In The Trenches: Computer Forensics and Data Mining

John Mallery
Managing Consultant
BKD, LLP
816.221.6300

Agenda
• Describe my perspective
• Talk about cell phones
• New stuff I’m seeing
• Data Mining
• Lots of lively discussion

Cell Phone Forensics
• We are seeing more and more requests for cell phone analysis.
• Problem – no standardization, so it is nearly impossible to keep up with cables and tools
• No one tool does it all.

Cell Phone Forensics
• But, backups can be recovered from the computers they sync to.

http://www.rapidrepair.com/guides/iphone3g/iphone3grepairguide.html

However…
• iPhone Backups are created every time the phone is synced
• Windows – C:\Documents & Settings\USER\Application Data\Apple Computer\MobileSync\Backup
• Mac – ~/Library/Application Support/MobileSync/Backup/ “hex folder name”

Tools
• Black Bag Tech – http://www.blackbagtech.com
• MobileSync Browser – http://homepage.mac.com/vaughn/msync/
• iPhoneParser – http://www.macosxforensics.com/Downloads/files/iPhoneParser.app.zip

iPhoneParser
• Creates iphone_backup folder on Desktop

Library_Safari_History.plist

Library_Maps_Directions.plist

Library_SMS_sms.db
http://sourceforge.net/projects/sqlitebrowser/

http://homepage.mac.com/vaughn/msync/

But…
• With iTunes 9, you now have the ability to encrypt your iPhone backup

iPhone – Voice Memo App
• Creates voice memos as m4a files.
• Can be emailed as attachments
• Attachments named “Memo.m4a”
• Not keyword searchable

iPod Stuff
• Diagnostic and Disk Modes

Stranger Devices
• Crane black box
• Computer from a surgical robot
  • Automatically records procedure as default
  • Patient dies
  • Relevant video has been deleted
  • Oops

Still seeing
Technology implemented without any consideration to:
• Legal requirements
• Document retention
• Document/File management
• Internal controls
• Security or Privacy

Example
• Dentist’s office has a backup of their “system” on a hard drive in a safe
• Safe gets stolen
• Dentist’s office wants to know if PII is accessible
• Developer says “no”, our database is in a proprietary and closed format.
• However…

Example
• Name, address, phone number, SSN, patient notes, and patient id number all accessible by opening the backup file in a hex editor.
• Many hex editors are free!!

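What the hex editor shows can be checked programmatically. The following is an added example, not part of the original slides: it pulls printable ASCII and UTF-16LE runs out of an opaque backup file, flags SSN-shaped values (masked in the report), and measures byte entropy, since encrypted data sits near 8 bits per byte and a merely "proprietary" layout does not. The record layout, the `DNTLBK` header and all field values are constructed for illustration.

```python
import math
import re
import struct
from collections import Counter

# SSN-shaped values, skipping area/group/serial numbers that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def ascii_runs(blob, min_len=4):
    """(offset, text) for each run of printable ASCII, like the `strings` utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def utf16le_runs(blob, min_len=4):
    """(offset, text) for each run of printable characters stored as UTF-16LE."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(blob)]


def shannon_entropy(blob):
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not blob:
        return 0.0
    total = len(blob)
    return -sum(c / total * math.log2(c / total) for c in Counter(blob).values())


def scan_backup(blob):
    """Report readable strings and SSN-like values found in an opaque file."""
    findings = []
    sources = (("ascii", 1, ascii_runs(blob)), ("utf-16-le", 2, utf16le_runs(blob)))
    for encoding, width, runs in sources:
        for offset, text in runs:
            for m in SSN_RE.finditer(text):
                findings.append({
                    "offset": offset + m.start() * width,   # byte offset in the file
                    "encoding": encoding,
                    "masked": "***-**-" + m.group()[-4:],   # never log the full value
                })
    return {
        "entropy_bits_per_byte": round(shannon_entropy(blob), 2),
        "readable_strings": sum(len(runs) for _, _, runs in sources),
        "ssn_like": findings,
    }


def build_sample():
    """Constructed stand-in for a 'closed format' backup: header plus length-prefixed fields."""
    blob = b"DNTLBK\x00\x02" + struct.pack("<I", 1)
    for field in ("Jane Q. Sample", "12 Constructed Way", "555-0100",
                  "219-09-9999", "pt notes: crown #14"):
        raw = field.encode("ascii")
        blob += struct.pack("<H", len(raw)) + raw
    wide = "123-45-6789".encode("utf-16-le")   # same kind of value, stored as wide chars
    return blob + struct.pack("<H", len(wide)) + wide


if __name__ == "__main__":
    report = scan_backup(build_sample())
    print("entropy:", report["entropy_bits_per_byte"], "bits/byte")
    print("readable strings:", report["readable_strings"])
    for hit in report["ssn_like"]:
        print(hit)
```

Low entropy together with readable strings means the data is stored in the clear, whatever the vendor calls the format.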
Another example
• Nurses decide they don’t want to change in the nurses dressing room
• Change in an area monitored by a CCTV camera
• Sue for sexual harassment
• Unable to view video files except on server they were originally created upon
• Can’t be viewed by the court, lawyers, etc.

Forensic Data Mining

Forensic Data Mining
• “Advanced data analysis used to identify activity patterns in financial and customer data not discernible through a manual review process.”
• “The process of discovering meaningful new relationships, patterns and trends by sifting through data using pattern recognition technologies as well as statistical and mathematical techniques.”

The Data Mining Continuum
• Hypothesis Testing (Symptom-Based)
• Knowledge Discovery (“Symptomless”)

Why it is Effective
• While 70% of all frauds are found by tips, accidental discovery and disclosure… 30% of all frauds are found by analysis (David Coderre, “Fraud Detection”)
• Majority of data is in electronic format
• Data sets are massive in size and often proprietary in format
• “100% analysis is the most effective way to analyze for fraud” (Dr. Conan Albrecht, BYU)

Common Areas
• Fictitious (ghost) employees
• Shell companies and “phoenix operators”
• Loan fraud and other banking schemes
• Merger and acquisition due diligence
• Foreign Corrupt Practices Act investigations
• Money laundering
• Insurance claims fraud
• Subprime lending
• Embezzlement and financial statement fraud

Forensic Data Mining
Fraud Symptoms

Fraud Symptoms
Payroll
• Employees with no deductions
• Activity subsequent to termination or before hire
• Employee with no sick/vacation/timeoff
• High pay vs department baselines
• Duplicate phone number(s)
• Duplicate addresses
• Duplicate direct deposit accounts
• Short duration of hire/termination
• Same employee assigned to multiple departments
• Timecard anomalies (threshold punchouts)
• In payroll but not on phone list or active employee files

Fraud Symptoms
Vendors or Customers (Companies, Banks, etc.)
• Name similarity (phonetics, etc.)
• Acceleration (systematic spending increases)
• Employee address matches customer/vendor address
• Customer Tax ID matches another customer Tax ID
• Customer/vendor phone number matches employee phone
• Duplicate invoices or slightly altered attributes
• Sudden spike in invoice volume or activity
• Missing contact information (address, phone, names)
• High volume of transactions ending in 0 or 5
• Unusual activity compared to similar vendors or customers
• Weekend or holiday transaction dates
• Transactions processed at unusual hours
• Address is PO Box, maildrop, prison or high-risk ZIP code
• “Dormant” account suddenly active

Bank Data Mining Example
Loan Master File
(1) Name similarity
(2) Customer address matches CEO address
(3) Customer phone matches CEO cell phone
(4) Customer TIN matches other customer TIN

Bank Data Mining Example
P & Q
CEO’s Personal Checking Account

Forensic Data Mining
Less Obvious Relationships: Addresses and Geocoding

Fictitious Company
Cross Reference Against:
• Maildrops (Mailbox Services)
• Correctional Facilities
• High-Risk ZIP Codes
The UPS Store, 1221 East Kearney, Springfield, MO

Fictitious Company
965 Feet

Mapping Employee-Vendor Relationship
• Employee Home
• UPS Store
• Employer

Geocoding
• AP Manager
• Vinny’s Salvage Yard

Visual Mapping

Data Mining
Benford’s Law (aka Digital Frequency Analysis)

Benford’s Law
1. Not random as one would expect
2. Also works on 1st 2 digits, 3 digits and decimals

Benford’s Law
[Chart: Normal Pattern. First digit distribution, population size 500,000 transactions. Horizontal axis: first digit (1 to 9); vertical axis: proportion; series: Actual, Benford’s Law.]

Benford’s Law
[Chart: Abnormal Pattern. Second digit distribution, population size 300,000 transactions. Horizontal axis: second digit (0 to 9); vertical axis: proportion; series: Actual, Benford’s Law.]

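Digital frequency analysis as these slides describe it, written out as an added example (not from the original deck): it computes the Benford expectation for the first digit, the second digit and the first two digits, then lists the digits that occur significantly more often than expected. The expense data is constructed: a log-uniform baseline plus claims padded to sit just under a $25 no-receipt limit, which shows up as an excess of leading digits "24".

```python
import math
from collections import Counter


def significant_digits(amount):
    """Digits of the amount with sign, decimal point and leading zeros removed."""
    return f"{abs(amount):.9e}".split("e")[0].replace(".", "")


def extract(amount, position):
    digits = significant_digits(amount)
    if position == "first":
        return int(digits[0])
    if position == "second":
        return int(digits[1])
    if position == "first_two":
        return int(digits[:2])
    raise ValueError(position)


def expected(position):
    """Benford probability of each digit (or digit pair) for the given test."""
    if position == "first":
        return {d: math.log10(1 + 1 / d) for d in range(1, 10)}
    if position == "first_two":
        return {d: math.log10(1 + 1 / d) for d in range(10, 100)}
    if position == "second":
        return {d2: sum(math.log10(1 + 1 / (10 * d1 + d2)) for d1 in range(1, 10))
                for d2 in range(10)}
    raise ValueError(position)


def digit_test(amounts, position="first"):
    """Compare observed digit frequencies with Benford's Law.

    Returns per-digit rows, the mean absolute deviation, and the digits whose
    observed share exceeds the expected share with z > 1.96, largest z first.
    With 90 cells in the first-two-digits test a few will cross 1.96 by chance
    in real data, so treat the list as leads for review, not findings.
    """
    usable = [a for a in amounts if a]          # zero has no leading digit
    n = len(usable)
    counts = Counter(extract(a, position) for a in usable)
    rows = []
    for digit, p_exp in expected(position).items():
        p_obs = counts[digit] / n
        std_err = math.sqrt(p_exp * (1 - p_exp) / n)
        # z-statistic with continuity correction
        z = max(abs(p_obs - p_exp) - 1 / (2 * n), 0) / std_err
        rows.append({"digit": digit, "observed": p_obs, "expected": p_exp, "z": z})
    mad = sum(abs(r["observed"] - r["expected"]) for r in rows) / len(rows)
    ranked = sorted(rows, key=lambda r: -r["z"])
    excess = [r["digit"] for r in ranked
              if r["z"] > 1.96 and r["observed"] > r["expected"]]
    return {"n": n, "mad": mad, "rows": rows, "excess": excess}


def constructed_expenses():
    """Constructed data: 3,000 log-uniform amounts, then 150 padded meal claims."""
    baseline = [10 ** (1 + i / 1000) for i in range(3000)]      # $10 to $10,000
    padded = [24 + (i % 100) / 100 for i in range(150)]         # $24.00 to $24.99
    return baseline + padded


if __name__ == "__main__":
    data = constructed_expenses()
    for position in ("first", "second", "first_two"):
        result = digit_test(data, position)
        print(f"{position:10s} MAD={result['mad']:.4f} excess={result['excess']}")
```

The first-two-digits test points at the amount range to pull for review, which the single-digit tests cannot do on their own.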
Expense Account Padding

Expense Account Padding
• Spending limit per meal without receipt is $25

Data Mining
Time Series

Time Series
Vendor: JLM Plumbing
AP Clerk: Janice McPhearson
[Chart: time series from 1/21/2006 to 8/21/2006, vertical axis 0 to 1600, with three annotated phases: Testing the Waters; Acceleration as Confidence Builds; Getting Greedy.]

Name Manipulation
1. Acronym / Initials
2. Anagrams
3. Fictitious Names
• Mick E. Mowse
• Princess Ariel
• George Ruth
• John Dough
4. Others
• Substitution
• Insertion or Omission
• Transposition
• Numb3r Subst1tut10n

The Fraud Triangle
• Perceived pressure facing individual
• Perceived opportunity to commit fraud
• Person’s rationalization or integrity

Fraud Triangle Analytics
Opportunity Key Words (O Score)
• Override
• Write-off
• Recognize revenue
Pressure/Incentive Key Words (P Score)
• Meet the deadline
• Make sales quota
• Under the gun
Rationalization Key Words (R Score)
• I think it’s OK
• Sounds reasonable
• I deserve
Fraud Score
Source: “Detecting Fraud by Integrating E-mail Analytics with the Fraud Triangle,” Fraud Magazine, May/June 2009

The Cutting Edge
• “Symptomless Detection” – Finding answers to questions that haven’t even been asked.
• Concept Searching – Detection based on tone, recurring themes and communication nuances
• Non-Obvious Relationship Association (Colleen McCue)
• Neural Networks and Artificial Intelligence
• Statistical-based prediction of events (Web Bot Project)

The Cutting Edge
Non-Obvious Relationship Association (NORA)
Items related by degrees of separation
• Carrie Fisher was in Star Wars with
• Harrison Ford who was in The Fugitive with
• Tommy Lee Jones who was in Batman Forever with
• Val Kilmer who was in Heat with
• Robert De Niro who was in Sleepers with
• KEVIN BACON!

The Cutting Edge
NORA Example
[Diagram: nodes Employee, Customer A, Customer B, Customer C]
• Employee Shares Phone # With Customer A
• Customer A Shares Address With Customer B
• Customer B Co-Signer For Customer C
• Employee is Loan Officer For Customer C

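The NORA example above can be reproduced as a graph search. This is an added example, not part of the original slides: it links parties that share a normalized phone number or address, adds co-signer links from the loan file, and then looks for a chain between each loan's officer and its borrower that does not rely on the declared loan-officer relationship. All records, field names and phone numbers are constructed.

```python
import re
from collections import defaultdict, deque


def norm_phone(value):
    """Digits only, so '(417) 555-0143' and '417-555-0143' compare equal."""
    return re.sub(r"\D", "", value)


def norm_address(value):
    """Lower-case, strip punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", "", value.lower()).split())


def build_graph(people, loans):
    """Undirected graph of undeclared links: shared phone, shared address, co-signer."""
    graph = defaultdict(list)

    def link(a, b, label):
        graph[a].append((b, label))
        graph[b].append((a, label))

    for field, normalize in (("phone", norm_phone), ("address", norm_address)):
        groups = defaultdict(list)
        for person in people:
            if person.get(field):
                groups[normalize(person[field])].append(person["id"])
        for ids in groups.values():
            for i, first in enumerate(ids):
                for second in ids[i + 1:]:
                    link(first, second, f"shares {field}")
    for loan in loans:
        if loan.get("cosigner"):
            link(loan["cosigner"], loan["borrower"], "co-signer on loan")
    return graph


def find_chain(graph, start, goal, max_hops=4):
    """Shortest chain of (from, relationship, to) hops, or None if out of reach."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        if len(path) == max_hops:
            continue
        for neighbor, label in graph[node]:
            if neighbor not in seen:
                seen.add(neighbor)
                queue.append((neighbor, path + [(node, label, neighbor)]))
    return None


def flag_loans(people, loans):
    """Loans whose officer reaches the borrower through undeclared links."""
    graph = build_graph(people, loans)
    flagged = {}
    for loan in loans:
        chain = find_chain(graph, loan["officer"], loan["borrower"])
        if chain:
            flagged[loan["loan"]] = chain
    return flagged


# Constructed records mirroring the slide; Customer D is an unrelated control.
PEOPLE = [
    {"id": "Employee", "phone": "(417) 555-0143", "address": "900 Sample Ave"},
    {"id": "Customer A", "phone": "417-555-0143", "address": "12 Constructed Way"},
    {"id": "Customer B", "phone": "417-555-0188", "address": "12 constructed way."},
    {"id": "Customer C", "phone": "417-555-0121", "address": "77 Placeholder Rd"},
    {"id": "Customer D", "phone": "417-555-0199", "address": "3 Example Ct"},
]
LOANS = [
    {"loan": "L-1", "borrower": "Customer C", "cosigner": "Customer B", "officer": "Employee"},
    {"loan": "L-2", "borrower": "Customer D", "cosigner": None, "officer": "Employee"},
]

if __name__ == "__main__":
    for loan_id, chain in flag_loans(PEOPLE, LOANS).items():
        print(loan_id, " -> ".join(f"{a} [{label}] {b}" for a, label, b in chain))
```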
The Cutting Edge
Neural Networks, Statistics and Concept Searching
• Uses mathematical algorithms to mimic the human neural network, and “learns” the conceptual meaning of words and phrases from a test set of documents (“digital bloodhound”).
• The more documents the engine “sees”, the more accurate its grasp of human language.
• Adept at detecting current conditions and predicting likelihood of future events based on language and patterns in corporate documents and email.

Read More About It…
• “Fraud Examination” – Steve Albrecht and Conan Albrecht
• “Fraud Detection” – David Coderre
• “Digital Analysis Using Benford’s Law” – Mark Nigrini
• “Data Mining and Predictive Analysis: Intelligence Gathering and Crime Analysis” – Colleen McCue
• “Forensic Data Mining: Finding Needles in the Haystack” – Archived Webcast at http://www.bkd.com/service/Forensics/Webcast/

Questions?
John Mallery
BKD, LLP
Twelve Wyandotte Plaza
120 W. 12th Street, Suite 1200
Kansas City, MO 64105