
Forensic. Advisory. Fraud.

Understanding eDiscovery & digital forensics


Uganda Law Society
24 May 2012

Mustapha Mugisa, CFE, MBA, CISA, CPA, CrFA
ICT Fraud Seminar, July 28th, 2011
The ICT Fraud Investigator's File

Contents
1. Why care?
2. eDiscovery explained
3. Digital forensic investigation process
4. Forensic tools available
5. Challenges in litigation
6. Cross examination of a computer forensic expert

Perspective: why care?

o There is a lot of digital information, and it is very valuable
o Over 95% of all documents are created using computers
o All organizations rely on IT for survival
o About 2/3 of leaving employees steal data, IP

Perspective: why care?

o In 2011, 210 billion emails were sent daily
o > 80% of business records are stored in electronic form
o > 95% of information is first generated in digital format
o Only 30% is ever printed to paper
o Direct and indirect costs of eDiscovery keep rising
Source: http://www.statisticbrain.com

Perspective: why care?

Source: Norton cybercrime report, 2011

Current cyber crime

o IP theft
o Spam
o Spyware / virus / malware / bots
o IT related sex offenses
o Bandwidth theft
o Information warfare
o DOS
o Key infrastructure
o Organized crime
o Piracy
o Credit card fraud

Perspective: ESI

eDiscovery: the legal discovery (disclosure) of all electronic documents and data relevant to a case.

Perspective: ESI

o Email with attachments (all kinds)
o Text files, PowerPoint, spreadsheets
o Voice mail, instant and text messaging
o Databases, proprietary applications
o Internet, intranet, wikis, blogs, RSS feeds (plus cache files, slack space data, cookies)
o Data on PDAs, cellphones
o Videoconferencing & webcasting
o Metadata

Perspective: common sources of ESI

o Mainframes, network servers, local drives (including network activity logs)
o DVDs, CD ROMs, floppy disks, laptops, PDAs, phones
o Backup tapes
o External hard drives
o Third party storage, cloud

Perspective: common sources of ESI

Demo: inside the computer

Perspective: eDiscovery

o collection, preservation and validation of evidence
o investigation and analysis of the data, and
o the preparation of an objective report of findings

Digital forensic investigation: answer questions about digital events so that the results are admissible in court.

Why a forensic analysis?

o ID the perpetrator
o ID the method/vulnerability
o Conduct a damage assessment
o Preserve the evidence for legal action
o What, when, where, who, how and why

Why a forensic analysis?

Suspects hide evidence:
1. Delete their files and emails
2. Hide their files by encryption, password protection, or embedding them in unrelated files (dll, os etc.)
3. Use Wi-Fi networks and cyber cafes to cover their tracks

Forensics uncover it:
1. Restore deleted files and emails
2. Find the hidden files through complex password, encryption programs, and searching techniques
3. Track them down through the digital trail - IP addresses to ISPs to the offender

The computer crime scene

Similar to traditional crime scenes: the evidence must be acquired while preserving its integrity.
o No damage during collection, transportation, or storage
o Document everything
o Collect everything the first time
o Establish a chain of custody

Regulatory landscape
1. The Constitution of the Republic of Uganda, 1995 (as amended)
2. The Computer Misuse Act, 2011
3. The Electronic Transactions Act, 2010
4. The Electronic (Digital) Signature Act, 2010
5. The PPDA Act, 2003 (as amended)
6. The Electronic Media Act, 1996 (Cap 104)
7. The Communications Act, 1997
8. Access to Information Act, 2004
9. The Copyrights and Neighbouring Rights Act, 2006
10. The Penal Code Act Cap 120 (Causing Financial Loss)

Criminalization of ICT Fraud

The Computer Misuse Act, 2011
o Sec. 12 Unauthorized access (hacking, interception, man-in-the-middle)
o Sec. 14 Unauthorized modification of electronic content
o Sec. 16 Unauthorized obstruction of use of computer system (denial of service)
o Sec. 17 Unauthorized disclosure of access code (password leakage)
o Sec. 18 Unauthorized disclosure of information (breach of confidentiality)
o Sec. 26 Cyber stalking

The forensic investigation process

The investigation process

1. Triggering event
2. First responders perform triage
   o May or may not terminate the incident
   o Do no damage to the evidence
3. Acquire authorization to obtain evidence
   o E.g., search warrant
4. Document the scene, search for evidence

The investigation process (continued)

5. Acquisition, storage, and handling of evidence
   o In digital investigations, this means imaging disks. It may also mean copying the contents of memory.
6. Analyze the evidence
   o In digital investigations, this means searching all obtained evidence for clues and real evidence.
7. Presentation of evidence and analysis

The investigation process (continued)

8. Review and improve
   o For digital investigations, we need to sanitize and share the results of investigations, especially the preparations and methodologies that work and the lessons learned.
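The acquisition, storage and analysis steps above all depend on one practical control: hash the image when it is acquired, log every hand-over, and re-hash before anyone analyses it, so that an altered copy is detected and a second examiner can reproduce the result. The script below is an added illustration, not part of the presentation; the sample image bytes, examiner names and source description are constructed placeholders.

```python
"""Acquisition integrity and chain of custody for an evidence image."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"\x00" * 512 + b"PAYMENT 2011-0042 approved by finance\n" + b"\xff" * 512


def sha256_of(data: bytes) -> str:
    """Reference digest taken at acquisition; every later check compares to it."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(image: bytes, examiner: str, source: str) -> dict:
    """Open the chain-of-custody record at imaging time (step 5)."""
    return {
        "source": source,
        "sha256": sha256_of(image),
        "custody": [{"event": "acquired", "by": examiner, "at": _now()}],
    }


def transfer(record: dict, image: bytes, from_person: str, to_person: str) -> bool:
    """Log a hand-over; the receiver re-hashes before accepting the image."""
    ok = sha256_of(image) == record["sha256"]
    record["custody"].append({"event": "transferred" if ok else "rejected",
                              "from": from_person, "to": to_person,
                              "verified": ok, "at": _now()})
    return ok


def verify_before_analysis(record: dict, image: bytes) -> bool:
    """Gate for step 6: analyse only an image whose digest still matches."""
    return sha256_of(image) == record["sha256"]


if __name__ == "__main__":
    rec = acquire(SAMPLE_IMAGE, "examiner A", "laptop HDD (serial: placeholder)")
    transfer(rec, SAMPLE_IMAGE, "examiner A", "examiner B")
    # Simulate an altered copy: one word changed, so the digest no longer matches.
    altered = SAMPLE_IMAGE.replace(b"approved", b"rejected")
    print("intact copy ok:", verify_before_analysis(rec, SAMPLE_IMAGE))
    print("altered copy ok:", verify_before_analysis(rec, altered))
    print(json.dumps(rec, indent=2))
```

The custody list is what an expert produces when asked in court who held the image and whether its hash was checked at each step.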

Golden rules of digital investigations

o No two investigations are identical.
o Preparation is critical. Preparation enables success; lack of preparation guarantees failure.
o Follow a consistent methodology.
o Document everything.
o Invest wisely.

Forensic tools available

Vendors of digital investigation tools

o Host-based forensic tools
  EnCase from Guidance Software
  Forensic Toolkit (FTK) from AccessData
  ProDiscover from Technology Pathways
  P2 and P3 from Paraben
  Vogon investigation software from Vogon International
o Open source projects:
  The Coroner's Toolkit (TCT)
  The Sleuth Kit and the Autopsy Browser
  Assorted tools

What forensics is not

1. IT audit
2. Security risk assessment
3. Security policy formulation
4. Search for systems weaknesses for purposes of presenting recommendations to management
5. COBIT / ITGC benchmarking

Forensic evidence

1. Authentic
o Can we explicitly link files and data to specific individuals and events?
  o access control
  o logging, audit logs
  o collateral evidence
  o crypto-based authentication
  o steganographic evidence

2. Accurate
o reliability of the computer process, not the data content
o can we explain how an exhibit came into being?
  o what does the computer system do?
  o what are its inputs?
  o what are the internal processes?
  o what are the controls?

3. Complete
o tells within its own terms a complete story of particular circumstances or flow of events

4. Convincing
o has real informative value
o a subjective, practical test of presentation
o can be reproduced/re-played

Challenges in litigation

Digital evidence, challenges

o Preserving evidence
o Retrieving and processing massive amounts of data
o Providing support to help vindicate claims and defenses

o Not a simple off switch
o Ever-changing electronic records
o Self-purging e-mail systems
o Dynamic databases
o Collaborative work spaces
o Routine recycling of backup media

o Chain of custody
o Prevent cross contamination during the exam
o Wide acceptance of investigative techniques?
o Can the findings be duplicated?

Challenges
Judges and prosecutors must have confidence in the tools and techniques used in digital crime cases.

What can go wrong?

o Without a plan, everything
o Courts look at spoliation of evidence: an assessment of the loss of relevant evidence and the identification of who, if anyone, should bear a consequence, as well as what that consequence should be.

Spoliation lessons from elsewhere

o No one, not even the Uganda government, is above the duty to ensure, through its agents, that documents relevant to a case are preserved.
o Have a reasonable, defensible and effective litigation hold program
  Update and enforce communication and compliance with document retention and preservation policies
  Follow up regarding preservation (litigation hold) notices

Preservation order
"Documents, data, and tangible things" is to be interpreted broadly to include writings; records; files; correspondence; reports; memoranda; calendars; diaries; minutes; electronic messages; voicemail; E-mail; telephone message records or logs; computer and network activity logs; hard drives; backup data; removable computer storage media such as tapes, disks, and cards; printouts; document image files; Web pages; databases; spreadsheets; software; books; ledgers; journals; orders; invoices; bills; vouchers; checks; statements; worksheets; summaries; compilations; computations; charts; diagrams; graphic presentations; drawings; films; charts; digital or chemical process photographs; video; phonographic tape; or digital recordings or transcripts thereof; drafts; jottings; and notes. Information that serves to identify, locate, or link such material, such as file inventories, file folders, indices, and metadata, is also included in this definition. --Pueblo of Laguna v. U.S. 60 Fed. Cl. 133 (Fed. Cir. 2004).

Cross examination of a computer forensic expert

Tool addicts
o Poorly trained experts rely on tools without understanding how they work!
o An expert should explain how the tool performs the task
o Gives "the tool is not on trial" excuses
Press the witness to either explain how the tool achieves its results or admit they don't know.

Chain of custody issues

o If the witness botched the chain of custody, their evidence will be shaken
Sloppy chain of custody suggests inexperience. Attack it!

Limits of computer forensics

o Cast doubt on the witness.
o Make them admit there are things an examiner cannot ascertain about who used a computer and when
It is difficult to ascertain that a user altered the time on their computer! A computer can't identify its user.

Sampling
o Digital data is massive
o Examiners often use key words to search; this is not good enough
Let the witness admit that not all data was searched

Mindset
o A good expert provides objective findings or observations
o Does not hide under cover of technical jargon

Fear nothing...
mmugisa@summitcl.com +256712984585

www.summitforensics.com
