Image showing NHS employee staff timesheets.


The manager of a hospital 'bank' created ten bogus employees in the payroll system over a period of two and a half years. She used the names of family and friends and submitted time-sheets to claim for work that they had not done. She arranged to have their earnings paid into bank accounts controlled by her.


The Forensic Computing Unit (FCU) was called in, with the following objectives:

  1. To make a forensic copy of the hard drive of the subject's computer and conduct analysis on it;
  2. To search for a keyword list of suspicious names provided by the investigator;
  3. To review emails, documents and spreadsheets for information relating to the fraud.


The computer was transferred to the forensic computing laboratory where the Forensic Computing Specialist removed the hard drive and connected it to a forensic workstation using a write blocker. A forensic copy of the hard drive was then taken, and the original hard drive was replaced in the machine. The original machine was returned to the investigator. All further analysis was conducted on the forensic copy.

A keyword search was conducted that identified a number of hits on some of the names provided. The hits included email correspondence between the subject and people with those names. Some emails relating to the fraud had been deleted and were recovered from unallocated space.

A full report outlining the findings of the investigation was generated by the forensic officer and presented to the investigator.


The estimated loss to the trust was £250,000. The subjects were estimated to have gained £42,500 and £35,700 respectively from the fraud, and were jailed for three years.