Investigation Flashcards

1
Q

Graphology (graphoanalysis)

A

Graphology (or graphoanalysis) has been described as a pseudoscience in which its practitioners have the purported ability to determine a person’s character, moral traits (honesty/dishonesty, etc.), personality, and mental state based upon an analysis of that person’s handwriting. Graphology is often erroneously confused with forensic document examinations, especially by the media. Fraud examiners should be aware that some individuals practicing graphological analyses might have little academic and scientific training.

2
Q

Anachronisms

A

Anachronisms are items located at a time when they could not have existed or occurred. Generally, exposing anachronisms in fraudulent historical documents requires the expertise of investigators, historical experts, scientific laboratories, and forensic document examiners. For example, accurate handwriting comparisons are rarely possible in the absence of adequate contemporaneous genuine writings of the purported author. In such cases, the experts will examine the materials used to produce the documents, such as paper, ink, printing, adhesives and seals, bindings, and covers.
Often, to add credibility to forged documents, fraudsters will backdate them. To determine whether contemporary documents were backdated, experts usually rely on diligent investigation and forensic document examiners.

3
Q

The proper method for developing latent fingerprints that have been absorbed into porous materials, such as paper, is to dust them with fingerprint powder. T/F

A

Fraud examiners should never try to develop latent fingerprints that have been absorbed into paper or other porous materials by dusting with fingerprint powder or any other means. Such efforts will not only be unsuccessful, but they will prevent additional examinations. Instead, fraud examiners should preserve the evidence by placing it into a labeled protective container, such as a sealable, acid-free paper envelope. Also, fraud examiners should label the item’s container with their initials, the current date, where the document was taken from, and an identifying exhibit number (if any).
Experts will use various methods to examine fingerprints on porous surfaces, including iodine fuming and brushing or spraying silver nitrate solution or ninhydrin spray, which reacts with the body chemicals and other substances in the latent prints that have soaked into the absorbent surface. Some of these methods will permanently discolor a document.

4
Q

Best way to organize a large amount of evidence

A

Keeping track of the amount of paper generated is one of the biggest problems in fraud cases. Good organization in complex cases includes the following:
• Segregating documents by either witness or transaction
• Making a “key document” file for easy access to the most relevant documents
• Establishing a database early on in the case of a large amount of information
During the evidence gathering stage of an investigation, organizing the documents chronologically is not recommended because it will make searching for relevant information more difficult. It is generally better to organize the documents by transaction or by party. The fraud examination report often follows a chronological timeline to give a narrative of a fraud scheme, in which case displaying key documents chronologically often makes sense. But in the organization phase, there usually is too much clutter for chronological organization to be effective.

5
Q

A(n) ___________ is a writing, usually a signature, prepared by carefully copying or tracing a model example of another person’s writings.

A

A simulated or traced forgery is a writing, usually a signature, prepared by carefully copying or tracing a model example of another person’s writings. Although identifiable as a forgery, a simulated or traced signature forgery often does not contain enough of the forger’s normal handwriting characteristics to permit expert identification.

6
Q

Autoforgery

A

A person creates a forgery of their own name and denies it later on.

7
Q

Limitation to Benford’s Law

A

Benford’s Law distinguishes between natural and non-natural numbers, and it is important to understand the difference between the two types because Benford’s Law cannot be applied to data sets with non-natural numbers. Natural numbers are those numbers that are not ordered in a particular numbering scheme and are not human-generated or generated from a random number system. For example, most vendor invoice totals will be populated by dollar values that are natural numbers. Conversely, non-natural numbers (e.g., employee identification numbers and telephone numbers) are designed systematically to convey information that restricts the natural nature of the number. Any number that is arbitrarily determined, such as the price of inventory held for sale, is considered a non-natural number.

8
Q

Which of the following data analysis functions is most useful in testing for hidden journal entries?

A

Gap testing is used to identify missing items in a sequence or series, such as missing check or invoice numbers. It can also be used to find sequences where none are expected to exist (e.g., employee Social Security numbers). In reviewing journal entries, gaps might signal possible hidden entries.

