Recently, Vestige has been engaged in multiple matters involving the analysis of billing records.  The requests have stemmed from the desire to test one of two possible theories about the billing records.  Theory number one is that the billing records have been altered (changed, added or deleted) after a specific date.  Theory number two is that the records have not been added contemporaneously.  Billing records not added contemporaneously could point to records that are intentionally or unintentionally inaccurate.  In some circumstances, the fact that the billing records were not added contemporaneously could make them invalid when seeking to have them paid.

Excel Billing

While some companies still use Excel spreadsheets (or something similar), that is becoming less the norm.  Excel doesn’t always allow for analytic reporting of billing data or professional-looking invoices.  Yet, since it is still used, what can the analysis of Excel spreadsheets tell us?  First there is the obvious: when was the spreadsheet created and when was it last altered?  While that metadata can be obtained from the file system, the Excel spreadsheet itself holds another copy of a created and last written date.  Furthermore, the spreadsheet provides information such as the author and who last modified the document.  Of course, an environment that uses Excel for billing likely has relaxed security, and if multiple people are using the same user account, author information isn’t too helpful.

To be honest, if billing is in Excel, the best you can hope for is multiple copies of the spreadsheets, including copies in backups, email and locations long forgotten.  Absent that, spreadsheets don’t have the granularity to determine when each entry was entered, just when the spreadsheet itself was created and last saved.  But realize that this lack of authentication features can be a double-edged sword.  If the presenter of the records has other flaws in their story (such as generally sloppy billing practices), they may not be able to rely upon the authentication data in Excel and similar spreadsheets.

Other Billing Software

Thankfully, most organizations today use more robust billing and time entry software.  The software possibilities are plentiful and the purpose of this blog is not to say which is better than another.  However, let’s look at the forensic “goodies” one can obtain from billing records stored in software packages.

The first goodie is that most software requires a separate logon.  Each user logs in with their own account to enter their time entries, run reports and print invoices.  Quite often the activity they perform is tracked and audited by the login account.  We’ve even seen billing records where it is possible to determine who first entered the information, who approved it and who edited it.  Knowing the user that had a hand in the billing records is helpful if one starts to see a pattern of erroneous, sloppy or untruthful entries tied to one account.

The next goodie is that many packages not only record the date and time one enters for the record in accordance with when the work was allegedly done, but the package will also record when someone entered that information.  It is this dual tracking of dates that is one way to determine whether the entry for four hours of work on 1/31/2016 actually was recorded on 1/31/2016 or was recorded on 3/15/2016.

Some software packages have in-depth auditing.  In these packages, one’s billing record is entered, reviewed, approved, sent back for modifications and eventually submitted.  Each of those steps or actions is tied to a specific individual as well as the date and time when that action occurred.  This information again can be used to determine patterns of creating or approving suspect billing records.

But is this information accessible?  I’ll provide two examples where it wasn’t.  Vestige investigated one piece of software that didn’t have reporting available to determine when records were actually entered.  However, an examination of the underlying database uncovered fields in the billing records that allowed us to identify when entries were recorded and altered and by whom.  Testing, of course, was performed to back up our observations.  In another example, records were “deleted” from the billing software, but again an examination of the database uncovered records that were merely “marked deleted” but were capable of being viewed; they were just hidden by the software.

How Digital Forensics Analysis Can Uncover Billing Evidence

But let’s get a little technical here.  When dealing with billing software, the data is often in a database.  That database consists of what are called “tables”.  A table is very similar to an Excel spreadsheet in that there are rows of data and columns of information for each row.  But tables are much more powerful in what can be done with them.  For example, many database tables will have a unique ID that is auto-generated and recorded for each record.  That ID is often a sequential number.  Nothing is more telling than lining up a set of records in order of this sequential ID and seeing entry dates and times bounce back and forth.  That is a tell-tale sign of someone back-dating records.
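The two checks described so far, the sequential ID against the recorded entry time and the work date against the recorded entry time, can be run directly against a copy of the billing table. This is an added example, not Vestige's tooling or any product's schema: the table name, column names and rows are hypothetical and constructed, loaded into an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows. The table and column names are hypothetical;
# real billing packages use their own schema.
ROWS = [
    # id, entered_by, work_date, hours, entered_at (recorded by the system)
    (101, "akim", "2016-01-29", 2.0, "2016-01-29 17:05:00"),
    (102, "akim", "2016-02-01", 3.5, "2016-02-01 16:40:00"),
    (103, "bdoe", "2016-01-31", 4.0, "2016-01-31 18:10:00"),  # earlier than ID 102
    (104, "bdoe", "2016-02-02", 1.0, "2016-02-02 09:15:00"),
    (105, "akim", "2016-01-31", 4.0, "2016-03-15 10:30:00"),  # recorded weeks later
]

def load(rows):
    """Load the sample rows into an in-memory working copy of the table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE time_entry (id INTEGER PRIMARY KEY, entered_by TEXT,"
               " work_date TEXT, hours REAL, entered_at TEXT)")
    db.executemany("INSERT INTO time_entry VALUES (?, ?, ?, ?, ?)", rows)
    return db

def out_of_sequence(db):
    """IDs whose recorded entry time precedes that of some lower ID.

    ISO-formatted timestamps compare correctly as text.
    """
    sql = """
        SELECT t.id FROM time_entry AS t
        WHERE t.entered_at < (SELECT MAX(p.entered_at) FROM time_entry AS p
                              WHERE p.id < t.id)
        ORDER BY t.id"""
    return [row[0] for row in db.execute(sql)]

def late_entries(db, max_days=7):
    """(id, lag in days) for entries recorded more than max_days after the work date."""
    sql = """
        SELECT id, CAST(julianday(date(entered_at)) - julianday(work_date) AS INTEGER)
        FROM time_entry ORDER BY id"""
    return [(rid, lag) for rid, lag in db.execute(sql) if lag > max_days]

if __name__ == "__main__":
    db = load(ROWS)
    print("out of sequence:", out_of_sequence(db))
    print("late entries:", late_entries(db))
```

Inversions of a few seconds between neighbouring IDs can come from concurrent inserts, so it is the large jumps backwards that call for an explanation.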

Some of you may be thinking, “Well, this is all well and good, but can’t people modify their clocks?”  Certainly that can happen; however, let’s discuss the issues with someone maliciously changing the time on their computer to affect a billing record.  If the billing software is in the cloud, you can alter the time on your computer however you want, but the software in the cloud runs on its own clock that can’t be altered by the users that use the software.  If the software being used is stored locally at the company using it, yes, altering the clock on a computer can fool the software into thinking that something is being entered at a time that it really isn’t.  However, that isn’t easy with today’s computers, as there are internal mechanisms built into them that force them to synchronize their clock automatically behind the scenes with an authenticated time server.  For argument’s sake, let’s say someone can get past the desire for the computer to fix itself.  In that case, Locard’s principle takes over. (In forensic science, Locard’s exchange principle holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence.) Altering the clock on a computer causes other changes to the computer and potentially to the billing software that go undetected by the perpetrator.  Consider the example above with the sequential ID.

So if you are in the midst of authenticating billing records and want to know when they were entered, by whom and otherwise examine their authenticity, contact your local digital forensic expert – they may be able to help out.

by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations
 
 
