Normal Size Small Size show me how
|common methods of obtaining documentary evidence
|oral consent of the subject/custodian
|what is indented writing
|the impression a writing instrument leaves on sheets of paper underneath the sheet that contains the original writing
|what is oblique-lighting method
|method used to discover the text of an indented writing by shining a bright beam of light at an oblique angle across the document to note shadows from indentations.
|what is chain of custody
|process and a document that establishes that there has not been a material change or alteration to a piece of evidence by memorializing who has had possession of the item and what they have done with it.
|purpose of maintaining the chain of custody
|to be able to effectively authenticate an item of evidence during litigation, if necessary
|how should the chain of custody be documented
|by creating a memorandum of interview with the custodian of the records when the evidence is received.
|what should be included when documenting the chain of custody
|what items were received, when they were received, from whom they were received, where they are maintained
|what is an anachronism
|an item that appears to have existed or occurred at a time when it could not have existed or occurred (e.g. an account transaction that is backdated to before the account was opened.
|what is simulated forgery
|a writing, usually a signature, prepared by carefully copying or tracing a model example of another person's writing
|order questions should be asked during an interview
|as a general rule, questions should proceed from the general to the specific
|what is rapport?
|a relationship marked by harmony, conformity, accord or affinity
|what is free narrative?
|an orderly, continuous account of an event
|what is double-negative question
|a question that has two forms of negation within a single clause
|what is controlled answer technique
|a statement that can be used to simulate a desired answer or impression
|what is a complex question
|a Question that consists of a series of interrelated questions
|what are open questions
|questions worded in a manner that makes them difficult to answer with a yes or no.
|what is meant by calibrating a witness
|process of observing an interviewee's behavior prior to posing critical questions
|common nonverbal indicators of deception
|full body motions away from interviewer, physical responses (sweating),changes in use of illustrators, interruptions to the flow of speech, hands over mouth, manipulation of objects (a pencil),
|more non verbal indicators
|body positioned in a fleeing position, crossing of arms, unnatural or casual reaction to evidence.
|what is a leading question
|question that is framed in a way that evokes a specific reply from the respondent (e.e., a question that contains a suggested answer.)
|what is chronological confusion
|respondent's tendency to confuse order of experiences
|what is inferential confusion
|confusion and inaccuracies resulting from errors of inference
|3 types of informational questions
|Open, leading, closed
|what are extrinsic rewards?
|rewards interviewee receives that are not directly related to the interview experience: they cause the respondent to see the interview as a means to an end.
|what is catharsis?
|process by which a person obtains a release from unpleasant emotional tensions betaking about the source of these tensions
|what is meant by establishing the interview theme
|process of stating the purpose of the interview prior to serious questioning
|objectives of closing questions
|reconfirming facts, gathering additional facts, closing the interview on a positive note
|what are closed questions
|questions that deal with specifics and require a precise answer, such as yes or no.
|what are assessment questions
|questions that seek to establish the credibility of the respondent
|what are manipulators
|displacement activities that reduce nervousness
|4 objectives of introductory questions
|provide an introduction, establish rapport, engender cooperation, observe reactions.
|what is ritualistic conversation?
|a form of verbal behavior that has no real significance other than to provide security in interpersonal relations (e.g. Good Morning)
|what is an inhibitor of communication
|any social-psychological barrier that impedes the flow of a conversation, such as an interview, by making the respondent unable or unwilling to provide the requested information
|what is proxemic communication
|use of interpersonal space to convey meaning
|what are illustrators
|Motions made primarily with the hands that demonstrate points when talking.
|what are facilitators of communication
|socio-psychological forces that make conversations, including interviews, easier to accomplish
|5 types of interview questions
|introductory, informational, admission-seeking, assessment, closing
|what is paralinguistic communication
|use of volume, pitch, and voice quality to convey meaning
|what is kinetic communication
|use of body movement to convey meaning
|what is chronemic communication
|use of time in interpersonal relationships to convey meaning, attitudes and desires
|what is pacing
|an interview that has the potential to bring about strong emotional reactions in the respondent
|what is altruism?
