Computer Forensics Insights into Locating Undisclosed Assets

<b>Editor's Note:</b>
<i>
Please see a related article in this issue by Jack Seward.
</i>

</blockquote>

<p><img src="/AM/images/letters/i.gif" align="LEFT" border="0" hspace="5" vspace="5">n most bankruptcies,
there is little cash to go around, so trustees and creditors are always on
the lookout for additional assets. In some cases, the trustee or creditors
are bewildered to find out that the company or individual has no assets.
The debtor made lots of money each year for several years, and then
suddenly is insolvent. All indicators suggest that the debtor should have
more assets than reported on the bankruptcy petition. However, it is not
readily apparent what happened, and inevitably the trustees and creditors
ask: "Where'd the money go?"

</p><p>One explanation may be that the debtor concealed
assets prior to filing for bankruptcy. Using computer forensics, an
expert may be able to uncover a small clue or key piece of information
that ultimately leads to the undisclosed assets. This article is meant to
introduce some computer forensic concepts to generate awareness regarding
the type of information that can be found as trustees or creditors search
for debtor assets not disclosed on the bankruptcy petition.

</p><p>During the last decade, the use of computers has
increased significantly. The Y2K scare showed just how much businesses and
individuals rely on computers to handle daily activities. Because of the
extensive use of computers, the "paper trail" that once existed
has quickly faded. Most information is now stored or maintained on some
type of digital media.

</p><p>In the past, businesses stored their records in
filing cabinets and desk drawers. However, in today's environment,
more books and records are being stored on laptops, network servers and
third-party servers. Companies are conducting more and more business via
e-mail. Computers are used to create company memoranda, correspondence,
strategies, business plans, product designs and economic forecasts using
word processing and spreadsheet software. In most cases, these digital
files are stored only on digital media.

</p><p>One of the first steps in the computer forensics
process is identifying the digital media on which digital information may
be stored. Because technology changes each day, it is difficult to identify
all of the devices that may contain digital information. However, there are
some clear areas where digital information can be found, which include the
following:

</p><ul>
<li>work and home desktop and laptop hard drives

</li><li>network servers, which include e-mail

</li><li>personal information managers (PIMs) and
personal digital assistants (PDAs)

</li><li>pagers

</li><li>voicemail

</li><li>printers, facsimile machines and digital
copiers with buffer memory

</li><li>third-party servers such as Internet service
providers (ISPs)

</li><li>back-up and archival tapes. At first glance,
these two physical areas may appear to be the same, but they are quite
different. Back-up tapes are created on a periodic basis in case a computer
system fails. The back-up tapes may be recycled, meaning that the data on
the tapes is constantly being overwritten with new data. Therefore, the
information on the back-up tapes may not be permanent. If the computer
fails, the back-up tapes can be used to restore a system back to a specific
point in time. On the other hand, the archival tapes are permanent and are
not used to store data on a periodic basis.

</li><li>removable media such as CD-ROM, hard disks,
Smart Media, Compact Flash Card Type I/II, Click Drive, Memory Stick and
Trek Drive.
</li></ul>

<p>Once the digital media have been identified, the
following non-physical areas need to be searched:

</p><ul>
<li>active files

</li><li>deleted items: active files that have been
"erased" but still remain on the digital media

</li><li>e-mail files

</li><li>slack space: This term is explained as follows:

<blockquote>
When computer disks are first formatted, they are
divided into tracks and sectors. A combination of two or more sectors on a
single track is called a cluster—the basic storage unit of a disk.
Different disk formats have different cluster sizes, but the concept is the
same. When you save a file that takes up less than one cluster, other files
will not use the additional space in that cluster. In short, once a cluster
contains data, the entire cluster is reserved. This is similar to the
situation in most restaurants. If three people are sitting at a table that
seats four, the additional seat remains empty until the three people have
finished using the table. The idea is that a fourth stranger might
interfere with these three people's meal. Similarly, if a computer
tried to squeeze extra data into the unused part of a cluster, the new data
might interfere with the old. The extra space in a cluster is called slack
space. Even when a deleted file is overwritten, if the new file does not
take up the entire cluster, a portion of the old file might remain in the
slack space. In this case, a portion of a file can be retrieved long after
it has been deleted and partially overwritten.<small>^{<a href="#3" name="3a">3</a>}</small>
</blockquote>

</li><li>unallocated space: This concept refers to disk
space that the computer is not actively using to store data. Imagine a disk
that has many tracks running around it similar to a running track at a
local high school. The tracks closest to the middle are used first, and as
the disk is filled, the computer stores data further away from the middle.
If the computer had stored data in unallocated space, the data may still
exist if the space was never reused.
</li></ul>

<p>Trying to find electronic data that leads to
additional assets is like trying to find a needle in a haystack. The search
for key data can be greatly enhanced if the search is narrowed to specific
areas. One must be smart about what information is collected and analyzed.
The objectives of the computer forensic investigation should be very clear;
otherwise, a lot of precious cash will be expended without achieving the
desired results.

