Computer Forensics Insights into Locating Undisclosed Assets
In most bankruptcies, there is little cash to go around, so trustees and creditors are always on the lookout for additional assets. In some cases, the trustee or creditors are bewildered to find out that the company or individual has no assets. The debtor made lots of money each year for several years, and then suddenly is insolvent. All indicators suggest that the debtor should have more assets than reported on the bankruptcy petition. However, it is not readily apparent what happened, and inevitably the trustees and creditors ask: "Where'd the money go?"
One explanation may be that the debtor concealed assets prior to filing for bankruptcy. Using computer forensics, an expert may be able to uncover a small clue or key piece of information that ultimately leads to the undisclosed assets. This article is meant to introduce some computer forensic concepts to generate awareness regarding the type of information that can be found as trustees or creditors search for debtor assets not disclosed on the bankruptcy petition.
During the last decade, the use of computers has increased significantly. The Y2K scare showed just how much businesses and individuals rely on computers to handle daily activities. Because of the extensive use of computers, the "paper trail" that once existed has quickly faded. Most information is now stored or maintained on some type of digital media.
In the past, businesses stored their records in filing cabinets and desk drawers. However, in today's environment, more books and records are being stored on laptops, network servers and third-party servers. Companies are conducting more and more business via e-mail. Computers are used to create company memoranda, correspondence, strategies, business plans, product designs and economic forecasts using word processing and spreadsheet software. In most cases, these digital files are stored only on digital media.
One of the first steps in the computer forensics process is identifying the digital media on which digital information may be stored. Because technology changes each day, it is difficult to identify all of the devices that may contain digital information. However, there are some clear areas where digital information can be found, which include the following:
- work and home desktop and laptop hard drives
- network servers, which include e-mail
- personal information managers (PIMs) and personal digital assistants (PDAs)
- printers, facsimile machines and digital copiers with buffer memory
- third-party servers such as Internet service providers (ISPs)
- back-up and archival tapes. At first glance, these two physical areas may appear to be the same, but they are quite different. Back-up tapes are created on a periodic basis in case a computer system fails. The back-up tapes may be recycled, meaning that the data on the tapes is constantly being overwritten with new data. Therefore, the information on the back-up tapes may not be permanent. If the computer fails, the back-up tapes can be used to restore a system back to a specific point in time. On the other hand, the archival tapes are permanent and are not used to store data on a periodic basis.
- removable media such as CD-ROM, hard disks, Smart Media, Compact Flash Card Type I/II, Click Drive, Memory Stick and Trek Drive.
Once the digital media have been identified, the following non-physical areas need to be searched:
- active files
- deleted items: active files that have been "erased" but still remain on the digital media
- e-mail files
- slack space: This term is explained as follows:
When computer disks are first formatted, they are divided into tracks and sectors. A combination of two or more sectors on a single track is called a cluster—the basic storage unit of a disk. Different disk formats have different cluster sizes, but the concept is the same. When you save a file that takes up less than one cluster, other files will not use the additional space in that cluster. In short, once a cluster contains data, the entire cluster is reserved. This is similar to the situation in most restaurants. If three people are sitting at a table that seats four, the additional seat remains empty until the three people have finished using the table. The idea is that a fourth stranger might interfere with these three people's meal. Similarly, if a computer tried to squeeze extra data into the unused part of a cluster, the new data might interfere with the old. The extra space in a cluster is called slack space. Even when a deleted file is overwritten, if the new file does not take up the entire cluster, a portion of the old file might remain in the slack space. In this case, a portion of a file can be retrieved long after it has been deleted and partially overwritten.3
- unallocated space: This concept refers to disk space that the computer is not actively using to store data. Imagine a disk that has many tracks running around it similar to a running track at a local high school. The tracks closest to the middle are used first, and as the disk is filled, the computer stores data further away from the middle. If the computer had stored data in unallocated space, the data may still exist if the space was never reused.
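The slack-space behavior described above can be reproduced with a small model. The following Python sketch is an added illustration, not part of the original article: the `ToyDisk` class, the 4,096-byte cluster size and the file contents are all constructed assumptions, and a real file system is considerably more involved.

```python
import re

CLUSTER_SIZE = 4096  # bytes per cluster; assumed value for this model

# Constructed sample contents (not real data).
OLD_MEMO = b"Wire 250,000 to account 00-CONSTRUCTED-00 at Example Bank. " * 20
NEW_FILE = b"Lunch menu for Friday."


class ToyDisk:
    """Constructed model of a disk that reserves whole clusters for files."""

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER_SIZE)
        self.files = {}  # name -> (first_cluster, length_in_bytes)

    def write(self, name, content, first_cluster):
        # Only the new file's bytes are written; the rest of the cluster
        # keeps whatever was stored there before.
        start = first_cluster * CLUSTER_SIZE
        self.data[start:start + len(content)] = content
        self.files[name] = (first_cluster, len(content))

    def delete(self, name):
        # Deleting drops the directory entry; the bytes stay on the media.
        del self.files[name]

    def slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        first_cluster, length = self.files[name]
        start = first_cluster * CLUSTER_SIZE
        clusters_used = max(1, -(-length // CLUSTER_SIZE))  # ceiling division
        return bytes(self.data[start + length:start + clusters_used * CLUSTER_SIZE])


def recover_slack_demo():
    disk = ToyDisk(clusters=4)
    disk.write("transfer_memo.txt", OLD_MEMO, first_cluster=1)
    disk.delete("transfer_memo.txt")
    disk.write("menu.txt", NEW_FILE, first_cluster=1)  # cluster is reused
    return disk.slack("menu.txt")


def printable_runs(blob, min_len=8):
    """Extract runs of printable ASCII, as a strings-style carving pass would."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]
```

Only the first 22 bytes of the deleted memo are overwritten by the new file; the remainder is still readable in the slack of `menu.txt`.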
Trying to find electronic data that leads to additional assets is like trying to find a needle in a haystack. The search for key data can be greatly enhanced if the search is narrowed to specific areas. One must be smart about what information is collected and analyzed. The objectives of the computer forensic investigation should be very clear; otherwise, a lot of precious cash will be expended without achieving the desired results.
Although time is critical when performing computer forensic work, the parties and investigators must spend some time up-front planning the work to be performed and determining where to focus their search. One way to do this is by interviewing employees to determine where specific information may reside within the business. The company's IT professionals should be consulted to add intelligence to the search effort. With up-front planning and a focused approach, trustees or creditors will have a better chance of finding the needle in the haystack.
Once the digital information is recovered, the investigator should look for patterns. For example, if an investigator finds that there were many files deleted on a particular day near the time of the bankruptcy filing, this may be suspicious, and the investigator should pay particular attention to the deleted files. This situation does not automatically indicate fraud or wrongdoing, but suggests further review is necessary.
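One way to look for the deletion pattern described above is to count recovered deleted files per day and compare the days before the filing with the usual daily volume. This Python sketch is an added example, not the authors' method: it assumes the recovery tool reports a deletion date for each file, and the records, filing date and thresholds are constructed.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

FILING_DATE = date(2004, 6, 15)  # constructed filing date


def sample_records():
    """Constructed (file name, deletion date) pairs: routine deletions plus one burst."""
    records = []
    day, i = date(2004, 3, 1), 0
    while day <= FILING_DATE:
        for n in range(1 + i % 3):  # 1 to 3 routine deletions per day
            records.append((f"tmp_{day}_{n}.doc", day))
        day += timedelta(days=1)
        i += 1
    burst_day = date(2004, 6, 11)  # four days before the filing
    records += [(f"ledger_{n}.xls", burst_day) for n in range(40)]
    return records


def deletion_spikes(records, filing_date, window_days=30, factor=5, min_count=10):
    """Return (day, count) for days in the window before filing whose
    deletion count is >= min_count and >= factor x the median daily count.
    The median is taken over days that have at least one deletion."""
    per_day = Counter(deleted_on for _name, deleted_on in records)
    baseline = median(per_day.values()) if per_day else 0
    window_start = filing_date - timedelta(days=window_days)
    flagged = []
    for day, count in sorted(per_day.items()):
        in_window = window_start <= day <= filing_date
        if in_window and count >= min_count and count >= factor * baseline:
            flagged.append((day, count))
    return flagged


if __name__ == "__main__":
    for day, count in deletion_spikes(sample_records(), FILING_DATE):
        print(f"{day}: {count} files deleted, review these first")
```

A flagged day is a starting point for review of the deleted files themselves, not a finding.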
By searching the electronic data, the investigator may find key e-mails or documents (partial or whole) that lead to the discovery of undisclosed assets, such as:
- bank and brokerage accounts
- coin or art collections
- affiliated companies with assets
- unfiled tax refunds
- real property
- insurance policies with value
E-mail can be quickly and efficiently reviewed using key word searches. For example, during the bankruptcy proceedings, the trustee or creditors may learn that the debtor company may own a coin or art collection that was not disclosed on the bankruptcy petition. One way to review vast amounts of data is by searching the company's e-mail using key words such as coin, art, artwork, paintings or collections.
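The keyword review described above can be sketched in a few lines of Python. This is an added example, not part of the original article: the messages are constructed, and the matching rule (whole words, optional plural) is an assumption chosen so that a short keyword such as "art" does not hit on "party" or "start".

```python
import re
from email import message_from_string
from email.policy import default

KEYWORDS = ["coin", "art", "artwork", "paintings", "collections"]  # from the article

# Constructed sample messages (not real correspondence).
RAW_MESSAGES = [
    "From: a@example.com\nTo: b@example.com\nSubject: Party logistics\n\n"
    "Let's start the department party at noon.\n",
    "From: a@example.com\nTo: c@example.com\nSubject: Re: appraisal\n\n"
    "The coins are in the safe deposit box. Two paintings went to storage.\n",
    "From: d@example.com\nTo: a@example.com\nSubject: Art insurance rider\n\n"
    "Please confirm the schedule of insured items.\n",
]


def _pattern(keyword):
    # Match the keyword as a whole word, singular or plural, in any case.
    stem = keyword[:-1] if keyword.endswith("s") else keyword
    return re.compile(rf"\b{re.escape(stem)}s?\b", re.IGNORECASE)


PATTERNS = {kw: _pattern(kw) for kw in KEYWORDS}


def search_messages(raw_messages):
    """Return (subject, matched keywords) for each message with a hit
    in its subject line or plain-text body."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=default)
        body_part = msg.get_body(preferencelist=("plain",))
        body = body_part.get_content() if body_part is not None else ""
        text = f"{msg['Subject'] or ''}\n{body}"
        matched = [kw for kw, pat in PATTERNS.items() if pat.search(text)]
        if matched:
            hits.append((str(msg["Subject"]), matched))
    return hits


if __name__ == "__main__":
    for subject, matched in search_messages(RAW_MESSAGES):
        print(f"{subject}: {', '.join(matched)}")
```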
A word of caution: Although there are many benefits associated with computer forensics, the cost of collecting and analyzing digital information may prohibit trustees and creditors from employing these types of techniques for smaller bankruptcy cases. The costs may range from as little as $4,000 to collect and analyze one hard drive to more than $1 million to collect and analyze more than 100 hard drives and servers in multiple company locations. A team of professionals may be necessary to guide trustees and creditors through the computer forensics process. Because these professionals are so specialized, trustees and creditors can expect to pay in excess of $200 per hour for their services.
It is difficult to estimate exactly how much a computer forensics investigation will cost because it depends on the amount of information that is collected and analyzed. In most cases, investigators do not know how much data is "out there" until they start recovering it. The cost of the investigation also depends on how much data the client wants to recover.
The cost of the computer forensics work needs to be addressed before the examination starts because it will dictate how much digital information can be recovered and analyzed. Creditors or trustees with limited funds in an estate that cannot afford a full computer forensics examination may decide to take a less-costly course of action, such as recovering and analyzing only company e-mail.
Before trustees or creditors can use key digital information, they must find it first. To do this, they will need to hire experts to identify, collect, extract and analyze digital information. Because specific electronic data may not be easily accessible or may be buried among vast amounts of digital information, computer forensic techniques are needed to recover the desired information. In some cases, examiners may need to collect and extract digital evidence that has been deleted, while in other cases they may need to cull through trillions of bytes to find just the right information. Whatever the case, it is clear that some electronic clues may go undetected without the use of computer forensics.
1 Matthew Schwartz is a partner in the Insolvency and Litigation Services Department of Bederson & Co. LLP. An officer of the Association of Insolvency Restructuring Advisors, he has spent the past 15 years investigating and consulting on matters related to insolvency, bankruptcy and related litigation.
Cecil is a manager in the Insolvency and Litigation Services Department of Bederson & Co. LLP. He has spent the past 16 years investigating and consulting on matters related to white-collar crime and related litigation.
Wednesday, September 1, 2004