Association of Government AccountantsLincoln, Nebraska Chapter

April 22, 20151

In order to use the internet as a tool or resource to assist us in investigating fraud, we must first understand how it works

The internet was originally designed as a method of communication for our military

2

3

4

5

6

7

8

The first two nodes of what would become the

ARPANET were interconnected between Leonard

Kleinrock 's Network Measurement Center at the

UCLA's School of Engineering and Applied Science and

Douglas Engelbart's NLS system at SRI International

(SRI) in Menlo Park, California, on 29 October 1969.

By December, 4 more nodes

9

1991 – 36 web host servers

1999 - Over 9.5 million web sites

As of January, 2014 – 180,000,000

Doubling every 9 months

In U.S. alone, over 280 million people with access

Over 87% of all individuals in the US have access to the internet

Worldwide, over three trillion people use the internet on a daily basis

As of 2012, over 8.7 billion devices were connected to the internet

As of April 6th at 2:00 PM, there were approximately 15,346,705,800 connections to the internet

In 2013, there were 80 connections per second It is estimated that by 2020, there will be 250 things

connecting to the internet each second Things include mobile devices, parking meters, thermostats,

cardiac monitors, tires, roads, cars, supermarket shelves, and even cattle

It is estimated that 40 billion devices will be connected by 2020 (Rob Soderbery, Cisco Executive – January 2013)

10

11

Large collection of WANsNo central authorityGreatest asset & weakness

◦ Easy to add to◦ Management problems◦ Difficult to find information

12

Communication requires standard language◦ TCP/IP◦ TCP = Transmission Control◦ IP = Internet◦ “Interconnected Networks”

13

Packets contain address informationPhysical route unimportantEach computer examines packet & either

keeps or forwards

14

Internet Service ProviderCompany or organization that provides

Internet accessLocal vs. international

15

Before, only textUNIX1991Hypermedia concept

16

1st time that media other than text is available

Hypermedia vs. PrintHTML, DHTML & XMLHome page or web site?

17

Unique for each computerUser name + IP address = individual

addressComposed of 4 numbers, all less than

256

18

Decoded from left to rightNot assigned geographicallyFixed vs. dial-up connection

199.182.120.203199.182.120.203199.182.120.203199.182.120.203

19

wmanning@199.182.120.203wmanning@199.182.120.203

20

Uniform Resource Locators

21

Usually no spacesAlways uses forward slash / Incorrect entry cannot locate page

22

• 1st part on left = type of resource

• “home” = specific computer

• 1st part on left = type of resource

• “home” = specific computer

http://home.netscape.com/home/welcome.html

http://home.netscape.com/home/welcome.html

23

URLsURLs

• “netscape.com” = domain name

• “/home” = directory on server

• “netscape.com” = domain name

• “/home” = directory on server

http://home.netscape.com/home/welcome.html

http://home.netscape.com/home/welcome.html

24

URLsURLs

• “welcome.html” = file• “welcome.html” = file

http://home.netscape.com/home/welcome.html

http://home.netscape.com/home/welcome.html

25

IP addresses are hard to rememberDomain Name System (DNS)Equates word or phrase to IP address

26

DNS tablesSimilar to postal addressWords separated by “dots”

27

White House◦ http://198.137.240.91◦ http://www.whitehouse.gov

28

wmanning@199.182.120.203

wmanning@ix.netcom.com

wmanning@199.182.120.203

wmanning@ix.netcom.com

29

30

Top-level domain names, primarily U.S.:◦ .com (commercial)

◦ .edu (educational)

◦ .gov (U.S. govt.)

◦ .mil (U.S. military)

◦ .net (networks & ISPs)

◦ .org (organizations)

31

Domain NamesDomain Names• Top-level domain names, non-U.S. (244):

.ca.fr.de.uk.stat.aue.fl.us

• Top-level domain names, non-U.S. (244):

.ca.fr.de.uk.stat.aue.fl.us

32

Domain NamesDomain Names

• New Domain Names

.aero (air-related) .biz (business) .coop (cooperatives) .info (information) .museum (museums) .name (individuals) .pro (professionals)

• New Domain Names

.aero (air-related) .biz (business) .coop (cooperatives) .info (information) .museum (museums) .name (individuals) .pro (professionals)