9
Q

First phase of data analysis and tasks involved

A

As with most tasks, proper planning is essential in a data analysis engagement. Without sufficient time and attention devoted to planning early on, the fraud examiner risks analyzing the data inefficiently, lacking focus or direction for the engagement, running into avoidable technical difficulties, and possibly overlooking key areas for exploration.
The first phase of the data analysis process is the planning phase.

This phase consists of several important steps, including:
• Understanding the data
• Articulating examination objectives
• Building a profile of potential frauds
• Determining whether predication exists
10
Q

Textual analytics

A

Textual analytics can be used to categorize data to reveal patterns, sentiments, and relationships indicative of fraud.

11
Q

Why would a fraud examiner perform duplicate testing on data?

A

To identify transactions with matching values in the same field

12
Q

Examples of data analysis queries that can be performed by data analysis software on asset accounts to help detect fraud:

A

The following are examples of data analysis queries that can be performed by data analysis software on asset accounts to help detect fraud:
• Generate depreciation to cost reports.
• Compare book and tax depreciation and indicate variances.
• Sort asset values by asset type or dollar amount.
• Select samples for asset existence verification.
• Recalculate expense and reserve amounts using replacement costs.

13
Q

Join function

A

Data analysis technique that combines fields from two sorted input files into a third file.

Example: Compare two different files with differing records, or look for ghost employees by comparing payroll to the employee master file.

14
Q

A fraud examiner is conducting textual analytics on journal entry data and runs a keyword search using the terms override, write off, and reserve. With which leg of the fraud triangle are these fraud keywords typically associated?

A

Opportunity.

15
Q

Link analysis

A

A data analysis tool that is effective in identifying indirect relationships and relationships with several degrees of separation.

16
Q

Multi-file processing

A

A data analysis software function that allows users to relate several files by defining relationships in collected data, without the use of the join command.

17
Q

Which of the following is an example of a data analysis function that can be performed to help detect fraud through examination of payroll accounts?

A. Compare customer credit limits and current or past balances.

B. Compare approved vendors to the cash disbursement payee list.

C. Identify paycheck amounts over a certain limit.

D. Generate depreciation to asset cost reports.

A

Identify paycheck amounts over a certain limit.

The following are examples of data analysis queries that can be performed by data analysis software on payroll accounts to help detect fraud:
• Summarize payroll activity by specific criteria for review.
• Identify changes to payroll or employee files.
• Compare timecard and payroll rates for possible discrepancies.
• Prepare check amount reports for amounts over a certain limit.
• Check proper supervisory authorization on payroll disbursements.

18
Q

The primary concern when analyzing digital evidence is

A

The primary concern when analyzing digital evidence is to maintain the integrity of the data at all times. Fraud examiners must be especially careful with computer equipment because a careless investigator might inadvertently alter important evidence. Therefore, it is helpful to develop procedures to prevent the opposing party from raising allegations that the methodology used to collect or analyze data was improper and could have damaged or altered the evidence.

19
Q

When a forensic investigator is seizing a running computer for examination, he can retrieve data from the computer directly via its normal interface if the evidence needed exists only in the form of volatile data. T/F

A

True
When seizing a computer that is running, the party seizing the system should not, in most situations, search the computer for evidence because doing so might damage and taint relevant evidence. But in some situations, it might be appropriate to perform live evidence collection (i.e., collect evidence during the seizure phase when a suspect system is not shut down and is up and running). Generally, live evidence collection (i.e., collection directly from the computer via its normal interface) is appropriate when a formally trained computer investigator is seizing the computer, and the evidence that the investigator needs to collect exists only in the form of volatile data.

20
Q

When analyzing data for evidence, the fraud examiner should look for…

A

When analyzing data for evidence, the fraud examiner should look for inculpatory evidence (i.e., evidence that serves to incriminate the subject of the investigation) and exculpatory evidence (i.e., evidence that serves to disprove the subject’s involvement in the misconduct).

