Deloitte Forensic
Forensic Data and Discovery
National Investigation Symposium
9 November 2012
Data and Discovery
Today’s business environment generates
vast amounts of data, which can be a
burden during the course of an
investigation, but also of critical value if
the right data is discovered.
© 2012 Deloitte Global Services Limited 3
Agenda
• Definition
  • What is Forensics in the context of data
  • Defining the value of Forensic Technology
• Data sources
• Data analytics
• Computer Forensics scenarios
  • Theft of IP Investigation
  • Anton Piller Orders
  • Email & smartphone investigation
• Questions
What is Forensics in the context of data?
“The process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable in any judicial or administrative hearing”
Source: “What is Forensic Computing?”, Australian Institute of Criminology, Trends & Issues No. 118, June 1999.
Value of Forensic Data
• Workplace relations issues
• Theft of IP
• Misuse of IT resources
• Fraud & contract disputes
• Insolvency assistance
6 Deloitte Forensic © 2012 Deloitte Touche Tohmatsu
Value of Forensic Data?
• Forensic Collections
• Data Processing and Analysis
• Electronic Review…
Data size approximations…
• 1TB = pile of paper 50 kilometres high!
• 200GB = pile of paper 10,000m high (~ Mt Everest)
• 40GB = pile of paper 2,000m high
• DVD = pile of paper 235m high
• CD = pile of paper 33m high
• 2GB = pile of paper 100m high (~ Statue of Liberty)
• 20MB = pile of paper 1m high
• 1MB = 1 ream of paper = 50mm high
Data Sources
• Servers
• Backup tapes
• Databases
• Laptops
• Desktops
The Value of Forensic technology
Why Forensics?
• The computer is potentially a crime scene
• Majority of documents and records now stored in electronic form
• No investigation/litigation can be complete without the examination of all evidence
• Computers record many actions ... without the knowledge of the user
• Allows recovery of deleted and hidden documents
• Provides evidence which is accepted in court
Key assumptions arising from this relationship
• The examination results will be tendered in evidence
• The forensic methodology and technology will be tested
• The computer forensic examiner's credibility will be challenged
Data Analysis
is about… knowledge discovery in data
Powered by Viscovery ™
[Figure: annotated data visualisation. Panel label: “Frequency of a particular identifier being observed”. Callouts:]
• 2 different types of fraud are observed. One has an existing claims history, the other is new
• Frequency of a particular identifier being observed. These are both seen to be (partially) related to both types of fraud
• This drivers licence has been seen in many other places throughout the book
• This claims amount velocity measure (one of hundreds employed at some phase) doesn’t show much relationship with fraud
• However this other claims amount velocity measure shows a positive correlation with one type of fraud
• This different claims amount velocity measure shows a positive correlation of a different sort
Processing & Analysis
Process and analyse TBs of data
Pre-culling (de-NIST)
Optical character recognition
Decryption
Deleted data recovery
Advanced keyword searching
Date range filtering
Deduplication
Data Visualisation
Industry leading data processing technology
Pre-processing analysis to understand data volumes
Understanding your data reduction efficiencies to refine further and scope the required review effort
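The culling steps listed on this slide (de-NIST, date range filtering, deduplication, keyword searching) can be chained so that each stage reports how many items survive, which is the "data reduction" figure used to scope review. The sketch below is an added example, not Deloitte's tooling; the sample items, paths, dates and the known-file hash set (a stand-in for a reference list such as the NIST NSRL) are all constructed.

```python
import hashlib
from datetime import datetime

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def cull(items, known_hashes, start, end, keywords):
    """Reduce a collection to a review set; return (hits, counts, copies)."""
    counts = {"collected": len(items)}
    # Pre-culling (de-NIST): drop files whose hash is in the known-file list.
    stage = [i for i in items if sha256(i["data"]) not in known_hashes]
    counts["de_nist"] = len(stage)
    # Date range filtering on last-modified time.
    stage = [i for i in stage if start <= i["modified"] <= end]
    counts["date_range"] = len(stage)
    # Deduplication: review one copy, but record every location it was found,
    # so the location of each copy is not lost.
    unique, copies = [], {}
    for i in stage:
        h = sha256(i["data"])
        if h not in copies:
            unique.append(i)
        copies.setdefault(h, []).append(i["path"])
    counts["deduplicated"] = len(unique)
    # Keyword search (case-insensitive) over the remaining unique items.
    hits = [i for i in unique
            if any(k.lower() in i["data"].decode("utf-8", "ignore").lower()
                   for k in keywords)]
    counts["keyword_hits"] = len(hits)
    return hits, counts, copies

# Constructed sample collection (paths, contents and dates are made up).
OS_FILE = b"constructed stand-in for an operating system binary"
PRICING = b"Confidential pricing model"
ITEMS = [
    {"path": "laptop/Windows/system.dll", "data": OS_FILE, "modified": datetime(2012, 8, 1)},
    {"path": "laptop/Documents/pricing.docx", "data": PRICING, "modified": datetime(2012, 9, 14)},
    {"path": "usb/pricing_copy.docx", "data": PRICING, "modified": datetime(2012, 9, 20)},
    {"path": "laptop/old/minutes.txt", "data": b"Confidential board minutes", "modified": datetime(2009, 3, 1)},
    {"path": "laptop/Documents/lunch.txt", "data": b"Lunch menu for Friday", "modified": datetime(2012, 10, 1)},
]
KNOWN = {sha256(OS_FILE)}  # constructed stand-in for a known-file hash list

def run_sample():
    return cull(ITEMS, KNOWN, datetime(2012, 6, 1), datetime(2012, 11, 9), ["confidential"])

if __name__ == "__main__":
    hits, counts, copies = run_sample()
    print(counts)
    for h in hits:
        print(h["path"], "found at", copies[sha256(h["data"])])
```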
Scenario 1: Theft of IP Investigation
An organisation has lost a senior employee to a competitor, and suspects the person has taken
confidential business information upon leaving.
Forensic Activities
1. Recovering email (corporate/webmail) correspondence from multiple available sources
2. Searching email for unauthorised distribution of sensitive data
3. Review of USB devices and external storage
Results
• Confirmation that sensitive files have been emailed to a ‘home’ account
• Identification of additional parties involved in the disclosure (further proceedings)
• Corroboration of computer forensic evidence found at other sources
• Confirmation of the possible presence of evidence held by the person (Anton Piller)
Scenario 2: Anton Piller Orders
It is believed that evidence is present at the home and office of a person, and lawyers are seeking an Anton Piller court order allowing them to secure this evidence.
Forensic Activities
1. Preliminary forensic analysis to support Anton Piller applications
2. Provision of correct and effective technical wording for Anton Piller orders
3. Computer forensic practitioners and equipment for execution of Anton Piller orders
4. Further analysis and expert reports for further applications or injunctions
Results
• Anton Piller orders successfully obtained from the court
• Forensic wording allowed “best form of evidence” to be collected
• Confirmed the evidence was present at the locations being searched
• Client’s case significantly strengthened by the technical evidence collected
• Successful injunction obtained for destruction of stolen information
Scenario 3: Email & smartphone Investigation
An organisation has lost a senior employee to a competitor, and suspects the person has
taken confidential business information upon leaving.
Forensic Activities
1. Recovering email correspondence from multiple available sources
2. Searching email & smartphone for unauthorised distribution of sensitive data
3. Reviewing conversations to identify the context of communications
Results
• Confirmation that sensitive files have been emailed to a ‘home’ account
• Identification of additional parties involved in the disclosure
• Corroboration of computer forensic evidence found at other sources
• Confirmation of the possible presence of evidence held by the person
Conclusion
Today’s business environment generates
vast amounts of data, which can be a burden
during the course of an investigation, but
also of critical value if the right data is
discovered.
General information only
This presentation contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global
Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member
firms, or any of the foregoing’s affiliates (collectively the “Deloitte Network”) are, by means of this presentation, rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a
substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may
affect your finances or your business. Before making any decision or taking any action that may affect your finances or
your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible
for any loss whatsoever sustained by any person who relies on this publication.
Confidential
This document and the information contained in it is confidential and should not be used or disclosed in any
way without our prior consent.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company
limited by guarantee, and its network of member firms, each of which is a legally separate
and independent entity. Please see www.deloitte.com/au/about for a detailed description of
the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte
provides audit, tax, consulting, and financial advisory services to public and private clients
spanning multiple industries. With a globally connected network of member firms in more
than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help
clients succeed wherever they operate. Deloitte’s approximately 170,000 professionals are
committed to becoming the standard of excellence.
About Deloitte Australia
In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As
one of Australia’s leading professional services firms, Deloitte Touche Tohmatsu and its
affiliates provide audit, tax, consulting, and financial advisory services through
approximately 5,700 people across the country. Focused on the creation of value and
growth, and known as an employer of choice for innovative human resources programs, we
are dedicated to helping our clients and our people excel. For more information, please visit
our web site at www.deloitte.com.au. Liability limited by a scheme approved under
Professional Standards Legislation.
Member of Deloitte Touche Tohmatsu Limited © 2012 Deloitte Touche Tohmatsu