IRS agents root out cybercrime
Forensic computer expertise uncovers frauds
By MICHAEL P. MAYKO
George Francischelli and Dori Schulze are the last people you'd want to see if your home or business is being searched by the IRS.
That's because once these two IRS special agents, who specialize in computer investigations, start to work on a suspect's computer, there's almost nothing on the hard drive that will remain hidden, deleted or unscrutinized.
They'll use programs like ILook, developed by a member of Scotland Yard to analyze a hard drive. It'll find, separate and mark digital information by file extensions, key words or numerical notations.
It can uncover hidden, deleted, lost files or folders.
"ILook allows us to do in days what used to take months," said Schulze. "If we suspect skimming, we can quickly access the spreadsheets and run comparisons."
Such technical expertise makes the IRS' computer investigative special agents essential to criminal probes, said Joseph Galasso, special agent in charge of criminal investigations run out of the IRS' Boston field office, which includes Connecticut.
It's mandatory that they are present whenever a search warrant involving computers is executed, said Galasso. They are included in the planning stages for a search.
Agents assigned to be computer investigative specialists, or CIS, participated in the December 19, 2000, execution of search and seizure warrants as part of the Bridgeport municipal corruption probe. Schulze was one of those called into action during the July 26, 2001, Waterbury corruption raids.
Once a CIS gets their hands on a computer, they can work magic.
Take a terrorist who thought he deleted e-mails.
Schulze, Francischelli or any of the other 100 IRS computer investigative specialists nationwide can use ILook and other programs that will recover the e-mails, and in some cases, help locate the recipients.
Take a child pornographer who changes the jpeg extensions on photo files. ILook will compare a file's signatures to its extension. It'll then mark those files that are mismatched.
Take the unscrupulous businessman who keeps a double set of books and does not report all his income. ILook and other programs will unravel the scheme by uncovering invoices, balance sheets and cash payments.
Galasso said the program has proven very effective, not only for investigating tax evasion but also narcotics trafficking, terrorism, organized crime, corporate fraud and health-care fraud.
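The signature-versus-extension comparison described above for renamed photo files can be shown in a few lines. This is an added example, not ILook's code and not part of the original article; the function names, the short signature table and the sample files are constructed for illustration.

```python
import os
import tempfile

# Leading "magic" bytes for a few formats and the extensions each one implies.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx"}),
]

def sniff(path):
    """Return (type_name, allowed_extensions) from the file header, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, name, exts in SIGNATURES:
        if head.startswith(magic):
            return name, exts
    return None

def find_mismatches(root):
    """Return sorted (relative_path, detected_type) for files whose header
    is recognized but whose extension does not fit it; unknown headers are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            detected = sniff(full)
            ext = os.path.splitext(fname)[1].lower()
            if detected and ext not in detected[1]:
                hits.append((os.path.relpath(full, root), detected[0]))
    return sorted(hits)

def build_sample(root):
    """Write a constructed sample tree: file headers only, not real documents."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 12,   # JPEG with a matching name
        "ledger.dat": b"\xff\xd8\xff\xe0" + b"\0" * 12,    # JPEG renamed to .dat
        "notes.txt": b"plain text, no signature",          # no known header
        "report.docx": b"PK\x03\x04" + b"\0" * 12,         # ZIP container, expected
        "backup.tmp": b"%PDF-1.4\n",                       # PDF renamed to .tmp
    }
    for fname, data in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(find_mismatches(d))
```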
"In the past year, CIS processed over 80 terabytes [1,000 megabytes] of information [nationwide from suspects' computers]," said Schulze. "That's an incredible amount of information, particularly when you consider that the Library of Congress consists of only 15 terabytes."
Schulze is the lead investigator for the IRS' North Atlantic criminal investigation electronic crime program. She supervises 17 IRS computer investigative specialists, including Connecticut's Francischelli, stationed in offices from Pennsylvania to Maine.
During her nearly 25 years with IRS, Schulze oversaw the computer aspects of criminal investigations into a tax evasion scheme at Stew Leonard's; the massive fraud concocted by Martin Frankel, a renegade stockbroker; and a sophisticated Stamford-based gambling operation in which computers were triggered to erase their hard drive if the wrong key was pressed.
The IRS was the first agency to develop an expertise in computer forensics, said Schulze. There wasn't anyone else doing it.
Today, there might not be anyone better at it.
Most of the evidence we want is stored in digital form somewhere, Galasso said. That somewhere could range from the largest server to the smallest thumb drive, which resembles an encapsulated pipe.
They're portable storage devices, Schulze said. They can contain anywhere from 256 megabytes to a gigabyte of a business computer's most important information.
Accessing the thumb drive's information is as simple as plugging it into a computer port and turning the machine on.
Schulze has seen these devices hanging off employees' key chains.
You have to keep up with technology, said Schulze, fingering a thumb drive in her palm. New devices are constantly coming out.
The first thing Francischelli will do when he comes upon a suspect's computer is make an exact copy or image of the hard drive.
He'll take a controller card out of his black bag and insert it into a vacant slot on the suspect's computer. He'll then wire it to one of the empty hard drives he brings along.
"I can copy a 40-gig hard drive, which is common for a small business, in 25 minutes," he said. "That's not a bad speed."
In a recent Caribbean investigation, CIS agents copied 90 hard drives in 17 hours.
"In the old days we'd be trucking the entire computer back to our office," said Galasso. "We'd be putting people out of business for months. In some recent cases, we've had more than 100 computers at a site."
"We couldn't keep up with the work," said Francischelli. "Now I can have a copy of the hard drive up and running on the case agent's desk the next day."
When CIS says copying a hard drive, they mean everything: deleted files, swap files, free space. I have an exact copy of what's on that hard drive.
Back at his office, Francischelli will copy the hard drive's copy.
"We keep the original copy for evidentiary purposes and analyze the work [on the second] copy," he said.
The analyzing starts with ILook. IRS provides ILook free to local law enforcement.
It'll scan the drive and mark all files, separating them into word documents, photographs, spreadsheets, databases, zip files, the full tree structure of the computer, said Francischelli. It looks like Windows Explorer.
ILook allows them to search for key words. It'll take every file including those words and put them in a folder.
"If I know of a particular offshore bank account I can search for that," Francischelli said. "What usually happens is the case agent supplies me with a typed list and we run all the words or names through ILook."
If a file is password protected, CIS has another program that will scan and eventually unlock it.
Francischelli will look at cookies, a trail left behind showing where a person has been on the Internet.
For assets, he'll look at jpeg or photo files, which may show money, boats, houses, statements and even associates.
CIS even has programs that allow them to get into encrypted files, mailboxes and address books.
"Windows creates a lot of information for its own troubleshooting purposes," Francischelli said. "We have the programs and knowledge to use that information to our own advantage."
"That's why we want senior agents as computer investigative specialists," said Galasso. "They've got to be more than just computer experts."
Their job is not only to preserve, extract and analyze the evidence, but also to know what to look for, what questions to ask and how to prepare evidence for a trial.
Michael P. Mayko, who covers legal issues, can be reached at 330-6286.
connpost.com
Posted on Tuesday, 25 November 2003 @ 04:30:00 EST by phoenix22