21
Q

Cloud forensics presents challenges not faced in traditional forensic practices

A
Conducting digital forensic investigations in the cloud environment (i.e., cloud forensics) presents challenges not faced in traditional forensic practices. Some of the important challenges of acquiring evidence from the cloud are:
• Lack of frameworks and specialist tools
• Lack of information accessibility
• Lack of data control
• Jurisdiction of storage
• Electronic discovery
• Preserving chain of custody
• Resource sharing
• Lack of knowledge
22
Q

Metadata

A

Metadata is a type of computer-generated data that can be helpful in a fraud investigation. Metadata is data about data, and these file tidbits contain a tremendous amount of information. Metadata information can help determine who wrote a document; who received, opened, copied, edited, moved, or printed the document; and when these events occurred.

23
Q

What is the procedure used to convert information using an algorithm (called a cipher) that makes the information unreadable?

A

Encryption

24
Q

Steganography

A

Process of hiding one piece of information within an apparently innocent file. For example, a user can use the least significant bits of a bitmap image to hide a message. By hiding the message in the least significant bits of an image, there is almost no perceivable change in the bitmap image itself. And without directly comparing the altered image to the original, it is practically impossible to tell that the image was altered.

25
Q

Darren is conducting a fraud examination of Cooper, an employee at his organization, a government entity. Darren has strong reason to believe that Cooper has incriminating evidence on a personal smart phone that he brings to work. Can Darren search Cooper’s personal smart phone?

A

Darren may search the phone if his organization has a privacy policy informing employees that personal smart phones are subject to search.

26
Q

Informant Payment

A

If the fraud examiner decides to pay an informant or source, he should make the payment in cash and obtain a receipt. If the source will not sign a receipt, the fraud examiner should not pay him. There have been numerous instances where a receipt was not obtained and the informant subsequently denied receiving funds or challenged the amount paid. If this happens, the fraud examiner will have to defend himself without proof; indeed, some investigators have been accused of having embezzled the payments. Payments should only be made on a cash on delivery (COD) basis.

27
Q

When should covert operations be used:

A

The following situations are those in which covert operations have traditionally worked well:
• There is reliable information about criminal activity or asset losses, but insufficient detail for prevention or apprehension.
• Losses are known to be occurring in an area, but there is no information as to how they are occurring or who is responsible.
• It is desirable to gather information concerning personal relationships or to identify the contacts made with or by certain people.
• It is desirable to compare actual practices with supposed or required practices.
• It is important to obtain information in an indirect manner from people believed to possess it.

28
Q

Uniform Commercial Code (UCC) filing can help.

A
A search of Uniform Commercial Code (UCC) filings can help fraud examiners identify personal property that an individual or business has financed. These filings identify:
• Name of the debtor or joint debtors
• Current address of the debtors
• Name of the financial lender
• Type of collateral pledged as security
• Date of filing and continuations
29
Q

Internet archives & deep Web

A

The term Internet archives refers to archived versions of Web pages that have since been updated or are no longer available online. The most popular tool for searching the Internet archives is the Wayback Machine, located at www.archive.org. The Wayback Machine allows users to see archived versions of Web pages throughout time. Fraud examiners can use the Wayback Machine to find historical information, such as:
• A photo posted on a website that has been removed
• Content, views, writing, and opinions rescinded by an author
• A company’s old job ads, statements, affiliations, or product lines
Alternatively, the deep Web (also known as the invisible Web) refers to Web content that is not indexed by standard search engines. There are a number of reasons why the deep Web exists. For instance, there are sites where Web crawlers (search engine robots or spiders) cannot enter. Web crawlers are scripts that create copies of visited Web pages, which are later indexed by a search engine to provide faster searches. These deep Web resources include websites without any links pointing to them, certain file formats that search engines cannot handle, sites that have been blocked from crawler access, password-protected sites, and information stored in databases. Also, search engines limit the depth of their crawl on a website. Moreover, Web crawlers cannot crawl as quickly as pages are added or updated.

