Forensic IT – Chartered Institute of Management Accountants (CIMA)
IS YOUR FIRM A RISK?
Enhancing the usefulness of Investigations with Computer Forensics
August 2014
Michael Khoury

Clear Wealth Pty Ltd v Kwong (No 2) [2012] NSWSC 1233
“Whilst I accept that Mr Kwong wanted to delete personal files of his own from the Clear Wealth Computer, I am unable to accept that Mr Kwong removed the Clear Wealth client lists because they were obsolete and accidentally loaded client lists on to his USB drive and then loaded them onto his home computer and / or external hard drives. I find, on the balance of probabilities, that he loaded the client lists with the intent of assisting his new business to gain clients.”
Justice Rein, Supreme Court of NSW

What is Forensic IT
Forensic IT is the identification, acquisition, preservation and investigation of data held on electronic media. We do this while ensuring:
- The data we acquire is complete and valid.
- The evidence we examine is not modified or damaged by the process.
- The processes we undertake are ‘best practice’.
- The conclusions that we reach are supported by the evidence.
All of our actions are conducted with the intention that the data may need to be presented to a court as evidence.
Correct preservation is the key!

When is Forensic IT used?
- Departing employees - Theft of Intellectual Property
- Proving / disproving the existence of certain documents, their author, time of creation and last modified etc.
- Unfair dismissal, bullying or discrimination cases.
- Inappropriate internet usage.
- Employee and executive fraud.
- By the police in criminal investigations.
- By ASIC when investigating corporate wrongdoing.
- To create a repository for both hard copy and electronic documents that can be searched or filtered using key terms.
- Forensic backup of company documents for receivers, administrators and liquidators.

What we can look for – computers and Servers
- Time and date analysis.
- Evidence of USB drive activity.
- Link File Analysis – When, Where, How.
- Deleted files and folders – USN Journals.
- Deleted email messages.
- Whether software capable of permanent deletion has been used.
- Listing of websites visited by employee.
- Historical searches performed by employee – Google history
- Evidence of file copying.
- Historical images stored on Photocopiers.
- Evidence of printing activity - hidden spool files and document metadata; and
- Evidence of malicious activity through remote access or malware.

Malicious Destruction of Evidence
- Digital footprints – A path of destruction!
- Remnant artefacts
- Court perception is never a good one
- Moody Kiddell Partners v David Brooke
- Former Police officer turned financial broker
- Allegations of theft of IP
- Court ordered discovery obligations
- Destruction of evidence, concealment, non-corroborative excuses = CONTEMPT!!

Moody Kiddell & Partners Pty Ltd v Arkell [2013] FCA 1066
Judge Jane Jagot – Federal Court of Australia – Oct 2013
Order sought for defence to be struck out as an abuse of process
FACTS
“I do not accept his evidence that he did not know that the file shredding software erased information from the hard drives so it could not be recovered by forensic computer analysis. The Google search he did about Guttman 35 shredding compared to Department of defence shredding indicates he knew very well that if he deleted an email and then deleted it from his computer’s trash folder it would very likely still be able to be recovered”
“Other retrieved Google searches from this computer include “what happens if you don’t comply with a Federal court order” on 1 April 2012.”

Moody Kiddell & Partners Pty Ltd v Arkell [2013] FCA 1066
DECISION
“I do not accept that he carried out this action only to delete pornography. I infer that he also did so to ensure that documents he did not wish to discover were permanently erased.”
“The circumstances are exceptional and the draconian remedy of strike out is necessary to ameliorate that prejudice and ensure a fair hearing for both parties is possible.”

People still make careless mistakes
Despite continued news stories and coverage of forensic IT practices, we still see people:
- Commit acts of fraud via company systems
- Download client lists & other confidential information on their way out the door
- Send emails and texts that they shouldn’t
- Think using a Hotmail or Gmail account makes them untraceable
- Think that once they hit the delete button their message / text is irrecoverable
- Send instant messages via Skype, MSN Messenger etc
- Think that damaging the hardware makes the data irrecoverable.

What’s on my smartphone (e.g. iPhone)?
- Call activity including deleted.
- Phonebook directory information including deleted.
- Stored voicemails and text messages.
- Photos and videos (with GPS data if available).
- Deleted emails, text messages and instant chats etc.
- Hidden screenshots – the magic ‘home’ button.
- Applications.
- Websites visited.
- WiFi connections made.
- Passwords.
- GPS co-ordinates – (to within 10 metres).

Current Issues in Forensic IT
- Evidence is being increasingly challenged (e.g. Baden-Clay phone)
- Virtual Machines
- Cloud-based and remotely accessible data
  - Skydrive, Dropbox, iCloud, Google Drive
- Content duplication (web browsers)
- Data encryption
- IP Obfuscation (Blind Routers, Tor service)
- Rapid smart phone technology development
- Software as a Service (SaaS) applications
- Increase in data storage sizes
- Challenging hardware (Tablets, SSDs, etc)

False positives - Baden-Clay committal evidence
The court hears evidence from a forensic electronics analyst responsible for downloading the ‘power log’ from Mr Baden-Clay’s mobile phone.
Neil Robertson, from the Queensland Police Service’s Electronic Evidence Examinations unit, says the accused connected his iPhone to a charger hours after he claimed to have gone to bed on the night Allison disappeared.
He admits an initial analysis, which found Mr Baden-Clay had made a “Face Time” call about 12.30am on 20th April 2012, was incorrect.
“There was a false positive in the tests,” Mr Robertson says.

What can we do with the data collected?
- Provide a forensically sound image – we work on a copy.
- Quickly determine if electronic evidence of wrongdoing exists.
- Clear any innocent parties promptly.
- Conduct forensic investigations.
- Articulate findings in plain English.
- Make documents and emails accessible – we know that you need to be able to look at documents directly.
- We have the capacity to load data to review platforms (such as Clearwell), and to search and filter data for export directly to Ringtail.

How can Forensic IT help?
- Preserve now, analyse later:
  - Relatively inexpensive – imaging can be on a price per computer / phone or server basis.
  - For law firms: by doing so, you provide your client with a choice on whether to litigate at a later date.
- Know quickly – Preliminary assessment:
  - Does clear and obvious evidence of wrongdoing exist?
- Validate the findings of opposing expert witnesses:
  - Ensure false positives, such as the “Face Time” call in the Baden-Clay case, are discovered.
  - Evidence gathered without regard to forensic procedures in many cases may be struck out.
- Want a second opinion?
  - Talk to us about providing a review of a case in progress.

Questions?

Michael Khoury
Partner
Level 13, Grosvenor Place, 225 George Street, Sydney NSW 2000
T +61 2 9286 9864
E michael.khoury@fh.com.au

Justin Geri
Senior Manager
Level 29, 600 Bourke Street, Melbourne VIC 3000
T +61 3 9604 5142
E justin.geri@fh.com.au

Peter Chapman
Consultant
Level 13, Grosvenor Place, 225 George Street, Sydney NSW 2000
T +61 2 9286 9933
E peter.chapman@fh.com.au

Jean Pierre Du Plesis
Director
Level 6, 81 Flinders Street, Adelaide SA 5000
P +61 8 8100 7696
E Jean-Pierre.DuPlessis@fh.com.au

Matthew Ashby
Director
Level 7, 145 Eagle Street, Brisbane QLD 4000
T +61 7 3834 9297
E matthew.ashby@fh.com.au

Sean Powell
Director
Level 26, BankWest Tower, 108 St George’s Terrace, Perth WA 6000
T +61 8 9214 1409
E Sean.Powell@fh.com.au