Probing into Financial Cold Cases April 14, 2010 What is a Cold Case? ► Closed investigation – reopened ► Latent case – discovered later ► Delayed.
Download
Report
Transcript Probing into Financial Cold Cases April 14, 2010 What is a Cold Case? ► Closed investigation – reopened ► Latent case – discovered later ► Delayed.
Probing into Financial
Cold Cases
April 14, 2010
What is a Cold Case?
► Closed
investigation – reopened
► Latent case – discovered later
► Delayed prosecution
Stages in a Probe
►
►
►
►
►
►
►
Examine Critical Attributes
Develop a Theory of the Case
Investigate Financial Motives
Examine Business Entities Ties
Consider Explicit Sources
Consider Tacit Sources
Consider Embezzlement Schemes
Stages Con’t
►
►
►
Examine Fraud Sources
Conduct Tracing of Funds
Do Computer Forensics Review
Critical Attributes
► Subject’s
occupation
► Age
► Involvement
in a criminal enterprise
► Banking connections
► Ties to businesses
► Use of alternate financial firms and methods
of payment
Critical Attributes Con’t
► Tax
liens, U.C.C. filings, judgments,
bankruptcies
► Criminal history
► Known assets
► Use of digital devices including cellular
telephones
Family
Associates
Criminal History
Tax liens, U.C.C. filings, judgments, bankruptcies
Cellular
Computer Trails
A
s
Assets
Theory of the Case
► What
is the center of the case?
► Internal evidence
► Proximal
► Distal
► Limbic (world-at-large)
Limbic
Distal
Proximal
Internal
Person
Event
Evidence
Documentary/Databases/Computer
Business Ties/Relatives and Associates/Coworkers
Public records/News sources/Internet/Digital Storage/Assets
Financial Motives
►
►
►
►
►
►
►
►
Asset preservation
Revenge
Financial control of a business or an enterprise
Seeking to gain an inheritance or a benefit
Seeking to resolve personal debts
Rescue a failing business
Removing a financial rival
To finance addictions such as gambling and drug
abuse
Business Ties
►
An individual may help set up a business without being an
officer or director. His or her name, however, may appear
on incorporation papers, loan applications, legal
documents, applications for utilities, and on similar
documents.
►
Assisting with logistics may include operating motor
vehicles, signing for shipments received, making
shipments, including the associated paperwork, supervising
contractors and vendors, and buying supplies and goods.
►
(All of these activities leave a paper or electronic trail.
Even operating a motor vehicle leaves a trail of gas and
maintenance receipts, parking tickets, traffic tickets, and
accident reports.)
Business Ties
►
Financial activity may include doing the banking, signing
checks, making credit card purchases, and paying bills.
►
Even in illegal operations where traditional documentation
is minimal, a trail will exist. Cellular telephone and pager
traffic, files on digital devices, and financial transactions
through alternate institutions and means, as described in
“Examine Critical Attributes” above, all provide evidence of
involvement.
Explicit Sources
► Web
searches under subject’s name
► Local newspaper and news source
databases
► Re-interviewing known witnesses
Tacit Sources
► Computers
and digital devices
► Storage facilities
► Online repositories for information such as
Google Documents®, collaborative spaces
like MySpace® or Facebook ®, and blogs
managed by the subject.
Embezzlement Schemes
► Stealing
from a business or organization
over time can be difficult to detect,
especially when an organization does not
enforce the security principles of least
privilege and separation of duties.
► Look
for aggregation of job duties
► Look for “threat gates”
► Constructing a timeline
Accounting
Payroll
HR Functions
Dangerous Overlaps
Suspect Matrix – Accounts Payable Scheme
Suspect
Center
(06/30/03)
Event
Internal
Proximal
J. Jones
X
Digital
Footprint
High
Coworker Ties to
Suspicions Diversified
Investments
Criminal
History
Coworker
Suspicions
None
P. Sanford
M. Howard
No access
X
Data
access
None
Distal
A friend of J.
Jones
Limbic
Personal
Bond
Fraud Sources
► Online
News Sources
► FBI and law enforcement sites
► Cyberprofiling
Tracing of Funds
► Aided
by documentary evidence uncovered
in the topics of connections and sources and
supplemented by computer forensics, the
investigator can visualize the flow of money
in the past.
