CCL Digital Insight Issue 1


DIGITAL INSIGHT EDITION 1

IN THIS EDITION

> Technology & digital forensics
> Thoughts for the month
> Where’s my data? Sources of electronic information for investigations & litigation
> Big data: volume, variety & velocity
> The real CSI: computer forensics
> First response course
> About CCL

TECHNOLOGY & DIGITAL FORENSICS: THE PAST, THE PRESENT AND THE FUTURE by Rob Savage

Digital forensics is a constantly evolving field. The tools and techniques currently employed by CCL and other providers are almost unrecognisable to the way in which the industry operated just a decade ago. Digital forensics, perhaps more so than any other area of forensics, is under a constant pressure to evolve, with digital forensic practitioners attempting to hit a constantly moving target. Fingerprints have always been fingerprints and will continue to be fingerprints for the foreseeable future; mobile phones and their capabilities evolve on almost a weekly basis.

We now live in an environment where more and more of our day-to-day lives are integrated with technology. Technology is no longer just a means to communicate or to create something, it is becoming the fulcrum upon which our existence revolves, managing both our public and private lives through one or more devices. For the field of digital forensics this is both good and bad news. Users are storing more information digitally, meaning the potential to recover that key piece of evidence has never been greater. However, the huge consumer demand for technology is driving innovation at a blistering pace, making it harder and harder to keep up with the vast array of devices and applications entering the market.

Back in 2003 the majority of consumer computing was done on desktop PCs; a beige tower sat beside a beige CRT monitor, often as deep as they were wide. Laptops were fairly common at this time, only being used as described by those with strong thighs and heat-proof trousers. These devices existed as a ‘box of components’, meaning that anybody with a screwdriver could remove and replace any components they wished. There was very little connectivity between devices; the files on your PC remained solely on your PC unless you took the deliberate step to copy them to somewhere else.

Mobile phones at this point in time were much more simple. A 2003 mobile phone might have had a primitive camera and a fairly pixelated colour screen, but for the vast majority of consumers it was a device to handle calls and SMS. These were simpler times for digital forensics, with typical analysis involving taking a forensic copy of everything on the device. This was usually straightforward and the component-based design meant that storage media could be physically removed and accessed directly.

The consumer demand for smaller, faster, more energy efficient devices has meant that more devices now are ‘integrated’; meaning that storage media is often no longer removable. Consequently, the analysis of more and more devices now involves the use of the device itself, a process requiring greater skill and experience.

Continued on page 3…

01789 261200 | WWW.CCLGROUPLTD.COM | INFO@CCLGROUPLTD.COM


ROB SAVAGE
CIVIL E-DISCLOSURE & DIGITAL FORENSICS MANAGER

Rob is an e-disclosure specialist with a background in digital forensics and forensic data analytics, and leads CCL’s E-Disclosure Team whilst providing technical support to CCL’s account managers. Rob has broad experience in managing a variety of projects, ranging from multi-million pound litigation utilising off-shore LPO review teams, to small-scale responses to subject access requests. Rob works directly with law firms and corporates assisting them with their disclosure obligations under Part 31 of the Civil Procedure Rules. He also regularly delivers CPD seminars on various areas of e-disclosure and digital forensics.

ROB’S THOUGHTS FOR THE MONTH

It seems that more and more organisations are now looking toward cloud-based solutions to satisfy their IT requirements. When it was first suggested that cloud computing would be a ‘game changer’ it was widely dismissed. It was thought that organisations would bolt at the thought of their data being hosted elsewhere by an external party. While we are still some way off total centralisation of IT functions, we can see signs that CIOs and critically CFOs are warming to the idea. A good example is Office 365, which removes the need for an organisation to purchase, maintain, backup and administer the infrastructure. This offers a potentially huge cost saving, and we have seen the likes of ABB, Toyota, and Dell go down this route.

