Action to be taken when computerised accounting records are discovered

March 2011  

Part 2 Action to be taken when computerised accounting records are discovered

66.11 Media to be obtained

Where the official receiver becomes aware that computerised accounting records have been kept he/she should obtain:

  1. the storage media on which the records are held, e.g. computer hard drive, external disk drive, flash drives, data/memory sticks, DVDs, CDs, floppy disks,  tapes, zip drives etc. (see also paragraphs 66.13 to 66.14);
  2. a detailed record of the system and its operators including system user names and passwords (see paragraph 66.15);
  3.  where practical, a printout of the accounting information (see paragraph 66.12).

 

66.12 Records maintained by a computer bureau or other agent

A business which uses computerised accounting records will not necessarily have any computing capacity of its own. All or part of its records may be maintained by a computer services bureau (or similar external agent) located elsewhere. Where a third party is in control of the insolvent’s records, the official receiver should obtain details of the contract between the insolvent and the third party and establish their contact details.  In the first instance the official receiver should contact the third party to ask for copies of the computerised accounting records on a storage medium such as a DVD/CD or in a paper printout.  The director or bankrupt is under a duty to provide the official receiver/liquidator/trustee with the company’s/his/her accounting records, and the accounting bureau/agent can be required to co-operate in the same way as an accountant can be required to provide access to the insolvent’s records [note 1][note 2][note 3][note 4][note 5]. The official receiver will need to consider any cost implications with regard to the obtaining of the records where he/she is required to pay to obtain the data stored by the third party.  Obtaining records to establish the cause of failure is part of the normal duties of the official receiver and will therefore be covered by the administration fee, authority is not required where a debit balance of £500 or less is likely to be incurred, but where a debit in excess of £500 is to be incurred, reference should be made to Technical Section.   Where the records are to be recovered for investigatory purposes the official receiver can charge any associated costs against his/her enforcement budget as necessary.  See also Chapter 32.3 paragraph 32.3.44.

Where the information is provided by the computer bureau/third party on a computerised storage medium (CD/DVD etc.) rather than a printout, it should be treated in the same way as electronic media handed over by a director or bankrupt. The Forensic Computing Unit (FCU) should be contacted by the examiner to request an imaged copy of this media, so that the copy can be used to access the data, this will ensure the integrity is maintained of the data provided by the third party.

Refer also to the procedure for contacting FCU outlined at paragraphs 66.17 to 66.22.

 

66.13 Primary handling of electronic storage media handed over by director/bankrupt

When a director or bankrupt hands over any disks containing accounting records the examiner should ensure the following information is obtained:

  • details of the software package the records are held on,
  • details of which version of the package is being used,
  • any passwords used, if applicable (see paragraph 66.15),
  • what period the data relates to,
  • that as far as the director is aware, the media is undamaged, and
  • whether any third parties have accessed the media and why (see paragraph 66.16).

Computerised accounting records should be listed and a receipt given when the records are delivered in the same way as for manual records,  using forms SRHO, BPRCT and BPL.  See Chapter 10 Part 2 paragraphs 10.13 to 10.21 and Chapter 10 Part 3 for full instructions on the protocols for the receipt and listing of records.

 

66.14 Action by examiner on receiving the electronic storage media

It is vitally important that the examiner does not access the media to confirm any of the information. This includes switching on, loading or connecting computers, equipment or electronic media; any such action will alter key files and change the data, which will seriously compromise the official receiver’s ability to use the data in legal proceedings at a later date.

 

66.15 Passwords required to access the computerised records

The examiner should require the director or bankrupt to provide all passwords used by key users to gain access to the system and/or specific data areas.   Passwords can be required for system start up, login, software applications or file level.  Accessing the electronic storage systems without the necessary passwords is likely to be extremely protracted, or may not be possible at all, and lack of passwords will result in a delay in returning the imaged data copy to the official receiver.  If FCU experiences difficulties in accessing the media the official receiver will be contacted and any alternative possibilities for accessing the information discussed.