33

Numerous companies capable of registration

Currently $70 for 2 years Internet Corporation for Assigned Names

and Numbers (ICANN)

34

Link a word, phrase or graphic in a web page coded to take the user to information located somewhere else

Cookie a short string of text sent from an Internet server to a user’s computer

35

Internet was not designed as a research tool or library

Primary design was to facilitate communications

“It must be true…”

36

• E-mail has been used to: Send death threats

Send racial hate mail

Make libelous statements

• Newsgroup postings have contained confidential information or financial corporate data

• E-mail has been used to: Send death threats

Send racial hate mail

Make libelous statements

• Newsgroup postings have contained confidential information or financial corporate data

New Investigative ChallengesNew Investigative Challenges

37

• Anonymous postings have contained information about pending mergers and IPOs, in violation of SEC regulations

• Internet stalking is a growing phenomenon -- and there are almost no laws against it

• Auction-related fraud is also growing

• Anonymous postings have contained information about pending mergers and IPOs, in violation of SEC regulations

• Internet stalking is a growing phenomenon -- and there are almost no laws against it

• Auction-related fraud is also growing

New Investigative ChallengesNew Investigative Challenges

38

New Investigative ChallengesNew Investigative Challenges

• Use of Internet to send millions of e-mail advertisements is growing daily

• Many ads involve fraudulent investment scams, chain letters or pyramid schemes

• This type of fraud is very cost-effective

• Use of Internet to send millions of e-mail advertisements is growing daily

• Many ads involve fraudulent investment scams, chain letters or pyramid schemes

• This type of fraud is very cost-effective

39

Investigative QuestionsInvestigative Questions

• How does a message get from Point A to a specific server (Point B)?

• How can the IP address of a site be determined?

• How does a message get from Point A to a specific server (Point B)?

• How can the IP address of a site be determined?

40

Enter host name & tool returns IP address

Reverse name lookup – enter IP address to find host name

41

NSLOOKUPNSLOOKUP

42

NSLOOKUPNSLOOKUP

43

NSLOOKUPNSLOOKUP

44

WHOIS?WHOIS?

• Database of domain name records

• Query will return registered owner of domain and contact information for host

• Database of domain name records

• Query will return registered owner of domain and contact information for host

45

WHOIS?WHOIS?

46

WHOIS?WHOIS?

47

Formerly known as “UseNet”Designated servers that exchange e-mail

tagged with predetermined subject headers

48

Currently over 30,000 newsgroupsSimilar to public bulletin boardUsers control what is discussed &

what information is allowed

49

Group of people who subscribe to email publication about specific topic

ACFE fraud information letter

50

Also called “channels”Real-time discussionsMay be public or privateUsed in a wide variety of crime

51

Totally unorganizedFree floating, loosely strung, gold mine

of informationAvailable to those who know how to find

it

52

Search EnginesSearch Engines

• Sites that provide searchable indexes

of Internet resources

• Also “directories”

• True search engines use software

agents to automatically index

• Sites that provide searchable indexes

of Internet resources

• Also “directories”

• True search engines use software

agents to automatically index

53

• Directories rely on people to

categorize listings

• Human editors or web site owners

provide description & category

• Directories rely on people to

categorize listings

• Human editors or web site owners

provide description & category

Search EnginesSearch Engines

54

• Directories -- better for general

information

• General categories

• Sub-categories

• Increasingly specific

• Directories -- better for general

information

• General categories

• Sub-categories

• Increasingly specific

Search EnginesSearch Engines

55

• Search engines -- better for specific

information

• Many services index every word of web

sites

• May locate sites not even listed in

directories

• Search engines -- better for specific

information

• Many services index every word of web

sites

• May locate sites not even listed in

directories

Search EnginesSearch Engines

56

• Search engines may return too much

information

• Choice of service can be important

• Search engines may return too much

information

• Choice of service can be important

Search EnginesSearch Engines

57

News organizationsNewspapersUniversity librariesState government listingsTelephone Numbers and Addresses

58

Additional SourcesAdditional Sources

• Mapping sites

• Legal resources

• Federal government sites

• Criminal justice resources

• International web sites

• Mapping sites

• Legal resources

• Federal government sites

• Criminal justice resources

• International web sites

59

• Consider type of information desired

• Be as specific as possible!

• Use Math!

• Look for advanced search

capabilities

• Consider type of information desired

• Be as specific as possible!

