SL DATA MANAGEMENT

Fraud Investigations - Completeness

1/1/2020

 
Don't get caught short! Consider all sources of digital evidence. 
It is imperative that evidence is collected and preserved from the full pool of suspects who could potentially be involved in the fraud. A corporate employee hierarchy chart can help identify all possible suspects. Consider administrative assistants and the individuals who reported the fraud as well; they could be involved. Once you have pinpointed the suspects, collect and preserve data from their desktops, laptops, smartphones and corporate/personal emails in a forensically sound manner.
 
Moreover, cloud storage providers such as Dropbox, Google and iCloud are potential places where evidence may be found. To identify an individual’s cloud storage provider, check their expense reimbursements or vendor payments. Remember to obtain a release if data will be pulled from personal accounts.
 
Lastly, consider email archive systems, if available. They are a good source to collect and preserve from because archive systems retain all emails even after the user has deleted them from their mailbox.
 
In conclusion, don’t get caught short: consider all sources of digital evidence and be ready to defend your decisions.
The items above are considered friendly advice. Not all computer fraud investigations are the same. 

Fraud Investigations - Preservation

1/1/2020

 
Be sure to preserve data from all laptops, desktops, smartphones, servers and emails!
There are a few preservation techniques and tools I use to make sure the IT portion of the project is done right. Check out my recommendations below.
 
Corporate Emails - They are usually stored in an Outlook Exchange email server controlled by the entity or in Office 365 in the cloud controlled by the entity’s IT provider. Prior to email preservation, the eDiscovery hold feature should be enabled for the individual(s) whose emails are being preserved to avoid accidental or purposeful spoliation. There is a process within Office 365 which allows you to export emails to a PST file through the Security & Compliance section under the Administration Center menu. This is the most forensically sound way to acquire emails from Office 365.
 
Internet Emails - For email preservation from popular internet email providers such as Gmail, Yahoo and AOL, I recommend using “Aid4Mail”; this software exports emails from the subject's web-mail to a PST file. Although it is possible to “POP” emails to a desktop from the Microsoft Outlook application, this process is more labor intensive and not as accurate.
 
Desktops & Laptops - The best way to preserve data from computers is to create a forensic image (a bit-for-bit copy). If the hard drive is not encrypted, I prefer to use forensic duplicator hardware from Guidance Software. If the hard drive is encrypted, the computer first needs to be in a turned-on, logged-in state in order for the data to be preserved. While there are a dozen forensic software tools available in the marketplace, I like using applications from EnCase, AccessData or X-Ways.
 
Servers - To preserve servers, the forensic software above will work well. Given that data capture may take a long time due to the large storage capacity of servers, it’s best to start this process on a Friday night (if possible) and let it run over the weekend. Make sure all users are off-line prior to starting this process, because files that are actively in use will not be preserved.
 
Smartphones - If a smartphone is involved in a fraud investigation, the best mobile forensic tool to perform forensic data capture is called UFED Ultimate from Cellebrite.
 
There are many effective forensic tools available in the marketplace to preserve data in a forensically sound manner. The key is to ensure that the data collection process, tools and documentation are defensible in court.
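What makes a bit-for-bit image defensible is the verification and documentation around it: the source is hashed as it is read, the written image is hashed independently, and both values are recorded so the image can be re-verified later. The following is an added example, not code from this post or from any of the tools named above; a constructed file stands in for the suspect drive, and the examiner name is a placeholder. Real acquisitions go through a hardware write blocker or duplicator.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large drives never load into RAM


def sha256_file(path):
    """Hash a file block by block; used to re-read the finished image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, log, examiner="EXAMINER-NAME (placeholder)"):
    """Copy `source` byte for byte to `image`, hash the source while reading it,
    hash the written image independently, and append one JSON line to `log`."""
    started = datetime.now(timezone.utc).isoformat()
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)      # hash exactly the bytes that were read
            dst.write(block)     # and write those same bytes to the image
    entry = {
        "source": source, "image": image, "examiner": examiner,
        "started_utc": started, "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": os.path.getsize(image),
        "sha256_source": h.hexdigest(), "sha256_image": sha256_file(image),
    }
    entry["verified"] = entry["sha256_source"] == entry["sha256_image"]
    with open(log, "a") as f:
        f.write(json.dumps(entry) + "\n")   # append-only record for the case file
    return entry


def verify_image(image, expected_sha256):
    """Re-verify later (before analysis, or in court) against the recorded hash."""
    return sha256_file(image) == expected_sha256


def demo():
    """Constructed sample: 3 MiB + 17 random bytes stands in for a suspect drive."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "suspect-drive.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))
    return acquire_image(src, os.path.join(d, "suspect-drive.dd"),
                         os.path.join(d, "acquisition.log"))
```

Calling `demo()` performs one acquisition into a temporary directory and returns the log entry; any later modification of the image, even a single byte, makes `verify_image` return False.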

The items above are considered friendly advice. Not all computer fraud investigations are the same.

Fraud Investigations - Timeliness

1/1/2020

 

Do you suspect fraud? What you should know to take immediate action.

The bulk of fraud investigations require careful consideration of three important technical steps. In this write-up, I will highlight the importance of timeliness, followed by information on completeness and preservation techniques in my next articles.

Here are my top three reasons to act immediately if you suspect fraud, in order to reduce the risk of spoliation.
  1. If your company’s email system is Outlook, deleted emails by default will only remain in the Exchange database for 15 days. After 15 days, they will be unretrievable.
  2. Other web mail providers such as Gmail, iCloud, Hotmail, Yahoo, AOL, etc. vary in their restoration process and likelihood of retrieval.
  3. While the popularity of Solid State Drives (SSDs) is due to their recent affordability and robust capabilities, the downside is that data is seldom recoverable due to the “trim” command, which immediately wipes the storage space being erased.

In conclusion, the longer you wait, the higher the risk of data loss.

The items above are considered friendly advice. Not all computer fraud investigations are the same.