 

66.16 Third parties who have accessed the media

Where the director or bankrupt states that the computer media has been accessed by third parties prior to it being delivered up to the official receiver, a full statement as to who accessed the documents, how, when and why,  should be obtained.  Examples of people who might previously have accessed the media are for example a liquidator (provisional or otherwise), accountant or insolvency practitioner, etc. 

 

66.17 Initial data imaging service request to FCU  

Where the official receiver requires imaged copies of the media (for accessing the data or obtaining printouts) a service request will need to be initiated with the FCU using a ”Request for service” (RFS) form, also referred to as the Financial Data Recovery (FDR) form. This is the only form required by FCU in connection with obtaining imaged copies of the media and is available by clicking HERE.

A copy of the RFS/FDR form should be partially completed at boxes 1 to 15,  from the box entitled “Region” to the box entitled “Request Description”. The examiner should provide the court number, (the case name is optional), the name of the examiner dealing with the case, the operating system used and the type of application software used.  Stepped instructions to assist with handling this form once completed can be found in the “Handling the Request for Service form” flowchart on the OROS/FDR intranet page HERE.

Whilst a copy of the RFS/FDR form can be emailed to the FCU as an attachment (see paragraph 66.23), a hard copy of this form should be printed off and included with the media when the evidential bag(s) are sealed and tagged (see paragraph 66.18). All media items relating to one case should be listed on the same RFS/FDR form and each RFS/FDR form is specific to each request to FCU for data imaging, which is why a copy should be retained with the hardware/media item at all times.  Local variations of this form must not be used. See also paragraph 66.21.

 

66.18 Securing the electronic media in evidential bags

All electronic media (DVDs, CDs, disks, memory sticks etc.) and computers received by the official receiver should be placed and sealed in approved evidential bags (clear plastic bags) using evidentially numbered tags.  The bags and tags (which are supplied to official receivers’ offices by FCU) should be available centrally within the office, and there are various sizes available depending on the size and quantity of the media to be sent. If there is room in the evidential bag and there is more than one item,  several media items can be included in one evidential bag, and a copy of the RFS/FDR form listing all the media items included with the media (see paragraph 66.17).  All media items should be bagged and tagged upon receipt.  For more information go to the OROS/FDR intranet page HERE.

 

66.19 Targeting data recovery requests

It is important that in the comments field (“Request description” field) the detail of the data that is required to be extracted is stipulated clearly, and also the nature of the data that it is anticipated will be found on the media.  In the case of removable media (e.g. memory sticks or disks) the request will most likely be for the entire contents of the media, but where the media has a large memory capacity (e.g. a computer hard drive or external hard drive) the request for data may need to be more focused, e.g. concentrating on monthly management accounts produced since the date of the last set of audited accounts.

Where there are large volumes of data, when deciding the exact requirements of the data to be recovered, some suggestions as to questions to ask or information to be provided on the RFS/FDR form are as follows:

  1. If financial data is required, which software package is being used (e.g. Sage, QuickBooks etc.)?
  2. Will some of the information be available on spreadsheets, which may already be printed out and/or stored separately from the software package?
  3. If all office documents (e.g. MS Word, Excel etc.) are required, would it be more helpful to have all the files as a list, or would it be of more use to retain them in their original directory/folder structure?

 

66.20 Increased efficiency from targeting data requests

The more focused a request for the information required, the more relevant the data will be that can be supplied and the quicker the turn around in providing imaged data.  As the FCU retains copies of the data image (see paragraph 66.28) further requests for additional information can be dealt with at a later date.  A complete file listing can also be provided, which may be of use in an investigation.

 

66.21 Sending a request to FCU  

Following completion of the information in the RFS/FDR form and “bagging and tagging” as detailed at paragraphs 66.17 to 66.20, the examiner should email a copy of the form to the FCU mailbox (fcu@cib.gsi.gov.uk). FCU aims to return the completed acceptance or rejection of the request within two working days of receiving the original request. FCU will email a response to the examiner, which is a copy of the FDR form containing details of the acceptance or rejection of the request. Usually the request will be accepted (noted in boxes titled “Accepted Date” and “FCU Examiner”) but if the RFS/FDR request is rejected an explanation will be given by FCU in their response (RFS/FDR form box no.18 entitled “FCU Comment”).