• Use Math!

• Look for advanced search

capabilities

Search StrategiesSearch Strategies

60

• Addition

• Clinton Gore

• +Clinton +Gore

• +Windows+98+file+utilities

• Addition

• Clinton Gore

• +Clinton +Gore

• +Windows+98+file+utilities

Search MathSearch Math

61

• Subtraction

• Clinton -Lewinsky

• Subtraction

• Clinton -Lewinsky

Search MathSearch Math

62

Search MathSearch Math

• Multiplication

• +Windows +98 +file +utilities

• “Windows 98 file utilities”

• Not “Windows 98 file utility”

• “Windows 98 file utilit*”

• Multiplication

• +Windows +98 +file +utilities

• “Windows 98 file utilities”

• Not “Windows 98 file utility”

• “Windows 98 file utilit*”

63

Search StrategiesSearch Strategies

• Read instructions

• Use more than one service

• Experiment

• Pay attention to spelling

• Pay attention to case

• Read instructions

• Use more than one service

• Experiment

• Pay attention to spelling

• Pay attention to case

64

• Recent Study

• Even the most comprehensive search

engine is aware of no more than 18%

of the estimated 4.63 billion pages on

the Internet

• As of April 2, 2015

• Recent Study

• Even the most comprehensive search

engine is aware of no more than 18%

of the estimated 4.63 billion pages on

the Internet

• As of April 2, 2015

How Complete?How Complete?

65

• Gap between new pages posted &

pages indexed is widening

• Increasingly difficult for search

services to keep up

• Gap between new pages posted &

pages indexed is widening

• Increasingly difficult for search

services to keep up

How Complete?How Complete?

66

How Complete?How Complete?

• Most major search engines index less

than 10%

• Even after combining all major

search engines, only 42% of the Web

has been indexed!

• Most major search engines index less

than 10%

• Even after combining all major

search engines, only 42% of the Web

has been indexed!

Many public records now available on-line Some sources are free Other sources available for a fee Public Access to Court Electronic Records

Records from U.S. District and Bankruptcy courts

67

“Privacy” is not found in either the U.S. Constitution or the Bill of Rights

Referenced in many court rulings, but only to address specific circumstances and/or types of records

68

Designed to facilitate access by citizens to records from Executive Branch

Most states have similar legislation Exceptions:

Law enforcement investigations Intelligence Personnel and/or medical records Where release would violate privacy

69

Depending on where & how records are maintained, it could take a while to obtain them…

Agencies can generally charge requestor for costs associated with production

Costs could be significant Example -- clerk searching non-computerized records

70

71

Freedom of Information Act

• Public records include:• Tax rolls

• Voter registration

• Assumed names

• Real property records

• Divorce/probate suits

72

Freedom of Information Act

• Public records do not usually include:• Banking records

• Trust records

• Telephone records

• Passenger lists

• Stock ownership

73

Fair Credit Reporting Act

• Formerly applied only to consumer credit reports

• Now also interpreted to include any information collected about a person

• Could include criminal records and DMV searches

74

Fair Credit Reporting Act

Consumer Report:

Any written, oral, or other communication by a consumer reporting agency bearing on a customer’s credit worthiness, credit standing, character, general reputation, personal characteristics, or mode of living.

75

Fair Credit Reporting Act

Consumer Reporting Agency:

Anyone who sells information about people. It could be an online service such as IRSC or CDB-Infotek, or it could be a private investigator. Also included are the three main credit bureaus: Experian, Equifax, and Trans Union.

FCRA does not apply when gathering information directly from the source

Use of a third party to gather the information triggers notice and consent provisions of the FCRA

76

Sale of individual credit reports restricted to someone with “permissible purpose”

Several states are even more restrictive, requiring requestor to tell where report is going and for what purpose

77

Permissible Purpose:◦In response to court order◦With written waiver of release

78

79

Fair Credit Reporting Act• Permissible Purpose:

– To anyone the CRA believes will use the information in conjunction with: a credit transaction

employment

the issuance of an insurance policy

eligibility for public license or other benefit where financial responsibility is required by law

a “legitimate business purpose”

Types of information that cannot be included in credit report: Debts over 7 years old Negative information (including bankruptcy) over

10 years old Medical information Unless for employment, information related to age,

marital status, or race.