30
Q

Privacy Act of 1974

A

The Privacy Act of 1974 establishes a code of information practices that regulates the collection, maintenance, consumption, and distribution of personally identifiable information that is maintained by federal agencies. It restricts information about individuals, both employees and nonemployees, and it applies to governmental agencies and government contractors running a system of records on behalf of the government. The Privacy Act prohibits an agency from disclosing such information without the written consent of the subject individual.
Under the Act, an agency may maintain records about a person containing information that is relevant and necessary to accomplish a purpose of the agency. This information may include a person’s education, finances, medical history, criminal history, employment history, and identifying information (fingerprint, voiceprint, or photograph).

31
Q

Rights to Financial Privacy

A

The Right to Financial Privacy Act prohibits financial institutions from disclosing financial information about individual customers to governmental agencies without the customers’ consent, a court order, a subpoena, a search warrant, or other formal demand. There are, however, limited exceptions to this rule.
Although the Act applies only to demands by governmental agencies, most banks and other financial institutions also will not release such information to private parties absent legal process, such as a subpoena issued in a civil lawsuit. The Act does not, however, make it a crime for them to do so.

32
Q

Exceptions when person’s consent not required to obtain the individual’s credit report.

A

The Fair Credit Reporting Act (FCRA) generally requires a party to obtain the consent of an individual before accessing that person’s consumer or credit report. However, there are some exceptions to this rule. The Fair Credit Reporting Act (FCRA) governs, among other things, the circumstances under which employers may request consumer credit reports and consumer investigative reports on prospective or active employees. The Fair and Accurate Credit Transactions Act of 2003 amended the FCRA to exempt certain reports involving employee misconduct investigations. As a result of these amendments, an employer who uses a third party to conduct a workplace investigation no longer has to obtain the prior consent of an employee if the investigation involves suspected misconduct, violation of laws or regulations, or violation of any preexisting policy of the employer.
To qualify for this exception, the report from the third party must not be communicated to anyone other than the employer, an agent of the employer, or the government. It is also important to note that this exception is for internal investigations, and it will not justify access to an external party’s credit report without consent simply because that party is being investigated for fraud.
In this case, Bianca may not access the suspect’s credit report because the individual works for a separate company.

33
Q

Metasearch engines

A

Metasearch engines (e.g., Zoo, Dogpile, Mamma) send user requests to several other search engines and aggregate the results for display.

34
Q

The net-worth method (or comparative net-worth analysis)

A

The net-worth method (or comparative net-worth analysis) is used to prove illicit income circumstantially by showing that a person’s assets or expenditures for a given period exceed that which can be accounted for from known or admitted legitimate sources of income. Fraud examiners should use the net-worth method when several of the subject’s assets or liabilities have changed during the period under examination and when the target’s financial records are not available.

35
Q

indirect method

A

An indirect method employs circumstantial evidence to analyze the relationship between a suspect’s receipt and subsequent disposition of funds or assets.

36
Q

Direct Method

A

In contrast, a direct method uses the subject’s books and records (or financial transaction records belonging to third parties) to analyze the relationship between a suspect’s receipt and subsequent disposition of funds or assets.

37
Q

letter rogatory

A

Government officials may make a formal government-to-government request for assistance, or letters rogatory, to obtain foreign evidence. Letters rogatory are formal requests that a court in one country makes to seek judicial assistance from a court in another country. Letters rogatory also permit formal communication among the judiciary, a prosecutor, or a law enforcement official of one country and their counterpart in another country. The most common types of assistance sought by letters rogatory are service of process and taking of evidence.

38
Q

Mutual Legal Assistance (MLA)

A

Mutual legal assistance (MLA) is a process by which countries request and provide assistance in law enforcement matters, such as gathering information, obtaining provisional remedies, and enforcing foreign orders and judgments. To obtain assistance from a foreign government, the government seeking assistance makes an MLA request. An MLA request is a written request to the government of a foreign country that is used to obtain assistance in law enforcement matters. Generally, MLA can be used to obtain assistance in matters such as conducting searches, gathering evidence, compelling sworn testimony and the production of documents, issuing search warrants, issuing subpoenas, serving process, exchanging affidavits, obtaining provisional remedies, and providing assistance in forfeiture proceedings.