|an individual's need to identify with a higher value beyond immediate self-interest
|common verbal indicators of deception
|changes in speech patterns, repetition of question, comments regarding the interview, selective memory, oaths, answering with a question, overuse of respect, avoidance of emotive words, tolerant attitudes, feigned unconcern
|3 general approaches for obtaining a verbal confession
|chronologically, by event, by transaction
|points to include in signed statements
|voluntariness of the confession, willingness to cooperate, the confessor's intent, approximate dates, approximate amounts, approximate number of incidents, a confessor's moral excuse, confessor has read the statement, truthfulness of the statement
|3 methods for halting a suspect's denial
|delays, repeated interruptions, reasoning
|common themes used to establish rationalization during an interview
|unfair treatment, inadequate recognition, financial problems, aberration of conduct, family problems, accusers' actions, stress, revenge, depersonalizing the victim, minor moral infraction, altruism, genuine need
|what is an alternative question
|question that is phrased in such a manner that the respondent is forced to choose between 2 answers that both imply guilt
|what is a benchmark admission
|the first instance in which a suspect makes a culpable statement, often following an alternate question
|what are admission-seeking questions
|inquiries designed to obtain a legal admission of wrongdoing
|information to obtain during a verbal confession
|that the act was committed intentionally, facts only known to the confessor, motive for offense, when the offense was terminated, if others were involved, physical evidence, disposition of proceeds, locations of assets, specifics of each offense.
|2 major types of covert operations
|undercover operations, surveillance operations
|what is an undercover operation
|an operation in which evidence is directly sought from people involved in the offense through the use of disguise and deceit
|what is surveillance operation
|an operation in which evidence about subject's activities is gathered using observation rather than direct interaction
|what is qualified confidentiality
|a promise to maintain the confidentiality of a source's identity or other information where possible, but that still allows the fraud examiner to reveal such information to appropriate parties as necessary to the case.
|what is unqualified confidentiality
|a promise to fully maintain the confidentiality of a source's identity or other information under any circumstances
|information to document in a covert operation memorandum
|Info upon which the covert operation will be based, info that is expected to be gained from the operation, identities of suspects, if known, operatives under your care or control (use symbols for confidential sources)
|what is entrapment
|what is covert operation
|an investigation technique designed to obtain evidence by use of agents whose true role is undisclosed to the target
|what is a confidential source
|source who furnishes information as a result of his occupation or profession and who has no culpability in the alleged offense
|what is confidential informant
|source who has a direct or indirect involvement in the matter under investigation and who might be culpable
|what are public records
|records kept by a governmental agency that may be accessed by the public
|common uses of public records in a fraud examination
|to supply information about employees, suspects and witnesses, to corroborate or refute witness statements, to track stolen cash or assets, to recover fraud losses
|what is pretexting
|impersonating someone else or making false or misleading statements to obtain, sell, or buy information about a person or organization
|How did the Graham-Leach-Bliley Act affect pretexting?
|by prohibiting pretexting against financial institutions to protect customer information
|valuable types of non-public records in fraud examinations
|banking/financial records, was returns and related documents, credit records, private phone records, personal health care records
|information available through a city's building inspector office
|permit application information, building blueprints and plans, building inspector reports
|What is the HIPPA privacy rule designed to protect?
|"Protected health information," or information relating to an individual's past, present, or future physical or mental health; payment for services; or health care operations.
|primary function of the Privacy Act of 1974
|to regulate the collection, maintenance, consumption, and distribution of individual's information that is maintained by federal agencies
|what does the Freedom of Information Act govern
|Availability of governmental records to the general public
|Primary function of the Right to Financial Privacy Act
|to prohibit financial institutions from disclosing customer information to the government without consent, legal order, or other exception
|uses of external sources of information in fraud examinations
|to locate witnesses, to locate assets, to determine ownership of entities, to research a suspect's financial condition, to document a suspect's lifestyle and background
|Where are a domestic corporation's articles of incorporation found?
|the secretary of state's office where the entity is incorporated
|Primary function of the Fair Credit Reporting Act
|to regulate the dissemination of consumer information to third parties by credit reporting agencies
|who maintains files on all active and closed lawsuits in a jurisdiction
|the court clerk of that jurisdiction
|types of records maintained by the Securities and Exchange Commission (SEC)
|public records of corporations with stocks and securities sold to the public such as financial statements and identification of the entity's officers, directors, and major shareholders.
|Information found in Uniform Commercial Code (UCC) filings
|name of the debtor or joint debtors, current address of the debtors, name of financial lender, type of collateral pledged as security, date of filing and continuations.
|what self-regulatory organization oversees and maintains records of firms in the futures markets
|National Futures Association
|Information available in the probate records of a deceased individual
|names of individuals with an interest in the estate, financial position of the deceased at time of death, dispersal of estate assets, names and addresses of heirs, value of property willed to heirs.
