Case study: Using VFC to aid Financial Investigations

About MD5 LTD
MD5 Ltd are the manufacturers of the world-renowned software, Virtual Forensic Computing (VFC). We are a Digital Forensics and eDiscovery service provider and have worked closely with Law Enforcement and Government Agencies since inception.

Accounting software such as QuickBooks and Sage can be a very valuable source of evidence when investigating fraud, internal business problems, staff misconduct and IP theft.

Accounting programs like these often use a proprietary file format that is difficult to view outside of the native application. The challenge for a forensic investigator is presenting the information identified within those applications in a format that everyone involved in a case can readily understand.

When it comes to QuickBooks and Sage, investigators will have some success with tools such as EnCase and Nuix, but providing that information to a client in a user-friendly format can often prove challenging. Virtual Forensic Computing (VFC) software, by MD5, offers an alternative approach.

In this particular fraud case, investigated by MD5, our analyst used VFC to create VM copies of a number of computer exhibits, all of which were running QuickBooks and contained QuickBooks application data. By doing this, the analyst was able to browse, identify and extract a significant volume of key evidence directly related to the investigation, in a format that would otherwise have been unintelligible, without needing to run a separate instance of the accounting software.

This data was exported to Excel spreadsheets, extracted from the Virtual Machine environment and then uploaded to our ‘eForensics’ online review platform for further investigation by the Police investigators.

Here follows a breakdown of the case and the steps the analyst took to accomplish this:

Phase 1 (VFC – preliminary steps)

This case involved multiple computers and servers, all of which were running QuickBooks. After taking forensic images of the devices, I generated them all as Virtual Machines, using VFC.

The process for each VM involved mounting the E01 forensic image as ‘Physical Only’ and ‘Block Device / Writable’ using FTK Imager. From this mounted image, VFC was used to generate a Virtual Machine and the VM was then launched using VMware Workstation.

The system booted to the login page and a password was requested. With no password provided as part of the examination paperwork I utilised VFC’s password bypass feature. This routine allowed me to log in as the user of the system. After doing some initial inspections of the device I turned to the QuickBooks data that had been identified earlier in the examination.

Phase 2 (VFC – specific application)

1. I launched QuickBooks and noted that 3 Projects were listed in the Recently Opened Files section of the software. After browsing the application’s dashboard, I launched one of the data files listed as ‘recently opened’.

2. This opened a QuickBooks data file containing a lot of information, ranging from Contacts, Payments, Stock History and Transactions to Members of Staff. Each section contained information that was relevant to the enquiry.

3. From within the Virtual Machine, I then browsed through the various sections of the data file and examined the data stored within. Of particular note was the Transaction page; this page contained thousands of entries that painted a picture of who the company had dealt with, when that business had been done and what was involved as part of each transaction.

4. QuickBooks, Sage and other database programs allow their users to export data as Comma Separated Values (.CSV) files or Excel spreadsheets (.XLS or .XLSX) so that the data can be used outside of the applications. Utilising this feature within the VM environment, I exported the data from the Transaction page as a spreadsheet. I repeated this process for each page that contained information of note.

5. VMware provides a suite of tools (VMware Tools) which can be installed onto a VM to give additional functionality, such as copying files from the VM environment to the host computer. I installed VMware Tools and ‘dragged and dropped’ the relevant spreadsheets to my own physical system.

6. By the end of the process I had a range of spreadsheets that helped to portray exactly what the business had been doing over an extended period of time. At this stage I provided a copy of the spreadsheets to our client.

Phase 3 (eForensics)

7. The client for this examination was using our online review platform to review documents and emails that were stored on the devices submitted for examination. Online Review is offered as part of MD5’s eForensics solution and allows our clients to review data online at any time of day, from anywhere in the world. After consultation with the client, it was agreed that the spreadsheets containing the QuickBooks data would be uploaded to the online review platform along with the other documents that were extracted. This allowed the client to use keyword searching and date criteria as part of the Online Review process to narrow down the data stored within the spreadsheets.
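The keyword-and-date triage the client performed in Online Review, and the integrity hash an examiner would record when an export leaves the VM, as an added example that is not MD5's, VFC's or eForensics' own code. It assumes a constructed CSV export with the columns Date, Type, Name, Memo and Amount in dd/mm/yyyy format; real QuickBooks exports vary by version and page.

```python
"""Keyword and date-range triage of a QuickBooks transaction-page export.

Added example, not MD5/VFC code. The column layout below is an assumption.
"""
import csv
import hashlib
import io
from datetime import date, datetime

# Constructed sample export; not data from any real case.
SAMPLE_CSV = """Date,Type,Name,Memo,Amount
03/01/2019,Invoice,Acme Supplies Ltd,Stock order 1042,1250.00
15/02/2019,Payment,J Smith,Consultancy fee,-4000.00
02/03/2019,Invoice,Acme Supplies Ltd,Stock order 1077,980.50
28/03/2019,Cheque,Cash,Petty cash withdrawal,-600.00
"""


def sha256_hex(data: bytes) -> str:
    """Integrity hash to record when the spreadsheet is copied out of the VM."""
    return hashlib.sha256(data).hexdigest()


def parse_date(text: str) -> date:
    """Dates in the export (and the reviewer's criteria) use dd/mm/yyyy."""
    return datetime.strptime(text, "%d/%m/%Y").date()


def parse_export(text: str) -> list:
    """Load the CSV export into dicts with typed Date and Amount fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Date"] = parse_date(row["Date"])
        row["Amount"] = float(row["Amount"])
        rows.append(row)
    return rows


def triage(rows: list, start: str, end: str, keyword: str) -> list:
    """Rows dated within [start, end] whose Name or Memo contains keyword."""
    lo, hi, kw = parse_date(start), parse_date(end), keyword.lower()
    return [r for r in rows
            if lo <= r["Date"] <= hi
            and (kw in r["Name"].lower() or kw in r["Memo"].lower())]


if __name__ == "__main__":
    print("export sha256:", sha256_hex(SAMPLE_CSV.encode()))
    for r in triage(parse_export(SAMPLE_CSV), "01/01/2019", "15/03/2019", "acme"):
        print(r["Date"], r["Type"], r["Name"], r["Memo"], r["Amount"])
```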