For us, this presents some new challenges: How do we go about preserving data from these sources? What happens if a user starts maliciously destroying data and we don’t have backup tapes to restore? None of the problems are insurmountable, but will require a more dynamic approach to digital forensic investigations and litigation support.

PETER COGGER
NEW BUSINESS MANAGER

Peter joined CCL in August 2013, as Consulting Business Manager, to grow and expand CCL’s consulting services across the UK corporate sector. Originally starting out as a specialist software engineer in the defence industry, Peter’s passion for new challenges led him into client focused roles and, ultimately, business development. Having previously grown a successful IT management consulting business, Peter was drawn to CCL by its impressive client list and previous track record. Peter’s role also includes growing CCL’s cyber security practice and its ISO27001 governance and compliance consultancy services.

PETER’S THOUGHTS FOR THE MONTH

Being involved in CCL’s cyber security practice, I can’t help but reflect upon the fine line drawn between the importance of civil liberty and personal privacy, and the need for security and protection of the state, society, employers and vulnerable individuals. The arguments on both sides can be equally compelling with the frontrunner often being determined by the degree of sensationalism and indignation attributed to topical events by the press. But whatever one’s own personal view, the need to protect information at an individual, corporate and state level will always be with us. In today’s world of digital information and communications, do we always know who has access to our personal or corporate data and for what purposes, and how valuable that information might be to someone else unknown?

We all fear our bank details falling into the wrong hands or our children being exposed to untoward internet predators; global companies need to protect their business investments from intellectual property theft and industrialised fraud, and governments need sophisticated surveillance to accurately identify those that would harm their country and citizens.

But, I am still surprised by how lightly some companies treat these issues. Having previously worked for a FTSE100 aero-engineering company and regularly being made aware of the cyber threats when travelling on business to the Far East, I have realised that every employee has an active part to play in protecting their employer’s corporate information, no matter how important or insignificant that data might be.

The information and apps contained on your mobile phone might give inadvertent access via other gateways to systems containing highly commercially sensitive information. And, at the end of the day, whether a security breach occurs by malice or by accident, or comes from within or externally, the potential loss to an organisation’s reputation and competitive advantage could be immeasurable. So, when talking about business, no matter where one sits in the debate about security versus liberty, all employees should be made aware of the importance of security and their individual responsibilities in assuring it. And that’s what I like about ISO27001! It provides a governance framework to ensure everyone understands the importance of their own actions and those of their colleagues in preserving an organisation’s security and ultimately protecting their jobs.

CONSULTING | DIGITAL FORENSICS | E-DISCLOSURE


…continued from page 1

Technology manufacturers are always looking for ways to weave their products and services into our daily lives. A means of doing this is to increase the connectivity between devices, allowing you to access everything from any device (some may even say ‘Everything Everywhere’). For digital forensics, this means that we may find the same information across multiple devices, we may find that not all devices need analysing or perhaps most frightening, when stored on the cloud, we may find ourselves in a situation where we are unable to secure the information to prevent loss or tampering.

SO WHAT ABOUT THE FUTURE?

I think we are going to continue to see greater integration of technology into our lives. In the last few months I have started to see adverts for heating systems that can be controlled via smartphones. There is more talk now than ever on the ‘internet of things’, with our fridges, washing machines, alarm clocks, etc. all interconnected and controllable from a single device. I can see the roles of smartphones becoming more pivotal, with our entire lives being funnelled through this single point.

That being said, going forward I do not believe that the smartphone will be the single point of failure it currently is. We are already seeing the trend in centralisation of information; take for example Spotify and Netflix. It is not a massive leap to imagine that, at some point, all of our data will be stored in the cloud, making our smartphones simply a method of accessing our ‘online profile’ allowing devices to become smaller and more ergonomic. This integration of technology also represents a potential bridging of the gap between personal and business data, which has already started to a degree, with the growth of the bring your own device (BYOD) phenomenon. This is something that commercial organisations will need to be aware of and ready for.

