Choosing your Computer Forensic Expert

ACFE Asia Pacific Conference
Ajoy Ghosh, Chief Information Security Officer, Logica Australia Pty Ltd (now part of CGI)

© CGI GROUP INC. All rights reserved

Choosing your Computer Forensic Expert · 2012-11-01 · Computer forensic disciplines 3. The role of the Computer • Gain an understanding of the different computer forensic disciplines

Jun 22, 2020


Why I’m here

• Academic:
  • Law, international studies and policing in Australian and international universities

• Expert witness in court:
  • Civil: contract, evidence, reliability, authorship, times
  • Complex criminal: terrorism, identity theft, fraud, stalking, data leakage
  • Content: child pornography, terrorism, spam, harassment, vilification
  • Serious criminal: homicide, rape, corruption

• Coach:
  • Lawyers, judges, prosecutors, tribunals and Commissions
  • Specialist in developing capability

• 20+ years experience in information security, investigations and policy:
  • Police, Military, Corporate & Consultant
  • Currently Chief Information Security Officer at Logica Australia Pty Ltd (now part of CGI)
  • Asia Pacific Senior IT Security Professional for 2009
  • CISSP, IRAP, MACS-CP and GAICD accreditations

• Best practice:
  • Author of HB171 – Guidelines for the Management of IT Evidence
  • Co-author HB 231 – Information Security Risk Assessment Guidelines
  • Currently working on ISO 27037 – Guidelines for identification, collection, acquisition and preservation of digital evidence
  • Currently working on update of AS 38500 – Corporate Governance of Information and Communication Technology
  • Currently advising ACS on “Specialism” for Information Security

[Images: HB171: Guidelines for the Management of IT Evidence (above); HB231: Guidelines for Information Security Risk Management (below)]


ISO 27037


Agenda

Advertised content

• From computer to courtroom, the computer forensic experts can be an expensive investment for the investigation budget.
• Gain an understanding of the different computer forensic disciplines and learn how to match them to your needs so that you get the best outcome for your fraud examination

Agenda

1. Introductory
2. Computer forensic disciplines
3. The role of the Computer Forensic Expert (CFE)
4. Briefing the CFE
5. Integrating the CFE into the investigation


Roadmap

EVIDENCE
• Admissibility
• Form of evidence
• Privileged material
• Prohibited material
• Privacy & surveillance
• Children
• Whistleblower

CRIMINAL
• Prosecutor of Defendant
• Standard of proof
• Obligations
• Sensitive evidence
• Copyright

INTELLIGENCE
• Legally obtained
• Privacy & surveillance

CIVIL
• Cost
• Copyright


•Copyright•Rights of witnesses

PRESENTATION
• Reputation
• Report
• Expert’s conference
• “Hot tub”
• Witness box

STANDARDS & BILLING
• Professional standards
• Taxation
• “Costs in the cause”


Cost

Location | Analyst/Associate | Examiner/Senior | Expert/Supervisory | Taxation
Sydney / Melbourne | $150-$200 | $250-$350 | $500-$750 | $275 (Syd)
Canberra and other regional | $90-$150 | $150-$275 | $350-$550 | $275

• Based on Minter-Ellison survey (2011)
• Some other estimates (I don’t necessarily agree):
  • Typical computer/phone = $5000
  • Acquisition for $800
  • Discovery $1 to $2 per document
• Court rules require cost estimate in billing units (typically one hour)
• Time and materials


Reliable tools don’t need to be expensive

Capability | My cheap kit | My mid-range kit | Enterprise Kit
Size of Job | Up to 10 computers | 20+ computers, 1 million documents | Large corporate, so far ~370m documents
Web 2.0 Capture | n/a | $20 per-seat | $5 per-seat
Computer forensic (standard data recovery) | Free, $500 | $5,000 | $8,000
OCR | Free | $500 | $5,000
Text searching | $0 | $6,000 | $20,000
Voice-to-text | $300 | $5,000 | $60,000
Face Recognition | Free | $150,000
Voice Identification | Free | $200,000
Video processing | $400 | $1000 | n/a
Visualisation | Free | $3,000 | $10,000
Productions | $4-5 per page | $10,000 | $50,000, 4c per page