|What is a Form 10-K
|an annual report that public companies regulated by the SEC must file: it contains the company's financial statements, ownership information, and other key business information
|where will fictitious name or doing business as (DBA) records be found
|either in county or state records, depending on the jurisdiction
|what is the deep Web )or invisible Web)?
|Web content that is not indexed by standard search engines
|what is the historical web
|archived versions of Web pages that have since been updated or are no longer available on line.
|which county records include information on real estate purchases
|real property records, proper records, tax assessor records.wha
|what are social media (or networking) sites
|websites that use software to build online social networks for communities of people with shared interests
|what are advanced search operators (or Boolean operators)?
|Symbols that help search engines better understand exactly what the user is looking for; they improve a search and return relevant results faster
|what are meta-search engines
|Online search engines that send user requests to several other search engines and aggregate the results for display
|what are search engines
|online programs that search websites and documents for specified keywords and return a list of sites and documents whee the keywords were found.
|what is a credit header
|information in a credit report that gives basic information about a person to whom the credit report applies
|what is a tax lien
|a legal hold or claim that a governmental entity places on a taxpayer's property (both real property and personal property) to secure the payment of taxes
|What are Uniform Commercial code (UCC) filings?
|public records of secured transactions in which the debtor(s) owes a stated value to a secured party or parties.
|what is data mining
|the science of searching large volumes of data for patterns
|what is a tree map
|a type of heat map in which rectangular space is divided into regions, and then each region is divided again for each level in the hierarchy
|what is link analysis
|a data analysis technique that creates visual representations of date (e.g. charts with lines showing connections) from multiple data sources.
|what can link analysis be used to analyze
|movement of money, complex networks, trends and patterns in communications, indirect relationships, relationships with several degrees of separation
|what is geospatial analysis?
|use of visual analytics to depict intersections between various types of data and their corresponding geographical locations
|types of fraud risks geospatial analysis can be used to analyze
|potentially fraudulent insurance claims, bribery and corruption risks, accounts payable risks, travel and expense risks
|what does the join function do
|combines fields from 2 sorted input files into a third file
|what is the compliance verification function used for
|to determine whether company policies are met by employee transactions
|what is the correlation function used for
|to determine the relationships between different variables in raw data
|what does the date function do
|checks the differences in dates between 2 fields or enables an aging analysis
|examples of fraud keywords related to the pressure to commit fraud
|deadline, quota, target, short, problem, concern
|examples of fraud keywords related to the opportunity to commit fraud
|override, write off, recognize revenue, adjust, discount, reserve
|examples of fraud keywords related to the rationalization of committing fraud
|reasonable, deserve, borrow, discover, temporary
|what is textual analytics
|a method of using software to extract usable information from unstructured text data and analyze it to reveal patterns, sentiments, and relationships indicative of fraud
|4 phases of the data analysis process
|planning phase, preparation phase, testing and interpretation phase, the post-analysis phase
|4 steps of the planning phase of the data analysis process
|understand the data, articulate examination objectives, build a profile of potential frauds, determine whether predication exists
|4 steps of the preparation phase of the data analysis process
|identify the relevant data, obtain the data, verify the data, cleans and normalize the data
|tasks during the testing and interpretation phase of the data analysis process
|performing txts, analyzing results, addressing any false positives that result
|tasks during the post-analysis phase of the data analysis process
|following up on identified anomalies, documenting findings in a report if necessary, monitoring the data
|purpose of Benford's Law analysis
|to identify fabricated numbers by comparing the actual distribution of digits in a data set of natural numbers against the expected distribution of digits
|What is Benford's Law?
|BL provides that the distribution of the digits in natural numbers is not random; instead, it follows a predictable pattern
|What are the natural numbers for the purpose of a Benford's Law analysis?
|Numbers that are not ordered in a particular numbering scheme and are not human-generated or generated from a random number system, such as total sales figures and invoice amounts
|what is a non-natural number for the purpose of a Benford's Law analysis
|any number that is arbitrarily determined or systematically designed to convey information, such as inventory prices and invoice numbers
|what is duplicate testing used for
|to identify transactions with duplicate values in specified fields that should only contain unique values.