</p><p>Although time is critical when performing computer
forensic work, the parties and investigators must spend some time up-front
planning the work to be performed and determining where to focus their
search. One way to do this is by interviewing employees to determine where
specific information may reside within the business. The company's IT
professionals should be consulted to add intelligence to the search effort.
With up-front planning and a focused approach, trustees or creditors will
have a better chance of finding the needle in the haystack.

</p><p>Once the digital information is recovered, the
investigator should look for patterns. For example, if an investigator
finds that there were many files deleted on a particular day near the time
of the bankruptcy filing, this may be suspicious, and the investigator
should pay particular attention to the deleted files. This situation does
not automatically indicate fraud or wrongdoing, but suggests further review
is necessary.

</p><p>By searching the electronic data, the investigator
may find key e-mails or documents (partial or whole) that lead to the
discovery of undisclosed assets, such as:

</p><ul>

<li>bank and brokerage accounts

</li><li>coin or art collections

</li><li>affiliated companies with assets

</li><li>unfiled tax refunds

</li><li>real property

</li><li>automobiles

</li><li>insurance policies with value
</li></ul>

<p>E-mail can be quickly and efficiently reviewed using
key word searches. For example, during the bankruptcy proceedings, the
trustee or creditors may learn that the debtor company may own a coin or
art collection that was not disclosed on the bankruptcy petition. One way
to review vast amounts of data is by searching the company's e-mail
using key words such as coin, art, artwork, paintings or collections.

</p><p>A word of caution: Although there are many benefits
associated with computer forensics, the cost of collecting and analyzing
digital information may prohibit trustees and creditors from employing
these types of techniques for smaller bankruptcy cases. The costs may range
from as little as $4,000 to collect and analyze one hard drive to more than
$1 million to collect and analyze more than 100 hard drives and servers in
multiple company locations. A team of professionals may be necessary to
guide trustees and creditors through the computer forensics process.
Because these professionals are so specialized, trustees and creditors can
expect to pay in excess of $200 per hour for their services.

</p><p>It is difficult to estimate exactly how much a
computer forensics investigation will cost because it depends on the amount
of information that is collected and analyzed. In most cases, investigators
do not know how much data is "out there" until they start
recovering it. The cost of the investigation also depends on how much data
the client wants to recover.

</p><p>The cost of the computer forensics work needs to be
addressed before the examination starts because it will dictate how much
digital information can be recovered and analyzed. Creditors or trustees
with limited funds in an estate that cannot afford a full computer
forensics examination may decide to take a less-costly course of action,
such as recovering and analyzing only company e-mail.

</p><p>Before trustees or creditors can use key digital
information, they must find it first. To do this, they will need to hire
experts to identify, collect, extract and analyze digital information.
Because specific electronic data may not be easily accessible or may be
buried among vast amounts of digital information, computer forensic
techniques are needed to recover the desired information. In some cases,
examiners may need to collect and extract digital evidence that has been
deleted, while in other cases they may need to cull through trillions of
bytes to find just the right information. Whatever the case, it is clear
that some electronic clues may go undetected without the use of computer
forensics.

</p><hr>
<h3>Footnotes</h3>

<p>^{<small><a name="1">1</a></small>} Matthew
Schwartz is a partner in the Insolvency and Litigation Services Department
of Bederson &amp; Co. LLP. An officer of the Association of Insolvency
Restructuring Advisors, he has spent the past 15 years investigating and
consulting on matters related to insolvency, bankruptcy and related
litigation. <a href="#1a">Return to article</a>

</p><p>^{<small><a name="2">2</a></small>}<span class="text133"> Anthony
Cecil is a manager in the Insolvency and Litigation Services Department of
Bederson &amp; Co. LLP. He has spent the past 16 years investigating and
consulting on matters related to white-collar crime and related litigation. <a href="#2a">Return to article</a>

<p>^{<small><a name="3">3</a></small>} Casey, E.
(2000). <i>Digital Evidence and Computer Crime:
Forensic Science, Computers and the Internet.</i> New
York: Academic Press. <a href="#3a">Return to article</a>

</p><hr>

<br>

<!-- Source Code Copyright © 2003 Active Matter, Inc. www.activematter.com -->

</span></p></td>
<td valign="top" width="125">

<table border="0" cellpadding="0" cellspacing="0" width="125">
<tbody><tr>
<td width="5"><img src="/AM/graphics/spacer.gif" alt="" height="1" width="5"></td>
<td align="center" width="120">
</td>
<td width="5"><img src="/AM/graphics/spacer.gif" alt="" height="1" width="5">