Professional Standards Act

• What does the Act encompass?
  1. A person who owns their business or has Director or Officer in their title;
  2. Who provides advice to someone with Director or Officer in their title, even occasionally;
  3. Who is a member of a Chartered firm


ACS Certified Professional

• Qualify for coverage under Professional Standards Act

• “Liability limited under a scheme approved by the Professional Standards Act.” ($1.5M)

• Need right level of insurance
• Need to stay current – Continuing Professional Education

• In 2011, I advised on 6 “negligence” or “misleading and deceptive conduct” cases brought against computer experts as individuals:
  • Three cases settled:
    • In one, plaintiff was asking $100M and defendant had offered $20M
    • In another two, plaintiff was the insurance company of the defendant’s employer
  • One case the defendant has self-harmed and has been found unfit for trial – he is now claiming compensation from his former employer
  • Two cases are ongoing:
    • In one, plaintiff has claimed $22M


COMPUTER FORENSIC DISCIPLINES


Disciplines and lifecycle

Lifecycle stages: ACQUISITION, ANALYSIS, ANALYTICS, PRESENTATION

Disciplines:
• Computer/server (operating system)
• Handset
• Network (i.e. Non-telco)
• Telco/ISP
• Specialist device (e.g. SCADA, car, ATM, etc)
• Cloud (Acquire from 3rd parties)
• Discovery


Telco


Cloud

• 3rd-party providing a computing service
  • Application and infrastructure
  • Social media

• Challenges
  • Jurisdiction
  • Shared with others
  • Contractual

• Biggest challenge is that everyone is still trying to understand the rules so the default answer is “NO you can’t have it”

• Expert needs to navigate the major providers to legally acquire the data you are entitled to...and in a timely manner

Like a chess tournament, each player has a different board. We don’t know the rules and the players can arbitrarily change them...as can governments


Analytics and Visualisation

1. Text reporting

2. Manually convert data for use with Anna-cappa tools
   • Timeline
   • Link analysis

3. Integrate with visualisation
   • Complex link analysis
   • Contextual view (incl. geospatial)


ROLE OF THE COMPUTER FORENSIC EXPERT


Experts and other witnesses

• Lay witness: is only permitted to give direct or sensory evidence, i.e. I did, I saw, I smelt, etc. The lay witness is expected to give evidence to their best recollection (i.e. from memory) and is not expected to understand the process of giving evidence. Any documentary evidence (e.g. statement) is expected to be taken by an investigator;

• Investigator: is expected to find evidence, make a factual analysis and prepare factual reports. In many cases, an investigator is obligated to make reasonable efforts to discover both incriminating and exculpatory evidence. An investigator is only permitted to give factual evidence and, when giving evidence, is usually permitted to refresh their memory from contemporaneous notes;

• Expert witness: is allowed to provide opinion evidence so long as it is within their area of expertise. Whilst an expert witness may have an interest in a party involved in the matter (e.g. as an employee), they are obliged to act in the best interests of the Court, are expected to understand their other obligations as an expert witness as per the Expert Witness Code of Conduct, and are expected to limit their opinion to the particular questions they have been instructed to answer. In some jurisdictions, expert witnesses are required to prepare reports that contain specific information and wording;

• Independent expert witness: in addition to the obligations of an expert, is expected to have no interest in the matter other than their instructions from an officer of the Court. The key difference between an expert and an independent expert is the presumption of bias. Independent experts are obligated to inform the Court if they acquire or are offered any interest.


Do you need an expert?

• In many cases, a person who is not an expert can produce evidence copies and present factual evidence about the copy.

• A non-expert is also able to present the measurements of so-called notoriously scientific instruments. Such instruments are presumed to be reliable and the onus is on the party claiming it is unreliable to prove that. Such instruments commonly used include clocks, cameras, video cameras, telephones and recently GPS. At the time of writing, some jurisdictions are considering whether or not forensic software should be included in this category.