 

66.22 RFS/FDR form must be enclosed with any media sent to FCU

In all cases a copy of the most up-to-date RFS/FDR form must be enclosed with any media being sent to the FCU, as detailed at paragraph 66.17.  This also applies where further media is discovered at a later date.  A copy of the most up-to-date RFS/FDR form should also be emailed to the FCU mailbox fcu@cib.gsi.gov.uk) when any media is sent to them.

 

66.23 Accepted RFS/FDR requests

If the FCU accepts the RFS/FDR request, the copy RFS/FDR form sent to the examiner confirming acceptance of the request will contain details of the FCU examiner who is dealing with the request, the date it was accepted by FCU and the date by which the request should be completed. Once the request for data recovery has been accepted by FCU, the examiner should then prepare the bagged and tagged media to send to the FCU (see paragraph 66.18 for details of “bagging and tagging”).  It should be placed inside one of the zipped plastic pouches supplied to the office by FCU for this purpose, along with a copy of the updated RFS/FDR form.  The pouch should be zip-locked using a locking tag (usually stored centrally in the office with the evidential bags, tags and zipped plastic pouches) and then that pouch should be placed in an envelope before sending it to FCU via Royal Mail Recorded Delivery Post (suitable for most standard financial data recovery requests) or Royal Mail Registered Post for high priority financial data recovery requests.  Parcelforce may also be used.

All media to be imaged should be sent to :

The Forensic Computing Unit

Companies Investigation Branch

Ground Floor

Insolvency Service

4 Abbey Orchard Street

London

SW1P 2HT

To reduce the possibility of media going missing over a weekend when staff are not available to confirm it has been delivered safely, it is suggested that where possible, media should not be sent to FCU from the official receiver’s office on a Friday.

 

66.24 Agreed targets for completion of “medium” urgency requests

The Service Level Agreement (SLA) that FCU has agreed with OROS is that all “medium” urgency data imaging requests (which should constitute the majority)  the removable media (diskettes, memory sticks, CDs, DVDs, Jazz/Zip drives, external hard drives etc.) will be imaged and returned by FCU within 10 working days from their receipt.  This 10 days does not include the time the data is in transit, and may be exceeded where the FCU has to obtain specialist software outside of its normal resources to be able to complete the request.

The SLA between official receivers and the FCU is contained within the FCU Procedures document at paragraph 6 of the section headed "Procedures for requesting service from the FCU". This document can be accessed on the intranet by clicking HERE.

 

66.25 Agreed targets for completion of “high” urgency requests

For “high” urgency requests, the imaged data will be returned as soon as is possible, depending on any technical difficulties that may arise.  The usual criteria for a request to be considered as “high” urgency are where the case:

  • is subject to a current or on-going police investigation;
  • is subject to press, ministerial or MP interest;
  • is a case which has been transferred to another office and only 2 months remain before the investigation deadline is due.

Any “high” urgency request should include a full explanation by the examiner as to why this level of urgency is justified.

 

66.26  Action where agreed target is missed

Every effort will be made to maintain the agreed targets as detailed at paragraphs 66.24 and 66.25, however, where it becomes apparent that a target will be missed, FCU will report this to the relevant examiner/official receiver with an explanation as to the reason why the target cannot be met, recorded in the FCU comment area of the FDR form.  The FCU will continue to liaise with the examiner as to the progress of their request should any further delays occur, which may happen for example where several “high” urgency requests are received at the same time,  causing a delay in processing a “medium” urgency request.