However, what we are currently lacking is the infrastructure to support a completely centralised set up. We now have 4G, offering a theoretical limit of 100MB/sec (in contrast to the current average home broadband speed of 15MB/sec); however, coverage is by no means ubiquitous. There is some speculation that ‘High Altitude Platforms’ could provide the basis for delivering greater coverage but this is still some way off.

Assuming technology develops as described above, this is going to present challenges for the world of digital forensics. If no data exists on end devices, and it is instead all stored in the cloud, what is there left to analyse? A possible route is that digital forensics will shift away from ‘retrospective analysis’ in favour of ‘proactive monitoring’. If anything, having all of your data stored in the cloud makes it more readily accessible to third parties. Failing that, there are some scarier predictions. In 2012 the ‘FAA Reauthorization Act’ was passed in the US, which some have stated will make it easier for agencies to deploy drones - drones that carry the potential to interrupt wireless communications and as a result, everything you do…

FOR MORE INFORMATION ON CCL’S DIGITAL FORENSICS AND INVESTIGATIONS SERVICES, PLEASE VISIT WWW.CCLGROUPLTD.COM. FOR MORE INSIGHTS ON TECHNOLOGY AND THE FUTURE OF DIGITAL FORENSICS, CHECK OUT OUR BLOG: WWW.CCLGROUPLTD.COM/BLOG

CASE STUDY: CORPORATE-WIDE INVESTIGATION

THE CASE: CCL was instructed by a multinational organisation to collect and analyse several mailboxes used by specific employees, who the company suspected were passing corporate data to competitors. The relevant individuals were mobile workers who used their company issued laptops to remotely access the corporate network on an ad hoc basis. The organisation’s enterprise wide email system only held the most recent email messages and it was thought that the laptops may still hold archived emails of relevance. The client’s key requirement was to collect the data in a covert fashion, in order to avoid false accusations and the reputational damage that these can cause. Therefore, any significant changes to the user’s computer system or its operation during collection could alert the user and thus hinder the investigation.

WHAT CCL DID: In order to provide the customer with some assurance that the investigation could indeed be conducted in a discreet and unobtrusive manner, CCL’s analysts initially created a simulation within a test laboratory network to demonstrate that the relevant data could be collected and analysed without alerting the user. This allayed the client’s concerns, and the investigation continued.

THE OUTCOME: CCL was able to identify and collect the relevant files remotely, via the corporate network whilst the users were logged in. The logical evidence files were then analysed, and emails within the relevant period containing keywords of interest were produced for the investigators to review. This approach meant that all the data required for the investigation was collected in a forensically sound manner, while ensuring that the users were not disturbed or alerted. The covert nature of this investigation also kept disruption to a minimum, allowing business to continue as usual.


WHERE’S MY DATA? SOURCES OF ELECTRONIC INFORMATION FOR INVESTIGATIONS AND LITIGATION by Rob Savage

THE CORPORATE NETWORK

Historically, all company information would have been stored on the corporate network. In more modern times we are seeing less and less information stored ‘in house’. This is down to two reasons: the first being the increased availability of cost-effective off-site storage, commonly referred to as ‘the cloud’, and secondly the increase in ‘remote working’, meaning that more employees are assigned laptops and mobile devices. That being said, we still see significant volumes of information stored on-site, and this is also where the more complex data sources tend to exist.

[Diagram: THE CORPORATE NETWORK – file servers, ERP, firewall & security logging systems, manufacturing systems, BI systems, desktops, timekeeping systems, backup/DR systems, email server, CRM]

RISKS:

Organisations should be aware of the volume of information that they hold. A recent exercise to scope the IT infrastructure at one of our clients revealed that they had over 100 IT systems running, each capable of creating and storing potentially relevant information. Most organisations do not fully understand the extent of the information they are holding. This is a risk, as it would be quite easy to miss information pivotal to an investigation or required for disclosure as part of litigation.