|what is regression analysis used for
|to create a model relationship between a dependent number variable and 1 or more independent variables
|what is multi-file processing used for
|to relate several files by defining relationships between multiple files, without the use of the join command
|what is gap testing used for
|to identify missing items in a sequence or find sequences where none are expected to exist
|what is structured data
|Data that consists of recognizable and predictable structures, such as what you would find in a database
|what is unstructured data
|data that is not organized in a pre-determined structure, such as text-based data
|what is graceful shutdown
|a method of shutting down a computer in which the user relies on the set of built -in processes that prepare a computer for shutdown
|what is hard shutdown
|a shutdown occurring from power failure; it is performed by unplugging all power from the computer, including power cables
|what is a peripheral device
|an auxiliary device that is connected to, but not part of, a host computer
|common methods of detecting the use of steganography?
|(3 of 4)visual detection by looking for visual anomalies image files, audible detection by looking for audible anomalies in media files, statistical detection by determining whether statistical properties of files deviate from expected norm,
|more methods of detecting the use of stenography
|(4 of 4) structural detection by looking for structural oddities that suggest manipulation
|what is steganography?
|Process of hiding information within an apparently innocent file
|what is encryption
|Procedures used to convert information using an algorithm (called a cipher) that makes information unreadable
|what occurs during the image acquisition process in a digital forensic investigation
|a forensic image of a hard drive or other digital media is made and imaged to another hard disk drive or other media for forensic analysis
|what is a forensic image
|an image or exact sector-by-sector, copy of a hard drive or other digital media
|what is metadata
|data about data, such as a file's name, author, or creation date/time
|what is an event log
|a data set containing records of events or transactions on a computer
|what is a system log
|a type of event log that records events executed on an operating system, including miscellaneous events and those generated during system start-up, like hardware and controller failures
|what is an application log
|a type of event log the records the events regarding access to application data
|what happens during the analysis phase of a digital forensic investigation
|Specialized software is used to identify, extract, collect and store digital artifacts that will be used as evidence in an investigation
|primary concern when analyzing digital evidence
|maintaining the integrity of the data at all times
|4 requirements for digital evidence to be admissible in court
|relevant to an issue that is in dispute in the case, material, established as authentic, legally obtained
|what happens during the processing phase of a digital forensic investigation
|identification of relevant information in collected data, segregation of duplicates and other information that is not relevant due to its type, origin or date
|what is digital evidence
|information stored or transmitted in binary form that can be used to prove something
|what are user-created files
|digital files created under a user's direction
|what are computer-created files
|information generated by a computer's operating system
|what is cloud storage
|a service model in which data is stored by a third party host and is accessible online
|what is mobile phone forensics
|techniques used to gather data from smart phone so that the data will be admissible in court
|information included on a wire transfer record
|amount of the transfer, date, name of sender or originator, routing number of the originating bank or financial institution, identity designated beneficiary or receiver of funds, routing # of recipient bank
|what is direct approach to tracing financial transactions
|using the subject's books and records(or financial transaction records belonging to third parties) to analyze the relationship between a suspect's receipt and subsequent disposition of funds or assets
|what is indirect approach to tracing financial transactions
|employing circumstantial evidence to analyze the relationship between a suspect's receipt and subsequent disposition of funds or assets
|what is their comparative net-worth analysis)?
|Method for proving illicit income circumstantially by comparing a person's assets or expenses for a given period of time against known legitimate sources of income.
|when should the net-worth method be used to trace assets
|when several of the subject's assets or liabilities have changed during the period under investigation, when the target's financial records are not available
|Purpose of conducting a net-worth analysis
|to show that the subject's assets or expenditures for a given period exceed that which can be accounted for from known or admitted legitimate sources of income
|what is letter rogatory
|a formal request by the courts of a county seeking judicial assistance from the courts of another county
|what is mutual legal assistance (MLA)?
|a process by which countries request and provide assistance in criminal law enforcement matters
|what is a signature card
|a document that is required to open a personal bank account
|what is the bank deposit method of tracing illicit funds
|method of computing income by analyzing the subject's deposits to financial institutions, cancelled checks, and currency transactions and adjusting for non-income items
|when should the bank deposit analysis method be used to trace assets
|when most of the subject's income is deposited, when the subject's books and records are unavailable, withheld, incomplete or maintained on a cash basis
|when should the asset method be used to compute an individual's net worth
|when the subject is using his illicit funds to accumulate wealth and acquire assets, thus causing his net worth to increase from year to year
|when should the expenditures method be used to compute an individual's net worth
|when the subject spends illicit income on consumables (such as travel and entertainment) that would not cause an increase in net worth
|5 steps for developing an individual's financial profile
|Identify all significant assets held by the suspect, ID all significant liabilities, ID all income sources during the relevant time period, ID all significant expenses incurred during relevant period, analyze the collected information
|what are loan proceeds?