80

Information about criminal convictions has no time limitation

Information reported in response to application for job with salary more than $75,000 has no time limit

81

82

Fair Credit Reporting Act

• Information reported due to application for over $150,000 of credit or life insurance has no time limit

• Information about lawsuits or unpaid judgments can be kept for 7 years or until the statute of limitations expires - whichever is longer

Citizens have right to know about all credit history inquiries for previous 6 months (unless for employment, when time is previous 2 years)

Any person requesting information from credit report must then be listed on that report

83

Before an employer can obtain a consumer report for employment reasons, employee or prospect must be notified and give permission

EEOC -- rejection of job applicants due to poor credit rating = adverse impact on minority groups, and therefore illegal

84

Investigative Consumer ReportCan include information about character,

reputation, personal characteristics, or mode of living

Obtained through personal interviewsMay require additional notice

85

86

• Investigative Consumer Report Must disclose nature and scope of investigation

(if requested) If requested, subject must be given a copy of the

complete report Subject must be given opportunity to dispute

findings of the report

Fair Credit Reporting Act

What can they be used for?

87

Locating people

Financial or credit information

Locating assetsFinding legal records

Background checks

Civil court federal records

Criminal court federal records

State civil court records

State criminal court records

Marriage/divorce indexes

UCC filings

OSHA records

Professional licenses

Corporate filings

Tax assessor rolls

DMV recordsVoter registration records

Property records

Telephone listings

Credit header information

Types of records vary widely from state-to-state

Searches are limited by geography On-line records may be brief abstract of

original record

88

89

Limitations…

• Source of information must be reliable

• Accuracy and currency of data must be verified

• On-line records may not go back very far

Most information available on-line

Some information may need to be retrieved in hard copy and delivered

Annual, monthly or “pay as you go”

90

91

Commercial On-line Services

• ChoicePointCDB InfotekIRSCDBT OnlineKnowX

92

Commercial On-line Services• Lexis-Nexis

• USDatalink

• infoUSA.com

• Security Software Solutions

• Diligenz

• Dialog Information Retrieval Service

93

Commercial On-line Services• Dun & Bradstreet

• Experian

• DCS Information Systems

• Merlin Information Services

94

Other Sites of Interest

• Court web sites

• CPA/Professional Directories

• SEC filings

• Death records

95

Database Technologies• Charles Kallestad

• DOB 8/36 Age 61

• SSN: 470-38-4689

• Phone Number: 512 327-2282

• Address 1: 5/1/1993 PO Box 162890 Austin

• Address 2: 2/8/1992 305 Rowland Dr. Austin

• Address 3: 3/8/1992 1351 The High Road Austin

96

Database Technologies• 12/1/1992 8012 Greenslope Austin• 11/1/1992 9602 Ann Ln Minnetonka MN• 11/1986 1934 Deer Dr Wayzata, MN• 11/90 2132 Caminto Del Barco Del Mar, CA• PO 470301 San Francisco, CA• 1592 Union San Francisco, CA• 4806 Midland TX• 1900 Simler Dr, Big Spring TX - Federal Prison• 55 Minneapolis MN• 1120 S Capital of Texas Highway, Austin, TX

97

• 4353 Marina Santa Barbara, CA• SSN 470-38 4689 issued in Minnesota between 1953 and 1954• Additional SSN 096-91-2360 unknown issue year or is invalid• Telephone numbers listed for each address • For each address additional names and telephone numbers listed• Indicated: No pilot license, aircraft or vessels• Listed address profile for each address: where located, streets

close by, how mail is delivered• Driver’s licenses and description• Listed liens, judgments, and bankruptcies including: Austin, St.

Paul, Rochester

Database Technologies

98

Database Technologies• Listed possible property ownership: Holly Lane, Minneapolis

under Helen Kallestad• Under Holly Lane listed Kimblerly Kallestad and addresses

associated with her — nationwide and driver’s license• Bruno Kallestad — PO Boxes Austin• Listed Helen’s SSN and death claim filed and Helen’s other

addresses• Lists James Kallestad and possible aliases including all addresses

associated with James and driver’s license• Same with Donald and Michael• For every address listed, researched all people who have lived

there and their personal information• Also lists people at surrounding addresses and information

Association of Government AccountantsLincoln, Nebraska Chapter

April 22, 201599