Employee Fraud Investigation

Case Project 3-4A

A bank has hired your firm to investigate employee fraud. The bank uses four 20 TB machines on a LAN. You’re permitted to talk to the network administrator, who is familiar with where the data is stored. What diplomatic strategies should you use? Which acquisition method should you use? Write a two-page report outlining the problems you expect to encounter, explaining how to rectify them, and describing your solution. Be sure to address any customer privacy issues.

In this scenario, a bank employee is under investigation for fraud. To investigate, we must carefully work through the data on the four 20 TB machines, ensuring we do not access anything we are not authorized to see while collecting the data we need efficiently. First, with assistance from the network administrator and our firm, we need to identify the type of fraud in question, the employee's name, and their device and network IDs, as well as the proper method for obtaining the data while navigating the red tape surrounding the bank's private data and processes.

One method of data acquisition would be to make copies of the files on the suspect's hardware. If the suspect's drives are large, collecting the necessary information will take a significant amount of time; copying all of the data from the four 20 TB machines is a good example. Given this volume of storage, we could use either logical or sparse acquisition. In logical acquisition, we first research the case to identify, and then collect, only the files of interest to the investigation. For example, if the case involved a certain bank account and messaging service, we could search the network and hardware using those terms, significantly reducing the amount of data we need to comb through. If we were searching through email, we could, for example, look only at .pst or .ost files. Sparse acquisition is similar to logical acquisition; however, we would also collect fragments of unallocated (deleted) data (Nelson, Phillips, & Steuart, 2019).
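As an added illustration of the logical acquisition described above (this script is not from the textbook or the original post), the following Python collects only files whose extension or contents match the terms of interest, copying each in chunks and hashing both the source and the copy so the resulting manifest can back the chain-of-custody record. The extension set, the search term ACCT-0000-SAMPLE and all paths are constructed placeholders.

```python
"""Logical acquisition helper (added example, not the textbook's or the post's code):
copy only in-scope files, hashing source and copy while streaming, and emit a manifest."""
import hashlib
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so multi-TB volumes never have to fit in memory

def contains_keyword(path, keywords):
    """Stream the file and report whether any byte-string keyword occurs,
    keeping an overlap so a match split across two chunks is not missed."""
    longest = max((len(k) for k in keywords), default=1)
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return False
            window = tail + block
            if any(k in window for k in keywords):
                return True
            tail = window[-(longest - 1):] if longest > 1 else b""

def copy_and_hash(src, dst):
    """Copy src to dst in chunks; return (sha256 of source, sha256 of copy)."""
    src_h, dst_h = hashlib.sha256(), hashlib.sha256()
    dst.parent.mkdir(parents=True, exist_ok=True)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            src_h.update(block)
            fout.write(block)
    with open(dst, "rb") as fh:  # re-read the copy so the hash reflects what hit disk
        for block in iter(lambda: fh.read(CHUNK), b""):
            dst_h.update(block)
    return src_h.hexdigest(), dst_h.hexdigest()

def logical_acquire(source_root, dest_root, extensions, keywords):
    """Copy in-scope files (extension or keyword hit) under source_root; return a manifest."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    manifest = []
    for p in sorted(source_root.rglob("*")):
        if not p.is_file():
            continue
        if p.suffix.lower() not in extensions and not contains_keyword(p, keywords):
            continue
        rel = p.relative_to(source_root)
        src_hash, dst_hash = copy_and_hash(p, dest_root / rel)
        manifest.append({"path": rel.as_posix(), "size": p.stat().st_size,
                         "sha256": src_hash, "verified": src_hash == dst_hash})
    return manifest
```

A "verified" entry that is false flags a copy whose hash does not match its source and should be re-acquired before the manifest is signed into the evidence log.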

We could use several tools for data acquisition on the four 20 TB machines on the network, including FTK Imager, EnCase, and ProDiscover Basic. With FTK Imager, we could view a specific disk partition and create disk-to-image files. EnCase, often used for remote acquisition, would allow us to obtain the data in a variety of formats and even search through RAM. If the employee is still working, we could use ProDiscover to capture live data from their device; this may provide substantial evidence of their illegal activities. In this investigation, we must ensure that the various laws and company regulations on privacy are not broken, specifically by examining only the suspect's data and no one else's. By working closely with the bank's legal team and our firm, we can legally collect the incriminating data we require (if there is any) and ensure that it is admissible in court (Nelson, Phillips, & Steuart, 2019).


Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to Computer Forensics and Investigations. Boston, MA: Cengage Learning.