Fraud

January-February 2004 — PRINT EDITION

Table of Contents

E is for evidence

By Tae Kim
Illustration: Cathy Pentland

Electronic evidence can sometimes be found in the most unlikely places

He's very clever. If he's guilty, I doubt that he's left any tracks," said Chuck Grant, in-house counsel for Strathcona Manufacturing Ltd., a large furniture manufacturer located in Western Canada. He was referring to Arnie Stukowitz, Strathcona's director of purchasing, who had just been implicated in a poison-pen letter as having taken kickbacks from three of the company's biggest suppliers, which were named in the letter.

Grant was briefing Karen Morgan, a forensic accountant he had summoned after receiving the letter. "I don't like Arnie," Grant said. "There's always been something about him that felt a bit odd to me. But he's good at his job and he's got a clean record. Look, he's the type that will sue us — and very loudly — if we make the slightest wrong move against him." For that reason, he instructed Morgan to conduct a very discreet and limited investigation into the allegations. "I don't want you interviewing anyone," he said, "especially the suppliers. I don't want to take the chance that it could get back to Arnie."

With such an imposing restriction, Morgan knew the assignment would be challenging. She realized if she obtained enough preliminary evidence to address the allegations and to back them up, Grant would likely allow her to do a more thorough investigation. Her plan was to examine the electronic evidence stored in devices that Stukowitz used or accessed while conducting his work.

"I doubt Arnie would be so careless as to leave incriminating evidence on his hard drive," Grant said when Morgan discussed her strategy. "He also knows about deleted files and how they can be retrieved. I've heard him talking to colleagues about how they can often be recovered."

Electronic evidence, Morgan countered, can be found in sources other than a hard drive. "We have an e-evidence expert, Marty McLaughlin, who will work with me on this case. You'll be surprised how much evidence can be examined, aside from a hard drive." Grant approved Morgan's plan, which required Morgan and McLaughlin to do most of their work at night and on the weekend. To reduce the chance of Stukowitz catching them — he often came into work late at night and on weekends — they had Grant arrange for Stukowitz to attend a course out of town for a few days. McLaughlin suspected Stukowitz would likely take his laptop with him, as he did, McLaughlin came in one night and discreetly made a copy of the hard drive on Stukowitz's laptop.

Grant was right — if Stukowitz was indeed demanding kickbacks from suppliers, there was nothing in the active or deleted files of his hard drive that implicated him in any way. The next step, McLaughlin recommended, was to access Stukowitz's e-mails. In 2002, the Wall street Journal estimated businesses in North America sent 3.25 trillion e-mails. Accessing e-mails is not hard, since they can reside in several locations: a user's hard drive, on e-mail servers, on ISP servers (a court order is required to access these) and in company backup tapes (although they might only be stored for a short period of time, depending on a company's policy).

In this case, they had a copy of Stukowitz's hard drive, which included his recent e-mails. Morgan and McLaughlin were able to view them because some privacy laws treat e-mails like personal conversations. (Strathcona requires all employees to sign an agreement that clearly states that e-mails and all other forms of communication using Strathcona technology are the property of the company and can be reviewed at any time.)

Stukowitz's recent e-mails, however, produced no evidence of wrongdoing either. Morgan asked whether it was possible to review deleted e-mails, which might have been saved on the company's backup tapes. "It can be done," McLaughlin said, "but given how careful Stukowitz appears to have been, recovering backup tapes could be time-consuming and expensive. Let's leave that option as a last resort."

McLaughlin suggested they continue their review of available sources. Next was a review of Stukowitz's phone logs, both his office line and cellphone. The investigators focused on calls to and from the suppliers named in the letter. After reviewing the electronic phone log with the assistance of some visualization tools, a distinctive pattern emerged in how Stukowitz was making his calls. "This is curious," said Morgan, as she reviewed their analysis of several periods leading up to contract renegotiations with the suppliers in question. "I don't see an unusual volume of calls," McLaughlin said. "In fact, it looks very light." That was what Morgan found curious. She had compared the volume of calls during working hours between Stukowitz and suppliers not named in the letter during times when they were renegotiating their contracts. "It's much heavier, more normal in my opinion, given what was taking place."

