Forensic IT – Chartered Institute of Management Accountants (CIMA)
Enhancing the usefulness of Investigations with Computer Forensics
April 2014
Michael Khoury
Clear Wealth Pty Ltd v Kwong (No 2) [2012] NSWSC 1233
“Whilst I accept that Mr Kwong wanted to delete personal files of his own from the Clear Wealth Computer, I am unable to accept that Mr Kwong removed the Clear Wealth client lists because they were obsolete and accidentally loaded client lists on to his USB drive and then loaded them onto his home computer and / or external hard drives. I find, on the balance of probabilities, that he loaded the client lists with the intent of assisting his new business to gain clients.”
Justice Rein, Supreme Court of NSW
Forensic IT Page 2
What is Forensic IT?
Forensic IT is the identification, acquisition, preservation and investigation of data held on electronic media. We do this while ensuring that:
- The data we acquire is complete and valid.
- The evidence we examine is not modified or damaged by the process.
- The processes we undertake are best practice.
- The conclusions we reach are supported by the evidence.
All of our actions are conducted on the basis that the data may need to be presented to a court as evidence.
Correct preservation is the key!
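The two preservation points above (the acquired data is complete, and the process does not modify the original) are what an acquisition hash proves. The following is an added example, not code from the presentation or from Ferrier Hodgson: it images a source device bit for bit, hashes the bytes as they are read, and later re-hashes the image to show that any change to the copy is detectable. The "device" is a constructed byte string so the script runs offline; the evidence ID and examiner fields in the record are assumed placeholders. In practice the source is opened read-only behind a hardware write-blocker, since the script itself does nothing to stop the operating system mounting or writing to the drive.

```python
"""Added example: bit-for-bit acquisition with hash verification.

The source device is simulated with an in-memory byte string (constructed
sample input).  For a real drive you would open it read-only through a
hardware write-blocker, e.g. open("/dev/sdb", "rb"), and image to a file.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte media
ALGORITHMS = ("md5", "sha256")  # two independent digests, as most imaging tools record


def hash_stream(fp):
    """Hash a stream in chunks; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        block = fp.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image):
    """Copy every byte of `source` into `image`, hashing the bytes as read.

    The digests are computed from what was read from the source, not from
    the image file, so they stand as the acquisition hash of the original.
    Returns (bytes_copied, {algorithm: hexdigest}).
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        image.write(block)
        total += len(block)
        for h in hashers.values():
            h.update(block)
    image.flush()
    return total, {name: h.hexdigest() for name, h in hashers.items()}


def verify(image, acquisition_hashes):
    """Re-hash the image from the start and compare with the acquisition hashes."""
    image.seek(0)
    return hash_stream(image) == acquisition_hashes


def acquisition_record(evidence_id, examiner, size, hashes):
    """Chain-of-custody note to store beside the image (field names are assumed)."""
    return json.dumps({
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "hashes": hashes,
    }, indent=2)


def demo():
    """Acquire a constructed device, verify, then show tampering is caught."""
    source_bytes = bytes(range(256)) * 4096 + b"tail"   # constructed: 1 MiB + 4 bytes
    source, image = io.BytesIO(source_bytes), io.BytesIO()
    size, hashes = acquire(source, image)
    ok_before = verify(image, hashes)
    # Simulate a single flipped byte in the image (bit rot, or someone "tidying up").
    image.seek(100)
    image.write(b"\xff")
    ok_after = verify(image, hashes)
    return size, hashes, ok_before, ok_after


if __name__ == "__main__":
    size, hashes, ok_before, ok_after = demo()
    print(acquisition_record("EX-0001", "examiner (assumed)", size, hashes))
    print("image verifies after acquisition:", ok_before)
    print("image verifies after one byte changed:", ok_after)
```

Hashing the source as it is read, rather than hashing the finished image, is the point: the record then describes the original media at the moment of acquisition, and every later working copy can be checked against it.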
When is Forensic IT used?
- Theft of intellectual property.
- Proving or disproving the existence of certain documents, their author, time of creation, last modified time, etc.
- Unfair dismissal, bullying or discrimination cases.
- Inappropriate internet usage.
- Employee and executive fraud.
- By the police in criminal investigations.
- By ASIC when investigating corporate wrongdoing.
- To create a repository of both hard-copy and electronic documents that can be searched or filtered using key terms.
- Forensic backup of company documents for receivers, administrators and liquidators.
What we can look for – computers and servers
- Time and date analysis.
- Evidence of USB drive activity.
- Link file analysis – when, where, how.
- Deleted files and folders – USN journals.
- Deleted email messages.
- Whether software capable of permanent deletion has been used.
- Listing of websites visited.
- Historical searches performed – Google history.
- Evidence of file copying.
- Historical images stored on photocopiers.
- Evidence of printing activity – hidden spool files and document metadata.
- Evidence of malicious activity through remote access or malware.
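The "deleted files and folders – USN journals" item is worth seeing in code, because the NTFS change journal ($UsnJrnl:$J) keeps a record of every file operation, including the deletion, long after the file's own data is gone. The following is an added example written for this page, not the presenter's tooling: it parses raw USN_RECORD_V2 structures (layout as documented for winioctl.h) and lists deletions that were committed. The journal bytes are constructed inside the script so it runs offline; a real extract would be carved from the forensic image.

```python
"""Added example: recovering deletion events from an NTFS change journal.

Parses USN_RECORD_V2 structures from a raw $UsnJrnl:$J extract and lists
files whose deletion was committed (FILE_DELETE together with CLOSE).
The sample journal below is constructed in-script, not taken from a case.
"""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
USN_V2 = struct.Struct("<IHHQQQQIIIIHH")

DATA_EXTEND, FILE_CREATE, FILE_DELETE = 0x00000002, 0x00000100, 0x00000200
RENAME_OLD_NAME, RENAME_NEW_NAME, CLOSE = 0x00001000, 0x00002000, 0x80000000
REASONS = {
    0x00000001: "DATA_OVERWRITE", DATA_EXTEND: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    FILE_CREATE: "FILE_CREATE", FILE_DELETE: "FILE_DELETE",
    RENAME_OLD_NAME: "RENAME_OLD_NAME", RENAME_NEW_NAME: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", CLOSE: "CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def reason_names(mask):
    return "|".join(n for bit, n in REASONS.items() if mask & bit) or hex(mask)


def parse_usn_records(data):
    """Yield one dict per USN_RECORD_V2; zero-filled (sparse) gaps in $J are skipped."""
    off = 0
    while off + USN_V2.size <= len(data):
        (length, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = USN_V2.unpack_from(data, off)
        if length == 0:                      # inside a sparse run of the journal
            off += 8
            continue
        if major != 2 or length < USN_V2.size or off + length > len(data):
            raise ValueError(f"malformed USN record at offset {off}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "frn": frn, "parent_frn": parent, "time": filetime_to_dt(ts),
               "reason": reason, "reasons": reason_names(reason), "attrs": attrs, "name": name}
        off += length


def deleted_files(data):
    """Return (name, MFT reference, UTC time) for every committed deletion."""
    return [(r["name"], r["frn"], r["time"]) for r in parse_usn_records(data)
            if r["reason"] & FILE_DELETE and r["reason"] & CLOSE]


def make_record(usn, frn, parent, when, reason, name, attrs=0x20):
    """Build a USN_RECORD_V2; used here only to construct the sample journal."""
    name_b = name.encode("utf-16-le")
    length = (USN_V2.size + len(name_b) + 7) & ~7      # records are 8-byte aligned
    hdr = USN_V2.pack(length, 2, 0, frn, parent, usn, dt_to_filetime(when),
                      reason, 0, 0, attrs, len(name_b), USN_V2.size)
    return (hdr + name_b).ljust(length, b"\0")


def sample_journal():
    """Constructed $J fragment: a client list is created, grown, and later deleted."""
    t0 = datetime(2014, 3, 3, 9, 15, tzinfo=timezone.utc)
    recs = [
        make_record(0x1000, 0x2A, 0x05, t0, FILE_CREATE | CLOSE, "Client List.xlsx"),
        make_record(0x1060, 0x2A, 0x05, t0 + timedelta(hours=1), DATA_EXTEND | CLOSE, "Client List.xlsx"),
        make_record(0x10C0, 0x31, 0x05, t0 + timedelta(hours=2), RENAME_OLD_NAME, "notes.txt"),
        make_record(0x1110, 0x31, 0x05, t0 + timedelta(hours=2), RENAME_NEW_NAME | CLOSE, "notes_final.txt"),
        make_record(0x1170, 0x2A, 0x05, t0 + timedelta(hours=8, minutes=27), FILE_DELETE | CLOSE, "Client List.xlsx"),
    ]
    return b"".join(recs) + b"\0" * 64   # trailing sparse gap, as seen in real $J extracts


if __name__ == "__main__":
    for name, frn, when in deleted_files(sample_journal()):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  DELETED  {name}  (MFT ref 0x{frn:x})")
```

The parent file reference number in each record is what ties the name back to its folder via the $MFT, and the timestamps are UTC as written by the file system, so they need the machine's time zone and clock skew applied before being placed alongside emails or CCTV in a timeline.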
Moody Kiddell & Partners Pty Ltd v Arkell [2013] FCA 1066
Justice Jane Jagot – Federal Court of Australia – October 2013
Order sought for the defence to be struck out as an abuse of process.
FACTS
“I do not accept his evidence that he did not know that the file shredding software erased information from the hard drives so it could not be recovered by forensic computer analysis. The Google search he did about Guttman 35 shredding compared to Department of defence shredding indicates he knew very well that if he deleted an email and then deleted it from his computer’s trash folder it would very likely still be able to be recovered”
“Other retrieved Google searches from this computer include “what happens if you don’t comply with a court order” on 1 April 2012, as well as “what happens if you don’t comply with a federal court order””
Moody Kiddell & Partners Pty Ltd v Arkell [2013] FCA 1066
DECISION
“I do not accept that he carried out this action only to delete pornography. I infer that he also did so to ensure that documents he did not wish to discover were permanently erased.”
“The circumstances are exceptional and the draconian remedy of strike out is necessary to ameliorate that prejudice and ensure a fair hearing for both parties is possible.”
People still make careless mistakes
Despite continued news stories and coverage of forensic IT practices, we still see people:
- Committing acts of fraud via company systems.
- Downloading client lists on their way out the door.
- Sending emails and texts that they shouldn’t.
- Thinking that using a Hotmail or Gmail account makes them untraceable.
- Thinking that once they hit the delete button their message or text is irrecoverable.
- Sending instant messages via Skype, MSN Messenger, etc.
- Thinking that damaging the hardware makes the data irrecoverable.
What’s on my smartphone (e.g. iPhone)?
- Call activity, including deleted calls.
- Phonebook directory information, including deleted entries.
- Stored voicemails and text messages.
- Photos and videos (with GPS data if available).
- Deleted emails, text messages, instant chats, etc.
- Hidden screenshots – the magic ‘home’ button.
- Applications.
- Websites visited.
- WiFi connections made.
- Passwords.
- GPS co-ordinates (to within 10 metres).
Current issues in Forensic IT
- Evidence is being increasingly challenged (e.g. the Baden-Clay phone evidence).
- Virtual machines.
- Cloud-based and remotely accessible data: SkyDrive, Dropbox, iCloud, Google Drive.
- Content duplication (web browsers).
- Data encryption.
- IP obfuscation (blind routers, Tor service).
- Rapid smartphone technology development.
- Software as a Service (SaaS) applications.
- Increase in data storage sizes.
- Challenging hardware (tablets, SSDs, etc.).
False positives – Baden-Clay committal evidence
The court hears evidence from a forensic electronics analyst responsible for downloading the ‘power log’ from Mr Baden-Clay’s mobile phone.
Neil Robertson, from the Queensland Police Service’s Electronic Evidence Examinations unit, says the accused connected his iPhone to a charger hours after he claimed to have gone to bed on the night Allison disappeared.
He admits an initial analysis, which found Mr Baden-Clay had made a “FaceTime” call at about 12.30am on 20th April 2012, was incorrect. “There was a false positive in the tests,” Mr Robertson says.
What can we do with the data collected?
- Provide a forensically sound image – we work on a copy, never the original.
- Quickly determine whether electronic evidence of wrongdoing exists.
- Clear any innocent parties promptly.
- Conduct forensic investigations.
- Articulate findings in plain English.
- Make documents and emails accessible – we know that you need to be able to look at documents directly.
- Load data to review platforms (such as Clearwell), and search and filter data for export directly to Ringtail.
How can we help?
Preserve now, analyse later:
- Relatively inexpensive – imaging can be priced per computer, phone or server.
- By preserving early, you give your client the choice of whether to litigate at a later date.
Know quickly – preliminary assessment:
- Is clear and obvious evidence of wrongdoing available?
Validate the findings of opposing expert witnesses:
- Ensure that false positives, such as the “FaceTime” call in the Baden-Clay case, are discovered.
- Evidence gathered without regard to forensic procedures may in many cases be struck out.
Want a second opinion? Talk to us about reviewing a case in progress.
About the presenter
Michael Khoury
Partner
Level 13, Grosvenor Place, 225 George Street, Sydney NSW 2000
T +61 2 9286 9864
E michael.khoury@fh.com.au
Michael is a partner in Forensic IT services with Ferrier Hodgson. His areas of specialisation include computer forensic investigations for matters pertaining to corporate fraud and financial crime, intellectual property theft, cyber-crime, and employee and contractual disputes. Michael has supported a large number of civil and criminal investigations for various industry sector groups, including government, private and corporate clients. He has also assisted a number of law firms with their litigation and commercial disputes, including executing live search warrants and Anton Piller orders. Michael also appears as an expert witness in State and Federal courts.
Questions for our team?

Michael Khoury, Partner
Level 13, Grosvenor Place, 225 George Street, Sydney NSW 2000
T +61 2 9286 9864
E michael.khoury@fh.com.au

Justin Geri, Senior Manager
Level 29, 600 Bourke Street, Melbourne VIC 3000
T +61 3 9604 5142
E justin.geri@fh.com.au

Peter Chapman, Consultant
Level 13, Grosvenor Place, 225 George Street, Sydney NSW 2000
T +61 2 9286 9933
E peter.chapman@fh.com.au

Jean Pierre Du Plesis, Director
Level 6, 81 Flinders Street, Adelaide SA 5000
P +61 8 8100 7696
E Jean-Pierre.DuPlessis@fh.com.au

Sean Powell, Director
Level 26, BankWest Tower, 108 St George‘s Terrace, Perth WA 6000
T +61 8 9214 1409
E Sean.Powell@fh.com.au

Janine Cole, Director
Level 7, 145 Eagle Street, Brisbane QLD 4000
T +61 7 3834 9230
E janine.cole@fh.com.au