This scenario points to check fraud and possibly embezzlement. The $12,750 check appears to have been created fraudulently, and the extra $2,000 over the original $10,750 check could have gone one of several ways: the person who created the check may have cashed it and kept the difference; the subcontractor may have deposited it in the usual manner and then passed the difference back to the employee who created it; or someone the subcontractor works with may have handled the check fraudulently without his knowledge. It is also possible that the whole thing is a data-entry error, so the investigation needs to be carried out carefully and methodically, taking great care not to tip anyone off. If a suspect learns of the investigation early, evidence gathering becomes much harder: they may destroy evidence, and they may be tempted into a last-ditch attempt to take more funds from the construction company.
First, because the company checkbook and ledger are missing, the company's video surveillance (both internal and external cameras) should be reviewed thoroughly. All relevant recordings should be exported and stored on at least two separate storage devices for redundancy; each export should be labeled with who performed the collection and when, and each recording should carry its original time and date stamps. I would also compute and record a cryptographic hash of each exported file at collection time so that any copy can later be shown to be unaltered. If any form of monitored entry to the building exists, such as a PIN pad, badge reader, or front desk, its records should be checked for who entered the building that day, when they left, and who was on duty (security guard, receptionist) at each entry and exit. Any visitors present that day need to be recorded as well.
Next, since the accounting program has a single authorized user, I would interview that person immediately and suspend their access to the system. Before the account is touched, however, the software's audit and login logs should be exported and preserved, because disabling or deleting the account could lose that history. The logs will show whether the authorized individual logged in at the relevant times or whether someone else used their credentials; a login from an unfamiliar workstation or outside IP address, or at an hour when that person was not in the building, would point to the latter. I would also contact the company's bank to place a stop payment on all outstanding checks and to determine whether the original $10,750 check was ever cashed, by whom, and when and where the transaction took place. If the check was cashed (or an attempt was made), I would interview the bank's representatives, primarily any managers present, and obtain the bank's time- and date-stamped video recordings of the transaction. Collecting as much information as possible from each party involved is of the utmost importance.
I would also interview the subcontractor in question to get his side of the story. Does he have any subordinates who could have cashed the check? What happened to the first check, and why does he need a new one? I would inform him of the incident and that there will be a short delay before any new checks are sent to him. On the IT side, I would pull the server and application logs to determine when the single authorized user last logged in to the accounting software, and who else was logged in to each computer, device, system, and application that day. Since the fraudulent check could have been created from outside the building, remote-access, VPN, and firewall logs should be checked for outside IP addresses as well, and every login to the authorized account should be compared against the badge or entry records to see whether that person was physically present at the time. Finally, the company checkbook and ledger need to be located and their recovery documented; the video recordings should help show where they went.
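As an added example (not part of the original essay), the following Python script shows the kind of log correlation described above. It parses constructed, made-up login lines from a hypothetical accounting application together with constructed badge-reader records, and flags every successful login to the single authorized account that came from outside the office network, happened outside business hours, or occurred while that person had not badged into the building. The log formats, the user name jsmith, the office network 10.0.0.0/8, and the business hours are all assumptions made for the example.

```python
"""Correlate accounting-software logins with badge records (constructed data)."""
import ipaddress
from datetime import datetime, time

# Constructed sample lines; the 'TIMESTAMP key=value ...' layout is an
# assumption for this example, not any real product's log format.
AUTH_LOG = """\
2023-03-06T08:55:12 user=jsmith event=login result=success src=10.0.5.21
2023-03-06T12:10:44 user=jsmith event=check_issue payee=ACME_SUB amount=10750.00 src=10.0.5.21
2023-03-06T17:02:09 user=jsmith event=logout src=10.0.5.21
2023-03-07T22:41:30 user=jsmith event=login result=success src=203.0.113.45
2023-03-07T22:47:02 user=jsmith event=check_issue payee=ACME_SUB amount=12750.00 src=203.0.113.45
2023-03-07T22:49:15 user=jsmith event=logout src=203.0.113.45
"""

# Constructed badge (door) records for the same two days.
BADGE_LOG = """\
2023-03-06T08:49:00 badge=jsmith door=front action=in
2023-03-06T17:05:30 badge=jsmith door=front action=out
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: office LAN
BUSINESS_HOURS = (time(7, 0), time(19, 0))            # assumption


def parse_kv_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def badge_intervals(badge_events, badge_id):
    """Pair in/out records into (start, end) presence intervals for one badge holder."""
    intervals, start = [], None
    for ev in sorted(badge_events, key=lambda e: e["ts"]):
        if ev.get("badge") != badge_id:
            continue
        if ev["action"] == "in":
            start = ev["ts"]
        elif ev["action"] == "out" and start is not None:
            intervals.append((start, ev["ts"]))
            start = None
    if start is not None:  # badged in but never badged out: treat as still present
        intervals.append((start, datetime.max))
    return intervals


def flag_logins(auth_events, badge_events, user):
    """Return (timestamp, [reasons]) for each successful login of `user` that is
    from an external address, outside business hours, or not backed by a badge-in."""
    intervals = badge_intervals(badge_events, user)
    flagged = []
    for ev in auth_events:
        if (ev.get("user") != user or ev.get("event") != "login"
                or ev.get("result") != "success"):
            continue
        reasons = []
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in INTERNAL_NETS):
            reasons.append(f"external source {src}")
        if not (BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if not any(a <= ev["ts"] <= b for a, b in intervals):
            reasons.append("no matching badge-in record")
        if reasons:
            flagged.append((ev["ts"].isoformat(), reasons))
    return flagged


def suspicious_logins():
    """Run the correlation over the constructed logs for the single authorized user."""
    return flag_logins(parse_kv_log(AUTH_LOG), parse_kv_log(BADGE_LOG), "jsmith")


if __name__ == "__main__":
    for ts, reasons in suspicious_logins():
        print(ts, "; ".join(reasons))
```

In the constructed data only the second login is flagged, and for all three reasons at once, which is exactly the pattern the essay describes: the authorized account was used, but from outside, after hours, and while its owner was not in the building. A login that trips only one of the three rules is a weaker signal and should be checked against the interview before any conclusion is drawn.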
If the information gathered to this point casts suspicion on an employee, a statement should be made to all employees, and possibly to outside companies that deal with the construction company, informing them of the incident and the steps being taken; this should wait until the evidence that could be destroyed has been secured. Preventing further fraud is vital to ensuring that the event does not happen again. If an employee is identified as a suspect, his or her workstation needs to be thoroughly searched and all hardware found there confiscated, including the PC, removable storage devices, and paperwork. Devices should not be powered on or logged into to "have a look"; drives should be forensically imaged through a write blocker, and any machine found running should have its volatile state captured before it is shut down. If the company uses VoIP phones, call logs and, where possible, call recordings should be collected. Every image or copy should be hashed and stored on at least two devices, with the hashes recorded so the copies can be verified later.
By this point the investigation should have enough evidence to piece together what happened and who did it, and to make the necessary arrangements regarding the possible perpetrator. At every evidence-gathering phase, collection must follow a secure, well-documented chain of custody: each item is logged with what it is, who collected it, when, from where, and its hash, and every handoff is signed and dated, so that each stage meets the requirements of state and local law and of the business and will hold up if the matter is handed to the police. All confiscated hardware must be stored in a protected, access-controlled environment, and all communications with employees, local law enforcement, the bank, and other companies that do business with the construction company must be recorded, signed and dated, and securely stored. There is a great deal more one could do in this scenario, but the next steps depend on what the material above turns up.
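As a second added example (again not part of the original essay), this Python script ties together the hashing, redundant copies, and custody logging called for above: it streams a file through SHA-256, copies it to two evidence locations, verifies every copy against the source hash, appends one JSON-lines custody record naming the custodian, the time, the description and the hash, and can later re-verify the copies against that record. The file name, custodian name, and directory layout are constructed for the example; the `demo()` function builds a throwaway file in a temporary directory so the whole flow runs offline.

```python
"""Hash-verified evidence copies with a chain-of-custody log (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large exports (video, disk images) fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, destinations, custodian, description, log_path):
    """Copy `source` to every destination, verify each copy against the source hash,
    and append one custody record (a JSON line) to `log_path`.
    Raises RuntimeError if any copy does not match the source."""
    source = Path(source)
    src_hash = sha256_file(source)
    copies = []
    for dest_dir in destinations:
        dest = Path(dest_dir) / source.name
        shutil.copy2(source, dest)  # copy2 preserves the file's timestamps
        if sha256_file(dest) != src_hash:
            raise RuntimeError(f"hash mismatch on {dest}")
        copies.append(str(dest))
    record = {
        "item": source.name,
        "description": description,
        "sha256": src_hash,
        "copies": copies,
        "custodian": custodian,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_record(record):
    """Re-hash every copy named in a custody record; return the copies that no longer match."""
    return [c for c in record["copies"] if sha256_file(c) != record["sha256"]]


def demo():
    """Run the flow on a constructed file in a temp directory.
    Returns (record, copies_failing_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed stand-in for an exported camera recording (not real video).
        src = tmp / "cam01_2023-03-07.mp4"
        src.write_bytes(b"\x00\x00\x00\x18ftypmp42" + bytes(range(256)) * 64)
        dest_a, dest_b = tmp / "evidence_A", tmp / "evidence_B"
        dest_a.mkdir()
        dest_b.mkdir()
        record = acquire(src, [dest_a, dest_b], "J. Doe",
                         "Front-door camera export, 2023-03-07", tmp / "custody.jsonl")
        assert verify_record(record) == []  # fresh copies match the source
        # Simulate a later alteration of one copy; re-verification must catch it.
        with open(record["copies"][1], "ab") as f:
            f.write(b"X")
        return record, verify_record(record)


if __name__ == "__main__":
    rec, bad = demo()
    print(json.dumps(rec, indent=2))
    print("copies failing verification after tamper:", bad)
```

The custody log is append-only and each line carries the hash taken at acquisition, so a copy that has been altered, even by a single byte, is detected on re-verification while the untouched copy still matches. In practice the log itself should live on a separate, access-controlled device, and each handoff of the physical media would add a further signed entry.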