smart solutions: data analytics to support fraud …...smart solutions: data analytics to support...

©2013

SMART SOLUTIONS: DATA ANALYTICS TO SUPPORT FRAUD EXAMINATIONS

Data plays an important role in the course of every investigation; in fact, the first detailed data

analysis often leads to an investigation. Investigators must be able to understand and use this data

and know how to deal with this challenge accordingly. This presentation illustrates proven data

analytics workflows and how to establish them to make your investigations more efficient and

effective.

JOERN WEBER, CFE

CEO

corma GmbH

Moenchengladbach, Germany

Joern Weber is an experienced investigator and CEO of corma GmbH, protecting clients in

Germany, Europe, and the United States for more than a decade. He is an analytical thinker,

organizing global investigations and audits, and providing services for intelligence projects.

Joern Weber listens and responds to different customer challenges and transforms this

knowledge into successful investigations and projects, resulting in stopped suspects, recovered

money, civil legal actions, or criminal court convictions.

He founded corma in 1999 (headquartered in Germany), and provides professional

investigations and research and data analytics services (i.e., supporting corporate security

departments in successfully managing their investigative work). Prior to corma, Joern Weber

advanced through the ranks to Chief Inspector/Investigator at German Law Enforcement.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the

ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of

this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without

the prior consent of the author.


2013 ACFE European Fraud Conference ©2013 1

NOTES Introduction

Understanding Data

Cleansing/Standardizing Data

Enriching and Validating Data

Importing Data

Analyzing Data

Reporting

Introduction

Data plays an important role in the course of every fraud

examination. In fact, the first detailed data analysis often

leads to an investigation. Investigators must be able to

understand and use this data and know how to successfully

integrate with it to expose new patterns. This presentation

illustrates proven data analytics workflows and how to

establish them to make your investigations more efficient

and effective.

Data Model

This model shows how the different types and

categories of data we may receive during a fraud



NOTES examination are linked to various methods and

processes for data processing and data analytics.

Understanding Data

The understanding of data is crucial in every investigation.

It is a challenge to understand relationships and background

of data; data quantity plays an important role, as well as

bringing data into context to successfully apply in fraud

examinations.

Understanding Data Works in Four Steps

Look at the data

Which data am I looking at?

Data quantity?

Time frame?



NOTES See the pattern

What do I see?

Which patterns emerge?

Imagine

What seems to be missing?

Imagine what happens if you receive the

missing data.

Show—summaries your findings

Does it make sense?

Clarify the best ideas how to interrogate with

this data.

corma Workflow for Understanding Data

1. NOTE TAKING

A crucial part in any investigation is the taking of

clear case notes. The application for note taking,

whether it is a piece of paper or electronic note-

taking software, should allow for creative freedom

in both the recording of notes and the data that can

be included in them.

Some recommended tools:

Document template1

Digital tools:

CaseNotes: qccis.com/resources/forensic-

tools/casenotes-lite

OneNote: office.microsoft.com/en-

us/onenote

2. STORE THE ORIGINAL DATA IN A SECURE

AREA

Save a copy of the data in your case folder.

1 s. Attachment I, Investigation Protocol sample.

http://qccis.com/resources/forensic-tools/casenotes-lite

http://qccis.com/resources/forensic-tools/casenotes-lite

http://office.microsoft.com/en-us/onenote

http://office.microsoft.com/en-us/onenote



NOTES 3. CREATE “DIGITAL FINGERPRINTS”

The MD5 Message-Digest Algorithm is created by

taking a string of any length and encoding it into a

128-bit fingerprint. Encoding the same string using

the MD5 algorithm will always result in the same

128-bit hash output. The procedure allows you to

secure the original data for future evidence.

Recommended tools:

md5deep.sourceforge.net

www.bitdreamers.com/en/products/checksum-

verifier (Checksum Verifier)

You can compare the file content with the original

data using such tools as UltraCompare

(www.ultraedit.com/products/ultracompare.html).

UltraCompare includes text compare, binary file

compare, with the capability to merge differences

between compared files.

4. ALWAYS WORK ONLY WITH A COPY OF THE

ORIGINAL FILE

Any examination of the file should be done only

with a copy.

5. IDENTIFY DATA FORMAT

Recommended tools for data formats research:

www.file-extensions.org (provides information

on what kind of data file it is, and with which

application it is associated; large number of file

type entries have detailed descriptions)

www.filext.com (database of file extensions and

various programs that use them)

www.fileinfo.com (contains a searchable

database of thousands of file extensions with

http://md5deep.sourceforge.net/

http://www.bitdreamers.com/en/products/checksum-verifier

http://www.bitdreamers.com/en/products/checksum-verifier

http://www.ultraedit.com/products/ultracompare.html

http://www.file-extensions.org/

http://www.filext.com/

http://www.fileinfo.com/



NOTES detailed information about the associated file

types)

View (Read Only)

www.uvviewsoft.com (advanced file viewer

for wide range of formats; various plug-ins

support additional formats)

Deep View

www.ultraedit.com (flexible text, HTML,

PHP, JavaScript editor, integrated file

viewer, Unicode)

Understanding data is an interactive process that

often leads to more interesting findings.