Computer Forensics Review
► In
a financial cold case investigation, when
warning flags are up that serious business
and transactions occurred digitally, going to
the expense of a forensic examination of
the digital devices is warranted.
Investigative Stage
Rationale
Other Considerations
Examine Critical
Attributes
Enumerate the known
Start with the known connections to develop
connections of the subject new ones, previously unknown
to money and finance
Develop a Theory of the Establish a starting
Case
framework
Always subject to revision as new facts
develop
Investigate Financial
Motives
Seek to understand why
transactions and activity
occurred
New motives may emerge as the investigation
progresses
Examine Business
Entities Ties
Understand who all the
players were
An ongoing activity during the investigation
Consider Explicit
Sources
Research all available
published and public
sources. Re-interview
witnesses.
May provide only partial answers, but can
serve as useful starting points for leads, reinterviewing witnesses can produce new leads.
Consider Tacit Sources
Consider and locate
previously unconsidered
witnesses and
documentary evidence,
including computer-based
evidence
If you think someone could have useful
financial information, talk to him or her. If
you find an “old” digital device related to the
subject, have it examined.
Embezzlement Scheme
Considered
Determine if this was a
factor in the case
Embezzlement schemes explain a lot of
behavior in a case. Much criminal activity
occurs in connection with embezzlements.
Fraud Sources
Examined
Look for online and
conventional scams
involving the subject
Footprinting via the Internet can be productive.
Tracing of Funds
Understand where the
money went
This investigative activity may require the
integration of all the subjects and entities
discovered in a case.
Computer Forensics
Review
Locate and examine
digital devices and
computers possibly
affecting the case
This stage may come into play earlier in the
case depending upon the role of digital
evidence in the events associated with the
crime.
TOPICS AND MAIN AVENUES OF
INVESTIGATION
Connections
► Interrelationships
that existed between
people and entities, such as businesses and
organizations.
► Developing
connections creates a
framework for understanding the role of
money or finance in the case.
Background Investigation
►
Do a background investigation on the subject to uncover
critical attributes from available evidence such as
alternate financing cards, birth certificates, credit cards,
credit histories, criminal history records.
►
Including criminal intelligence sources, death certificates,
debit cards, driver’s license information, marriage
licenses, divorce records.
►
In addition, run registration and ownership information
on any known assets such as real estate, motor vehicles,
boats, recreational vehicles, or aircraft.
More Background
►
Check tax liens, U.C.C. filings, judgments, bankruptcies
for the subject and for any discovered businesses.
►
Research any incorporation or business licenses for
discovered businesses with the Secretary of State (SOS)
or corporation authority in the relevant jurisdiction.
►
Also, most important, run an officer/director search for
the subject and any known associates on the database
with the SOS.
Backgrounding Con’t
►
Obtain cellular and pager records on the subject.
Locate and seize legally any digital devices
belonging to the subject. Arrange for computer
forensics examination when appropriate to the
case.
►
Research public records and filings related to any
discovered businesses for evidence of the
subject’s involvement in the business.
Backgrounding - Analysis
►
Obtain by legal search or subpoena any business
records of related companies that speak to the
subject’s financial involvement. These records
include payroll information, invoices, purchase
orders, and shipping receipts.
►
Organize the collected information using
timelines, chronologies, link diagrams, and
analytical software such as i2’s Analyst’s
Notebook to gain a wide picture of the subject’s
business involvement at the time of the events
that made the basis of the cold case.
Timeline
02/01/03
Conference with banker
2/18/03
Vehicle purchased
2/10/03 Meeting at café
01/23/03 Life Insurance purchased
Analytical Chart Example
Ft. Worth Business
Houston
Business
40
10
Pay telephone
near residence
15
38
Cellular calls from subject’s
vehicle
Subject’s residence
Number of telephone calls in a month
http://www.i2inc.com/products/analysts_notebook/
Motives
►
If the crime was one that presented opportunity
for embezzlement, analyze the vulnerabilities or
“threat gates” in the business’ operations that
permitted the crime.
►
Research which employees had the opportunities
to exploit those vulnerabilities. Investigate past
work assignments, schedules, access to funds,
and skill-sets that facilitated the crime.
“A” is a threat gate. Could a check issue without supporting documents?
Motives Con’t
►
Identify persons within the company that had a
motive to commit the crime: financial distress,
addiction problems, serious dissatisfaction with
company, and family problems.
