16 April 2012

The Digital Detective

Crowe Soberman LLP


They got Al Capone for tax evasion; not for any one of the hundred or so other crimes he allegedly committed. Apparently, it was testimony of his accountant and the discovery of a mysterious "second set of books" that finally put Capone away. The books were well hidden. Fortunately, the accountant knew where to find them.

Had it been today, Capone might well have gotten away with it. Nowadays, it is trivial to keep one, two or three sets of books based on the same transactions - one for the tax auditor, one for the police and one for real. All three copies can be saved on a USB key the size of a stick of gum. Moreover, the accounting files can be encrypted so that no one, with the possible exception of the National Security Agency, can read them [1].

The Digital Detective (or, more accurately, the digital forensics specialist, or DFS) now enters the scene. He or she is a modern-day sleuth capable of tracking down electronic evidence, recovering deleted files, reconstructing Internet transactions, finding oh-so-carefully hidden emails, sifting through huge masses of data and finding "the smoking gun." In the last decade, digital forensics has grown from an esoteric subspecialty to a full-blown profession. Training is extensive and includes college or university degree programs, postgraduate training, mandatory work experience and professional certification (e.g., Certified Computer Examiner designation – CCE). Most importantly, the DFS earns widespread recognition and acceptance by police forces and the courts as a valid (even preferred) source of evidence and amicus curiae (friend of the court) in criminal and civil matters.

The DFS often works with lawyers, forensic accountants and law enforcement as part of an integrated investigation team. The lawyer may obtain physical evidence by using an Anton Piller order (civil search warrant). The forensic accountant provides a theory of the crime and helps to narrow the search parameters (e.g., time frame, key words and accomplices). The DFS then proceeds to electronically search the hard drives, smart phones, tablets, USB keys and even cloud-based storage of the suspect using specialized software and utilities. This is not a "Google" search. It requires a high degree of technical proficiency with operating systems, application software, file structures, malware and custom-built electronic equipment designed to recover every last bit of information.

A legally valid digital forensics examination and expert report should (at minimum) address the following:

  • The computer, hard drive, etc., was obtained legally, or if "hacked," done with court permission;
  • A documented chain of custody was maintained to ensure that items were not lost or tampered with;
  • A forensic copy (exact duplicate made with special equipment) of all hard drives, etc., was made prior to the commencement of any work that can serve as a reference and prove that the electronic records were not modified;
  • The software tools used to search and analyze the hard drives must be recognized and accepted by the court (e.g., EnCase® software), or their validity must otherwise be established;
  • There must be a detailed record of all the scans and searches run by the DFS, and the results must be reproducible;
  • The report must set out the findings in an objective and impartial way, preferably in a way that is understandable to non-technical judges and juries;
  • The DFS must be appropriately trained and certified and, ideally, previously qualified as an expert by the court; and
  • The DFS must attest (as do other experts) that his/her report is impartial and accurate.

One of the most difficult aspects of an examination is insightfully limiting the scope. Decisions of this nature, because of their importance, are often made jointly by the professional team. Too detailed an examination can be prohibitively expensive; too superficial an examination may overlook critical evidence upon which the case may turn.

Footnote

1. Recent American case law supports the proposition that one can be compelled to disclose an encryption password to law enforcement officials, but this has not yet been tested in Canada, nor thoroughly litigated in the U.S.
