CSI at FTB?
Computer forensic lab helps solve tax crimes
Each month in "Criminal Corner," we report the latest news on tax criminals brought to justice. Our Investigations Bureau special agents work closely with California counties’ District Attorneys and court systems to uncover fraud and illegal behavior – but you probably did not know that our investigations program also has a state of the art computer forensic lab, which fills a very important niche in "crime scene investigation."
The Computer Forensic lab's goals are to facilitate gathering facts and evidence to determine the truth, and maintain FTB's credibility in the court and in the eyes of the public. Highly trained special agents, or forensic examiners, execute search warrants, seize computers and computer systems, acquire forensically sound images, and conduct forensic analysis of those images to retrieve vital financial information in support of the investigation.
What it takes to become a forensic examiner
Forensic examiners are sworn peace officers, each with more than 500 hours of computer forensic training. All agents assigned to the forensic unit hold these certifications:
- Seized Computer Evidence Recovery Specialist, certified by the Federal Law Enforcement Training Center, a Federal Certification.
- Certified Forensic Computer Examiner, certified by the International Association of Computer Investigative Specialists.
- Certified Encase Computer Examiner, certified by Guidance Software, makers of the industry-leading forensic software Encase.
- They also are certified to retrieve data from cellular telephones and PDAs (Personal Digital Assistant).
Why forensic examinations are so important
The business world has gone digital and made the move to computers versus paper documentation of business transactions. Forensic examiners find that more often than not, people are keeping less paper, and using electronic storage instead.
Computers hold valuable information that even the suspect may be unaware of, including file time stamps, computer ownership information, document ownership, and Internet usage history. Our agents are able to recover deleted files and entire hard drives because data is never really deleted.
Most financial information is also maintained on computers and can provide valuable incriminating evidence recovered from the hard drive. Internet communication can also be retrieved, like online banking off-site file storage, for example.
Forensic examiners must always stay at least one step ahead of computer-savvy scofflaws. Computer evidence can be easily destroyed by booby traps set up by the suspect, or by improperly handling computer equipment. Computer forensic agents undergo an extraordinary amount of training on how to successfully retrieve data.
How it all works
All criminal tax investigations begin with special agents gathering intelligence through informants or undercover field operations. They determine the size of the operation, and estimate the number of computers in use, the type of systems, size of the network, etc. Based on this information, search warrants are executed, and the forensics lab gathers all electronic evidence. Forensic examiners analyze the evidence and prepare a computer forensics report, which is given to the case agent. Because we only get one chance to gather the evidence, our field agents always assume there is more computer evidence to gather than what is observed. Forensic agents don’t have the time or ability to "run to the store" and pick up additional storage devices; they must travel with everything they think they will need. On one particular search warrant, which consisted of seven locations and 30 computers, the forensics team set up a field lab at 6:00 a.m. and did not complete their work until 2:00 a.m. the following day.
A search warrant recently executed by special agents netted 14 computers, and resulted in approximately one terabyte of information. To understand its scale, data in a terabyte is equivalent to more than 300 feature length movies, 50,000 trees made into paper and printed, and enough words that it would take every adult in America speaking at the same time five minutes to say them all.
Clearly, this is a lot of evidence to sort through. To accomplish this, agents run keyword searches and extract the various files that contain those keywords to see if the file is relevant to the investigation. They also extract emails, both active and deleted, and extract financial data files including Quicken, Excel, Money, Peachtree, TurboTax, etc. They identify multiple sets of accounting/tax books that require the agent to reconcile which file is the most reliable source for income reconstruction.
Closing the tax gap
Forensics lab results speak for themselves. Since the lab’s inception, forensics special agents have assisted on every case worked by the FTB Investigations Bureau. Of cases referred for prosecution, 99 percent have resulted in either convictions or plea bargains.