►
Overlay the information developed about
motives with the connections data. Analyze the
relationships and money flows from information
developed in these other avenues of inquiry.
Sources
►
Re-contact and re-interview known witnesses from the
initial investigation to see if they have any additional
information to shed light on the financial aspects of the
case.
►
Locate any media accounts through news database
searches on subjects, related businesses, or associates.
►
(Nexis® on News and Business Solutions at
http://www.lexisnexis.com is a good source for searching
a vast number of news sources. Google News at
http://www.google.com is a free news research tool.)
More Sources
►
Review any documentary evidence in the case file that
may offer previously overlooked avenues for uncovering
financial information about the case.
►
For example, the case file indicates that the subject
owned property in another county, but there is no record
in the file of follow-up on the issue.
►
Determine if any information developed in the
connections or motives avenues helps to identify new
witnesses that need locating and interviewing about
relevant financial facts.
Sources….
►
Consult fraud sources available online at sites such as
“Fraud Schemes” at the FBI
(http://www.fbi.gov/majcases/fraud/fraudschemes.htm)
►
And “Crimes of Persuasion” at http://www.crimes-ofpersuasion.com/victims/investigation.htm to obtain
intelligence and background information about online
scams.
►
Do online “footprinting” of a suspect’s activity on the Web.
Construct a criminal history from online sources if possible.
Sources…Cyberprofiling
MO (Modus Operandi)
Personal ID
Geographical
Financial
Transactional
Internal
Organizational
Publications
Writings and
publications
Financial
Transactions
Hobbies and interests
Computer-based
information
News Accounts
The Infosphere
Resumes
and
CVs
New Media
(USB, etc.)
Online Postings
Laptops and PDAs
common storage
Modus Operandi
Inmate Searches
Deadbeat Parents
Criminal Records
Most Wanted
Sites Selling Criminal Supplies/Equipment
Newspaper, TV, Radio sites
Personal ID
Vital Records
Civil Records
Genealogical
Trade, Professional Organizations
Newspaper, TV, Radio Sites
Fee Based Sites
Colleges, Universities
Resumes
Personal Websites
Published Writings
Collaborative Spaces
Geographical
Maps - Google
Telephone Address Directories
Reverse Look ups
Mail Drops
Locate Sites
Financial
►
►
►
►
►
►
►
►
Licenses
Bankruptcy
Civil Records
Corporations (Officer/Director)
DBA
Property Sales, Tax Records
Fee-based Search Sites
Motor Vehicles, Boats, Aircraft
Deep Web sites of interest
SEC Edgar – ownership in public companies
eBay – online auctioning
Federal Express – shipping
UPS – shipping
Lexis-Nexis – public records, news accounts
Genealogy –ancestry.com – relatives
Dun & Bradstreet – business reports
Westlaw – court cases
Secretary of state offices – corporate records
Transactional
Domain Name Owner
E-mail Directories
Web Site Postings
Collaborative Spaces (MySpace)
Search Engines
Online Auctions
News Groups
SIGs
Specific Techniques:
Computer Forensics
Tracing of Funds
Computer Forensics
►
Data that ties the subject or person of interest to the
device or media is crucial. Without establishing a
connection between the digital evidence and the subject,
anything discovered has limited probative value.
►
This associative evidence includes information only
known by the subject: account numbers, usernames,
passwords, financial details, e-mail addresses, personal
details and facts, and the like.
►
Creation, access, and modification dates and times in
files can tie the subject to data on the machine or
device.
Computer Forensics - Keywords
►
Locating keywords reflecting illicit trade or
business tells a great deal.
►
Or, keywords particular to the case
Keywords
in Identity Theft Investigation
►
►
►
►
►
►
►
►
►
►
►
►
►
Business identity theft
Personal identity theft
Credit card fraud
SSN
DOB
Credit card skimming
Name
Address
Trojans in identity theft
Phishing
Shoulder surfing
Cross-site scripting
Fraudulent Web sites
►
►
►
►
►
►
►
►
►
►
►
►
Drivers’ licenses
Birth certificates
Dumpster diving
Address change
Stealing identification
Pretexting
Bank or finance fraud
Government documents fraud
Renting property
Getting a job
Avoiding correct identification
when arrested
Phone or utilities fraud
Forensics… Transactions
►
Data that details financial transactions in
spreadsheets, financial statements, financial
documents, loan papers, and similar documents.
