Digital Breadcrumbs: Identifying Assets Using Digital Forensics
By Kevin J. Baker, EnCE, ACE, Director, Advisory Services
Proper asset identification can be a challenging process in matrimonial matters as well as other litigation. Oftentimes there is a concern that assets are not being fully disclosed or are being intentionally hidden. This is especially true when a spouse has business ventures or other external investments. Digital forensics can be used to uncover and identify these assets so that a proper and fair accounting can be conducted.
To begin, let’s define digital forensics in this context. Digital forensics is the use of specialized data collection and analysis tools, both hardware and software, to collect data in a forensically sound manner and then analyze the data for use in litigation. The process used is significantly different than the methods commonly used by IT personnel for normal business operations and data productions.
Most often the process starts by preparing digital forensic hard drive images of the devices to be analyzed. These forensic hard drive images contain an exact bit-for-bit copy of the evidence. This includes the “empty” or free space on the hard drive where deleted files and other valuable information may exist. The forensic hard drive images also contain hash values, or digital fingerprints, that can be used to verify the integrity of the evidence throughout the litigation. Additionally, computer memory that can contain encryption keys, passwords, and other sensitive data is routinely imaged during the digital forensic collection process.
Digital forensics also involves the forensically sound collection of data from online or cloud-based data sources such as Google Workspace (Gmail), Microsoft 365, and QuickBooks Online. With the increasing amount of data being hosted online, these sources can provide a substantial amount of information about financial transactions, purchases, real estate, and other assets subject to distribution. With appropriate permission or legal authority, cell phones can also be collected and analyzed in a forensically sound manner. New technologies are also being utilized and require consideration for complete asset identification. For example, Bitcoin and other difficult-to-trace cryptocurrencies have become popular methods by which to hide assets. Even social media data from Facebook, Instagram, LinkedIn, and other sites can be collected and analyzed for asset identification purposes.
Once the data is collected, it is processed using a variety of forensic analysis tools such as Cellebrite, Axiom Cyber, EnCase Forensic, and AccessData Forensic Toolkit. These tools allow an investigator to perform a thorough analysis of system activity, deleted information, metadata, and extensive other artifacts that can uncover historic financial activity. During processing, the data is indexed so that keyword searches can be performed. This allows for efficient searching of the data for specific account numbers, names, or phrases. Once undisclosed transactions or assets are identified, the investigator can then efficiently search for and identify related documents, communications, and other data to locate additional assets.
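The following sketch is an added illustration, not code from the author or from any of the tools named above. It shows the two ideas just described working together: the image is re-hashed and compared with the hash recorded at collection, and only then are the raw bytes, free space included, searched for a keyword. The account number, the sample "image", and the function names are all constructed for the example.

```python
import hashlib
import io

def hash_image(stream, chunk_size=1 << 20):
    """SHA-256 of a raw image, read in chunks so large images fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def keyword_hits(stream, keywords, chunk_size=1 << 20):
    """Return sorted (byte offset, keyword, encoding) hits over the raw bytes.

    Keywords are tried as UTF-8 and UTF-16LE, and chunks overlap so a hit
    that straddles a chunk boundary is still found. Matching is exact.
    """
    needles = [(kw.encode(enc), kw, enc)
               for kw in keywords for enc in ("utf-8", "utf-16-le")]
    overlap = max((len(n) for n, _, _ in needles), default=1) - 1
    hits, tail, base = set(), b"", 0   # base = absolute offset of buf[0]
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        buf = tail + chunk
        for needle, kw, enc in needles:
            pos = buf.find(needle)
            while pos != -1:
                hits.add((base + pos, kw, enc))
                pos = buf.find(needle, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return sorted(hits)

# Constructed sample "image": filler bytes holding a made-up account number
# once as UTF-8 and once as UTF-16LE, standing in for remnants in free space.
ACCOUNT = "ACCT-0042-7781"
SAMPLE_IMAGE = (b"\x00" * 100 + ACCOUNT.encode("utf-8") + b"\x00" * 50
                + ACCOUNT.encode("utf-16-le") + b"\xff" * 30)

def examine(image_bytes, acquisition_hash, keywords):
    """Search only if the image still matches the hash recorded at acquisition."""
    if hash_image(io.BytesIO(image_bytes)) != acquisition_hash:
        raise ValueError("image hash mismatch: evidence integrity not verified")
    return keyword_hits(io.BytesIO(image_bytes), keywords, chunk_size=16)

if __name__ == "__main__":
    recorded = hashlib.sha256(SAMPLE_IMAGE).hexdigest()  # noted at collection
    for offset, kw, enc in examine(SAMPLE_IMAGE, recorded, [ACCOUNT]):
        print(f"offset {offset}: {kw!r} as {enc}")
```

Reporting byte offsets rather than file names is what lets a hit in unallocated space be tied back to a location in the verified image.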
Asset Identification Techniques
A spouse may have maintained investment and bank account information in Excel spreadsheets on a home computer. When the potential for divorce materialized, she or he may have decided to delete the spreadsheets or remove relevant information that identified the assets. A digital forensic analysis could recover deleted files to identify hidden assets. In addition, the Microsoft Windows operating system’s Previous Versions feature and the Time Machine feature on Apple’s Macintosh computers provide the ability for users to automatically back up versions of files. Recovery of this information can reveal different versions of files that can identify changes made over time. Frequently, it’s the recently deleted or modified files that are most relevant to an investigation. In addition to local file storage, the proliferation of online storage platforms such as iCloud, Google Drive, and OneDrive can provide a plethora of data for analysis. This can be especially revealing because documents created on remote devices may be automatically synced to a home computer or other device available for analysis.
When reviewing accounting information, such as the books and records of a spouse’s business, a forensic analysis can provide information about transactions that have been modified or improperly recorded. Many accounting software programs include an audit trail or some other record of transactions that were modified or deleted. For example, QuickBooks has an audit trail for every transaction, including the user who modified the transaction, when the change occurred, the original data, and the modified data. A review of these records could identify deleted accounts, transactions that were modified to reduce apparent income, business assets that were removed, and other relevant information. Backups of the accounting records could also be recovered, showing changes over time.
Computers track a significant amount of information about the actions a user takes. This can include the files that were opened or modified, the programs that were run, the websites that were visited and even what was searched for on Google. There are extensive Most Recently Used (MRU) lists that are designed as a convenience to help users locate recently used programs and files. However, these same lists provide insight into a user’s daily activities and are helpful when searching for documents or activity related to assets. During a digital forensic analysis, using these lists to begin reviewing the most recently used data can shortcut the investigation and provide the most relevant information with efficiency.
Recovered search engine entries and other web browser history can provide a comprehensive picture of someone’s online activity. Although personal webmail, such as Gmail and Yahoo!, does not normally get downloaded to a computer, when it is accessed, cached versions of the webpages are stored on the computer and can contain copies of individual emails or listings of the email in folders such as the inbox. When these accounts are accessed from a home computer, the cached information may be accessible to the other spouse during a digital forensic analysis. Particularly in cases of infidelity, this can be a valuable tool to identify if and when marital assets were transferred to other parties.
Someone’s online presence is not limited to web searches and email. Account data from Google and other services provide a wealth of information about someone’s activity and assets. If permission or legal authority is provided to collect data from online accounts, a digital forensic collection and analysis can be invaluable. For example, Google tracks location information, health data, search history, browser activity, payments, and many other items, not to mention email, calendar, and contacts. When analyzing all of this online account data — including where a person goes, what they do, when they do it, what they buy, who they communicate with, etc. — many aspects of their life can be observed. All of this data can then be used to identify undisclosed assets.
Following the Digital Breadcrumbs
As technology and digital information have become a significant part of asset acquisition and maintenance, most assets now leave a digital trail. It is rare that any significant transaction doesn’t include an email, electronic proposal, DocuSign PDF, online account, or another digital reference. This makes it difficult to hide assets during litigation if all the right data is thoroughly examined. Using the information described above and many other digital breadcrumbs, assets can be identified for proper accounting and distribution. When questions of proper asset disclosure arise in matrimonial matters, digital forensics can assist with identification.