Forensic IT: Chartered Institute of Management Accountants (CIMA)
IS YOUR FIRM A RISK? Enhancing the usefulness of Investigations with Computer Forensics
August 2014
Michael Khoury
Forensic IT Page 2
Clear Wealth Pty Ltd v Kwong (No 2) [2012] NSWSC 1233
“Whilst I accept that Mr Kwong wanted to delete personal files of his own from the Clear Wealth Computer, I am unable to accept that Mr Kwong removed the Clear Wealth client lists because they were obsolete and accidentally loaded client lists on to his USB drive and then loaded them onto his home computer and/or external hard drives. I find, on the balance of probabilities, that he loaded the client lists with the intent of assisting his new business to gain clients.”
Justice Rein, Supreme Court of NSW
What is Forensic IT
Forensic IT is the identification, acquisition, preservation and investigation of data held on electronic media.
We do this while ensuring:
The data we acquire is complete and valid.
The evidence we examine is not modified or damaged by the process.
The processes we undertake are ‘best practice’.
The conclusions that we reach are supported by the evidence.
All of our actions are conducted with the intention that the data may need to be presented to a court as evidence. Correct preservation is the key!
Forensic IT
When is Forensic IT used?
Departing employees - Theft of Intellectual Property
Proving / disproving the existence of certain documents, their author, time of creation and last modified etc.
Unfair dismissal, bullying or discrimination cases.
Inappropriate internet usage.
Employee and executive fraud.
By the police in criminal investigations.
By ASIC when investigating corporate wrongdoing.
To create a repository for both hard copy and electronic documents that can be searched or filtered using key terms.
Forensic backup of company documents for receivers, administrators and liquidators.
What we can look for – computers and Servers
Time and date analysis.
Evidence of USB drive activity.
Link File Analysis – When, Where, How.
Deleted files and folders – USN Journals.
Deleted email messages.
Whether software capable of permanent deletion has been used.
Listing of websites visited by employee.
Historical searches performed by employee – Google history
Evidence of file copying.
Historical images stored on Photocopiers.
Evidence of printing activity - hidden spool files and document metadata; and
Evidence of malicious activity through remote access or malware.
Malicious Destruction of Evidence
- Digital footprints – A path of destruction!
- Remnant artefacts
- Court perception is never a good one
Moody Kiddell Partners v David Brooke
- Former Police officer turned financial broker
- Allegations of theft of IP
- Court ordered discovery obligations
- Destruction of evidence, concealment, non-corroborative excuses = CONTEMPT!!
Moody Kiddell & Partners Pty Ltd v Arkell [2013] FCA 1066
Judge Jane Jagot – Federal Court of Australia – Oct 2013
Order sought for defence to be struck out as an abuse of process
FACTS
“I do not accept his evidence that he did not know that the file shredding software erased information from the hard drives so it could not be recovered by forensic computer analysis. The Google search he did about Guttman 35 shredding compared to Department of defence shredding indicates he knew very well that if he deleted an email and then deleted it from his computer’s trash folder it would very likely still be able to be recovered”
“Other retrieved Google searches from this computer include “what happens if you don’t comply with a Federal court order” on 1 April 2012.”
Moody Kiddell & Partners Pty Ltd v Arkell [2013] FCA 1066
DECISION
“I do not accept that he carried out this action only to delete pornography. I infer that he also did so to ensure that documents he did not wish to discover were permanently erased.”
“The circumstances are exceptional and the draconian remedy of strike out is necessary to ameliorate that prejudice and ensure a fair hearing for both parties is possible.”
People still make careless mistakes
Despite continued news stories and coverage of forensic IT practices, we still see people:
Committing acts of fraud via company systems
Downloading client lists & other confidential information on their way out the door
Sending emails and texts that they shouldn’t
Thinking that using a Hotmail or Gmail account makes them untraceable
Thinking that once they hit the delete button their message / text is irrecoverable
Sending instant messages via Skype, MSN Messenger etc
Thinking that damaging the hardware makes the data irrecoverable.
What’s on my smartphone, e.g. iPhone?
Call activity including deleted.
Phonebook directory information including deleted.
Stored voicemails and text messages.
Photos and videos (with GPS data if available).
Deleted emails, text messages and instant chats etc.
Hidden screenshots – the magic ‘home’ button.
Applications.
Websites visited.
WiFi connections made.
Passwords.
GPS co-ordinates – (to within 10 metres).
Current Issues in Forensic IT
Evidence is being increasingly challenged (e.g. Baden-Clay phone)
Virtual Machines
Cloud-based and remotely accessible data
Skydrive, Dropbox, iCloud, Google Drive
Content duplication (web browsers)
Data encryption
IP Obfuscation (Blind Routers, Tor service)
Rapid smart phone technology development
Software as a Service (SaaS) applications
Increase in data storage sizes
Challenging hardware (Tablets, SSDs, etc)
False positives - Baden-Clay committal evidence
The court hears evidence from a forensic electronics analyst responsible for downloading the ‘power log’ from Mr Baden-Clay’s mobile phone. Neil Robertson, from the Queensland Police Service’s Electronic Evidence Examinations unit, says the accused connected his iPhone to a charger hours after he claimed to have gone to bed on the night Allison disappeared. He admits an initial analysis, which found Mr Baden-Clay had made a “Face Time” call about 12.30am on 20th April 2012, was incorrect. “There was a false positive in the tests,” Mr Robertson says.
What can we do with the data collected?
Provide a forensically sound image – we work on a copy.
Quickly determine if electronic evidence of wrongdoing exists.
Clear any innocent parties promptly.
Conduct forensic investigations.
Articulate findings in plain English.
Make documents and emails accessible – we know that you need to be able to look at documents directly.
We have the capacity to load data to review platforms (such as Clearwell), and to search and filter data for export directly to Ringtail.
How can Forensic IT help?
Preserve now, analyse later:
Relatively inexpensive – imaging can be on a price per computer / phone or server basis.
For law firms: by doing so, you provide your client with a choice on whether to litigate at a later date.
Know quickly – Preliminary assessment:
Does clear and obvious evidence of wrongdoing exist?
Validate the findings of opposing expert witnesses:
Ensure false positives, such as the “Face Time” call in the Baden-Clay case, are discovered.
Evidence gathered without regard to forensic procedures may in many cases be struck out.
Want a second opinion? Talk to us about providing a review of a case in progress.
Questions?
Justin Geri Senior Manager
Level 29, 600 Bourke Street Melbourne VIC 3000 T +61 3 9604 5142 E justin.geri@fh.com.au
Michael Khoury Partner
Level 13, Grosvenor Place 225 George Street Sydney NSW 2000 T +61 2 9286 9864 E michael.khoury@fh.com.au
Peter Chapman Consultant
Level 13, Grosvenor Place 225 George Street Sydney NSW 2000 T +61 2 9286 9933 E peter.chapman@fh.com.au
Jean Pierre Du Plesis Director
Level 6, 81 Flinders Street Adelaide SA 5000 P +61 8 8100 7696 E Jean-Pierre.DuPlessis@fh.com.au
Sean Powell Director
Level 26, BankWest Tower 108 St George‘s Terrace Perth WA 6000 T +61 8 9214 1409 E Sean.Powell@fh.com.au
Matthew Ashby Director
Level 7, 145 Eagle Street Brisbane QLD 4000 T +61 7 3834 9297 E matthew.ashby@fh.com.au