smart solutions: data analytics to support fraud …...geocoding: enriching and validating data 31...

Smart Solutions: Data Analytics to

Support Fraud Examinations

About me

Understanding data

Cleansing data

Enriching and validating data

Importing data

Analyzing data

Reporting

Agenda

2

Jörn Weber

Certified Fraud Investigator

19 years experience—German law

enforcement

Since1999 Managing Partner at

corma GmbH:

Solution provider

Partner for corporate security

About Me

3

About corma GmbH

4

Stops suspects by:

analytical investigations

operative investigations

Saves time by:

online research

online monitoring

Increases efficiency

and saves money by:

data analytics

global intelligence

solutions

Data Modeling

5

© corma GmbH

Workflow

Understanding data

Cleansing/standardizing data

Enriching and validating data

Importing data

Analyzing data

Reporting

What Are “Smart Solutions?”

6

We need to understand data related to

our cases.

Which data?

Understanding Data

7

It is a challenge to understand data.

What kind of challenge? Data quantity

Understand relationships and background

Bring data into context

How does it work? In four steps

Understanding Data

8

© Dan Roam

Look at the data:

Understanding Data

9

© Dan Roam

See the pattern:

Understanding Data

10

© Dan Roam

Imagine:

Understanding Data

11

© Dan Roam

Show: Summarize your findings

Understanding Data

12

© Dan Roam

What did we accomplish?

Understanding Data

13

corma Workflow in 3 Steps

1. Chain of custody

a) Record all your steps

i.e., in a Word document

Software: CaseNotes, OneNote by Microsoft

b) Store original data in a secure area

c) Create digital fingerprints: MD5 Hash

http://md5deep.sourceforge.net

www.bitdreamers.com (Checksum Verifier)

Compare file content (UltraCompare)

d) Work with a copy of the original data only

Understanding Data

14

2. Identify data formats

a) Research www.file-extensions.org

www.filext.com

www.fileinfo.com

.gpi

.bqy

.blb

Understanding Data

15

Garmin Point of Interest file

BrioQuery database file

ACT! database file

2. Identify data formats

b) View (read only) www.uvviewsoft.com

Understanding Data

16

2. Identify data formats

c) Deep view (editable) www.ultraedit.com

Understanding Data

17

3. From raw data to smart structured data

Understanding Data

18

Develop first ideas for analytical

approach

Understanding Data

19

Result: Identified and understood data

Understanding Data

20

First import and analytics

Data preparation

Workflow

Understanding data

Cleansing/standardizing data

Enriching and validating data

Importing data

Analyzing data

Reporting

What Are “Smart Solutions?”

21

Challenges

High data quality required for good

analysis results

Constantly increasing data quantity

Cleansing/Standardizing Data

22

“Bad data” samples

Cleansing/Standardizing Data

23

Why should data be cleansed:

Reliable analysis results are required.

Data cleansing saves time that otherwise would come up during the analysis process.

Reduce unwanted deviations and variations.

Identify entities (e.g., person, organization, address).

Insights often lead to further findings.

Cleansing/Standardizing Data

24

Fast and flexible handling of large quantities of data

Flexible import from various data sources

Intuitive research

Analyses, calculations, statistics

Business Intelligence

Ad hoc reporting

25

Solution

Combine different data formats

Fix data quality issues

Identify missing data

Optimize link analysis results

Apply different tools for standardized data cleansing

26

With InfoZoom you can

27

Sample Data Cleansing

Developing automated queries saves

time

28

Benefits

Benefits:

Time-saving

Flexible

Maximize effectiveness

Team “compatibility”

Easy to learn

By means of:

Developed workflow for recurring processes

Standardized processes (templates)

Workflow

Understanding data

Cleansing/standardizing data

Enriching and validating data

Importing data

Analyzing data

Reporting

What Are “Smart Solutions?”

29

Imagine:

Enriching and Validating Data

30

Geocoding: www.gpsvisualizer.com

Enriching and Validating Data

31

Geocoding: www.gpsvisualizer.com

Enriching and Validating Data

32

Geocoding: www.gpsvisualizer.com

Enriching and Validating Data

33

Whois query - manually

Enriching & Validating Data

34

Whois batch query

Enriching and Validating Data

35

Whois

Enriching and Validating Data

36

Whois

Enriching & Validating Data

37

Address verification—manually

Enriching & Validating Data

38

Address verification—service

provider or software (for large amounts

of data):

AddressDoctor

www.addressdoctor.com

Experian www.qas-experian.com.au

Enriching & Validating Data

39

Workflow

Understanding data

Cleansing/standardizing data

Enriching and validating data

Importing data

Analyzing data

Reporting

What Are “Smart Solutions?”

40

Importing Data

41

42

Sample Import:

i2 IBM-Database

43

Case Study:

Insurance Claims Audit

One file ready for analysis

Workflow

Understanding data

Cleansing/standardizing data

Enriching and validating data

Importing data

Analyzing data

Reporting

What Are “Smart Solutions?”

44

Analytics … yes … but structured:

Identify needed analytical steps.

Develop “questions” to data.

What has prompted the need for the analysis?

What is the key question that needs to be answered?

How to create evidence out of data?

Visualize your thinking!

Analyzing Data

45

Analytical techniques

Chronologies and timelines (understand

timing and sequence of events)

Sorting (categorizing and hypothesis

generation)

Ranking, scoring, prioritizing (determine

which items are most important)

Network analysis—analyze relationships

between entities (e.g., people,

organizations, objects)

Analyzing Data

46

Best practice:

Document processes in intranet/wiki.

Select the right tool for each task.

Train the users.

Keep the users “busy.”

Look out for new solutions.

Analyzing Data

47

Query—an investigative question,

converted into database search

Analysis Sample i2 IBM

48

How many organizations are known at

this address?

Analysis Sample i2 IBM

49

50

Analysis Sample (InfoZoom)

Decoding (classification; i.e., phone data)

51

Email Analysis with Intella

52

Timelinemaker

i2 IBM Analyst’s Notebook

Timeline Charts

53

Classic view: Event log

View: Event log Explorer

Windows Event Log Analysis

54

Windows Event Log Analysis

Workflow

Understanding data

Cleansing/standardizing data

Enriching and validating data

Importing data

Analyzing data

Reporting

What Are “Smart Solutions?”

55

Final work starts when single

components are ready:

Reporting the Results

56

Reporting the Results

57

58

Jörn Weber—jw@corma.de

+49 (162) 1009402

corma GmbH · Heinz-Nixdorf-Straße 22 · D-41179 Mönchengladbach ·

Tel: +49 2161 277 85 - 0 · Email: mail@corma.de · Web: www.corma.de

Thank You!