with. Just have that open communication and realize that you’re both here to do certain things.
Now, in the private realm, obviously a lot of the times our investigations on the digital component are very narrow in scope. You know, we provide that fraud investigator with a certain dataset: here are emails, or here are communications for you to look through.
But again, I think it’s working with that fraud investigator to perhaps if they don’t know [the] digital forensic world and they don’t know the types of data that may be on a device or the types of artifacts that we can gather, it’s educating them on what can be found. I’ve had lots of fraud investigations that I might have worked on with another examiner — a fraud examiner — where they come to me and they say, I just need to show this. I need to show evidence of something happening.
So I would then sit back and say, okay, well let’s sort of unpack this a little bit, and let’s try to figure out where evidence of that might reside on a device, or on a network or wherever, and then let’s work together to make sure that we’re covering all those bases and I’m getting you all the relevant information. An example: they’re looking for communication between two parties, and a lot of examiners in the past have been like, you know, just give me emails or whatnot. Well, once we start that conversation, you know, is there other communication you may need? Or it expands out a little bit.
Christa: So for my final question, you’ve presented and taught for many years. How did you come to start speaking and what advice would you give to other forensic or fraud examiners who might be uncertain about sharing their expertise in this way?
Ryan: That’s a great question. Yeah. I started doing some presentations back when I was in law enforcement. And I was very hesitant to. I was pretty shy about doing it, I didn’t want to put myself out there. I was nervous in front of an audience.
And I had an opportunity after I left law enforcement: I had an opportunity to go work for Magnet Forensics for some time. And a large portion of that role was going to be presentations and webinars, and I was very nervous about that. But I took that role knowing full well it was going to take me outside of my comfort zone a little bit and force me into getting in front of people and then speaking with people. And that was such a great opportunity, not only to work with an amazing organization, but also getting me outside of my comfort zone and teaching me some skills that I might not have developed as much in my prior law enforcement life.
So I think, advice for examiners who may be uncertain about sharing is: take it baby steps, right? Like you don’t have to stand up in front of a room of a thousand people and give a deep level presentation to start. That can be a little daunting for some people.
So start small, right? Start by connecting to people on social media, or on LinkedIn, and share some articles and share some advice, and just get yourself out there a little bit. Fully expecting that there may be some people that disagree with you, and that’s okay. And then do some webinars because you don’t need to be on video, or whatever. There are lots of opportunities. Go to a meetup, whatever. There are lots of opportunities for somebody to develop those skills.
And you know, the more you do it, obviously the more comfortable you’re going to be. And even me, I do a lot of it and it’s still nerve-wracking sometimes, you know, standing up in front of a room and… looking at you and critiquing you and… but it’s incredibly valuable. It’s great when you can share knowledge with others and then you develop those relationships with people, you talk to them afterwards.
But also fully realize that you’re not going to please everybody in the room. And I think initially I had that mentality, right? I need to make this valuable to everybody, and that’s often not the case, right?
So yeah, just start off small. I mentor a lot of people, and I just say to them to just do something very small, or maybe go to organizations that teach you how to present and teach. Knowing how to stand up in front of a room and then just talk about things: that can be very valuable as well.
Christa: Yes. Yes. Well, Ryan, thank you again for joining us and thanks to our listeners for joining us on the Forensic Focus podcast. You can find more articles, information, and forums at www.forensicfocus.com. If there are any topics you would like us to cover, or if you’d like to suggest someone for us to interview, please let us know.