Reference no: EM133703587
Q 1. Jackson Company manufactures pet supplies for birds and cats. Its top-level staff includes two accountants, a technology coordinator, a production manager, a warehouse manager, an office manager, two sales managers, two assistants, and the CEO. The company's main offices and manufacturing plant in Los Angeles consist of an office building, a plant building, and two small warehouses. All buildings are connected via underground fiber optic cable. The servers, hubs, and routers are stored in the main office building.
The brain behind the IT network includes three server machines, named Washington, Jefferson, and Adams. The Adams server hosts the Mixta accounting system, which processes all internal and external accounting transactions in real time.
A recent audit by a regional accounting firm discovered six customer accounts that could not be traced back to real people. The auditors' confirmations had been returned in the mail, marked "Undeliverable" and with "Invalid Address" stamps. To make things worse, all six accounts had been written off for nonpayment of amounts ranging from $4,200 to $7,000. The discovery was a complete surprise to Sandra Winger, the credit manager, because she always reviewed and personally approved all write-offs over $2,500. She was sure that she had not approved any of these.
Sandra called in Tom Surefoot, a local forensic accountant, to investigate. She was sure that fraud was involved, and she strongly suspected that Betty Beanco, one of the office managers, had somehow gotten into the accounting system and set up the phony customer accounts and had probably sold the written-off accounts on the gray market. Sandra was furious.
"I don't care how much it costs," Sandra told Tom. "I want you to catch that woman. I'm not going to let her get away with robbing me like that."
How could Tom apply computer forensics and other techniques to determine whether or not Betty Beanco should be a suspect?
Jacksons network and the Mixta accounting system are a wonderful place for Mr. Surefoot to begin his investigation. A forensic accountant that can apply computer sciences to their investigation can recover lost data, restore deleted databases or files, identify if the suspect is internal or external and even pinpoint the device used in the fraud. If Jacksons network is secure, it is likely that the fraud is coming from inside the company, this narrows down the list of suspects in the investigation. Once a list of suspects is compiled Tom should conduct background checks and conduct interviews focusing on who would likely fit in the fraud triangle and eliminating suspects accordingly. It would also be prudent of Tom to investigate the "customers" whose accounts have been written off. It is likely that the "customer" is an accomplice to whomever is writing off these accounts.
Q 2 Julia Katchum is in charge of the Eastern Regional Counterterrorism Computer Forensics Unit. Her recent investigations led her to believe that an imminent threat of a terrorist act in the Chicago area exists. She did not know much about the attack except that at least four terrorists were involved, and one of them had just made a phone call from inside the main offices of Stevenson and Barnes International Accounting Firm. Her immediate task was to proceed directly to Stevens and Barnes with an eight-person tactical team including a counterterrorism field officer to apprehend the suspect.
Julia's primary mission was to search the suspect's office and home computers and find any information that could help thwart the attack. It was thought the attack could take place before the day was over.
When Julia and the CTU (counterterrorism unit) team arrived at the accounting firm, only the CTU officer went inside to avoid drawing undue attention.
Inside, the CTU officer surreptitiously spoke to the security guard at the front desk and asked to be escorted to the office of the head of security. Once there, the CTU officer used the building's surveillance cameras to locate the suspect who was in the center of a very large room full of staff accountants working in individual cubicles.
The CTU officer decided against sending in the entire team and to make the arrest alone. There was too big a chance that the suspect could see the team coming at him because of his position in the center of the room. If he saw them coming, he could have time to delete valuable evidence or to notify other terrorists.
The CTU officer worked his way through the cubicles in as casual a way as possible, but when he got half way to his destination, the suspect seemed to identify him and began typing frantically on his computer. When the CTU officer realized what the suspect was doing, he ran the rest of the way and stopped the suspect by pressing his 10mm pistol into the side of the man's head.
The CTU raided the suspect's home at the same moment he was arrested. Just a few minutes later, the officer in charge of that raid delivered the notebook computer to John Dobson, CTU's forensic accountant, as he was just beginning to look over the suspect's computer in the Stevens and Barnes offices.
John noted the following facts:
The suspect's office computer had open an instant messenger program. He could see a piece of a message written in Arabic.
The battery in the home notebook computer was warm, even though it was turned off and not plugged in when it was seized.
What approach should John take in examining the two computers? What are some specific things that he should include in his examination?