Phil Beckett, partner at Proven Legal Technologies – the corporate forensic investigation and e-disclosure firm, discusses how firms must take steps towards preparing for and carrying out an effective investigation themselves, following new sentencing guidelines for fraud, bribery and money laundering offences. Beckett also highlights the importance of understanding how to manage data during an investigative process.
On 1st October 2014, new guidelines for fraud, bribery and money laundering offences came into effect. The guidelines outline the sentencing ranges for these offences, depending on their level of seriousness. It is encouraging to see that the guidelines continue to emphasise the significance of these crimes. When this is combined with the prosecutorial approach that David Green is advocating for the Serious Fraud Office (SFO), there is a clear consistent message from policy makers for companies to take these offences very seriously indeed.
However, given the current priorities of the relevant law enforcement agencies, unless the size or characteristics of the alleged offence demand it, the investigation is often left to companies themselves to carry out. For this reason, firms must take steps towards preparing for and carrying out an effective investigation alone. For the inexperienced, investigations can be full of complex procedures and stress. Consequences of an investigation could include legal responsibilities, admissibility of evidence, strain on human resources, potential bad PR and the simple fact that investigations can dramatically distract management from day-to-day operations.
The key to investigating allegations often lies in evidence that is held on computers and in emails. This evidence not only reveals ‘smoking gun’ documents, but also the communications surrounding the alleged offences. Most businesses use an array of technical devices as part of their daily routine, including laptops, personal smartphones and tablets, all of which hold a vast amount of information. Emails and other means of communication are often overlooked, but due to the details and context they can provide, they must be seen as a fundamental source of evidence in helping unravel the facts behind allegations.
Dealing with data
There are three essential considerations that must be taken on board when dealing with data during an investigation. The first is that it is important, especially given the seriousness of the offences, that a full forensic approach is followed. Not only does this ensure that any evidence or intelligence that is identified through the investigation is admissible, but it also provides access to many investigational sources that are not readily available. These include the ability to: recover deleted files, including those partially overwritten; analyse internet browsing artefacts, specifically looking at web-based communications, such as webmail and chat messages; and examine the internal workings of the operating system to, for example, identify the use of USB devices, smartphone backups and the use of cloud-based storage.
The second consideration is that the relevant data universe must be understood. It is important to look at this from two dimensions: firstly, who is likely to hold relevant documents; and secondly, which of the devices they used could hold relevant information. As a minimum, the following systems need to be considered as part of an investigation: computers/laptops; smartphones/tablets; network data (home, shared and profile directories); e-mail and chat data (live and archives); back-up media (official and personal); and application/structured data.
Finally, it is paramount that appropriate intelligent tools and methodologies are used to investigate the data that is forensically captured. This is not as obvious as it sounds, as one of the paradoxes of data is that as well as containing useful and relevant information, there will also be huge volumes of irrelevant material that must be sifted. This is compounded by the fact that key documents are not always obvious in isolation, especially if the suspects are aware that (a) what they are doing is wrong and (b) there is likely to be an investigation at some stage. Suspects therefore tend to use code-words or phrases, avoid official forms of communication and try to hide potential evidence. Therefore, it is essential that appropriate methodologies and tools are used within the investigation. This tends to lead to two streams of investigation: the first looking at documentary content and the second a forensic artefact analysis. It is critical that these tasks are not performed in isolation and that they are fully integrated into the other investigation tasks, so that the findings from one stream can inform the other.
Using technology intelligently
Intelligent technology also has a role to play here. Amongst other things, it allows for duplicates and near-duplicates to be ignored, the possibility of locating non-work email accounts, the identification of password-protected documents and the use of linguistic clustering and concept analysis for enhanced searching. However, it is important here not to get too distracted by technology, but to harness it so that it enhances the investigation process.
Given the seriousness of these offences, the impact they can have on an organisation and the priorities of law enforcement, it is paramount that an organisation conducting an internal investigation does so professionally and thoroughly, so that it avoids any subsequent issues compounding an already significant problem.
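As an added illustration (not code from the article or from any review product), the sketch below shows how a review queue can suppress exact and near-duplicate documents and surface non-work email addresses. The corporate domain, the similarity threshold, the function names and the sample messages are all assumptions constructed for the example.

```python
import hashlib
import re

CORPORATE_DOMAIN = "example-corp.test"  # assumption: the organisation's own mail domain
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def normalise(text):
    """Lower-case and collapse whitespace so trivial edits do not defeat hashing."""
    return " ".join(text.lower().split())

def shingles(text, k=3):
    """Set of overlapping k-word windows used for near-duplicate comparison."""
    words = normalise(text).split()
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def triage(docs, threshold=0.5):
    """Return (unique_ids, suppressed, external_addresses).

    suppressed maps a hidden document id to (kept id, 'exact' | 'near').
    Nothing is deleted: suppressed items stay in the evidence set and are
    only left out of the first-pass review queue.
    """
    unique, suppressed, seen_hash, external = [], {}, {}, {}
    for doc_id, text in docs.items():
        for m in EMAIL_RE.finditer(text):
            if m.group(1).lower() != CORPORATE_DOMAIN:
                external.setdefault(m.group(0).lower(), []).append(doc_id)
        digest = hashlib.sha256(normalise(text).encode()).hexdigest()
        if digest in seen_hash:  # identical after normalisation
            suppressed[doc_id] = (seen_hash[digest], "exact")
            continue
        sh = shingles(text)
        match = next((u for u in unique if jaccard(sh, shingles(docs[u])) >= threshold), None)
        seen_hash[digest] = match or doc_id  # later exact copies point at the kept document
        if match:
            suppressed[doc_id] = (match, "near")
        else:
            unique.append(doc_id)
    return unique, suppressed, external

# Constructed sample review set (not real case data).
SAMPLE = {
    "msg-001": "Please send the revised invoice to the supplier before Friday and copy finance.",
    "msg-002": "Please send the  revised invoice to the supplier before Friday and copy finance.",
    "msg-003": "Please send the revised invoice to the supplier before Monday and copy finance.",
    "msg-004": "Use my other account for this: j.smith@webmail.test, not j.smith@example-corp.test",
}
```

Calling `triage(SAMPLE)` keeps `msg-001` and `msg-004` for review, records why the other two were suppressed, and lists the webmail address together with the message that mentions it.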
Phil Beckett, partner at Proven Legal Technologies – the corporate forensic investigation and e-disclosure firm