SMART SOLUTIONS: DATA ANALYTICS TO SUPPORT FRAUD EXAMINATIONS
Data plays an important role in the course of every investigation; in fact, the first detailed data
analysis often leads to an investigation. Investigators must be able to understand and use this data
and know how to deal with this challenge accordingly. This presentation illustrates proven data
analytics workflows and how to establish them to make your investigations more efficient and
effective.
JOERN WEBER, CFE
CEO
corma GmbH
Moenchengladbach, Germany
Joern Weber is an experienced investigator and CEO of corma GmbH, protecting clients in
Germany, Europe, and the United States for more than a decade. He is an analytical thinker,
organizing global investigations and audits, and providing services for intelligence projects.
Joern Weber listens and responds to different customer challenges and transforms this
knowledge into successful investigations and projects, resulting in stopped suspects, recovered
money, civil legal actions, or criminal court convictions.
He founded corma in 1999 (headquartered in Germany), and provides professional
investigations and research and data analytics services (i.e., supporting corporate security
departments in successfully managing their investigative work). Prior to corma, Joern Weber
advanced through the ranks to Chief Inspector/Investigator at German Law Enforcement.
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the
ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of
this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without
the prior consent of the author.
SMART SOLUTIONS: DATA ANALYTICS TO SUPPORT FRAUD EXAMINATIONS
2013 ACFE European Fraud Conference ©2013 1
Introduction
Understanding Data
Cleansing/Standardizing Data
Enriching and Validating Data
Importing Data
Analyzing Data
Reporting
Introduction
Data plays an important role in the course of every fraud
examination. In fact, the first detailed data analysis often
leads to an investigation. Investigators must be able to
understand and use this data and know how to work with it
successfully to expose new patterns. This presentation
illustrates proven data analytics workflows and how to
establish them to make your investigations more efficient
and effective.
Data Model
This model shows how the different types and
categories of data we may receive during a fraud
examination are linked to various methods and
processes for data processing and data analytics.
Understanding Data
The understanding of data is crucial in every investigation.
It is a challenge to understand relationships and background
of data; data quantity plays an important role, as well as
bringing data into context to successfully apply in fraud
examinations.
Understanding Data Works in Four Steps
1. Look at the data
   Which data am I looking at?
   Data quantity?
   Time frame?
2. See the pattern
   What do I see?
   Which patterns emerge?
3. Imagine
   What seems to be missing?
   Imagine what happens if you receive the missing data.
4. Show—summarize your findings
   Does it make sense?
   Clarify the best ideas for how to interrogate this data.
corma Workflow for Understanding Data
1. NOTE TAKING
A crucial part in any investigation is the taking of
clear case notes. The application for note taking,
whether it is a piece of paper or electronic note-
taking software, should allow for creative freedom
in both the recording of notes and the data that can
be included in them.
Some recommended tools:
  Document template (see Attachment I, Investigation
  Protocol sample)
  Digital tools:
    CaseNotes: qccis.com/resources/forensic-tools/casenotes-lite
    OneNote: office.microsoft.com/en-us/onenote
2. STORE THE ORIGINAL DATA IN A SECURE AREA
Save a copy of the data in your case folder.
3. CREATE “DIGITAL FINGERPRINTS”
The MD5 Message-Digest Algorithm takes a string of any
length and encodes it into a 128-bit fingerprint (hash).
Encoding the same string using the MD5 algorithm will
always result in the same 128-bit hash output. Recording
this hash for the original data allows you to show later
that the data is unchanged, which secures it for future
evidence.
Recommended tools:
  md5deep.sourceforge.net
  www.bitdreamers.com/en/products/checksum-verifier (Checksum Verifier)
You can compare the file content with the original
data using such tools as UltraCompare
(www.ultraedit.com/products/ultracompare.html).
UltraCompare includes text and binary file comparison,
with the capability to merge differences between
compared files.
4. ALWAYS WORK ONLY WITH A COPY OF THE
ORIGINAL FILE
Any examination of the file should be done only
with a copy.
5. IDENTIFY DATA FORMAT
Recommended tools for data formats research:
  www.file-extensions.org (provides information on what
  kind of data file it is, and with which application it is
  associated; a large number of file type entries have
  detailed descriptions)
  www.filext.com (database of file extensions and various
  programs that use them)
  www.fileinfo.com (contains a searchable database of
  thousands of file extensions with detailed information
  about the associated file types)
View (Read Only)
  www.uvviewsoft.com (advanced file viewer for a wide
  range of formats; various plug-ins support additional
  formats)
Deep View
  www.ultraedit.com (flexible text, HTML, PHP, JavaScript
  editor, integrated file viewer, Unicode)
Understanding data is an interactive process that
often leads to more interesting findings.
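Steps 2 to 5 of the workflow above (store the original, fingerprint it, work only on a copy, identify the format) as an added Python example that is not part of the original presentation. It records SHA-256 next to the MD5 the text describes, because MD5 collisions can be constructed deliberately; the file names, folder layout, and signature table are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

SIGNATURES = {b"%PDF": "PDF document", b"PK\x03\x04": "ZIP container (also DOCX/XLSX)",
              b"\xd0\xcf\x11\xe0": "OLE2 container (legacy DOC/XLS/MSG)"}  # illustrative subset

def fingerprint(path, chunk_size=1 << 20):
    """Step 3: return (md5, sha256) hex digests, reading in chunks for large files."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def identify_format(path):
    """Step 5: classify a file by its leading bytes, not by its extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return "unknown"

def make_working_copy(original, work_dir):
    """Steps 3-4: fingerprint the original, copy it, reject a copy that differs."""
    original = Path(original)
    recorded = fingerprint(original)
    copy = Path(work_dir) / original.name
    shutil.copy2(original, copy)
    if fingerprint(copy) != recorded:
        raise ValueError(f"working copy of {original.name} differs from the original")
    return copy, recorded

def demo():
    """Constructed sample: a file named .txt whose content is really a PDF."""
    with tempfile.TemporaryDirectory() as tmp:
        case, work = Path(tmp, "case"), Path(tmp, "work")
        for folder in (case, work):
            folder.mkdir()
        original = case / "ledger.txt"
        original.write_bytes(b"%PDF-1.4 constructed sample evidence\n")
        copy, recorded = make_working_copy(original, work)
        intact = fingerprint(copy) == recorded
        copy.write_bytes(copy.read_bytes() + b"edited")  # the copy is altered during analysis
        return identify_format(original), intact, fingerprint(copy) == recorded, fingerprint(original) == recorded

if __name__ == "__main__":
    print(demo())
```

The recorded digests belong in the case notes from step 1, so that the original in the case folder can be re-verified at any later date.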
Cleansing/Standardizing Data
Computer processes are faster than ever and information
technologies are able to integrate huge amounts of data.
With all of these high-end capabilities, there are still
limitations in performing effective data analytics, and much
of that has to do with data quality. It plays a crucial role in
fraud examinations. Errors and variations in the data are
most often seen as the result of typos, misspellings, or
abbreviations. Additionally, there is often intentionally
misrepresented data.
Why Should Data Be Cleansed?
Reliable analysis results are required.
Data cleansing saves time that would otherwise be
spent during the analysis process.
Reduce unwanted deviations and variations. Even
small data variations can have a significant impact
on the final result.
Identify entities (e.g., person, organization,
address).
Insights often lead to further findings.
There are solutions that help deal with the above-mentioned
situations by cleaning, transforming, and
restructuring data, including:
InfoZoom (www.data-analytics.de/home.html?L=2)
Flexible import for various data sources
Intuitive research
Analyses, calculations, statistics
Business intelligence
Ad hoc reporting
InfoZoom benefits:
Combining different data formats
Fixing data quality issues
Identifying missing data
Better link analysis results
Some of the key items to consider during the
standardizing process are:
Develop automated queries.
Develop workflow for recurring processes.
Standardize processes (templates).
Benefits:
Time saving
Flexible
Maximizes effectiveness
Team “compatibility”
Easy to learn
Enriching and Validating Data
Geocoding: www.gpsvisualizer.com
Whois: a query and response protocol for querying
databases that store information about the registered
users of an Internet resource, such as a domain name or
an IP address
Manual query: www.ewhois.com
Batch query: www.bulkseotools.com
Address verification
Manually in Google Maps (maps.google.com);
Google Street View explores places around the
world through 360° street-level imagery
Using service provider or address verification
software (for large amounts of data), including:
AddressDoctor: www.addressdoctor.com
Experian: www.qas-experian.com.au
Importing Data
Sample Import: i2 IBM-Database
(www-01.ibm.com/software/industry/i2software)
Analyzing Data
Identify needed analytical steps.
Develop “questions” to ask of the data.
What has prompted the need for the analysis?
What is the key question that needs to be answered?
“Create” evidence out of data.
What can you prove?
What do you want to prove?
Visualize your thinking!
Analytical Techniques
Chronologies and timelines help understand timing
and sequence of events, and aid in the identification
of patterns and correlations among events.
Sorting large amounts of data into relevant
categories that are compared with each other can
provide you with insights into trends, similarities,
and differences that otherwise would go unnoticed.
Ranking, scoring, and prioritizing help you to
determine which items are most important.
Network analysis is the review, gathering, and
understanding of data to determine relationships
between entities (e.g., people, organizations,
objects).
Supporting Tools
Documenting processes in intranet/wiki
Selecting the right tool for each task
Training the users
Keeping the users “busy”
Analysis Samples
Query
An investigative question, converted into a database
search
Decoding (Classification, i.e. Phone Data)
Email Analysis
Intella (www.vound-software.com/home):
Its processing engine and unique visual presentation
enable you to quickly and easily search and review
email, cellphone, and other electronically stored
information to find critical evidence and visualize
relevant relationships.
Timeline Charts
i2 IBM Analyst’s Notebook (www-142.ibm.com/software/products/us/en/analysts-notebook)
Timelinemaker (www.timelinemaker.com)
Reporting
The final work starts once the individual components are
ready. Follow these rules when creating a report.
What makes an excellent report?
Easily understood—small, familiar words and short,
clear sentences
Comprehensive—having both scope and depth in terms
of specific facts, while being as brief as possible
The test of time—so written that the events of the
investigation can be reconstructed after a prolonged
lapse of time
Objective—no place for speculation, hypotheses, or
opinion
Factual—do not assume the facts are there when they
are not
A report should include:
Cover page—including company’s name, client’s
name, the date, and the name of the report
Case introduction—a very brief statement that
introduces the reader to the overall investigation and its
primary conclusion
Summary of findings—summary of significant
findings; current status of the matter
Topical sections (i.e., investigative steps, case
chronology, company details, listing of witnesses,
disclaimer)
Professional close—identify the investigator or analysts
who contributed to the case; specify who ultimately
wrote the report
Also necessary to include:
Exhibits and attachments, including photographs,
records, documents, or accounts of evidence; should be
labeled or numbered and referred to in the body of the
investigative report
Witness or contact list—a list of the people with whom
you spoke or had contact during your investigation,
together with their contact information