 

66.27 Dealing with large items to be sent to FCU

Where the media item is larger (such as a computer hard-drive) it should be bagged and tagged (see paragraph 66.18) and, where it is too large to be placed in a pouch it should be placed in a suitably sized box, sealed and posted via recorded delivery or track and trace DX (Gold service).  It is very important that computers are sent complete and unopened, as this means that the evidential integrity is maintained, damage is prevented and all necessary equipment is received by the FCU.

 

66.28  FCU action after original media is received for imaging 

Following receipt of the media, a member of the team will update the FDR form and email a copy back to the examiner to confirm that the media has arrived and provide an estimated time within which the imaging will be completed, and the copy media returned to the examiner (see also paragraphs 66.23 to 66.26).

FCU will then make an image of the contents of the media, where possible.  The data will be photographed and a full image of the data taken and retained by the FCU.  Once the image has been taken,  the original media will be re-assembled (in the case of a computer) and re-bagged and re-tagged.  FCU will make a working copy using data extracted from the image, and this will be returned to the examiner along with the original media,  via recorded delivery.  An email containing the updated FDR form will also be emailed to the examiner, containing details of the work undertaken and the dispatch date, and a list of the output data.  Also included will be a “Satisfaction Response Form”, which should be completed and returned so that all parties can gauge the service received or given,  and any issues can be addressed.

 

66.29 Best practice to ensure data integrity

The Financial Data Recovery process is carried out in this way as described at paragraph 66.28 to ensure that the integrity of the data is maintained.  The FCU works to the guidelines set out by the Association of Chief Police Officers “Good practice Guide for Computer-Based Electronic Evidence” a copy of which can be accessed on the web HERE.

The FCU have provided guidance for official receivers concerning the Financial Data Recovery process, available on the intranet HERE.

 

66.30 Records held on computer system - no removable media available and on-site visit required

Where the records are held on a computer system which cannot be removed, and the director/bankrupt is unable or unwilling to provide a copy on appropriate media, or the volume of data is too great to be printed, a site visit (inspection) may be requested and/or a request made for the imaging of the data to be carried out at the insolvent’s trading premises.  The reason for the requirement to carry out an on-site imaging visit must be clearly explained.   If the resources to undertake this work are not available within the unit,  assistance and advice on using third parties will be provided by FCU.

 

66.31Action by official receiver’s staff where on-site visit required

The examiner or inspecting officer should immediately ascertain details of:

  • who the computer belongs to,
  • whether it is a stand alone or network system,
  • what operating system is used,
  • any usernames and passwords,
  • what package the records are held on,
  • what version of the package is being used,
  • what period the data relates to, and
  • that as far as the director/bankrupt is aware the system is undamaged and operational.

Under no circumstances should the official receiver’s staff turn the machine ‘off’ or ‘on’ or attempt to access the system or data. In such circumstances the examiner should immediately contact FCU to discuss what should be done.  FCU can be contacted by telephone on 020 7596 6162, by fax on 020 7596 6207 or emailed at fcu@cib.gsi.gov.uk.  If the system cannot be removed, either for technical reasons or because it is owned by a third party or shared, it should be secured as well as possible,  and FCU should be contacted to arrange for an officer to go to the trading address as a matter of urgency to extract the data, and the RFS/FDR form should be completed and sent to FCU (see paragraphs 66.17 to 66.21 for guidance on this).

   

66.32 Action by official receiver where computer removed to office following advice from FCU

If following consultation with FCU (see paragraph 66.31) they advise the official receiver that the computer system can be removed from the trading premises, it should be bagged and sealed and taken back to the official receiver’s office.  Where the computer is too large to send to FCU (see paragraph 66.27) the examiner should arrange a date for an FCU officer to visit the office to take an image or remove appropriate hardware/media (this can be arranged by telephoning FCU). The examiner should provide FCU with the name of the case, court number, the name of the examiner dealing with it and the type of system and software. FCU will log the case detail and issue an identification number. FCU will then advise the examiner of when an officer from FCU can attend the office to carry out the data imaging.

 

[Back to Part 1 – Introduction to computerised accounting records and definitions used in connection with their storage and recovery]

[On to Part 3 - Making a record of the computer system and its contents]