Independent Expert Witness’s Use of Computer Forensics
According to Wise Geek (2009), forensic accounting can be defined as an "accounting analysis that can reveal potential fraud fitting for presentation in court. Such evaluation will form the basis for debate, discussion, and dispute decision." Basically, a forensic expert uses his accounting knowledge, criminology and investigative auditing to uncover fraud, locate proof and present such evidence in court if necessary (Forensic Accounting Information, 2009).
When it comes to presenting forensic evidence, there are several factors that forensic experts and witnesses need to consider before presenting it in court. Many kinds of forensic evidence can be used as exhibits during litigation; however, one of the most crucial considerations, especially in accounting cases, is the validity of technology-based or computer-based forensic evidence.
As discussed in the paper of Rezaee, Z. (2002), with new technologies forensic accountants can provide harm calculations for everything from personal injury and wrongful or unjust death to violation of contract restrictions, antitrust, patent infraction, and securities litigation. As Rezaee, Z. (2002) added, with the use of new technologies in forensic accounting, other forms of media used in showing financial reports can now be traced with little effort, leading to evidence of bribery, intellectual property theft, fraud and other crimes. Despite these advantages, evidence that comes from digital technology is somewhat difficult to justify in court, which independent expert witnesses should realize.
As argued by Glass Lewis & Co. (2006), computer forensics specialists and experts are extremely proficient in the confirmation, acquisition, and restoration of digital or computer-based information. They can help in recognizing the precise information that is wanted, often finding data that was deliberately destroyed or deleted. Glass Lewis & Co. (2006) also added that forensic experts, with the assistance of advanced forensic accounting machines, can help in evaluating large volumes of information for use in civil proceedings, internal corporate investigations, criminal trials and security.
In court proceedings, independent expert witnesses should carefully explain the present condition of a digital artifact. Glass Lewis & Co. (2006) argued that the term digital artifact may comprise a storage medium (e.g. a hard disk or CD-ROM), a computer system, an electronic document (e.g. an MS document, an email message or a JPEG image) or even a series of packets moving over a computer network. The explanation can be as simple as "what data is here?" and as exhaustive as "what is the sequence of events responsible for the current circumstances?"
According to Golden, T, Skalak, S & Clayton, M (2006), there are many reasons why experts employ computer forensics techniques. Such reasons are:
• To get data about how computer systems work, for the purpose of performance optimization, debugging, or reverse-engineering.
• To collect facts against an employee whom an organization wishes to terminate.
• To recover information in the event of a software or hardware malfunction.
• To assess a computer system after an intrusion, for instance, to identify how the attacker gained access and what the attacker did.
• In legal litigation, specifically in accounting fraud cases, computer forensic techniques are commonly used to evaluate computer systems belonging to litigants.
When presenting computer-based evidence in court proceedings, independent expert witnesses should take special measures if the evidence is to yield fruitful results in a court of law. One of the vital measures is to guarantee that the evidence has been accurately gathered and that there is a clear chain of custody from the scene of the event to the investigator, and in due course to the court (Forensic Accounting Information, 2009).
Like other evidence, computer-based evidence should maintain its integrity. For example, in British forensic investigations, examiners and their independent expert witnesses are required to comply with the guidelines issued by the Association of Chief Police Officers (ACPO). As indicated in the guidelines, these are made up of four principles as follows (ACPO 2009):
From the stated principles, independent expert witnesses also need to consider the factors that could affect the integrity of evidence. That is, independent expert witnesses should understand the factors involved in collecting digital evidence, live vs. dead analysis, imaging electronic media (evidence), and collecting volatile data.
Collecting Digital Evidence
As Golden, T, Skalak, S & Clayton, M (2006) argued, digital evidence can be gathered through numerous means. Since we are in the digital age, obvious sources include cell phones, computers, hard drives, digital cameras, USB memory devices, CD-ROMs, and many more. There are also non-obvious sources, which include digital thermometer settings, RFID tags, black boxes, and web pages. However, web pages must be saved, as they are subject to alteration.
Independent expert witnesses must take special care when handling computer evidence because most of it is easily altered, and once it is altered it is more often than not impossible to notice that an alteration has taken place unless other measures have been taken (Forensic Accounting Information, 2009). For this reason, it is usual practice to compute the cryptographic hash of the evidence file and to document that hash somewhere else, typically in the investigator's notebook, so that one can establish at a later point in time that the evidence has not been altered since the hash was computed.
Other specific practices to consider in managing digital evidence include (Owojori, A & Asaolu, T O 2009):
• Establish and maintain the chain of custody.
• Only use methods and tools that have been evaluated and tested to confirm their consistency and accuracy.
• Record everything that has been done.
• Image computer media with a write-blocking tool to guarantee that no data is added to the suspect device.
Usually, much of the important information gathered in a forensic examination comes from the user of the computer. An interview with the user can yield important data about the applications, system configuration, methodology and encryption keys. According to Holton, L (2009), forensic analysis is easy to perform when analysts have the user's passwords to access containers, network servers, and encrypted files.
However, in cases where the owner of the digital evidence has not given permission to have his or her digital files or media inspected (as in some accounting fraud cases), special care must be taken to make sure that the forensic specialist and the independent expert witnesses have the legal right to copy, seize, and review the information. Occasionally the authorities seek a search warrant. As a general rule, forensic investigators, whether or not they work on accounting fraud cases, should make sure that they have the legal right before taking any action.
Dead and Live Analysis
Normally, computer-based evidence under forensic investigation, such as the content of hard drives, is considered data at rest. Such analysis can be considered a dead analysis. Forensic experts were usually told to shut off computer systems when they were confiscated, for fear that digital time-bombs might cause data to be destroyed (Feldman & Kohn, 1998).
There are now some cases in which forensic investigations are performed on live systems. One reason is that numerous current attacks against computer systems leave no marks on the computer's hard drive; in some instances the attacker only abuses data in the computer's memory. Another reason, in the current age, is the emerging use of cryptographic storage.
Imaging Electronic Media
In most forensic investigations, an exact copy of the original media evidence is created, a process known as imaging (Golden, T, Skalak, S & Clayton, M 2006). With software or duplicator imaging tools such as IXimager, Guymager or DCFLdd, the entire hard drive can be copied completely. This is frequently done at the sector level, creating a bit-stream copy of every part of the user-accessible areas of the hard drive that can actually store data, rather than copying the file system. The original drive is then moved to protected storage to prevent alteration. Throughout imaging, a write-protection application or device is usually used to make sure that no data is introduced onto the media evidence during the forensic procedure.
As Feldman J. & Kohn R. (1998) show in their paper, the imaging process is verified by means of the SHA-1 message digest algorithm or other algorithms such as MD5. At significant points throughout the investigation, the media is verified again, a step identified as "hashing", to make sure that the evidence is still in its original condition. In accounting environments, such steps are usually ignored because of the time necessary to execute them. They are vital, however, for facts that are to be presented in a courtroom.
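The practice of hashing an evidence file and documenting the hash, described under Collecting Digital Evidence, and the re-verification of an image described above can be sketched as follows. This is an added example, not code from the cited sources; the function names, the JSON-lines custody log format and the file names are assumptions, and SHA-256 is computed in addition to the SHA-1 and MD5 digests the text names.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")  # MD5/SHA-1 per the text; SHA-256 is an added assumption

def hash_image(path, chunk_size=1 << 20):
    """Read the image once in chunks, feeding every digest, so image size does not matter."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def log_entry(log_path, event, image_path, examiner, digests, **extra):
    """Append one JSON line to the custody log (hypothetical record format)."""
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "event": event, "examiner": examiner,
             "image": os.path.basename(image_path), "digests": digests, **extra}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def record_acquisition(log_path, image_path, examiner):
    return log_entry(log_path, "acquired", image_path, examiner, hash_image(image_path))

def verify_image(log_path, image_path, examiner):
    """Re-hash, compare with the acquisition record, and log the outcome."""
    name = os.path.basename(image_path)
    with open(log_path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    baseline = next((e for e in entries if (e["event"], e["image"]) == ("acquired", name)), None)
    if baseline is None:
        raise ValueError(f"no acquisition record for {name}")
    current = hash_image(image_path)
    mismatched = sorted(a for a in ALGORITHMS if current[a] != baseline["digests"][a])
    log_entry(log_path, "MISMATCH" if mismatched else "verified",
              image_path, examiner, current, mismatched=mismatched)
    return not mismatched, mismatched

if __name__ == "__main__":
    work = tempfile.mkdtemp()
    image, log = os.path.join(work, "exhibit-01.dd"), os.path.join(work, "custody.jsonl")
    with open(image, "wb") as fh:                  # constructed stand-in for a disk image
        fh.write(b"\x00" * 4096 + b"ledger-2009.xls" + b"\x00" * 4096)
    record_acquisition(log, image, "examiner A")
    print(verify_image(log, image, "examiner A"))  # untouched copy
    with open(image, "ab") as fh:                  # alter the copy by a single byte
        fh.write(b"\x01")
    print(verify_image(log, image, "examiner A"))  # every digest now differs
```

The demo keeps the log beside the image only for convenience; as the text says of the investigator's notebook, the recorded hash belongs somewhere other than with the evidence itself.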
Collecting Volatile Data
If the device is still running, any knowledge which can be gained by examining the applications presently open is documented. If the device is suspected of being used for illegal communications, such as terrorist traffic, not all of this data may be stored on the hard drive. If data stored exclusively in RAM is not recovered prior to powering down, it may be lost. This results in the need to gather volatile data from the computer at the beginning of the response.
As for investigations in accounting cases, it is important for independent expert witnesses to focus not only on the different documents of the company, including the financial and non-financial documents, but also on computer-based information. It is also imperative to examine the different individuals and organizations that are involved in the processes and transactions made by the company in a given period of time.
Aside from considering the validity of computer-based information or data, it is important to interview all of the upper management, including the CEO and the directors, concerning the issue of financial fraud at the company. This will include asking for supporting documents, including the financial statements of the company as well as the different documents which support the financial transactions of the company. It will also be important to focus on the personal financial situation of the CEO and directors in order to establish whether it is connected with the fraud issue and with the current financial problem of the company.
After gathering information about the company, it is also important to focus on the statements of the external parties, organizations and individuals that are involved in different transactions done by the company. Therefore, it is vital to gather information from these parties which will support their connection with the company, and from this the legality and accuracy of the information or data will be analyzed.
Actually, in any judicial system the courts try to protect innocent people from criminals, but they must also try to protect the innocent from being mistaken for criminals. Science should be purely impartial in this process: it should prove as much as possible that pieces of physical evidence are what they are supposed to be and that they came from where witnesses and investigators say they came from. Unfortunately, in the adversarial approach of some countries' legal systems, there really is no such thing as impartiality of evidence.
As science becomes more complex, the need for experts to translate the meaning of science becomes more sensitive, but not even these experts are impartial: Both the prosecution and the defense in criminal trials, and both parties in civil trials, routinely have their own scientific experts testify on nearly every aspect of the evidence. This leads to the question of whether it is possible to find an expert who will defend any position—as an attorney does—or whether there is so much scientific uncertainty in physical evidence that it really is not possible to use any such evidence in a conclusive manner.
In presenting computer-based evidence, independent expert witnesses must be cautious. They should be careful when it comes to the validity and reliability of forensic evidence. Aside from this, they should at least know how to prove that such evidence is valid and free from alteration.
ACPO (2009), Forensic Investigation Guidelines. Accessed: 09/09/09, Available Online: <http://www.acpo.police.uk/asp/policies/Data/ACPO%20Guidelines%20v18.pdf>
Feldman J & Kohn R (1998), Collecting Computer-Based Evidence, New York Law Journal. Accessed: 09/09/09, Available Online: <http://cyber.law.harvard.edu/digitaldiscovery/digdisc_library_8.html>
Forensic Accounting Information (2009), Forensic Accounting. Accessed: 09/09/09, Available Online: <http://www.forensic-accounting-information.com/>
Golden, T, Skalak, S & Clayton, M (2006), A Guide to Forensic Accounting Investigation, Wiley Publishing
Holton, L (2009), Business Valuation for Dummies, For Dummies
Rezaee, Z. (2002), Financial statement fraud: Prevention and detection. New York: John Wiley & Sons, Inc.
Wise Geek (2009), What is Forensic Accounting? Accessed: 09/09/09, Available Online: <http://www.wisegeek.com/what-is-forensic-accounting.htm>