June 1996

Downloading: Using Computer Software as an Investigative Tool

By Arthur L. Bowker, M.A. and Leonard N. Drinkard

______________________

Mr. Bowker and Mr. Drinkard are investigators with the Office of Labor Management Standards, U.S. Department of Labor, Cleveland, Ohio.

______________________

(Downloading can help to eliminate complicated and time-consuming computer crime-solving procedures, such as seizing bulky computer equipment and wading through volumes of paperwork.)

Consider the following scenario. At 9 o'clock one Monday morning, the owner of a local business makes a frantic call to your agency's fraud unit. She reports that she arrived at work early that morning and was surprised to find the office manager, a 5-year employee, already busy at the computer. He appeared extremely nervous, and as the owner approached the computer, she discovered that he had gained unauthorized access to the company's payroll files. When asked why, the office manager nervously responded that he thought the system had miscalculated the withholdings on his last paycheck, and he was only "checking it out."

Suspicious of this response, the owner checked the computer's access log for the payroll system, something she had not done for some time. Her inquiry revealed that the office manager had accessed the system before and after each payday for the past year.

Investigating further, the owner made a startling discovery. The company that prepares her firm's checks had been issuing 60 paychecks every pay period, even though she employs only 55 people. Confronted with the discrepancy, the office manager admitted to "borrowing" some funds. Heavy drinking had dulled his memory of exactly how much money he had "borrowed." He refused to answer any more questions and tendered his letter of resignation.

When the police responded, the owner promised to cooperate with the investigation.
Yet, she also informed the officers that she could not afford to have her business disrupted in any way.

This unfortunate business owner had fallen victim to a computer manipulation crime, an offense that involves changing data or creating records in a computer system to commit another crime,1 in this scenario, embezzlement. Although the law enforcement community has recognized the seriousness of these crimes for more than a decade,2 investigations typically have been complicated, time-consuming, and disruptive to the victim's business operations. However, using a technique known as downloading, law enforcement agencies now can use their computer software as an investigative tool to solve computer manipulation crimes quickly and easily.

NOT FOR COMPUTER EXPERTS ONLY

Downloading is the process of transferring a computer program, file, or other electronic information from a remote database or other computer to a user's own computer.3 When investigating computer manipulation crimes, law enforcement officers can download the victim's computerized financial records to a disk, return to their office, and use their agency's software to reorganize the data into a format that enables them to detect falsifications.

Specifically, downloading enables investigators to sort, select, and organize entries in whatever manner the investigation demands. This method makes analyzing the data much easier than manually examining journals, ledgers, or check registers in whatever manner the entries might be organized, such as by date or check number.

Investigators can examine only those entries that may be evidence of a crime--such as checks with false payees, fictitious voided checks, or checks for large dollar amounts--without searching every computer entry and every canceled check by hand.
By reducing the number of computer entries investigators need to compare to hard-copy evidence (for example, canceled checks, vouchers, or invoices), downloading permits easy detection of any discrepancy and/or falsification the embezzler used to conceal the crime.

In short, downloading allows law enforcement agencies to use commercially available software to analyze volumes of data without seizing computer equipment, disrupting the victim's business, and manually searching every piece of evidence. Downloading possesses clear advantages over the methods traditionally used to investigate computer manipulation crimes.

TRADITIONAL INVESTIGATIVE METHODS

Some investigators note that investigations into computer manipulation crimes comprise 90-percent detective work and 10-percent computer work.4 This division between detective and computer work also is reflected in the two types of software law enforcement officers traditionally have used to solve these crimes--investigative and application software.

Investigative Software

Investigative software allows users to search computer systems, particularly the computer's hard drive, for hidden files or data that subjects sometimes conceal in a deliberate attempt to thwart law enforcement. For instance, drug traffickers might hide information about their foreign bank accounts on a hard drive.

Investigative software packages typically prove most useful in cases involving uncooperative subjects whose business is crime. In such cases, investigators must serve a search warrant and seize all of the components of the computer system,5 a cumbersome, time-consuming, and disruptive process.

In computer manipulation cases, however, subjects most often commit their crimes against their employer, who operates a legitimate business. Furthermore, these subjects usually have limited computer expertise; rather, they have a general understanding of how the victim's computer system works and where its weaknesses lie.
This limited knowledge allows them to manipulate the system, but not to hide files. For this reason, traditional investigative software is inappropriate in these types of crimes.6

Application Software

Investigators primarily use application software--which includes programs for word processing, spreadsheet, and database functions--to document and later to present their findings to the proper authorities. By doing so, they do not use the software to its fullest potential.

Because of increased compatibility among computer systems, many of today's application software packages permit the easy downloading of data created in other software packages. As a result, white-collar crime investigators can use today's application software to do more than write reports and present evidence. With the ability to download, investigators can use application software as an investigative tool.

GUIDELINES FOR DOWNLOADING EVIDENCE

Preparation

Investigators first should try downloading on a small scale, such as in a case where an embezzler only had access to the computer for a short time or where the organization's receipts or disbursements are small. By starting out with smaller cases, investigators will gain the experience and confidence they need to solve those cases involving greater amounts of data.

As with any new investigative technique, before downloading, investigators must become thoroughly familiar with the functions and limitations of their agency's application software. In particular, they should know what data files it can translate into a readable format.

Procedures

First and foremost, investigators must secure the victim's system. This ensures that the subject no longer can access the system to change or destroy data, or worse, to steal additional funds.
Methods to secure the victim's system vary, but generally they consist of changing the passwords for all users and from all points of entry, including computers in the office and telephone lines that allow users to access the system from remote locations. The subject also must be prevented from entering the premises after the passwords have been changed, which may mean placing the subject on administrative leave and notifying co-workers that this person no longer has clearance to enter the workplace.

After securing the system, investigators should determine what software the company uses to maintain its financial data. Some small companies contract with computer firms for customized financial software packages, and as a result, may not know what format they use. Fortunately, these computer firms often customize a product by making only minor modifications in a standard software program. In such cases, investigators can determine which program the victim uses by viewing a directory of its financial files and checking the three-symbol extension after each file name. For example, WKS and WK1 represent two types of Lotus® software.

If the victim and the agency use the same file format, the downloading process entails merely copying the necessary files to a disk. If not, the company's system or the agency's software may be able to convert the data into a compatible format. Specifically, if the victim's or agency's software can save the file in the American Standard Character Information Interchange (ASCII), a standard data information format, then any spreadsheet or database program can read the file.

Although not all software packages can convert data to ASCII, they can transmit data to a printer and produce a hard copy of the file. By the same token, with a slight variation in print commands, users can send data to a file instead of to the printer. Once created, this print file can be copied to a disk.
Special software, called a print file reader, can read the data and convert it to a format that the agency's application software will understand.

Downloading's Investigative Counterparts

In addition to downloading, investigators can use the password-based security controls built into many computer systems to discover who made the fraudulent entries and when. In many cases, computer access logs reveal that suspects enter the system after-hours and on weekends, when they have no legitimate reason to do so. In such cases, suspects will be hard-pressed to deny the evidence, as well as to explain why they needed to access the computer system at times when no one could witness their actions.

LEGAL CONSIDERATIONS

Although law enforcement officers traditionally have seized entire computer systems to investigate white-collar crimes, victims of computer manipulation cases usually cannot afford to have their businesses disrupted in this manner. Downloading allows investigators to access computerized records without removing the computer itself. Still, search warrants may be required, and investigators should consult their department's legal advisor or the local prosecutor for guidance.

Another important area of consideration involves the admissibility of computerized records in court. In general, computerized records are subject to the hearsay rule, the best evidence rule, and the authentication requirement.7 Investigators should seek legal advice in these areas as well.

Furthermore, as with any piece of evidence, establishing a proper chain of custody helps to ensure the admissibility of computerized records in court. To accomplish this, investigators must document fully the procedures they used to obtain and store the downloaded data, including where, by whom, and under what circumstances they gained access to the victim's system, and which specific files they downloaded. These files must be maintained on a write-protected disk, which prevents data from being altered.
To provide additional protection against data loss, investigators should use copies of the downloaded files to sort, select, and organize the data during the investigative process and should remember to back up the files periodically.

HELPING BUSINESSES PREVENT COMPUTER EMBEZZLEMENT

White-collar crime investigators should encourage businesses to institute security procedures to combat computer manipulation crimes.8 First, companies should institute computer access controls. Specifically, employees authorized to access the computer should have access codes or passwords. Computer systems should recognize authorized users, as well as their level of authority, and admit them accordingly. For example, the payroll clerk might be permitted to sign on to the system only every payday, while an office assistant might be denied access entirely. Computer systems also should change access codes periodically.

In addition, companies should establish and maintain internal accounting controls. These include separating financial duties so that the person who keeps the records is not the same person who prints the checks; periodically rotating duties; developing and documenting financial policies and procedures, such as defining authorization limits for checks; and conducting periodic internal audits and surprise inspections.

Third, the computer system should log every unusual occurrence automatically. For example, a system might search for checks that are out of sequence; transactions that are out of the ordinary--too high, too low, too many, too often; or an employee who repeatedly attempts to gain access improperly. To be effective tools, however, these reports must be inspected periodically. The business owner in the opening scenario who fell prey to computer embezzlement failed to check her computer's access log on a regular basis.

Finally, employers should pay attention to their workers.
The behavior of employees who deviate from the firm's standard operating procedures or merely from their own past performance levels may signal that something is amiss.

CONCLUSION

In the past, businesses locked up their books and records to prevent destruction, falsifications, and losses. Unfortunately, today's technology enables embezzlers to manipulate data and falsify records, even at their leisure from their own homes. Law enforcement agencies must accept the fact that financial records, once falsified by pen and pencil, now can be altered by computer.

Fortunately, investigators can fight back by using their agency's own computers to detect false entries quickly and accurately, establish criminal intent, and successfully prosecute embezzlers. By using downloading as an investigative tool, white-collar crime investigators can take a "byte" out of computer crime.

_____________________

Endnotes:

1 U.S. Department of Justice, National Institute of Justice, Office of Justice Programs, "Computer Crime," NIJ Reports, January/February 1990, by C. Conly and J.T. McEwen, 3.

2 A 1986 survey conducted by the National Institute of Justice determined that between 63 and 84 percent (range based on differences in jurisdiction size) of responding police chiefs and sheriffs believed that computer crime investigations would be a "significant cause of future workload in their departments." Follow-up contacts with selected respondents revealed specific concerns over computer manipulation to commit fraud and embezzlement. J.T. McEwen, U.S. Department of Justice, National Institute of Justice, Dedicated Computer Crime Units, June 1989, 8.

3 Charles Sippl, The New Webster's Computer Terms (Costa Mesa, CA: Lexicon Publications Inc., 1990), 120.

4 Ibid., 49.

5 Supra note 1, 5.

6 Certain software packages prove advantageous in rare cases involving a computer-literate subject who tampers with the victim's software or hardware to facilitate the embezzlement.
An example of this is a bank computer specialist who designs a hidden program that "slices" a penny of earned interest from every customer's account and deposits the proceeds into a personal account, a scheme known as the "salami method."

7 See John Gales Sauls, "Computerized Business Records As Evidence: Required Predicates to Admission," FBI Law Enforcement Bulletin, October 1985, 26. See, e.g., Brandon v. State, 396 N.E.2d 365 (Ind. 1979); United States v. Vela, 673 F.2d 86 (5th Cir. 1982); Hatton v. State, 498 N.E.2d 398 (Ind. App. 4 Dist. 1986); American Oil Co. v. Valenti, 426 A.2d 305 (Conn. 1979); Barbiarz v. Hartford Special Inc., 480 A.2d 561, 567 (Conn. App. 1984); King v. State ex rel Murdock Acceptance Corporation, 222 So.2d 393, 397 (Miss. 1969); United States v. Russo, 480 F.2d 1228, 1241 (6th Cir. 1973); United States v. Sanders, 749 F.2d 195, 199 (5th Cir. 1984); Monarch Federal Savings and Loan Association v. Genser, 383 A.2d 475 (N.J. Super. St. Ct. Ch. Div. 1977); Palmer v. A.H. Robbins Co., Inc., 684 P.2d 187, 201 (Colo. 1984).

8 Jack Bologna, How to Detect Embezzlement (Madison, WI: Assets Protection Publishing, 1994), 7-8.

_______________

Note: For additional information on downloading, contact Leonard Drinkard, U.S. Department of Labor, Office of Labor Management Standards, Room 831 Federal Office Building, 1240 East Ninth Street, Cleveland, Ohio 44199-2054, phone 216-522-3855.
_______________

Sidebar 1

The Benefits of Downloading

Downloading allows investigators to:

- Use a familiar software package to examine, analyze, and organize volumes of data
- Reduce considerably the time required to investigate and document a case
- Limit greatly the intrusion into the victim's business by avoiding the need to seize hardware and software to investigate the crime
- Authenticate work papers and schedules that document a loss and can be used in court because they represent an exact copy of the original data
- Eliminate errors that might occur if investigators needed to enter data into the computer from hard copies of ledgers, journals, check registers, canceled checks, etc.

________________

Sidebar 2

Investigative Tips

Guidelines for Downloading

Investigators should:

- Try downloading on a small scale to gain confidence
- Become familiar with the functions and limitations of your agency's application software
- Secure the victim's system to prevent unauthorized access
- Determine the victim's software package (If the package is the same as your own, copy the data onto a disk, if it is not the same:
  --convert to an ASCII file and use spreadsheet or database software to read; or
  --create print file, copy onto disk, and use print file reader software to convert data)

Preventing Computer Manipulation Crime

Business owners should:

- Institute computer access controls
- Establish and maintain internal accounting controls
- Program computers to record unusual occurrences
- Regularly review security logs
- Note employees who deviate from acceptable procedures or performance levels.

Source: Jack Bologna, How to Detect Embezzlement (Madison, WI: Assets Protection Publishing, 1994), 7-8.

_______________________
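
The sort-and-select review of a downloaded check register and the after-hours access-log check described in the article, written out as an added example that is not part of the original article. The register layout, column names, employee roster, access log, business hours, and the three-times-median threshold are all constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample data (not from the article): a check register saved as
# ASCII text (CSV), the employee roster, and a system access log.
REGISTER = """check_no,date,payee,amount,status
1001,1996-03-01,A. Jones,812.40,cleared
1002,1996-03-01,B. Smith,790.15,cleared
1003,1996-03-01,R. Doe,805.00,cleared
1005,1996-03-15,A. Jones,812.40,cleared
1006,1996-03-15,B. Smith,4790.15,cleared
1007,1996-03-15,R. Doe,805.00,void
"""
ROSTER = {"A. Jones", "B. Smith"}
ACCESS_LOG = """user,timestamp
clerk,1996-03-01 10:12
manager,1996-02-29 22:41
manager,1996-03-16 07:05
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def flag_register(rows, roster, high_factor=3.0):
    """Map check number -> reasons the entry should be compared to paper."""
    amounts = sorted(float(r["amount"]) for r in rows)
    median = amounts[len(amounts) // 2] if amounts else 0.0  # upper middle
    flags = {}
    for r in rows:
        reasons = []
        if r["payee"] not in roster:
            reasons.append("payee not on roster")
        if r["status"] == "void":
            reasons.append("voided check")
        if float(r["amount"]) > high_factor * median:
            reasons.append("amount far above median")
        if reasons:
            flags[int(r["check_no"])] = reasons
    return flags

def missing_check_numbers(rows):
    """Check numbers absent from the recorded sequence (out-of-sequence gaps)."""
    nums = sorted(int(r["check_no"]) for r in rows)
    return sorted(set(range(nums[0], nums[-1] + 1)) - set(nums)) if nums else []

def off_hours_access(rows, start=8, end=18):
    """Log entries made on weekends or outside the assumed business hours."""
    hits = []
    for r in rows:
        t = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M")
        if t.weekday() >= 5 or not (start <= t.hour < end):
            hits.append((r["user"], r["timestamp"]))
    return hits
```

Run the functions against working copies of the downloaded files, never the write-protected originals; each flagged entry is a lead to compare against canceled checks and vouchers, not a finding in itself.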