Deloitte Forensic Forensic Data and Discovery National Investigation Symposium 9 November 2012


Deloitte Forensic

Forensic Data and Discovery

National Investigation Symposium

9 November 2012

Data and Discovery

Today’s business environment generates vast amounts of data, which can be a burden during the course of an investigation, but also of critical value if the right data is discovered.

© 2012 Deloitte Global Services Limited

Agenda

• Definition
• What is Forensics in the context of data
• Defining the value of Forensic Technology
• Data sources
• Data analytics
• Computer Forensics scenarios
• Theft of IP Investigation
• Anton Piller Orders
• Email & smartphone investigation
• Questions

What is Forensics in the context of data?

The process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable in any judicial or administrative hearing

Source: “What is Forensic Computing?”, Australian Institute of Criminology, Trends & Issues No. 118, June 1999.

Value of Forensic Data

• Workplace relations issues
• Theft of IP
• Misuse of IT resources
• Fraud & contract disputes
• Insolvency assistance

Deloitte Forensic © 2012 Deloitte Touche Tohmatsu

Value of Forensic Data?

• Forensic Collections
• Data Processing and Analysis
• Electronic Review…

Data size approximations…

• 1TB = pile of paper 50 kilometres high!
• 200GB = pile of paper 10,000m high (~ Mt Everest)
• 40GB = pile of paper 2,000m high
• DVD = pile of paper 235m high
• CD = pile of paper 33m high
• 2GB = pile of paper 100m high (~ Statue of Liberty)
• 20MB = pile of paper 1m high
• 1MB = 1 ream of paper = 50mm high

Data Sources

• Servers
• Backup tapes
• Databases
• Laptops
• Desktops

Why Forensics?

The Value of Forensic technology and key assumptions arising from this relationship

• The examination results will be tendered in evidence
• The forensic methodology and technology will be tested
• The computer forensic examiner’s credibility will be challenged
• The computer is potentially a crime scene

• Majority of documents and records now stored in electronic form
• No investigation/litigation can be complete without the examination of all evidence
• Computers record many actions … without the knowledge of the user
• Allows recovery of deleted and hidden documents
• Provides evidence which is accepted in court

Data Analysis

is about… knowledge discovery in data

[Figure: data visualisation, powered by Viscovery™, with the following callouts]

• 2 different types of fraud are observed. One has an existing claims history, the other is new.
• Frequency of a particular identifier being observed. These are both seen to be (partially) related to both types of fraud.
• This drivers licence has been seen in many other places throughout the book.
• This claims amount velocity measure (one of hundreds employed at some phase) doesn’t show much relationship with fraud.
• However this other claims amount velocity measure shows a positive correlation with one type of fraud.
• This different claims amount velocity measure shows a positive correlation of a different sort.

Processing & Analysis

Process and analyse TBs of data

• Pre-culling (de-NIST)
• Optical character recognition
• Decryption
• Deleted data recovery
• Advanced keyword searching
• Date range filtering
• Deduplication
• Data Visualisation

Industry leading data processing technology

• Pre-processing analysis to understand data volumes
• Understanding your data reduction efficiencies to refine further and scope the required review effort

Scenario 1: Theft of IP Investigation

An organisation has lost a senior employee to a competitor, and suspects the person has taken confidential business information upon leaving.

Forensic Activities

1. Recovering email (corporate/webmail) correspondence from multiple available sources
2. Searching email for unauthorised distribution of sensitive data
3. Review of USB devices and external storage

Results

• Confirmation that sensitive files have been emailed to a ‘home’ account
• Identification of additional parties involved in the disclosure (further proceedings)
• Corroboration of computer forensic evidence found at other sources
• Confirmation of the possible presence of evidence held by the person (Anton Piller)

Scenario 2: Anton Piller Orders

It is believed that evidence is present at the home and office of a person, and lawyers are seeking an Anton Piller court order allowing them to secure this evidence.

Forensic Activities

1. Preliminary forensic analysis to support Anton Piller applications
2. Provision of correct and effective technical wording for Anton Piller orders
3. Computer forensic practitioners and equipment for execution of Anton Piller orders
4. Further analysis and expert reports for further applications or injunctions

Results

• Anton Piller orders successfully obtained from the court
• Forensic wording allowed “best form of evidence” to be collected
• Confirmed the evidence was present at the locations being searched
• Client’s case significantly strengthened by the technical evidence collected
• Successful injunction obtained for destruction of stolen information

Scenario 3: Email & smartphone Investigation

An organisation has lost a senior employee to a competitor, and suspects the person has taken confidential business information upon leaving.

Forensic Activities

1. Recovering email correspondence from multiple available sources
2. Searching email & smartphone for unauthorised distribution of sensitive data
3. Reviewing conversations to identify the context of communications

Results

• Confirmation that sensitive files have been emailed to a ‘home’ account
• Identification of additional parties involved in the disclosure
• Corroboration of computer forensic evidence found at other sources
• Confirmation of the possible presence of evidence held by the person


Conclusion

Today’s business environment generates vast amounts of data, which can be a burden during the course of an investigation, but also of critical value if the right data is discovered.

General information only

This presentation contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing’s affiliates (collectively the “Deloitte Network”) are, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

Confidential

This document and the information contained in it is confidential and should not be used or disclosed in any way without our prior consent.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte’s approximately 170,000 professionals are committed to becoming the standard of excellence.

About Deloitte Australia

In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory services through approximately 5,700 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. For more information, please visit our web site at www.deloitte.com.au. Liability limited by a scheme approved under Professional Standards Legislation.

Member of Deloitte Touche Tohmatsu Limited © 2012 Deloitte Touche Tohmatsu