E-Disclosure & Computer Forensics: The Brave “Not So” New World
Definitions: What is a computer? • Computing technology is constantly changing, as are hardware and software. There is no set definition in law as to what constitutes a computer. However, the U.K. Department for Business, Innovation and Skills defines a computer as follows: • “A device made or adapted to store, process and display data.”
So what are Forensics? • Taken from the Latin “forensis”, meaning “of the forum”: to discuss or examine in an open forum. • Forensics is the practice of examining or investigating a known or suspected course of events.
Definitions: What is an Electronic Document? • “Any information or intelligible data that may be read, interpreted or output from a computer system.” • See the definition in Practice Direction 31B (the Civil Procedure Rules practice direction on disclosure of electronic documents).
Examples? • Word document. • Excel spreadsheet. • PDF. • E-mail (server and webmail). • Database. • Picture. • Etc., etc., etc.
Computer Forensics: Locard’s Principle? • Edmond Locard (1877 – 1966) was a pioneering forensic scientist who started the world’s first crime laboratory. • Locard’s Principle, also known as Locard’s Exchange Principle, is as follows: “Everywhere you go you take something with you, and leave something behind.”
So what are Computer Forensics? • The art of finding that something!
What can I tell you? • The simple act of “booting up” a computer changes files in the operating system: the figure usually quoted is around 25, and on a modern system it is often far more, because event logs, registry hives, caches and prefetch data are all written at start-up. • This is before the operator has deliberately changed, updated, sent an e-mail or deleted anything.
• So what can a computer forensic investigation discover? • Deleted files. • Deleted e-mail. • Webmail. • Details of web browsing. • Altered files. • Previous versions of files. • Etc., etc., etc.
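The claim that merely starting a machine alters files can be demonstrated rather than taken on trust. The following is an added example, not code from the original deck or from De Vere & Co: it baselines a directory tree by hashing every file, then reports what was added, removed or modified after a simulated start-up and a careless colleague. The tree and its contents are constructed in a temporary folder; on a real case the baseline would be taken from a verified image, never from the live machine.

```python
"""Baseline-and-compare: which files changed between two points in time?

Added example, not part of the original deck. The tree below is constructed in a
temporary directory to stand in for an operating system volume.
"""
import hashlib
import os
import tempfile


def manifest(root):
    """Map each regular file under root (relative path, '/'-separated) to (size, SHA-256)."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return entries


def diff_manifests(before, after):
    """Report added, removed and modified paths between two manifests."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel, creating parents."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline, then a simulated boot plus a careless viewer."""
    root = tempfile.mkdtemp(prefix="evidence_")
    _write(root, "config/system.ini", b"last_boot=2012-02-01\n")
    _write(root, "logs/boot.log", b"2012-02-01 boot ok\n")
    _write(root, "docs/invoice.docx", b"PK\x03\x04 invoice for 250,000\n")
    baseline = manifest(root)

    # Simulated start-up: the OS rewrites its config, appends to a log, creates a cache file.
    _write(root, "config/system.ini", b"last_boot=2012-03-15\n")
    _write(root, "logs/boot.log", b"2012-02-01 boot ok\n2012-03-15 boot ok\n")
    _write(root, "cache/prefetch.pf", b"\x00" * 64)
    # A well-meaning colleague "tidies up" the very document everyone was looking for.
    os.remove(os.path.join(root, "docs", "invoice.docx"))

    return diff_manifests(baseline, manifest(root))
```

The same two functions, run against a known-good image and a later copy, give the examiner a list of exactly which files a third party touched before the investigator arrived.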
Ministry of Justice Directions • Practice Direction 31B, paragraph 6, “General Principles”: • “When considering disclosure of Electronic Documents, the parties and their legal representatives should bear in mind the following”:
(1) Electronic Documents should be managed efficiently in order to minimise costs.
(2) Technology should be used in order to ensure that document management activities are efficient and effective.
(3) Disclosure should be given in a manner which gives effect to the overriding objective.
(4) Electronic Documents should be made available in a form which allows the receiving party to access, search, review and display them in the same way as the disclosing party.
(5) The disclosure of non-relevant material may place an excessive burden in time and cost on the party to whom disclosure is given.
Tools • There are many E-Discovery tools available for use, for example: Ringtail, Clearwell, Verve, Autonomy, Intella, Quick View Plus? Windows 7? • Caveat emptor! • Evaluate and choose carefully! • Often it is better to go in at the low end first.
• There is no “One Stop Shop” when it comes to Electronic Discovery & Disclosure!
• A recent case dealt with at De Vere’s (Y & F) incorporated deleted files, police-seized material, webmail, Sage accounting files, servers, mobile devices and second-hand equipment!
Electronic Disclosure • Whichever way you cut it, E-Disclosure goes hand in glove with computer forensics. One is the extension of the other. • At the conclusion of a computer forensic operation one may be left with thousands or millions of files.
• What does one do with them?
Any Problems? • Computer systems can have an awful lot of storage space associated with them. • When carrying out a computer forensic investigation the investigator should never examine the primary evidence (the primary evidence being the evidence in question, i.e. the hard drive of the computer). • Always work on secondary evidence, namely an exact copy of the hard drive. • This means obtaining a “bit stream image” of the computer concerned. • A “bit stream image” is a 1-for-1 copy with every piece of data copied, including deleted, unallocated and slack areas, and it is verified against the original by a cryptographic hash taken at acquisition. • Primary evidence MUST be preserved!
Problems? • Imaging must be carried out in an “auditable” and methodical way. • It can take some time. • Often, by the time the computer forensic investigator is called in, many individuals have viewed and “changed” the evidence.
Result? • Evidence probity in doubt. • Evidence not admitted? • Case Dismissed? • Case lost?
What can we do then? • Preserve your data! • Assist in your “decruitment” policy and procedure. • Recover deleted data. • Reconstitute deleted e-mail and archives. • “Keyword” search all data, including unallocated and “slack” space. • Extract “metadata”. • Ascertain when files were moved/deleted and by whom. • Ascertain recent activity. • Ascertain recent connections. • Prove or disprove a known or suspected course of events. • Keep the client apprised at every step.
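Two of the points above, keyword searching unallocated and slack space and recovering deleted data, come down to treating the image as one long byte string rather than as a file system. The following is an added example, not De Vere & Co’s method and not EnCase or FTK code: it builds a small constructed raw image with a live file, residue in that file’s slack, a deleted PDF and a UTF-16LE fragment in unallocated space, then runs a case-insensitive keyword search (ASCII and UTF-16LE, because Windows stores much text as UTF-16) that labels every hit by region, and carves the PDF by header/trailer signature. The cluster size and allocation map are constructed; on a real case both come from the write-blocked acquisition and the file system’s own allocation structures.

```python
"""Keyword search over a raw image (allocated, slack and unallocated space) and
signature carving of a deleted PDF.

Added example, not part of the original deck. The image and its allocation map are
constructed below to stand in for a real acquisition.
"""
import re

CLUSTER = 512  # constructed cluster size for the toy file system


def build_sample_image():
    """Return (image_bytes, allocation) for a constructed 8-cluster volume."""
    image = bytearray(CLUSTER * 8)
    # Cluster 0 holds a live 300-byte memo; bytes 300-511 of that cluster are file slack
    # and still contain the tail of an earlier, overwritten draft.
    live = b"Live memo: payment approved by J. Smith\n"
    image[0:len(live)] = live
    old = b"OLD DRAFT: Transfer 250,000 to the offshore account\n"
    image[300:300 + len(old)] = old
    # Clusters 3-4: a deleted PDF with no directory entry left pointing at it.
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<<>>\n%%EOF\n"
    image[3 * CLUSTER:3 * CLUSTER + len(pdf)] = pdf
    # Cluster 6: fragment of a deleted Windows document, stored as UTF-16LE.
    frag = "wire transfer confirmed".encode("utf-16-le")
    image[6 * CLUSTER:6 * CLUSTER + len(frag)] = frag
    allocation = {0: ("memo.txt", 300)}  # cluster -> (owning file, bytes of the cluster in use)
    return bytes(image), allocation


def classify(offset, allocation):
    """Label an image offset as allocated, slack (unused tail of a live cluster) or unallocated."""
    cluster, within = divmod(offset, CLUSTER)
    if cluster not in allocation:
        return "unallocated"
    _name, used = allocation[cluster]
    return "allocated" if within < used else "slack"


def keyword_search(image, keywords, allocation):
    """Find every keyword, in ASCII and UTF-16LE form, case-insensitively, anywhere in the image."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            # re.IGNORECASE on a bytes pattern folds ASCII letters only, which is exactly
            # what UTF-16LE text made of ASCII characters needs (the interleaved NULs match themselves).
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                hits.append({"keyword": kw, "encoding": enc, "offset": m.start(),
                             "region": classify(m.start(), allocation)})
    return sorted(hits, key=lambda h: h["offset"])


def carve_pdfs(image):
    """Carve PDF bodies by header and trailer signature, regardless of allocation state."""
    return [{"offset": m.start(), "size": m.end() - m.start(), "data": m.group()}
            for m in re.finditer(rb"%PDF-\d\.\d.*?%%EOF", image, re.DOTALL)]


if __name__ == "__main__":
    img, alloc = build_sample_image()
    for hit in keyword_search(img, ["transfer", "payment"], alloc):
        print(hit)
    for pdf in carve_pdfs(img):
        print(pdf["offset"], pdf["size"])
```

Real carving tools add per-format size limits and validation (a PDF that fails to parse is a false positive) and handle fragmented files; the principle, scanning bytes the file system no longer claims, is the same.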
What can be examined? • Anything with storage capacity. • Desktop Computer. • Laptop Computer. • PDA. • Mobile Phone. • Storage media.
Then what? • Report. • Statement. • Affidavit. • Produce Exhibits. • Give Evidence.
What should the first responder do? • Treat the suspected computer (or data) as a potential crime scene. • If the computer is off, leave it off. • If it is on, get a competent person to ascertain what it is doing and power it down. • Pull the power? Pulling the plug preserves the disk as it stands but loses everything in memory: running processes, network connections and, on an encrypted volume, the keys needed to read it afterwards. A competent person should decide whether to capture that volatile data first. • Keep it safe and unadulterated. • Call an investigator!
Preserving evidence and data. • There are many computer forensic tools on the market. • SOME of them do what they are supposed to. • The most popular and reliable: • EnCase • FTK • To be used in conjunction with “write blocking” devices to produce a “bit stream image”, which can be added to a “data set”.
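The three points made on these slides, a 1-for-1 bit stream image, imaging done in an auditable way, and a write blocker between the examiner and the original, fit together in one procedure: read the source read-only, copy every block, hash what was read and what was written, and log the result. The following is an added example, not De Vere & Co’s procedure and not EnCase or FTK code. It assumes the source is presented read-only (on a real case a block device behind a hardware write blocker); here a constructed sample “device” file stands in for it, and the examiner name is a placeholder.

```python
"""Bit-stream acquisition with hash verification and an append-only audit log.

Added example, not part of the original deck. A constructed file stands in for the
write-blocked device.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # fixed-size reads: every byte is copied, including slack and unallocated space


def sha256_of_file(path):
    """Stream a file through SHA-256 without loading it all into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def image_device(source_path, image_path, log_path, examiner):
    """Copy source to image byte for byte, hash both, and record the acquisition."""
    started = datetime.now(timezone.utc).isoformat()
    digest = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            digest.update(block)  # hash the bytes exactly as read from the source
            dst.write(block)
            total += len(block)
    record = {
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source_path),
        "image": os.path.abspath(image_path),
        "bytes": total,
        "sha256_source": digest.hexdigest(),
        # Re-read the image from disk rather than trusting the bytes we just wrote.
        "sha256_image": sha256_of_file(image_path),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(log_path, "a", encoding="utf-8") as log:  # one JSON line per acquisition
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (before analysis, or for court) and compare with the record."""
    return sha256_of_file(image_path) == expected_sha256


def demo():
    """Constructed sample device: a live file plus the remnant of a deleted one."""
    workdir = tempfile.mkdtemp(prefix="acq_")
    device = os.path.join(workdir, "sample_device.bin")
    with open(device, "wb") as fh:
        fh.write(b"LIVE FILE: invoice 2012-03.docx\n" + b"\x00" * 2000)
        fh.write(b"DELETED REMNANT: wire transfer to account XYZ\n" + b"\xff" * 3000)
    image = os.path.join(workdir, "sample_device.dd")
    log = os.path.join(workdir, "acquisition.log")
    return image_device(device, image, log, examiner="examiner-1 (placeholder)")
```

On a real acquisition the source would be a block device opened read-only behind a hardware write blocker, the copy would normally be taken with a purpose-built tool into a container such as E01, and the hash record would be stored or signed separately from the image so that it cannot be altered along with it. The logic stays the same: hash on read, hash the written image, compare, and log who did it and when.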
Potential Sources of Data? • When considering commencement of operations it is vital to ascertain: • Where may the target data be found? • Physical or virtual data assets?
• Laptop computers. • Desktops and/or servers. • Other systems granted access to the client’s facilities. • Cloud storage. • Media facilities. • Mobile facilities. • Archived data.
Who are De Vere & Co?
• Established in 1992, De Vere & Co has for many years served corporate and professional clients in the UK and overseas.
• Investigative services and support to a number of prominent finance providers and lawyers as well as other professionals.
• Our clients include prominent banks, asset-based lenders, legal firms, insolvency practitioners, public sector bodies and hedge funds.
• We are based in the heart of the legal community in Gray's Inn, London.
• We have investigated a number of large-scale frauds in the finance industry, working closely with banks/funders and their lawyers.
• Our in-house multidisciplinary team includes specialists from all relevant fields.
• The consistent quality of our services and products has led us to be considered one of the leading risk and recovery specialists in the financial and insolvency sectors.
If in doubt. Call De Vere & Co. +44 (0)207 242 1012 Geoffrey Waller MSc. MIPI. CFE. [email protected]