Choosing your Computer Forensic Expert
ACFE Asia Pacific Conference
Ajoy Ghosh, Chief Information Security Officer, Logica Australia Pty Ltd (now part of CGI)
CGI GROUP INC. All rights reserved
Why I'm here
Academic: law, international studies and policing in Australian and international universities
Expert witness in court:
- Civil: contract, evidence, reliability, authorship, times
- Complex criminal: terrorism, identity theft, fraud, stalking, data leakage
- Content: child pornography, terrorism, spam, harassment, vilification
- Serious criminal: homicide, rape, corruption
Coach: lawyers, judges, prosecutors, tribunals and Commissions
Specialist in developing capability
20+ years experience in information security, investigations and policy: police, military, corporate and consultant
Currently Chief Information Security Officer at Logica Australia Pty Ltd (now part of CGI)
Asia Pacific Senior IT Security Professional for 2009
CISSP, IRAP, MACS-CP and GAICD accreditations
Best practice:
- Author of HB171 Guidelines for the Management of IT Evidence
- Co-author of HB 231 Information Security Risk Assessment Guidelines
- Currently working on ISO 27037 Guidelines for identification, collection, acquisition and preservation of digital evidence
- Currently working on the update of AS 38500 Corporate Governance of Information and Communication Technology
- Currently advising ACS on the Specialism for Information Security
(Pictured: HB171 Guidelines for the Management of IT Evidence; HB231 Guidelines for Information Security Risk Management)
ISO 27037
Agenda
Advertised content: From computer to courtroom, the computer forensic expert can be an expensive investment for the investigation budget. Gain an understanding of the different computer forensic disciplines and learn how to match them to your needs so that you get the best outcome for your fraud examination.
Agenda:
1. Introductory
2. Computer forensic disciplines
3. The role of the Computer Forensic Expert (CFE)
4. Briefing the CFE
5. Integrating the CFE into the investigation
Roadmap
EVIDENCE: admissibility; form of evidence; privileged material; prohibited material; privacy and surveillance; children; whistleblower
CRIMINAL: prosecutor or defendant; standard of proof; obligations; sensitive evidence; copyright
INTELLIGENCE: legally obtained; privacy and surveillance; children; whistleblower
CIVIL: cost; copyright; rights of witnesses
PRESENTATION: reputation; report; expert's conference; hot tub; witness box
STANDARDS & BILLING: professional standards; taxation; costs in the cause
Cost
Hourly rates, based on the Minter Ellison survey (2011):

                                   Analyst/Associate   Examiner/Senior   Expert/Supervisory   Taxation
Sydney                             $150-$200           $250-$350         $500-$750            $275 (Syd)
Melbourne, Canberra and regional   $90-$150            $150-$275         $350-$550            $275

Some other estimates (I don't necessarily agree):
- Typical computer/phone = $5000
- Acquisition for $800
- Discovery: $1 to $2 per document
Court rules require a cost estimate in billing units (typically one hour)
Time and materials
Reliable tools don't need to be expensive

                                              My cheap kit         My mid-range kit   Enterprise kit
Size of job                                   Up to 10 computers   20+ computers      1 million documents
Web 2.0 capture                               n/a                  $20 per-seat       $5 per-seat
Computer forensic (standard data recovery)    Free                 $500               $5,000-$8,000
OCR                                           Free                 $500               $5,000
Text searching                                $0                   $6,000             $20,000
Voice-to-text                                 $300                 $5,000             $60,000
Face recognition                              Free                                    $150,000
Voice identification                          Free                                    $200,000
Video processing                              $400                 $1000              n/a
Visualisation                                 Free                 $3,000             $10,000
Productions                                   $4-5 per page        $10,000            $50,000