39
Q

Proxemic communication

A

Proxemic communication is the use of interpersonal space to convey meaning. The relationship between the interviewer and respondent is both a cause and effect of proxemic behavior. If the distance between the interviewer and the respondent is greater, there is more of a tendency for them to watch each other’s eyes for clues to meaning.

It is important to position the respondent’s chair and the interviewer’s chair at an acceptable distance. The correct conversational distance varies from one culture to another. In the Middle East, the distance is quite short; in Latin America, equals of the same sex carry on a conversation at a much closer distance than in North America. Often, as the subject matter of the interview changes, the interviewer can note the changes in the respondent’s proxemic behavior. If the person is free to back away, he might do so when the topic becomes unpleasant or sensitive.

40
Q

“I don’t remember,” this type of response

A

Usually, “I don’t remember” is not an expression of resistance. Instead, it is an expression of modesty, tentativeness, or caution. One of the best ways to respond is to simply remain silent while the person is deliberating. He is saying, in effect, “Give me a moment to think.” If this is not successful, the best way to counter is to pose an alternate, narrower question.

41
Q

Confession by trickery and deceit allowable?

A

The use of deception to gain information can sometimes be employed legally. The theory is that information can be obtained by nearly any means, with the exception of force or threats. The interviewer, however, may not employ any deception likely to cause the innocent person to confess. The use of deception is not justified regarding promises of leniency or confidentiality, nor is it justified to obtain a monetary or business advantage.

42
Q

Catharsis

A

Catharsis is the process by which a person obtains a release from unpleasant emotional tensions by talking about the source of these tensions. We often feel better by talking about something that upsets us. Although we all are familiar with the frequent necessity for catharsis in ourselves, we do not always perceive the same need in others. The need for sympathetic understanding and the need for catharsis are related, but they are not the same thing. The interviewer who does not have time to listen to what he considers inconsequential or egocentric talk will often find the respondent unwilling to share important consequences.

43
Q

Manipulators

A

Manipulators are motions like picking lint from clothing, playing with objects such as pencils, or holding one’s hands while talking. Manipulators are displacement activities that reduce nervousness.

44
Q

Inferential confusion

A

Inferential confusion denotes confusion and inaccuracies resulting from errors of inference. These errors generally fall into two categories: induction or deduction. Induction occurs when the respondent is asked to convert concrete experiences into a higher level of generalization. Deduction occurs when the respondent is asked to give concrete examples of certain categories of experience.

45
Q

When asked a “yes” or “no” question, it is generally easier for an individual to answer “yes” than it is to answer “no.” T/F

A

True
Throughout the interview process—from the introduction to the close—the interviewer should seek continuous agreement by attempting to phrase the questions so that they can be answered “yes.” It is generally easier for people to reply in the affirmative than the negative.

46
Q

Some of the most effective information-seeking questions are phrased as subtle commands. T/F

A

True
During the information phase of the interview, the interviewer should endeavor to ask primarily open questions to stimulate conversation. Some of the best open questions are subtle commands.

47
Q

Controlled answer techniques or statements

A

Controlled answer techniques or statements may be used to stimulate a desired answer or impression. These techniques direct the interview toward a specific point. For example, it might be possible to get a person to admit knowledge of a matter by phrasing the question: “I understand you were present when the internal controls were developed; would you please describe how they were constructed?” This phrasing provides a stronger incentive for the respondent to admit knowledge than does: “Were you present when the internal controls were developed?” To stimulate the person to agree to talk or provide information, you might use a prompt such as: “Because you are not involved in this matter, I am sure you would not mind discussing it with me.” This provides a stronger incentive to cooperate than: “Do you have any objections to telling me what you know?” Avoid negative construction, such as: “I don’t guess you would mind answering a few questions?”