Cleansing/Standardizing Data

Computer processes are faster than ever and information

technologies are able to integrate huge amounts of data.

With all of these high-end capabilities, there are still

limitations in performing effective data analytics, and much

of that has to do with data quality. It plays a crucial role in

fraud examinations. Errors and variations in the data are

most often seen as the result of typos, misspellings, or

abbreviations. Additionally, there is often intentionally

misrepresented data.

Why Should Data Be Cleansed?

Reliable analysis results are required.

Data cleansing saves time that otherwise would

come up during the analysis process.

Reduce unwanted deviations and variations. Even

small data variations can have a significant impact

on the final result.

Identify entities (e.g., person, organization,

address).

Insights often lead to further findings.

http://www.uvviewsoft.com/

http://www.ultraedit.com/



NOTES There are solutions that help deal with the above

mentioned situations by cleaning, transforming, and

restructuring data, including:

InfoZoom (www.data-analytics.de/home.html?L=2)

Flexible import for various data sources

Intuitive research

Analyses, calculations, statistics

Business intelligence

Ad hoc reporting

InfoZoom benefits:

Combining different data formats

Fixing data quality issues

Identifying missing data

Better link analysis results

Some of the key items to consider during the

standardizing process are:

Develop automated queries.

Develop workflow for recurring processes.

Standardize processes (templates).

Benefits:

Time saving

Flexible

Maximizes effectiveness

Team “compatibility”

Easy to learn

Enriching and Validating Data

Geocoding: www.gpsvisualizer.com

Whois: a query and response protocol that queries

databases that store such information as a domain

name; an IP address of the registered users of an

Internet resource

http://www.data-analytics.de/home.html?L=2

http://www.gpsvisualizer.com/



NOTES Manual query: www.ewhois.com

Batch query: www.bulkseotools.com

Address verification

Manually in Google Maps (maps.google.com);

Google Street View explores places around the

world through 360° street-level imagery

Using service provider or address verification

software (for large amounts of data), including:

AddressDoctor: www.addressdoctor.com

Experian: www.qas-experian.com.au

http://www.ewhois.com/

http://www.bulkseotools.com/

http://maps.google.com/

http://www.addressdoctor.com/

http://www.qas-experian.com.au/



NOTES Importing Data

Sample Import: i2 IBM-Database

(www-01.ibm.com/software/industry/i2software)

Analyzing Data

Identify needed analytical steps.

Develop “questions” to data.

What has prompted the need for the analysis?

http://www-01.ibm.com/software/industry/i2software



NOTES What is the key question that needs to be answered?

“Create” evidence out of data.

What can you prove?

What do you want to prove?

Visualize your thinking!

Analytical Techniques

Chronologies and timelines help understand timing

and sequence of events, and aid in the identification

of patterns and correlations among events.

Sorting large amounts of data into relevant

categories that are compared with each other can

provide you with insights into trends, similarities,

and differences that otherwise would go unnoticed.

Ranking, scoring, and prioritizing helps you to

determine which items are most important.

Network analysis is the review, gathering, and

understanding of data to determine relationships

between entities (e.g., people, organizations,

objects).

Supporting Tools

Documenting processes in intranet/wiki

Selecting the right tool for each task

Training the users

Keeping the users “busy”

Analysis Samples

Query

An investigative question, converted into database

search

NOTES



NOTES



Decoding (Classification, i.e. Phone Data)

Email Analysis

Intella (www.vound-software.com/home):

Processing engine and unique visual presentation

enables you to quickly and easily search and review

email, cellphone, and other electronically stored

information to find critical evidence and visualize

relevant relationships.

Timeline Charts

i2 IBM Analyst’s Notebook (www-

142.ibm.com/software/products/us/en/analysts-

notebook)

http://www.vound-software.com/home

http://www-142.ibm.com/software/products/us/en/analysts-notebook/



NOTES



Timelinemaker (www.timelinemaker.com)

Reporting

Final work starts when single components are ready. Please

follow these rules while creating a report.

What makes an excellent report?

Easily understood—small, familiar words and short,

clear sentences

Comprehensive—having both scope and depth in terms

of specific facts as brief as possible

The test of time—so written that the events of the

investigation can be reconstructed after a prolonged

lapse of time

http://www.timelinemaker.com/

NOTES



Objective—no place for speculations, hypothesis, or

opinion

Factual—do not assume the facts are there when they

are not

A report should include:

Cover page—including company’s name, client’s

name, the date, and the name of the report

Case introduction—a very brief statement that

introduces the reader to the overall investigation and its

primary conclusion

Summary of findings—summary of significant

findings; current status of the matter

Topical sections (i.e., investigative steps, case

chronology, company details, listing of witnesses,

disclaimer)

Professional close—identify the investigator or analysts

who contributed to the case; specify who ultimately

wrote the report

Also necessary to include:

Exhibits and attachments, including photographs,

records, documents, or accounts of evidence; should be

labeled or numbered and referred to in the body of the

investigative report

Witness or contact list—a list of people and their

contact information with whom you spoke or had

contact with during your investigation

smart solutions: data analytics to support fraud …...smart solutions: data analytics to support...

Documents