Rene Hamel, senior manager of corporate investigation services in the computer forensics and business intelligence tools department at the Royal Bank of Canada (RBC), shares some crime-busting stories from his RCMP and KPMG days.
Money lender bumped off
A couple in Vancouver is loaning money at a high interest rate; the wife balances the books. Her husband comes home and finds her dead. Hamel images their computer and locates all the files modified just before her death. He cracks the password on a Quicken file and finds a list of borrowers. Suspicions are raised that one of those borrowers may be the murderer, but the list is huge and seemingly impossible to narrow down — until a few days later when the RCMP discovers a drug squad has been writing down the license plates of all the people parking in the area over the last few days. They verify that one of the names tied to the license plates matches a name in the Quicken file. Suspect is apprehended and confesses.
Fraud culprit tracked
A huge amount of money exists in a trust fund. A law firm employee changes the number of a file stored in the company document management system and transfers the money overseas. Hamel’s KPMG team looks at the workflow in the firm and narrows the list down to 35 or 40 suspects. They search the suspects’ computers for the fraudulent document number, and find it on one computer. To cover his tracks, the culprit deleted the document and used a utility to clean up the system. But he modified the file in WordPerfect, which stores in its memory the document’s last 10 actions. Perpetrator also overlooked a directory that saved earlier drafts of the fake file.
The last written word
A woman is found dead at her computer desk at home. Officer on the scene finds an open Word document containing a letter she was writing around the time of her death. Computer is taken to local IT shop, where employee boots up the system and looks at some files — but as he opens and closes them, he corrupts their time stamps. Luckily, Hamel’s RCMP team finds the backup version of the document in the computer’s temp file; the metadata shows the last edit to the document was about 71 hours ago, confirming the coroner’s assessment of the time of the victim’s death.