Trends in Electronic Evidence.

Transcription

1 Trends in Electronic Evidence. Collecting and Processing Large Data Sets in Digital Forensic Investigations With Dr Allan Watt CFCE, CFE

2 Webinar outline Authentication of electronic documents: contracts, wills and s IP employee theft Collecting and processing large data sets Is someone leaking your data from either side of the fence Plus many other potential risks

3 Background Former NZ Army Soldier (9 years) Former NZ Police Officer (9 years) 5 years as intelligence analyst Managed own computer forensic business in NZ for (8 years) Moved to Sydney 2008 Head of e.forensics for corporate litigation support company 2011 commenced with NSW Police as Senior Electronic Evidence Specialist 2013 commenced as Cyber Program Coordinator/Lecturer at PICT, Macquarie University Formed Digital Forensics Pty Ltd

4 Background Diploma NZ Policing Bachelor of Business Studies (Accounting) Bachelor of Science (Information Systems) Post Graduate Diploma Forensic Science Master of Science (Honours) Thesis on Cyber Terrorism Doctor of Philosophy Thesis on file movement and concealment

5 Background Completed over 1000 investigations Recognised expert witness most Jurisdictions in Australia and New Zealand Engaged as a court appointed independent expert NSW Supreme Court Evidence was accepted as Expert by the Privy Council, London in 2013 in an historic murder appeal

6 Poll Question 1 a) Are you (a) A barrister (b) A solicitor (c) An expert (d) General council (e) Other?

7 Authentication of electronic documents Let s state the obvious What documents these days are NOT created electronically? That is the key issue, nearly everything: communications, finance, trading, reporting, contracts and many more are all conducted electronically. You don t need to be a genius to fabricate digital files.

8 Wills Modified Deleted and new versions created Codicils created How would you even know, if they are original?

9 Contracts/ s False contracts created from scratch Contracts falsely created to impose a debt Contracts modified to suit one party or create liability s originality Additional copies Reposted with modifications

10 Triggers Lack of originals Often something else that raises suspicion Shoddy workmanship Some will try and be elaborate alter the clock Others don t think they will get caught

11 Solutions Sometimes application versions trip them up Need access to the device they were created on in most cases Check the clock Check the file date Metadata Check author and other metadata

12 Solutions With , the headers are needed Don t ask them to access or copy the data, continued access to files degrades the quality of the evidence Any matters where parties are producing documentary evidence created on digital devices, needs to be questioned for authenticity and where possible seek the digital original

13 Poll Question 2 a - Have you had the need for the investigation of Digital evidence in the past? (a) Yes (b) No

14 Poll Question 2 b - If you had the need did you use? (a) An experienced Digital Forensic Expert (b) An IT professional (c) The Client used their own internal IT staff (d) other

15 IP employee theft Exiting employees Disgruntled employees Hostile employees IT Staff IT contactors internal IT contactors external Cloud or ISP

16 IP employee theft Copy IP USB Thumb drive or hard disk drive Cloud Dropbox Connect their own computer to the network VPN Download at home to their own computer All the above will leave a trace

17 IP employee theft Need to get access to their computer and or the server quickly DO NOT LET your clients IT staff touch the devices, have HR or management seize them With respect to IT people all over the world, they look for technical solutions to the problem and not a forensic analytical approach I have had cases in the past where IT staff obliterated the entire evidence by attempting to investigate themselves

18 Poll Question 3 - Did you know there are more Digital Forensic Practitioners that are from Law Enforcement than IT? (a) Yes (b) No

19 IP employee theft In all cases we make a forensic image of the device or components of the server to international industry standards This can be done covertly if necessary to avoid concerns over destruction of your clients data Covert investigations of senior staff s computers in the past have revealed actions by these staff that were not in the best interests of the company

20 Collecting and processing large data sets The Cloud, though a good thing, has its issues Difficulty getting access Slow speed Many offshore Jurisdiction to access it That s if you even now where the cloud is Security of data while attempting to acquire it

21 Collecting and processing large data sets Cloud storage is cheap Entities no longer have to worry about backups or costly upgrades Just buy more space and don t worry about archiving Problem then becomes size and acquisition of data will have to be selective Multiple users on cloud platforms can impact on data downloads

22 Collecting and processing large data sets Acquisitions of data still have to be made to obtain the evidence However a plan will be needed to determine what is needed Acquisition of cloud data will take time, sometimes a long time If you don t get it the first time it may not be there the second time A digital forensic investigation is often reliant on system files and logs and other data in the deleted space, there will be many cases this data will not be available in a cloud based investigation

23 Collecting and processing large data sets The data sets will get bigger and the forensic tools are not designed or handle well, supersized data If it is fact based it can be processed with e.discovery tools, as in if a document is there, it is there However how it got there and who put it there and when? Is a forensic matter and digital forensic investigators need access to system information, to seek evidence to answer these questions.

24 Poll Question 4 How do you locate an expert? (a) Recommendation from colleague (b) Existing relationship (c) Law journal advert (d) Google Search (e) Other Search (f) Mail out by expert with contact details (g) Other

25 Poll Question 5 - How important is it for the Expert you seek to have International Industry Certification(s) in Digital Forensics? (a) A must (b) Nice to have (c) Not an issue

26 Is someone leaking your data from either side of the fence How trusty are your IT team? Your client may be spending $$$ on infrastructure, systems and other IP and your IT team or IT contractors maybe walking out the door with it How secure are the third party vendors who provide hardware and or software to your client? Do they have backdoors that are insecure and unknowns may be accessing your data and taking it?

27 Is someone leaking your data from either side of the fence Worse still, it may be your ISP who has access and can syphon off your s and attachments as they pass through Make copies and sell off your IP How safe, secure and trusted is your/their network service provider and other technology contractors?

28 Plus many other potential risks Mobile technology has provided one of the greatest breakthroughs in the Information Paradigm However it has also produced many hidden and undetected risks Bluetooth and Wi-Fi are present on many devices and your client may also have these protocols setup and these can be interfaced with through a device and download data directly Or where restrictions are in place, simply take a photograph of the screen with their iphone or Android device

29 Final word If there is a risk that a staff member has acted suspiciously or is exiting the company, act early seize the device Don t believe anything you read it may have been altered to suit their own proceedings The bigger the cloud the worse the storm Consider the risks tablets and mobile phones pose to your client s infrastructure

30 Contact Richard Skurnik expertsdirect.com.au expertsdirect.com.au Sydney Office: Suite 1, Level 20 MLC Centre, Martin Place, Sydney NSW 2000 Australia SYDNEY MELBOURNE BRISBANE PERTH