Enterprise kit notes: large corporate, so far ~370m documents; productions at 4c per page.
Professional Standards Act
What does the Act encompass?
1. A person who owns their business or has Director or Officer in their title;
2. Who provides advice to someone with Director or Officer in their title, even occasionally;
3. Who is a member of a Chartered firm
No.
ACS Certified Professional
- Qualifies for coverage under the Professional Standards Act
- Liability limited under a scheme approved by the Professional Standards Act ($1.5M)
- Need the right level of insurance
- Need to stay current: Continuing Professional Education
In 2011, I advised on 6 negligence or misleading and deceptive conduct cases brought against computer experts as individuals:
- Three cases settled: in one, the plaintiff was asking $100M and the defendant had offered $20M; in another two, the plaintiff was the insurance company of the defendant's employer
- One case: the defendant has self-harmed and has been found unfit for trial; he is now claiming compensation from his former employer
- Two cases are ongoing: in one, the plaintiff has claimed $22M
COMPUTER FORENSIC DISCIPLINES
Disciplines and lifecycle
Lifecycle: ACQUISITION, ANALYSIS, ANALYTICS, PRESENTATION
Disciplines:
- Computer/server (operating system)
- Handset
- Network (i.e. non-telco)
- Telco/ISP
- Specialist device (e.g. SCADA, car, ATM, etc.)
- Cloud (acquire from 3rd parties)
- Discovery
Telco
Cloud
3rd party providing a computing service: application and infrastructure; social media
Challenges: jurisdiction; shared with others; contractual
Biggest challenge is that everyone is still trying to understand the rules, so the default answer is "NO, you can't have it"
Expert needs to navigate the major providers to legally acquire the data you are entitled to...and in a timely manner
Like a chess tournament, each player has a different board. We don't know the rules and the players can arbitrarily change them...as can governments
Analytics and Visualisation
1. Text reporting
2. Manually convert data for use with Anna-cappa tools: timeline; link analysis
3. Integrate with visualisation: complex link analysis; contextual view (incl. geospatial)
No.
ROLE OF THE COMPUTER FORENSIC EXPERT
Experts and other witnesses
Lay witness: is only permitted to give direct or sensory evidence, i.e. "I did", "I saw", "I smelt", etc. The lay witness is expected to give evidence to their best recollection (i.e. from memory) and is not expected to understand the process of giving evidence. Any documentary evidence (e.g. a statement) is expected to be taken by an investigator.
Investigator: is expected to find evidence, make a factual analysis and prepare factual reports. In many cases, an investigator is obligated to make reasonable efforts to discover both incriminating and exculpatory evidence. An investigator is only permitted to give factual evidence and, when giving evidence, is usually permitted to refresh their memory from contemporaneous notes.
Expert witness: is allowed to provide opinion evidence so long as it is within their area of expertise. Whilst an expert witness may have an interest in a party involved in the matter (e.g. as an employee), they are obliged to act in the best interests of the Court, are expected to understand their other obligations as an expert witness as per the Expert Witness Code of Conduct, and are expected to limit their opinion to the particular questions they have been instructed to answer. In some jurisdictions, expert witnesses are required to prepare reports that contain specific information and wording.
Independent expert witness: in addition to the obligations of an expert, is expected to have no interest in the matter other than their instructions from an officer of the Court. The key difference between an expert and an independent expert is the presumption of bias. Independent experts are obligated to inform the Court if they acquire or are offered any interest.
Do you need an expert?
In many cases, a person who is not an expert can produce evidence copies and present factual evidence about the copy.
A non-expert is also able to present the measurements of so-called notoriously scientific instruments. Such instruments are presumed to be reliable and the onus is on the party claiming an instrument is unreliable to prove that. Such instruments commonly used include clocks, cameras, video cameras, telephones and, recently, GPS. At the time of writing, some jurisdictions are considering whether or not forensic software should be included in this category.
Further, the evidence copy is considered to be documentary evidence, and certain classes of documents are presumed to be reliable, i.e. the onus is on the party claiming a document is unreliable to prove that. Such classes commonly used include:
- Official (i.e. government) documents
- Banking records
- Telecommunications records
- Business records (only for civil cases)
Criminal matters
Standard of proof: The standard of proof for the prosecution is beyond reasonable doubt (e.g. section 13.2 of the Criminal Code Act (Cwth) 1995) and for the defence is on the balance of probabilities (e.g. section 13.5 of the Criminal Code Act (Cwth) 1995).
Obligations: The prosecution is obliged to make reasonable efforts to discover both incriminating and exculpatory evidence.
Sensitive evidence: Certain material is considered to be sensitive evidence (e.g. section 281B of the Criminal Procedure Act (NSW) 1986) and cannot be provided to the defendant. A CFE instructed by the prosecution should understand what material contains sensitive evidence and ensure that it is not provided to the defendant. When sensitive evidence is co-mingled with other evidence, a CFE should be capable of excising the sensitive material from an evidence copy so the other material can be provided to the defendant.
Civil matters
Standard of proof: The standard of proof in civil cases is consistent in all Australian jurisdictions. The standard of proof is beyond reasonable doubt (e.g. section 140 of the Evidence Act (Cwth) 1995).
Obligations: According to section 37M of the Federal Court of Australia Act (Cwth) 1976, "The overarching purpose of the civil practice and procedure provisions is to facilitate the just resolution of disputes: a) according to law; and b) as quickly, inexpensively and efficiently as possible." This means that when determining if a particular method is appropriate, the CFE should consider whether a more cost-effective or efficient method is available. Courts have become quick to criticise corporate litigants who might be perceived to be making unreasonable demands of their less affluent adversary.
BRIEFING THE COMPUTER FORENSIC EXPERT
Selecting an expert
Advocacy 101:
1. Attack the evidence
2. Attack the process
3. Attack the witness
Qualifications as an expert...in the relevant ICT field:
- Specialism in the right ICT field; consider aligning with SFIA (Skills For the Information Age)
Experience in the process:
- How many times have they done that particular examination before?
- Adverse judicial or other commentary; consider running a background check
- Gather material published about the expert (including self-published on the Internet)
Written versus oral communication, i.e. in the witness box:
- Can they explain technical concepts to a lay person (i.e. lawyer, judge and jury)?
- How do they react to always having to justify their actions, or to personal attacks?
- Well versed in the theatre of the courtroom
Letter of instruction
1. Briefing about the matter: avoid creating a perception of bias
2. Names of parties, for conflict of interest: include any relevant 3rd parties (e.g. ICT provider)
3. Specific questions to be answered: clear and specific and not open to misinterpretation; final question: "Any other matter the Expert believes is relevant"
4. Material upon which the expert is to rely: balance probative value to your expert versus the adversary; be prepared for the adversary to resist production of materials or to produce them in a way that is incomplete or frustrating
5. The relevant Expert Witness Code of Conduct
6. The expert is required to attach the letter to their report
Receiving materials
[Pie charts: Police (includes when briefed by prosecution) and Civil matters; categories Produced, Incomplete, Printed only, Resisted and Settled; the percentages cannot be matched to categories from the extracted text]
Bias...
"I declare that I have made all enquiries that I believe are desirable and appropriate and that no matters of significance which I regard as relevant have, to my knowledge, been withheld in this report (from the Court)"
- Consider obligations (e.g. the prosecutor is obliged to make all reasonable efforts to discover both incriminating and exculpatory evidence)
- Time is usually not an accepted explanation...but the expert must limit themselves to answering the specific question(s) they are asked in their letter of instruction
- Courts are not usually sympathetic to arguments of means, e.g. a large corporation is expected to fund expensive examinations but a consumer is not
- Numerous precedents for email discovery, searching and data recovery
Thank you
ajoy.ghosh@logica.com