The sum is greater than the parts: How computer forensics and investigative data analytics support and feed off each other


While Computer Forensics and Investigative Data Analytics are two different disciplines, they complement each other and, if jointly applied to an investigation, can surgically identify and quantify the modus operandi and the losses.


The following case studies summarise how these two disciplines can work in tandem, each providing raw intelligence that is refined and acted upon by the other discipline and the investigation team.


Case Study 1

In this case an accounts payable supervisor was suspected of manipulating the accounting systems to generate false payments for her own benefit.  The investigation strategy involved the dual approach of forensically imaging all the company devices she used, including tablet, mobile phone and the email servers.  Data from the internal SAP accounting system was acquired under the same strict evidential protocols: two copies of the SAP data were taken, the extraction process was monitored and documented, any computer scripts used to extract the data were retained, and one copy of the data was sealed in an approved evidence bag.  Using recognised forensic tools such as EnCase and Nuix, the data was indexed and keyword searches were conducted based on the understanding of the allegations and suspicions.  Data analytics was used to analyse the system audit logs for any suspicious changes.  This analysis identified changes to dormant suppliers' details, including:

name changes;
new bank account details; and
logging that several user ids were used to make the changes.

This new intelligence refined the Nuix searches, which in turn identified further transactions, suppliers and associated user ids; applying these to the accounting information identified additional associations between the bank accounts and the suspect employee.  The end result was a successful criminal conviction, a three year sentence and an asset recovery order for over £350,000.
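The audit-log analysis described in this case study can be expressed as a small detection routine.  The following is an added example, not the investigation team's own tooling: the supplier master, the audit records and the field names (supplier_id, field, user_id) are all constructed for illustration and are not SAP's real schema.

```python
"""Flag sensitive master-data changes made to dormant suppliers and show
which user ids made them (constructed data; not a real SAP extract)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed supplier master: date of the last payment to each supplier.
LAST_PAYMENT = {
    "S100": "2015-03-01",   # dormant at the time of the changes below
    "S200": "2016-01-20",   # recently paid, i.e. active
    "S300": "2014-11-05",   # dormant
}

# Constructed change-audit records: (timestamp, supplier_id, field, user_id).
AUDIT_LOG = [
    ("2016-02-01 09:12", "S100", "name", "user_a"),
    ("2016-02-01 09:15", "S100", "bank_account", "user_b"),
    ("2016-02-03 11:40", "S200", "address", "user_c"),
    ("2016-02-05 16:02", "S300", "bank_account", "user_a"),
    ("2016-02-05 16:10", "S300", "bank_account", "user_d"),
]

# The two fields the case study singles out: supplier name and bank details.
SENSITIVE_FIELDS = {"name", "bank_account"}

def is_dormant(supplier_id, change_ts, dormant_days=180):
    """A supplier is dormant if nothing was paid to it in the dormant_days
    before the change (the 180-day window is an assumed threshold)."""
    last = datetime.strptime(LAST_PAYMENT[supplier_id], "%Y-%m-%d")
    return change_ts - last > timedelta(days=dormant_days)

def flag_dormant_changes(audit_log, dormant_days=180):
    """Return {supplier_id: {"fields", "users", "count"}} for sensitive
    changes to dormant suppliers, collecting every user id involved."""
    hits = defaultdict(lambda: {"fields": set(), "users": set(), "count": 0})
    for ts, supplier, field, user in audit_log:
        change_ts = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if field in SENSITIVE_FIELDS and is_dormant(supplier, change_ts, dormant_days):
            hit = hits[supplier]
            hit["fields"].add(field)
            hit["users"].add(user)
            hit["count"] += 1
    return dict(hits)

def multi_user_suppliers(hits):
    """Suppliers whose dormant-period changes came from several user ids,
    the pattern that pointed the investigators at shared credentials."""
    return sorted(s for s, h in hits.items() if len(h["users"]) > 1)

if __name__ == "__main__":
    results = flag_dormant_changes(AUDIT_LOG)
    for supplier in sorted(results):
        print(supplier, results[supplier])
    print("changed by several user ids:", multi_user_suppliers(results))
```

The flagged suppliers and user ids are what would then be fed back into the keyword searches over the imaged devices and mailboxes.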


Case Study 2

In assisting another client, the core allegation was the use of ghost employees working on a large construction site.  Access to the site was via old-fashioned manual “Clock Cards” which recorded when an employee entered and left the site.  The Police had seized several thousand of these cards as well as the back office accounting machines.  Adopting this dual approach of computer forensics and data analytics, the Sage payroll system was recovered and core payroll data extracted.  An evidentially sound conversion process was developed in-house to record the clock card information.  This data analysis quickly identified that there were many variations for potentially the same person, such as: J Smith, Jon Smith, John Smith, Jack Smith, Jack Smyth, Jason Smith etc.  Computer forensics identified Excel spreadsheets which were used to consolidate all these time sheets into invoices, which were submitted to the next level in the supply chain for authorisation.  A review of the emails sent from the corrupt supplier to the authoriser in the next level of the supply chain identified that he had been compromised by accepting a new car and overseas holidays.  The analysis of the Sage payroll confirmed that the number of employees did not agree with the invoices and that, associated with a real John Smith, there were false clock cards for numerous false identities.  The evidence provided in this investigation was accepted by the defence without cross-examination, resulting in custodial sentences and asset recovery orders in excess of £500,000.


Each of these investigative disciplines can be successfully used in isolation, but combining the two shortens the investigation process and inevitably produces a successful outcome.


For more information contact [email protected]