TIPS:

• Take steps to become ‘forensic’ and ‘litigation’ ready. By being proactive and mapping the data that you hold, you will be equipped to respond to any investigation or litigation quickly and cost-effectively.
• Understand your data retention and backup policies, ensure that these are sufficient and that processes are in place to prevent useful data being overwritten.

OUTSIDE THE CORPORATE NETWORK – THE CLOUD

More and more companies are outsourcing their IT infrastructure into cloud-based services. An example of this is Office 365, which removes the need for organisations to purchase and maintain IT hardware to run their email system. This can be a quick and cost-effective way of satisfying the organisation’s IT requirements.

[Diagram: THE CLOUD – videos, share, pictures, CRM data, documents, contacts, files, emails]

RISKS:

When dealing with a cloud-based environment it is important to appreciate that the data may not be under your control. Firstly, it is worth exploring exactly where your data is being held. If it is on non-EU based servers, there may be data protection and data privacy issues to be considered. Also, appreciate that it will not be possible to ‘turn off’ the device to ensure preservation. There is a risk that the data could be remotely accessed and tampered with.

TIPS:

• Have a response plan in place so that your IT team are able to respond to incidents quickly.
• It is important that information about who has access to what is readily available and that a procedure to revoke access is in place to allow immediate response should it be required.
• It can be difficult to acquire data from cloud storage in a forensic manner. However, there are tools and expertise available out there which can assist. Simply copying this information in the traditional way may not be sufficient.

OUTSIDE OF THE CORPORATE NETWORK – EMPLOYEE CONTROLLED DEVICES

The evolution of technology and connectivity has driven an increase in the number of users working remotely. While this may have cost and other benefits to employers, it is inevitable that organisations will have to sacrifice a degree of control over their information. There tends to be perceived privacy amongst employees when it comes to user-issued devices, such as laptops and mobile phones. As a result of this, these are often a very rich source of information.

[Diagram: EMPLOYEE CONTROLLED DEVICES – laptop, mobile phones, removable media, sat nav, mobile devices]

RISKS:

Assigning devices to users is often a necessary step in order for them to do their jobs effectively. However, any such allocation should be accompanied by a robust IT policy, making it clear that any data stored on the device is the property of the employer. Giving users control of devices does make a covert investigation more challenging, as it may not be possible to gain access to the devices without the knowledge of the employee.

TIPS:

• A remote forensics tool will allow an organisation to collect and analyse data from their devices, even if they are not located in the building.
• Investment in a remote forensics tool can often be worthwhile, especially for high risk industries and job functions.


BIG DATA: VOLUME, VARIETY AND VELOCITY by Umar Yasin

Big data and information governance. All those terabytes and petabytes within the average corporate IT environment. The explosion in the volume of electronic data that is being created and the much-vaunted three V’s of big data: volume, variety and velocity. What does this mean for information governance and investigating and disclosing your electronically stored information, whether the disclosure is in response to litigation or a regulatory investigation?

Let’s take an average-sized business and its information technology and electronic data landscape as a typical example. With 2,000 employees, we’d expect at least 10 terabytes of emails floating around this business. There is likely to be some sort of file share system, totalling around three terabytes. Apart from this 13 terabytes of electronic information, most businesses will also have backup tapes in circulation, so, as a conservative average, there are likely to be a further 80 terabytes at least, stored on backup tapes. Aside from the above, even if just 1,500 employees from the 2,000 have work-issued laptops or desktops, and these devices are being utilised at around 35%, this would mean a further 60 terabytes of electronic data. Throw into the mix the fact that 500 of the most senior employees would also have a work-issued phone, and with smartphones being much more like computers these days, whether the latest BlackBerry or iPhone, these would hold an additional 10 terabytes of information.