Perhaps Stukowitz was making calls to suppliers from home or from a pay phone, she theorized. McLaughlin suggested another scenario. "He was known to work late at night," he said. "Maybe he was making them from here, but from another phone." The thought of reviewing the phone logs of all Strathcona employees made Morgan gasp with dread. They headed for the mailroom. It had been McLaughlin's experience that internal fraudsters sometimes used the phone on a company fax machine to place calls they didn't want traced back to them. Sure enough, an examination of the logs for the main fax line revealed a large number of calls to the three suppliers in the evenings leading up to their contract renegotiations.

"This is encouraging," Morgan said, "but there's no proof who made the calls. Grant's right, he really is clever." Perhaps, McLaughlin said, but there's always a trail, always something the fraudster didn't take into consideration. "I remember a case where an IT guy decided to sabotage his company's management payroll system," he said. "He wanted management to suffer some kind of financial stress by not getting their cheques out on time. So he wrote a script and planted it in the system so it would go into effect the day after he left the company. He also changed the passwords on the server so no one else could get in to set the thing right. And it worked. It took the company almost two weeks to fix the problem." McLaughlin had been retained to help identify the culprit. "He thought he was safe," McLaughlin continued, "because it could have been any of a number of employees. Except for one piece of evidence."

McLaughlin pulled out the security card he and Morgan had used to enter the mailroom. A lot of employees, he explained, think this just opens the door. They don't realize it leaves a record of who uses the card and when. "That's how we knew which IT guy changed the program. There was only one person who accessed the server room during the time the program was rewritten," he said. "So let's see what Stukowitz's security card logs shows."

Sure enough, the security logs confirmed that Stukowitz had been in the mailroom on the evenings, and at the times, when the phone calls were placed to the suppliers. A review of the log of sent faxes for the nights and times in question showed no record of faxes having gone through the machines. Now the investigators had proof that Stukowitz was communicating with the suppliers in a suspicious manner during contract renegotiations. But Morgan doubted it would be enough to convince their cautious client to let them interview Stukowitz or the suppliers.

McLaughlin suggested they review data on Stukowitz's Blackberry, a device known as a personal digital assistant, which his company purchased. "People tend to be more careless about what they store on them," he said, "because they see the devices as being very personal and private, unlike their computers." And, he added, people are less diligent about deleting entries in a calendar than they are about e-mails. "But how do we get it," Morgan asked, "without raising his suspicions?"

"We don't need to get it," said McLaughlin. Strathcona, he said, was running an Outlook Exchange server that synced wirelessly with its employees' Blackberry pagers. This meant everything on Stukowitz's Blackberry was also on the server.

This was the turning point in the case. An examination of Stukowitz's day planner for the previous six months revealed a weekend meeting with one of the suppliers about a week before a lucrative contract had been renegotiated with Strathcona, at a price that came in a fraction below the next lowest tendered bid. "This supplier was either very lucky or knew what the competition was bidding," said Morgan.

More incriminating was a notation by Stukowitz to give the supplier "directions to the cottage lot." Further investigation revealed that Stukowitz recently had an expensive cottage built, and that the supplier had provided some of the building supplies and labour.

This body of evidence was enough for Grant to authorize a full-scale investigation. Morgan then approached the principals of each of the three suppliers, who authorized her to conduct interviews with key employees at their firms. At first they all denied having paid any kickbacks to Stukowitz. But when the CEO of the supplier implicated in the cottage scheme was presented with Morgan's evidence, he admitted what had happened. Once he confessed, the others did too. In fact, they said they were relieved that the truth was out in the open. Stukowitz, they all claimed, gave them no choice to secure the business. Pay him some benefit — usually not cash; he preferred goods and services, especially travel to exotic resorts — or lose the busi-ness. Interviews with suppliers who did not win contracts with Strathcona confirmed that Stukowitz had cut them off when they refused to go along with his demands. "I'm certain one of them sent the letter," Morgan told Grant, "perhaps one who refused to pay Stukowitz."

When she had completed her interviews with the suppliers, Morgan joined Grant in a confrontation with Stukowitz. He denied all allegations, threatened to sue Strathcona and stormed out of the meeting. The next day, however, he returned with his lawyer and said he was willing to negotiate restitution. Grant thanked Morgan for what she and McLaughlin had accomplished and took over from there.

"I had no idea there were so many places you could find evidence," he told Morgan as she left. Fortunately, neither did Stukowitz, or many of the fraudsters who think, foolishly, that they have covered their tracks.

Tae Kim is a senior computer forensic investigator in the Toronto office of Kroll Lindquist Avey. He can be reached at tkim@krollworldwide.com

Technical editor: Roddy Allan, CA•IFA, prinicpal at Kroll Lindquist Avey