|the net amount a lender disperses to a borrower under the terms of a loan agreement
|what is asset tracing
|search for evidence showing what has happened to property, identifying the proceeds of property, and Identifying those who have handled or received property or the proceeds of property
|what is net worth?
|the difference between assets and liabilities at a particular point in time
|what are certified checks
|customer checks stamped with the paying bank's guarantee that the maker's signature is genuine and that there is enough money available in the holder's account to cover the amount to be paid
|what is a trust
|a fiduciary relationship in which a person (the trustee) manages property for the benefit of another (the beneficiary)
|what should the executive summary section of an examination report include?
|an overview of what was done during the examination process
|what should the summary section of an examination report include
|a succinct summary of the fraud examination and its results.
|what should the background section of an examination report include
|details about why the fraud examination was conducted
|when should a party seeking prosecution submit the case to prosecutors
|after completing the fraud examination and the accompanying report
|steps fraud examiners can take to enhance the chances that a prosecutor pursues a case
|obtain a legal and binding admission of guilt, obtain a commitment from the outset for the prosecutor to consider the case, pledge to help the prosecutor during the trial process, follow up regularly with prosecutor,
|who should the examination report writer expect to possibly read the report?
|company insiders, attorneys, defendants and witnesses, press and media outlets, juries
|what is a conclusion in the context of a fraud report
|an observation based on factual evidence
|what is an opinion in the context of a fraud examination report
|a statement that calls for an interpretation of the facts
|types of opinions allowed in fraud examination reports
|opinions regarding technical matters where the fraud examiner is qualified as an expert in the matter
|what is a memorandum of interview
|a written record used to document each interview conducted during a fraud examination
|how much of an interview's subject's testimony should be included in the examination report
|all statements and facts that are relevant to the examination
|when should an interview be documented in a memorandum of interview
|ASAP after questioning -preferably on same day of the interview
|basic reporting documents in an examination report
|memoranda, cover page, exhibits, documents or enclosures, forms, indexes, transmittal letter
|what is a matrix used for in an examination report
|to show the relationship (for points of contact) between a # of parties in the form of a grid
|4 characteristics of a well-written report
|Accuracy, clarity, impartiality and relevance, timeliness
|what should the scope section of an examination report include
|a description of the range of issues reviewed during the examination process
|what should the approach section of an examination report include?
|a description of the approach used to examine the fraud
|what should the findings section of an examination report include
|a detailed description of the tasks performed and the team's findings
|what should the impact section of an examination report include
|a description of the impact of any misconduct identified during the examination
|what is a link-network diagram used for in an examination report
|to show the relationships between people, organizations, and events using different symbols to represent different entities.
|What is a fraud examination?
|A process of resolving allegations of fraud from inception to disposition.
|how should documents be organized during the collection stage of an examination?
|by transaction or by party
|ways to access bank records held by financial institutions
|written consent from the accountholder court order (e.g. subpoenas at warrant)
|what is a fraud response plan?
|A plan that outlines the actions an organization will take when suspicions of fraud have arisen
|What is the fraud theory approach?
|An investigative approach in which the fraud examiner forms a hypothesis for theory) of what might have occurred and then tests the hypothesis to determine whether it is provable
|What is a volatile interview
|An interview that has the potential to bring about strong emotional reactions in the respondent
|What is predication
|The totality of circumstances that would lead a reasonable professionally, trained, and prudent individual to believe a fraud has occurred, is occurring, or will occur
|what assumption must fraud examiners make about every fraud examination
|that every case will end in litigation
|general order of witness interviews in fraud examiners
|neutral third-party witnesses, corroborative witnesses, co-conspirators, subject
|4 tasks encompassed in the fraud examination process
|obtaining evidence, reporting, testifying, assisting in fraud detection and prevention
|what is forensic accounting?
|the use of professional accounting skills in matters involving potential or actual civil or criminal litigation
|4 steps of the fraud theory approach
|analyze the available data, create a hypothesis, test the hypothesis, refine and amend the hypothesis
|how should documents be organized during the collection stage of an examination
|by transaction or by party
|What is a key document file
|A file created during the document collection phase of an examination that allows easy access to the most relevant and important files in a case