As you can see from the above example, even within an average-sized business with moderate IT usage, there are around 160 terabytes of electronic information. If we consider cloud storage and cloud-based file shares and email systems, and also throw BYOD and removable media into the mix, then it is clear that businesses are creating and storing electronic information at an astonishing rate.

All this means that corporates and other organisations, particularly those that operate in regulated sectors or are listed companies, are now becoming increasingly aware of the benefits of, and the need for, effective information governance. These corporates need to have effective and efficient information governance procedures, so that they can quickly and easily find and interrogate their electronic information, when needed. Throughout 2013 we saw a number of high-profile incidents of data loss during investigations, by corporates and even by regulators (e.g. the embarrassing episode with the SFO). This highlights both the need for robust information governance procedures and the way that information governance is actually a direct reflection of the standard of corporate governance within a business.

Whether due to a mix of regulation and legislation, corporates, as well as local authorities/statutory bodies and charities etc., have always had the need to preserve certain information. Now, whether in response to a piece of litigation or an internal/regulatory investigation, the way in which the relevant information is collected, reviewed and produced, has also become a crucial consideration. Having good information governance in place from the outset provides the best environment from which to efficiently and effectively disclose documents. Even for run-of-the-mill subject access requests, let alone large-scale disclosure exercises during litigation, an internal investigation or in response to a regulatory request, effective information governance can make all the difference. Spiralling costs during disclosure exercises are much more likely when data is unstructured or, even worse, when the IT landscape is obscure, fragmented and confusing, even to the apparently omniscient IT director.

We will be exploring information governance in further detail across upcoming editions of Digital Insight. We will shed some light on the essential elements of good information governance, for all businesses or organisations, regardless of size or sector. We will also be delving deeper into the interplay between information governance and litigation and/or forensic readiness, as well as looking at certain sector or issue specific scenarios, from looking at an internal investigation, regulatory investigation/request and disclosure during litigation, as well as the implications for listed companies.

CASE STUDY: IP THEFT

THE CASE: The sales manager of a large IT company handed in his notice claiming that he was going to set up his own business in direct competition with his current employer. He took three months gardening leave as per the terms of his contract. Several months later, the company became aware of a gradual fall in revenues. Further analysis revealed that an increasing amount of business was lost to their former sales manager’s new company. The risk manager, who had experience of digital forensic examinations, prevented the IT department from examining the suspect’s laptop. This is because any attempt to investigate the device, by an individual who is not a qualified digital forensic examiner, can potentially destroy vital evidence. Even the act of turning on a laptop can compromise the data contained within it, and contaminate the ‘digital trail’ which can prove vital.

WHAT CCL DID: The risk manager contacted CCL, and was given advice on the best way to handle the device. A security-cleared driver from CCL was dispatched to collect the laptop, which was immediately placed in a sealed evidence bag to begin the process of maintaining the integrity of the evidence. CCL took a forensic image of the laptop, which allows the analyst to work on an exact copy of the original device without it having to be switched on. The forensic image contains data about installed programs, live and deleted files, internal log files, registry entries – in short, there is the potential to recover records of almost any activity that took place on the device.

THE OUTCOME: CCL’s analyst was able to determine that approximately 30 minutes before the former employee resigned, he copied tens of thousands of records from the CRM system onto a memory stick.


THE REAL CSI: COMPUTER FORENSICS by Sarah Turner

The Lieutenant stands on the docks, shades on, looking out to sea as the gang of drug dealers make their escape on a stolen luxury yacht, while their latest victim lies motionless on the ground at his feet.

With the sun setting behind him, the Lieutenant - hands on hips, oozing effortless cool, looks down at the victim, who with his last breath manages to whisper an address in downtown Miami.

Within minutes a team of police cars screech to a halt outside the property in a flurry of smoke and sirens, and bash down the door. A number of computers have been left in the property. One of the crime scene investigators goes over and turns them on, then starts searching through email accounts and instant messages to see if there is any intelligence on the gang’s next move…

We missed them by a few minutes. They won’t get far…

While this scenario has all the drama and excitement of a Hollywood blockbuster, the investigator is making a crucial mistake that, in the real world, could jeopardise the case before it has even begun.

