Probing into Financial Cold Cases
April 14, 2010

What is a Cold Case?
► Closed investigation – reopened
► Latent case – discovered later
► Delayed prosecution

Stages in a Probe
► Examine Critical Attributes
► Develop a Theory of the Case
► Investigate Financial Motives
► Examine Business Entities Ties
► Consider Explicit Sources
► Consider Tacit Sources
► Consider Embezzlement Schemes

Stages Con’t
► Examine Fraud Sources
► Conduct Tracing of Funds
► Do Computer Forensics Review

Critical Attributes
► Subject’s occupation
► Age
► Involvement in a criminal enterprise
► Banking connections
► Ties to businesses
► Use of alternate financial firms and methods of payment

Critical Attributes Con’t
► Tax liens, U.C.C. filings, judgments, bankruptcies
► Criminal history
► Known assets
► Use of digital devices including cellular telephones

[Diagram labels: Family; Associates; Criminal History; Tax liens, U.C.C. filings, judgments, bankruptcies; Cellular; Computer Trails; Assets]

Theory of the Case
► What is the center of the case?
► Internal evidence
► Proximal
► Distal
► Limbic (world-at-large)

[Diagram labels: Limbic; Distal; Proximal; Internal; Person; Event; Evidence; Documentary/Databases/Computer; Business Ties/Relatives and Associates/Coworkers; Public records/News sources/Internet/Digital Storage/Assets]

Financial Motives
► Asset preservation
► Revenge
► Financial control of a business or an enterprise
► Seeking to gain an inheritance or a benefit
► Seeking to resolve personal debts
► Rescue a failing business
► Removing a financial rival
► To finance addictions such as gambling and drug abuse

Business Ties
► An individual may help set up a business without being an officer or director. His or her name, however, may appear on incorporation papers, loan applications, legal documents, applications for utilities, and on similar documents.
► Assisting with logistics may include operating motor vehicles, signing for shipments received, making shipments, including the associated paperwork, supervising contractors and vendors, and buying supplies and goods.
► (All of these activities leave a paper or electronic trail. Even operating a motor vehicle leaves a trail of gas and maintenance receipts, parking tickets, traffic tickets, and accident reports.)

Business Ties
► Financial activity may include doing the banking, signing checks, making credit card purchases, and paying bills.
► Even in illegal operations where traditional documentation is minimal, a trail will exist. Cellular telephone and pager traffic, files on digital devices, and financial transactions through alternate institutions and means, as described in “Examine Critical Attributes” above, all provide evidence of involvement.

Explicit Sources
► Web searches under subject’s name
► Local newspaper and news source databases
► Re-interviewing known witnesses

Tacit Sources
► Computers and digital devices
► Storage facilities
► Online repositories for information such as Google Documents®, collaborative spaces like MySpace® or Facebook®, and blogs managed by the subject.

Embezzlement Schemes
► Stealing from a business or organization over time can be difficult to detect, especially when an organization does not enforce the security principles of least privilege and separation of duties.
► Look for aggregation of job duties
► Look for “threat gates”
► Constructing a timeline

[Diagram: Accounting, Payroll, and HR functions, with “Dangerous Overlaps”]

Suspect Matrix – Accounts Payable Scheme
[Table flattened in extraction. Column headings: Suspect; Center (06/30/03) Event; Internal; Proximal; Distal; Limbic. Suspects: J. Jones; P. Sanford; M. Howard. Cell entries, in extracted order: X; Digital Footprint High; Coworker Suspicions; Ties to Diversified Investments; Criminal History; Coworker Suspicions; None; No access; X; Data access; None; A friend of J. Jones; Personal Bond]

Fraud Sources
► Online News Sources
► FBI and law enforcement sites
► Cyberprofiling

Tracing of Funds
► Aided by documentary evidence uncovered in the topics of connections and sources and supplemented by computer forensics, the investigator can visualize the flow of money in the past.

Computer Forensics Review
► In a financial cold case investigation, when warning flags are up that serious business and transactions occurred digitally, going to the expense of a forensic examination of the digital devices is warranted.

Table columns: Investigative Stage / Rationale / Other Considerations

Investigative Stage: Examine Critical Attributes
Rationale: Enumerate the known connections of the subject to money and finance
Other Considerations: Start with the known connections to develop new ones, previously unknown

Investigative Stage: Develop a Theory of the Case
Rationale: Establish a starting framework
Other Considerations: Always subject to revision as new facts develop

Investigative Stage: Investigate Financial Motives
Rationale: Seek to understand why transactions and activity occurred
Other Considerations: New motives may emerge as the investigation progresses

Investigative Stage: Examine Business Entities Ties
Rationale: Understand who all the players were
Other Considerations: An ongoing activity during the investigation

Investigative Stage: Consider Explicit Sources
Rationale: Research all available published and public sources. Re-interview witnesses.
Other Considerations: May provide only partial answers, but can serve as useful starting points for leads; reinterviewing witnesses can produce new leads.

Investigative Stage: Consider Tacit Sources
Rationale: Consider and locate previously unconsidered witnesses and documentary evidence, including computer-based evidence
Other Considerations: If you think someone could have useful financial information, talk to him or her. If you find an “old” digital device related to the subject, have it examined.

Investigative Stage: Embezzlement Scheme Considered
Rationale: Determine if this was a factor in the case
Other Considerations: Embezzlement schemes explain a lot of behavior in a case. Much criminal activity occurs in connection with embezzlements.

Investigative Stage: Fraud Sources Examined
Rationale: Look for online and conventional scams involving the subject
Other Considerations: Footprinting via the Internet can be productive.

Investigative Stage: Tracing of Funds
Rationale: Understand where the money went
Other Considerations: This investigative activity may require the integration of all the subjects and entities discovered in a case.

Investigative Stage: Computer Forensics Review
Rationale: Locate and examine digital devices and computers possibly affecting the case
Other Considerations: This stage may come into play earlier in the case depending upon the role of digital evidence in the events associated with the crime.

TOPICS AND MAIN AVENUES OF INVESTIGATION

Connections
► Interrelationships that existed between people and entities, such as businesses and organizations.
► Developing connections creates a framework for understanding the role of money or finance in the case.

Background Investigation
► Do a background investigation on the subject to uncover critical attributes from available evidence such as alternate financing cards, birth certificates, credit cards, credit histories, criminal history records.
► Including criminal intelligence sources, death certificates, debit cards, driver’s license information, marriage licenses, divorce records.
► In addition, run registration and ownership information on any known assets such as real estate, motor vehicles, boats, recreational vehicles, or aircraft.

More Background
► Check tax liens, U.C.C. filings, judgments, bankruptcies for the subject and for any discovered businesses.
► Research any incorporation or business licenses for discovered businesses with the Secretary of State (SOS) or corporation authority in the relevant jurisdiction.
► Also, most important, run an officer/director search for the subject and any known associates on the database with the SOS.

Backgrounding Con’t
► Obtain cellular and pager records on the subject. Locate and seize legally any digital devices belonging to the subject. Arrange for computer forensics examination when appropriate to the case.
► Research public records and filings related to any discovered businesses for evidence of the subject’s involvement in the business.
Backgrounding - Analysis
► Obtain by legal search or subpoena any business records of related companies that speak to the subject’s financial involvement. These records include payroll information, invoices, purchase orders, and shipping receipts.
► Organize the collected information using timelines, chronologies, link diagrams, and analytical software such as i2’s Analyst’s Notebook to gain a wide picture of the subject’s business involvement at the time of the events that made the basis of the cold case.

Timeline
02/01/03 Conference with banker
2/18/03 Vehicle purchased
2/10/03 Meeting at café
01/23/03 Life Insurance purchased

Analytical Chart Example
[Link chart. Nodes: Ft. Worth Business; Houston Business; Pay telephone near residence; Cellular calls from subject’s vehicle; Subject’s residence. Link labels: 40, 10, 15, 38 (number of telephone calls in a month)]
http://www.i2inc.com/products/analysts_notebook/

Motives
► If the crime was one that presented opportunity for embezzlement, analyze the vulnerabilities or “threat gates” in the business’ operations that permitted the crime.
► Research which employees had the opportunities to exploit those vulnerabilities. Investigate past work assignments, schedules, access to funds, and skill-sets that facilitated the crime.

[Figure caption: “A” is a threat gate. Could a check issue without supporting documents?]

Motives Con’t
► Identify persons within the company that had a motive to commit the crime: financial distress, addiction problems, serious dissatisfaction with company, and family problems.
► Overlay the information developed about motives with the connections data. Analyze the relationships and money flows from information developed in these other avenues of inquiry.

Sources
► Re-contact and re-interview known witnesses from the initial investigation to see if they have any additional information to shed light on the financial aspects of the case.
► Locate any media accounts through news database searches on subjects, related businesses, or associates.
► (Nexis® on News and Business Solutions at http://www.lexisnexis.com is a good source for searching a vast number of news sources. Google News at http://www.google.com is a free news research tool.)

More Sources
► Review any documentary evidence in the case file that may offer previously overlooked avenues for uncovering financial information about the case.
► For example, the case file indicates that the subject owned property in another county, but there is no record in the file of follow-up on the issue.
► Determine if any information developed in the connections or motives avenues helps to identify new witnesses that need locating and interviewing about relevant financial facts.

Sources….
► Consult fraud sources available online at sites such as “Fraud Schemes” at the FBI (http://www.fbi.gov/majcases/fraud/fraudschemes.htm)
► And “Crimes of Persuasion” at http://www.crimes-of-persuasion.com/victims/investigation.htm to obtain intelligence and background information about online scams.
► Do online “footprinting” of a suspect’s activity on the Web. Construct a criminal history from online sources if possible.

Sources…Cyberprofiling
MO (Modus Operandi); Personal ID; Geographical; Financial; Transactional

[Diagram: The Infosphere. Labels: Internal Organizational Publications; Writings and publications; Financial Transactions; Hobbies and interests; Computer-based information; News Accounts; Resumes and CVs; New Media (USB, etc.); Online Postings; Laptops and PDAs; common storage]

Modus Operandi
Inmate Searches; Deadbeat Parents; Criminal Records; Most Wanted; Sites Selling Criminal Supplies/Equipment; Newspaper, TV, Radio sites

Personal ID
Vital Records; Civil Records; Genealogical; Trade, Professional Organizations; Newspaper, TV, Radio Sites; Fee Based Sites; Colleges, Universities; Resumes; Personal Websites; Published Writings; Collaborative Spaces

Geographical
Maps - Google; Telephone Address Directories; Reverse Look ups; Mail Drops; Locate Sites

Financial
► Licenses
► Bankruptcy
► Civil Records
► Corporations (Officer/Director)
► DBA
► Property Sales, Tax Records
► Fee-based Search Sites
► Motor Vehicles, Boats, Aircraft

Deep Web sites of interest
► SEC Edgar – ownership in public companies
► eBay – online auctioning
► Federal Express – shipping
► UPS – shipping
► Lexis-Nexis – public records, news accounts
► Genealogy – ancestry.com – relatives
► Dun & Bradstreet – business reports
► Westlaw – court cases
► Secretary of state offices – corporate records

Transactional
Domain Name Owner; E-mail Directories; Web Site Postings; Collaborative Spaces (MySpace); Search Engines; Online Auctions; News Groups; SIGs

Specific Techniques:
Computer Forensics
Tracing of Funds

Computer Forensics
► Data that ties the subject or person of interest to the device or media is crucial. Without establishing a connection between the digital evidence and the subject, anything discovered has limited probative value.
► This associative evidence includes information only known by the subject: account numbers, usernames, passwords, financial details, e-mail addresses, personal details and facts, and the like.
► Creation, access, and modification dates and times in files can tie the subject to data on the machine or device.

Computer Forensics - Keywords
► Locating keywords reflecting illicit trade or business tells a great deal.
► Or, keywords particular to the case

Keywords in Identity Theft Investigation
► Business identity theft
► Personal identity theft
► Credit card fraud
► SSN
► DOB
► Credit card skimming
► Name
► Address
► Trojans in identity theft
► Phishing
► Shoulder surfing
► Cross-site scripting
► Fraudulent Web sites
► Drivers’ licenses
► Birth certificates
► Dumpster diving
► Address change
► Stealing identification
► Pretexting
► Bank or finance fraud
► Government documents fraud
► Renting property
► Getting a job
► Avoiding correct identification when arrested
► Phone or utilities fraud

Forensics… Transactions
► Data that details financial transactions in spreadsheets, financial statements, financial documents, loan papers, and similar documents.
► E-mails, text messages, Internet messaging, chat room discussions, Web site postings, and other electronic correspondence that documents financial connections.
► Evidence of online banking and financial transfers.

Digital Thieves
► Financial forms including blank negotiable instruments like checks and money orders. This could be evidence of a forgery or a counterfeiting operation.
► Software used to generate credit card numbers, to skim credit card numbers, or to capture credit transactions from, say, retail point-of-sale wireless networks. Evidence of credit card fraud through stolen account numbers.

Electronic Theft
► Caches of credit card numbers and customer information, social security numbers, and other personal identifiers. Evidence of identity and credit theft.
► Desktop software to generate fraudulent invoices, financial statements, and correspondence. Often, legitimate companies’ documents and logos will be in a file to facilitate creating forgeries.
► Accounting software to create a bookkeeping system for a business. Presence of a general ledger and journal entries for a business, which can be legal or illicit. The same software could generate fraudulent financial statements.
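
The keyword and "Electronic Theft" slides describe searching recovered text for case keywords and for caches of card numbers and personal identifiers. The sketch below is an added example, not part of the original presentation: it triages text already extracted from a device, using a Luhn checksum to separate card-like numbers from look-alikes. The keyword subset, function names, and sample text are assumptions constructed for illustration.

```python
import re

# Case keywords: a subset of the identity-theft keyword slide.
KEYWORDS = ["skimming", "phishing", "pretexting", "dumpster diving", "ssn", "dob"]

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out invoice and phone numbers that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so the report is not itself a new cache."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def triage(text: str) -> dict:
    """Summarise card-like numbers, SSN-shaped strings and keyword hits in text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(mask(digits))
    lowered = text.lower()
    hits = {k: len(re.findall(r"\b" + re.escape(k) + r"\b", lowered)) for k in KEYWORDS}
    return {
        "cards": cards,
        "ssn_like": len(SSN_RE.findall(text)),
        "keywords": {k: n for k, n in hits.items() if n},
    }


# Constructed sample; the numbers are well-known test values, not real accounts.
SAMPLE = (
    "skimming run 3 -- card 4111 1111 1111 1111 exp 09/04, SSN 078-05-1120, DOB on file\n"
    "invoice ref 4111 1111 1111 1112 (fails the checksum)\n"
    "phishing template saved; second card 5500-0000-0000-0004\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hits from a scan like this are leads only; per the "Computer Forensics" slide, they still need associative evidence and file dates and times to tie them to the subject.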
Tracing of Funds
► How was the business or enterprise financed?
► What commodities, goods, or services served as the basis for the enterprise?
► Which financial institutions were involved?
► Were alternative financial tools involved?
► Was money laundering involved in the enterprise?
► Who were the principal players in the enterprise?

Tracing…
► What were the personal financing arrangements?
► Were there collateral investigations of the enterprise by the IRS, SEC, or state taxing authorities?
► Where did the subject’s funds go?
► Were there attempts to hide assets? How did the hiding take place?

Indicators of Suspicious Financial Activity
► Multiple transfers to foreign bank accounts,
► Constantly clearing third party checks to foreign accounts, and attempts to deposit cash in multiple bank accounts with each deposit below the $10,000 reporting requirement of the Bank Secrecy Act.
► Other warning signs include interlocking corporate entities with common officers and directors, used to shuttle funds between the entities

More Suspicious Activity
► Regular deposits to charities in foreign countries. Terrorists operate behind front organizations and businesses to move money around to finance terrorist operations.
► Layers of dummy corporations and diverse bank accounts enable them to launder and to transfer funds under the guise of legitimate business or charitable operations. It creates a labyrinth of paper and electronic trails to follow, making it difficult for financial investigators.
► Using nontraditional banking channels

Table columns: Topic / Impact / Investigative Avenues

Topic: Connections: Business Entities Ties; Critical Attributes; Theory of the Case
Impact: Understanding the nature of the subject’s business dealings; Uncovering connections to people, business, money; Developing a working framework for understanding the relationship of money to the case.
Investigative Avenues: Doing research of public records and databases, reviewing business documents, and interviewing persons knowing about past business dealings; Building a background history on the subject; Using Chronologies, Link Diagrams, Analytical Software.

Topic: Motives: Embezzlement Scheme; Financial Motives
Impact: Detecting a crime of opportunity: What opportunities did the suspect have? What role did money or financial activities play in the crime?
Investigative Avenues: Investigating past work assignments, schedules, access to funds, and skill-sets. Analyzing the relationships and money flows from information developed in other avenues.

Topic: Sources: Explicit Sources; Fraud Sources; Tacit Sources
Impact: Published media, Known witnesses, Documentary evidence in the case; Subject’s involvement in illegal financial activities; Previously unknown witnesses, Hidden information on computers or digital devices
Investigative Avenues: Doing research in print media and on the Internet; Conducting Internet footprinting of a subject’s transactions; Doing criminal histories; Locating new witnesses, doing computer forensics.

Topic: Specific Techniques: Computer Forensics; Tracing of Funds
Impact: Uncovering hidden financial dealings and relationships; Where did the money go? Who was involved?
Investigative Avenues: Locating and examining computer and digital devices; Conducting forensic accounting, hidden asset investigations.

More Information
► Probing into Cold Cases – Charles C. Thomas Publisher – www.ccthomas.com and Amazon.com
► On Google search for “Ronald Mendell knol”
► My “knol” will stay updated about the book and cold case investigations

More
► How To Do Financial Asset Investigations 3rd edition (Working on the 4th edition)
► Charles C. Thomas Web site
► Amazon.com
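
The "Indicators of Suspicious Financial Activity" slide names cash deposits spread across multiple accounts, each below the $10,000 reporting requirement. The following is an added example, not part of the original presentation, showing how an analyst might screen reconstructed deposit records for that pattern. The seven-day window, the record layout, and the subjects and accounts in the ledger are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

THRESHOLD = 10_000            # reporting threshold named on the slide
WINDOW = timedelta(days=7)    # assumption: review window chosen for this example


def find_structuring(deposits):
    """Flag subjects whose sub-threshold cash deposits, spread over two or more
    accounts, add up to the threshold or more within WINDOW."""
    by_subject = defaultdict(list)
    for d in deposits:
        if d["type"] == "cash" and d["amount"] < THRESHOLD:
            by_subject[d["subject"]].append(d)

    findings = []
    for subject, rows in by_subject.items():
        rows.sort(key=lambda r: r["date"])
        start, total = 0, 0
        for end, row in enumerate(rows):
            total += row["amount"]
            # Slide the window forward until it spans at most WINDOW.
            while row["date"] - rows[start]["date"] > WINDOW:
                total -= rows[start]["amount"]
                start += 1
            accounts = sorted({r["account"] for r in rows[start:end + 1]})
            if total >= THRESHOLD and len(accounts) >= 2:
                findings.append({"subject": subject, "from": rows[start]["date"],
                                 "to": row["date"], "total": total, "accounts": accounts})
                break   # the first qualifying window per subject is enough for a lead
    return findings


def dep(subject, account, y, m, d, amount, kind="cash"):
    """Build one deposit record (layout is an assumption of this example)."""
    return {"subject": subject, "account": account, "date": date(y, m, d),
            "amount": amount, "type": kind}


# Constructed ledger; subjects and accounts are placeholders.
LEDGER = [
    dep("S-1", "ACCT-A", 2003, 2, 3, 4900),
    dep("S-1", "ACCT-B", 2003, 2, 4, 4800),
    dep("S-1", "ACCT-C", 2003, 2, 5, 4700),
    dep("S-2", "ACCT-D", 2003, 2, 3, 9500),
    dep("S-2", "ACCT-E", 2003, 3, 20, 9000),   # too far apart to aggregate
    dep("S-3", "ACCT-F", 2003, 2, 3, 12000),   # over the threshold, reported anyway
    dep("S-3", "ACCT-G", 2003, 2, 4, 3000),
    dep("S-4", "ACCT-H", 2003, 2, 3, 6000, kind="check"),
    dep("S-4", "ACCT-I", 2003, 2, 4, 6000, kind="check"),
]
```

Calling `find_structuring(LEDGER)` returns a single finding for S-1; a flagged window is a lead for the tracing-of-funds questions above, not proof of intent.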