►
E-mails, text messages, Internet messaging,
chat room discussions, Web site postings, and
other electronic correspondence that documents
financial connections.
►
Evidence of online banking and financial
transfers.
Digital Thieves
►
Financial forms including blank negotiable
instruments like checks and money orders. This
could be evidence of a forgery or a
counterfeiting operation.
►
Software used to generate credit card numbers,
to skim credit card numbers, or to capture credit
transactions from say retail point-of-sale wireless
networks. Evidence of credit card fraud through
stolen account numbers.
Electronic Theft
►
Caches of credit card numbers and customer information,
social security numbers, and other personal identifiers.
Evidence of identity and credit theft.
►
Desktop software to generate fraudulent invoices, financial
statements, and correspondence. Often, legitimate
companies’ documents and logos will be in a file to
facilitate creating forgeries.
►
Accounting software to create a bookkeeping system for a
business. Presence of a general ledger and journal entries
for a business, which can be legal or illicit. The same
software could generate fraudulent financial statements.
Tracing of Funds
►
►
►
►
►
►
How was the business or enterprise financed?
What commodities, goods, or services served as
the basis for the enterprise?
Which financial institutions were involved?
Were alternative financial tools involved?
Was money laundering involved in the
enterprise?
Who were the principal players in the enterprise?
Tracing…
►
►
►
►
What were the personal financing
arrangements?
Were there collateral investigations of the
enterprise by the IRS, SEC, or state taxing
authorities?
Where did the subject’s funds go?
Were there attempts to hide assets? How
did the hiding take place?
Indicators of Suspicious Financial
Activity
► Multiple
transfers to foreign bank accounts,
► Constantly clearing third party checks to foreign
accounts, and attempts to deposit cash in multiple
bank accounts with each deposit below the
$10,000 reporting requirement of the Bank
Secrecy Act.
► Other warning signs include interlocking corporate
entities with common officers and directors, used
to shuttle funds between the entities
More Suspicious Activity
►
Regular deposits to charities in foreign countries. Terrorists
operate behind front organizations and businesses to move
money around to finance terrorist operations.
►
Layers of dummy corporations and diverse bank accounts
enable them to launder and to transfer funds under the
guise of legitimate business or charitable operations. It
creates a labyrinth of paper and electronic trails to follow,
making it difficult for financial investigators.
►
Using nontraditional banking channels
Topic
Impact
Investigative Avenues
Connections:
Business
Entities Ties
Critical
Attributes
Theory of the
Case
Understanding the nature of the
subject’s business dealings;
Uncovering connections to
people, business, money;
Developing a working
framework for understanding the
relationship of money to the
case.
Doing research of public records
and databases, reviewing
business documents, and
interviewing persons knowing
about past business dealings;
Building a background history
on the subject;
Using Chronologies, Link
Diagrams, Analytical Software.
Motives:
Embezzlement
Scheme
Financial
Motives
Detecting a crime of
opportunity: What opportunities
did the suspect have?
What role did money or
financial activities play in the
crime?
Investigating past work
assignments, schedules, access
to funds, and skill-sets.
Analyzing the relationships and
money flows from information
developed in other avenues.
Sources:
Explicit
Sources
Fraud Sources
Tacit Sources
Published media, Known
witnesses, Documentary
evidence in the case
Subject’s involvement in illegal
financial activities
Previously unknown witnesses,
Hidden information on
computers or digital devices
Doing research in print media
and on the Internet;
Conducting Internet footprinting
of a subject’s transactions;
Doing criminal histories;
Locating new witnesses, doing
computer forensics.
Specific
Techniques:
Computer
Forensics
Tracing of
Funds
Uncovering hidden financial
dealings and relationships
Where did the money go? Who
was involved?
Locating and examining
computer and digital devices;
Conducting forensic accounting,
hidden asset investigations.
More Information
► Probing
into Cold Cases – Charles C.
Thomas Publisher –www.ccthomas.com and
Amazon.com
► On
► My
Google search for “Ronald Mendell knol”
“knol” will stay updated about the book
and cold case investigations
More
► How
To Do Financial Asset Investigations 3rd
edition (Working on the 4th edition)
► Charles C. Thomas Web site
► Amazon.com