The ICT Fraud Investigator's File
We know what you did last year!
Mustapha Mugisa, CFE, MBA, CISA, CPA, CrFA
Forensic Specialist
ICT Fraud Seminar, July 28th, 2011
Improving your condition
Contents
1. Why care?
2. eDiscovery explained
3. Digital forensic investigation process
4. Forensic tools available
5. Challenges in litigation
6. Cross examination of a computer forensic expert
Perspective ESI
eDiscovery:
The legal discovery (disclosure) of all electronic documents and data relevant to a case
Perspective ESI
o Email with attachments (all kinds)
o Text files, PowerPoint, spreadsheets
o Voice mail, instant and text messaging
o Databases, proprietary applications
o Internet, intranet, wikis, blogs, RSS feeds (plus cache files, slack space data, cookies)
o Data on PDAs, cellphones
o Videoconferencing & webcasting
o Metadata
Perspective: common sources of ESI
o Mainframes, network servers, local drives (including network activity logs)
o DVDs, CD ROMs, floppy disks, laptops, PDAs, phones
o Backup tapes
o External hard drives
o Third party storage, cloud
Perspective eDiscovery
o Collection, preservation and validation of evidence
o Investigation and analysis of the data
o Preparation of an objective report of findings
Digital forensic investigation
Answer questions about digital events so the results are admissible in court.
Regulatory landscape
1. The Constitution of the Republic of Uganda, 1995 (as amended)
2. The Computer Misuse Act, 2011
3. The Electronic Transactions Act, 2010
4. The Electronic (Digital) Signature Act, 2010
5. The PPDA Act, 2003 (as amended)
6. The Electronic Media Act, 1996 (Cap 104)
7. The Communications Act, 1997
8. Access to Information Act, 2004
9. The Copyrights and Neighbouring Rights Act, 2006
10. The Penal Code Act Cap 120 (Causing Financial Loss)
Sec. 12 Unauthorized access (hacking, interception, Man-In-The-Middle)
Sec. 14 Unauthorized modification of electronic content
Sec. 16 Unauthorized obstruction of use of computer system (Denial of Service)
Sec. 17 Unauthorized disclosure of access code (password leakage)
Sec. 18 Unauthorized disclosure of information (breach of confidentiality)
Sec. 26 Cyber stalking
Forensic evidence
1. Authentic
o Can we explicitly link files, data to specific individuals and events?
o access control
o logging, audit logs
o collateral evidence
o crypto-based authentication
o steganographic evidence
Forensic evidence
3. Complete
o tells within its own terms a complete story of particular circumstances or flow of events.
4. Convincing
o have real informative value
o a subjective, practical test of presentation
o can be reproduced/re-played
Challenges in litigation
Challenges
Judges and prosecutors must have confidence in the tools and techniques used in digital crime cases.
Preservation order
"Documents, data, and tangible things" is to be interpreted broadly to include writings; records; files; correspondence; reports; memoranda; calendars; diaries; minutes; electronic messages; voicemail; E-mail; telephone message records or logs; computer and network activity logs; hard drives; backup data; removable computer storage media such as tapes, disks, and cards; printouts; document image files; Web pages; databases; spreadsheets; software; books; ledgers; journals; orders; invoices; bills; vouchers; checks; statements; worksheets; summaries; compilations; computations; charts; diagrams; graphic presentations; drawings; films; charts; digital or chemical process photographs; video; phonographic tape; or digital recordings or transcripts thereof; drafts; jottings; and notes. Information that serves to identify, locate, or link such material, such as file inventories, file folders, indices, and metadata, is also included in this definition. --Pueblo of Laguna v. U.S. 60 Fed. Cl. 133 (Fed. Cir. 2004).
Tool addicts
o Poorly trained experts rely on tools without understanding how they work!
o An expert should explain how the tool performs the task
o They give "the tool is not on trial" excuses
Press the witness to either explain how the tool achieves its results or admit they don't know.
Sampling
o Digital data is massive
o Examiners often use keywords to search; this is not good enough
Let the witness admit that not all data was searched
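The sampling point above, shown as an added example (not part of the original slides): the same sentence is stored in four constructed evidence items, and a raw keyword search finds it in only one of them. The file names, the keyword and the list of decodings tried are assumptions made for the illustration.

```python
import base64
import gzip
import zlib

KEYWORD = "invoice 4471"  # constructed search term

def build_items():
    """Constructed evidence items: one sentence stored four ways, plus a decoy."""
    text = "Approve invoice 4471 before the audit. Invoice 4471 is overdue."
    return {
        "memo.txt (ASCII)": text.encode("ascii"),
        "memo.doc (UTF-16LE)": text.encode("utf-16-le"),
        "mail.eml (base64 body)": base64.b64encode(text.encode("ascii")),
        "backup.gz (gzip)": gzip.compress(text.encode("ascii")),
        "notes.txt (unrelated)": b"Lunch at noon on Friday.",
    }

def naive_search(blob, keyword):
    """Raw byte match, which is all a plain keyword search over the data sees."""
    return keyword.encode("ascii") in blob

def decoded_views(blob):
    """Yield the raw bytes, then each decoding this example knows how to undo."""
    yield blob
    try:
        yield gzip.decompress(blob)
    except (OSError, EOFError, zlib.error):
        pass  # not gzip data
    try:
        yield base64.b64decode(blob, validate=True)
    except ValueError:
        pass  # not base64 text
    try:
        yield blob.decode("utf-16-le").encode("ascii", "ignore")
    except UnicodeDecodeError:
        pass  # not UTF-16LE text

def coverage_report(items, keyword):
    """Return (items hit by the raw search, items hit only after decoding)."""
    naive, extra = [], []
    for name, blob in items.items():
        if naive_search(blob, keyword):
            naive.append(name)
        elif any(naive_search(view, keyword) for view in decoded_views(blob)):
            extra.append(name)
    return naive, extra

if __name__ == "__main__":
    naive, extra = coverage_report(build_items(), KEYWORD)
    print("raw keyword hits:", naive, "| found only after decoding:", extra)
```

Every item in the second list held the keyword but was never effectively searched by the raw match, which is the admission the cross-examiner is looking for.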
Mindset
o A good expert provides objective findings or observations
o Does not hide under cover of technical jargon
Fear nothing...
mmugisa@summitcl.com +256712984585
www.summitforensics.com