• Further, the evidence copy is considered to be “documentary evidence” and certain classes of documents are presumed to be reliable i.e. the onus is on the party claiming it is unreliable to prove that. Such classes commonly used include:

  • Official (i.e. government) documents
  • Banking records
  • Telecommunications records
  • Business records (only for civil cases)


Criminal matters

Standard of Proof
• The standard of proof for the prosecution is beyond reasonable doubt (e.g. §13.2 of the Criminal Code Act Cwth 1995) and for the defence is on the balance of probabilities (e.g. §13.5 of the Criminal Code Act Cwth 1995).

Obligations
• The prosecution is obliged to make reasonable efforts to discover both incriminating and exculpatory evidence.

Sensitive evidence
• Certain material is considered to be sensitive evidence (e.g. §281B of the Criminal Procedures Act NSW 1986) and cannot be provided to the defendant.
• A CFE instructed by the prosecution should understand what material contains “sensitive evidence” and ensure that it is not provided to the defendant.
• When sensitive evidence is co-mingled with other evidence, a CFE should be capable of excising the sensitive material from an evidence copy so the other material can be provided to the defendant.


Civil matters

Standard of Proof
• The standard of proof in civil cases is consistent in all Australian jurisdictions. The standard of proof is “beyond reasonable doubt” (e.g. §140 of the Evidence Act Cwth 1995).

Obligations
• According to §37M of the Federal Court of Australia Act (Cwth) 1976:
  • The overarching purpose of the civil practice and procedure provisions is to facilitate the just resolution of disputes:
    a) according to law; and
    b) as quickly, inexpensively and efficiently as possible.
• This means that when determining if a particular method is appropriate, the CFE should consider if a more cost effective or efficient method is available.
• Courts have become quick to criticise corporate litigants who might be perceived to be making unreasonable demands of their less affluent adversary.


BRIEFING THE COMPUTER FORENSIC EXPERT


Selecting an expert

• Advocacy 101:
  1. Attack the evidence
  2. Attack the process
  3. Attack the witness

• Qualifications as an expert... in the relevant ICT field
  • Specialism in the right ICT field. Consider aligning with SFIA (Skills For an Information Age)

• Experience in the process
  • How many times have they done that particular examination before?

• Adverse judicial or other commentary
  • Consider running background check
  • Gather material published about the Expert (including self-published on Internet)

• Written versus oral communication i.e. In the witness box
  • Can they explain technical concepts to lay person (i.e. lawyer, judge and jury)
  • How do they react to always having to justify their actions or to personal attacks?
  • Well versed in the “theatre” of the Courtroom


Letter of instruction

1. Briefing about the matter
   • Avoid creating a perception of bias

2. Name of parties for conflict of interest
   • Include any relevant 3rd-parties (e.g. ICT provider)

3. Specific questions to be answered
   • Clear and specific and not open to misinterpretation
   • Final question: “Any other matter the Expert believes is relevant”

4. Material upon which the expert is to rely
   • Balance probative value to your expert versus the adversary
   • Be prepared for the adversary to resist production of materials or produce them in a way that is incomplete or frustrating

5. The relevant Expert Witness Code of Conduct

6. The expert is required to attach the letter to their report


Receiving materials

[Figure: pie charts. Panels: Police (includes when briefed by prosecution); Civil matters. Legend: Produced, Incomplete, Printed only, Resisted, Settled.]


Bias

• ... “I declare that I have made all enquiries that I believe are desirable and appropriate and that no matters of significance which I regard as relevant have, to my knowledge, been withheld in this report (from the Court)”

• Consider obligations (e.g. prosecutor is obliged to make all reasonable efforts to discover both incriminating and exculpatory evidence)

• Time is usually not an accepted explanation...but the expert must limit themselves to answering the specific question(s) they are asked in their letter of instruction

• Courts are not usually sympathetic to arguments of means e.g. A large corporation is expected to fund expensive examinations but a consumer is not

• Numerous precedents for email discovery, searching and data recovery


Thank you