SO WHAT WOULD CCL DO DIFFERENTLY?

The first mistake was switching the machine on – this in itself can alter the data that is stored on the device, including any data which may support the case, and so could ruin the chances of a potential prosecution.

In order for any evidence found on the computers to stand up in court, the first step is to take a forensic image of each of the computer hard-drives. It is those images that are then examined, rather than the content of the machines themselves. This ensures that evidential continuity is maintained and any information or crucial evidence that may be on the computer is not altered or affected by the forensic examination, and so will stand up to court scrutiny.

Also, while emails are a useful source of intelligence and potentially incriminating data – there are a lot of other avenues for investigation on a computer that non digital forensics specialists may not consider. These include: Skype messages, internet history, social media activity, chat messages and deleted content. We have worked on cases where all of these sources have provided evidence that supported a case.

Computer evidence can be equally relevant to a range of corporate issues, such as data theft, breach of policies or internal sabotage. While in some cases it may be easy to find incriminating data on a computer, the processes and methodology that define the way this evidence is obtained, and ensure its integrity, are crucial. Although less cool than the Hollywood depiction, these can mean the difference between a successful case and an unsuccessful one.

FOR MORE INFORMATION ON COMPUTER FORENSICS, OR ANY OF CCL’S PRODUCTS OR SERVICES, CALL US ON 01789 261200, EMAIL INFO@CCLGROUPLTD.COM OR VISIT WWW.CCLGROUPLTD.COM


ABOUT CCL

CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it. In 2001, we set up our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one accredited to the ISO17025 standard for our computer, mobile phone and Sat Nav laboratories. We provide digital forensics and investigation services to a broad range of organisations, ranging from corporate clients, civil and criminal law firms, to law enforcement agencies.

THE NUMBERS

CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed:

• 220+ e-disclosure cases
• 4,250+ digital forensic (PC) cases
• 55,000+ mobile phone cases
• 2,200+ consultancy engagements
• 750+ civil and criminal cases
• 475+ expert witness assignments

CCL has been in the e-disclosure market since 2009 and to date, has completed over 220 e-disclosure cases.

OUR SERVICES

• E-Disclosure services
• Digital forensics & investigations
  - All operating systems
  - Smartphones/mobile phones
  - Tablets
  - Sat Nav analysis
  - Cell site analysis
  - CCTV analysis
• Data collections
• Search and seizure orders
  - Remote forensics
• Expert witness services

FOR MORE INFORMATION:

Call us on 01789 261200, email info@cclgroupltd.com or visit www.cclgroupltd.com

CCL’S ONE-DAY FIRST RESPONSE COURSE

EMC revealed in a recent survey that 29% of organisations reported data loss in 2013.* How can you make sure you don’t become one of them in 2014?

Data breaches and IP theft are just some of the reasons your company may need a forensic response. Other issues include: computer misuse, bullying and harassment, internal sabotage, breach of policies and employee productivity.

CCL’s First Response course covers what key personnel need to know: how digital forensics can help you, what it can be used for, and the steps to follow.

Course agenda includes:

• What is digital forensics?
• Why might I need a forensic response?
• Where data can be retrieved from
• Case studies and examples
• Handling digital evidence
• Forensic readiness
• Forensic requirements, warning signs and how to respond
• Minimising impact and disruption

COURSES ARE HELD AT CCL’S OFFICES IN STRATFORD-UPON-AVON AT A COST OF £300 + VAT PER DELEGATE. PLEASE CALL US ON 01789 261200 OR EMAIL TRAINING@CCLGROUPLTD.COM

*EMC IT Trust Curve 2013 Global Study

COMING UP NEXT MONTH:

> Using social media tools in a corporate environment
> Cyber security - are you secure?
> IT department transformation