48
Q

Signs of deceptive behavior

A

The dishonest person will often try to appear casual and unconcerned, will frequently adopt an unnatural slouching posture, and might manipulate objects, such as a pencil. He also might react to questions with nervous or false laughter or feeble attempts at humor.

Nonverbal indications of deception include:
• Full-body motions away from the interviewer
• Physical responses such as sweating or labored breathing
• Changes in the use of illustrators
• Interruptions to the flow of speech
• Hands over the mouth
• Manipulation of objects such as a pencil
• Body positioned in a fleeing position
• Crossing of the arms
• Unnatural or casual reaction to evidence

49
Q

Assessment Questions

A

Assessment questions seek to establish the respondent’s credibility. They are used only when the interviewer considers previous statements by the respondent to be inconsistent because of possible deception. When evaluating a subject’s response to an assessment question for credibility, it is critical to observe both verbal and nonverbal reactions.

50
Q

Alternative question

A

The alternative question forces the accused to make one of two choices, both of which imply guilt. One alternative provides the accused with a morally acceptable reason for the misdeed; the other paints the accused in a negative light. Regardless of which answer the accused chooses, he is acknowledging guilt.

51
Q

Which of the following is the most appropriate example of an alternative question?

A. “Did you deliberately plan this, or did it just happen?”

B. “Will you repay the money now or later?”

C. “How else might this situation be explained?”

D. “Did you, or did you not, commit this crime?”

A

A
This alternative question provides one alternative with a morally acceptable reason for the misdeed, while the other paints the accused in a negative light. Regardless, he is acknowledging guilt.

52
Q

admission-seeking interview is

A

The admission-seeking interview is designed to obtain a legal admission of wrongdoing. It also serves various other purposes. For example, it seeks to clear an innocent person and encourage a culpable person to confess. A culpable individual will frequently confess during the admission-seeking phase of an interview, while an innocent person will not do so unless threats or coercion are used. Also, the interviewer will seek to obtain a valid confession. And finally, admission-seeking interviews are designed to convince the confessor to sign a written statement acknowledging the facts.

53
Q

Fraud examiners can use several techniques to stop or interrupt denials

A

Fraud examiners can use several techniques to stop or interrupt denials, including delays, repeated interruptions, and reasoning.

54
Q

Fraud theory approach

A
When conducting fraud examinations, fraud examiners should adhere to the fraud theory approach. The fraud theory approach is an investigative tool designed to help fraud examiners organize and direct examinations, based on the information available at the time. According to the fraud theory approach, when conducting investigations into allegations or signs of fraud, the fraud examiner should:
• Analyze the available data.
• Create a hypothesis.
• Test the hypothesis.
• Refine and amend the hypothesis.
55
Q

Net worth can be defined as the difference between assets and liabilities at a particular point in time. T/F

A

T

56
Q

When seizing a running computer for forensic examination, the seizing party should perform a graceful shutdown by turning the computer off using the normal shutdown process. T/F

A

F
When seizing a computer that is running, the seizing party should not perform a graceful shutdown by turning it off using the normal shutdown process. If a system is turned off using normal shutdown routines, a number of temporary files will be deleted and possibly overwritten during the shutdown process, and such files might be important to the investigation.

57
Q

The goal of establishing an interview theme should be to:
A. Inform the respondent that an official inquiry is being conducted.
B. Declare that the interviewer suspects the respondent of wrongdoing.
C. Determine the respondent’s guilt or innocence.
D. Get the respondent to make a commitment to assist before commencing serious questioning.

A

D

58
Q
Which of the following terms refers to the search for evidence showing what has happened to property, identifying the proceeds of property, and identifying those who have handled or received property or the proceeds of property?
A. Tracing
B. Replicating
C. Acceding
D. Patterning

A

A

59
Q
Gamma, a Certified Fraud Examiner, is attempting to locate the birthplace of Theta, a fraud suspect. Where is Gamma most likely to find such a record, if it exists?
A. County recorder
B. State's driver's license bureau
C. County tax assessor
D. State's bureau of vital statistics

A

D