DIGITAL INSIGHT EDITION 2
IN THIS EDITION
> Social media investigation tools
> Thoughts for the month
> IT department transformation
> Cyber security – what are you doing about it?
> The real CSI
> First response course
> About CCL

SOCIAL MEDIA INVESTIGATION TOOLS
by Rob Savage

It will come as no surprise to anyone that social media plays a central role in the world we live in today. For something that ten years ago was virtually unheard of, social media has grown almost exponentially, to the point that almost two thirds of the UK population are regular users of Facebook. This is, as you would expect, not evenly distributed across all age ranges. Unsurprisingly, there are proportionally more 16-20 year old users, with 95% reporting that they regularly use Facebook, and 74% of 21-24 year olds. Although the growth in use of social media appears to be levelling off, it is nonetheless still growing year on year. What is intriguing is that the fastest growing demographic is the 55-64 year olds, perhaps suggesting a broadening of appeal.

Police forces, intelligence agencies, investigators and private detectives have for some time been using social media for intelligence. The first case of this that I came across was back in 2007; a friend of mine was working in HR for a travel agency and was tasked with proving employee misconduct. There were suspicions that this employee, who was on long term sick, was perfectly able to work and, in fact, was on holiday himself. It did not take much effort to locate his page on Facebook and discover a trove of holiday photos (one even showed him on a jet-ski). This was back in 2007 when the number of global Facebook users was a fraction of what it is today.

The more social media integrates into our lives, the more information (intentionally or unintentionally) we publish online about ourselves. Users are increasingly using mobile devices to access these platforms and many users are also uploading their location. Over the last five years there has been increasing public awareness of the risks of publishing information about yourself online; however, we still see that about 25% of social media users make no attempt to apply privacy settings to their profile. The 75% that do quite often get it wrong. In addition, there are those platforms where the whole point is to publish to everyone. I have lost count of the number of cases where a user has posted something on Twitter that has had far-reaching consequences.

I am sure that most people are familiar with the high-profile news stories about people who have caused a stir using social media; examples such as Paul Chambers, who in 2010 was convicted for sending what he thought would be a humorous threat to Robin Hood Airport, and the numerous examples of teenage parties that have gone ‘viral’ and spiralled out of control.

During my career, requests from clients for us to investigate social media have been few and far between. However, in the last six months we have begun to see a shift in this trend which has motivated us to invest in technology that will allow us to undertake these investigations securely and defensibly.

Continued on page 6...

01789 261200 | WWW.CCLGROUPLTD.COM | INFO@CCLGROUPLTD.COM
JON BLOWS
GROUP OPERATIONS DIRECTOR

As Group Operations Director at CCL, Jon’s role covers the management of all the laboratory functions in the forensics and e-disclosure divisions of the business, together with all the administrative departments across the group. Jon also leads the account management strategy across law enforcement, supported by the internal and external customer teams. R&D is central to CCL’s philosophy and Jon has brought this team into a close liaison with sales and operational teams to transform CCL’s offerings and operational practices.

Jon has extensive experience in operations and finance, based across the whole of Europe. Jon has worked at CCL for over two years and is currently implementing a new business system and a programme of transformational technologies to offer to CCL’s client base.

JON’S THOUGHTS FOR THE MONTH

Every day we see a news story with a social media element. Social media gives a wealth of information about current day events in all contexts, with over 70% of social media being geo-tagged. However, a simple look at Twitter or Facebook tells you that finding what is interesting or relevant is an extremely difficult task. Being able to narrow down the data by keywords, user profile, themes, geographic areas etc. is essential, or you will be overloaded with data. The cases behind these stories clearly require technical tools to tackle them.

Having scoured the globe we have found two key technologies to tackle this area. Signal is a New Zealand based social media monitoring solution which permits the user to refine a search on multiple social media formats to look for items of interest in a specific geographic area. The tool filters the mass of data down by general themes, to keywords, local areas or individuals, giving clear insight into what is being said about a story or item in a geographic area. CCL provides this tool as a solution or as a service.

X1 works in all social media formats and webmail, and provides many of Signal’s features, but is primarily used in after event analysis, filtering and searching. However, X1 is a forensic level tool providing a forensic standard insight into the information found. It is unique in the marketplace.

These technologies were at the core of a change in thinking about transforming the technology used to tackle modern day crimes. With data growing at such a phenomenal rate, and new devices and applications hitting the market daily or hourly, traditional forensic tools had to be transformed to whole investigation solutions. Putting together some of CCL’s tools, creating new technologies in mobile, cell site, sat nav and PC disciplines, together with best of breed review platforms and early case assessment solutions, means that handling these issues and tackling crime faster and more effectively, is a reality and not just a pipe dream.
UMAR YASIN
COUNSEL

Umar works with our legal and corporate clients across a range of matters, whether litigation or an internal investigation. Umar also works directly with our corporate clients on matters ranging from dawn raids to internal fraud or employee investigations, as well as helping CCL’s corporate clients to use our services and solutions for risk and compliance purposes, from processing subject access requests to improving information governance.

Umar was Called to the Bar by Lincoln’s Inn in March 2008, and then spent over four years at Thomson Reuters Legal. Umar has worked on a number of challenging cases at CCL; recent cases have involved a cross-jurisdictional dispute worth over £110 million, assisting a blue-chip client with a complex cross-border internal investigation and a breach of warranty dispute worth £35 million.

UMAR’S THOUGHTS FOR THE MONTH

Now, more than ever before, there seems to be a certain convergence of different drivers and factors that influence information governance across a business. Take traditional drivers such as litigation or subject access requests, relatively recent drivers such as cyber security concerns or factors such as the move towards cloud-based IT solutions, and the prevalence of social media usage and BYOD within the workplace. What all this means is that corporate and public organisations of all sizes are becoming increasingly cognisant about the need for effective information governance.

No longer is information governance seen as an issue just for the IT or Compliance team within a business; all organisations, regardless of size or sector, are now recognising that information governance is actually a critical business issue. Every single organisation needs to have an effective and efficient way of dealing with such issues. Throw into the mix the ever-increasing array of electronic devices and sources of electronic data within an average IT landscape, and it is hardly surprising that we at CCL have seen a huge increase in the number of enquiries coming to us directly from organisations rather than law firms. This is a trend that will not abate, so we hope that Digital Insight helps keep you informed of relevant developments over the coming months and editions.

CONSULTING | DIGITAL FORENSICS | E-DISCLOSURE
HELPING IT DIRECTORS TO HELP THEMSELVES: IT DEPARTMENT TRANSFORMATION
by Peter Cogger

The role of the IT department is rapidly changing, with the end of the global recession hopefully(!) in sight. Historically the bastion of back-office services such as network operations, computer management, data storage and email administration, and once the company ridicule for delayed projects and poor service, the strategic and competitive advantages to the business of ‘good’ IT are being increasingly recognised at executive board level. Traditionally reserved IT departments and their staff are gradually being prised away from their electronic security blankets and encouraged to engage more proactively with the business users in order to understand and better deliver their needs.

For many IT departments, moving from a largely back-office role to being an enabler of business growth and change requires a complete review of the current role and function of IT – e.g. organisational structure, personnel and skills, processes, systems and network infrastructure, and resources – as well as a review of the ways in which those services are delivered and maintained.

IT is often regarded as a thankless task. But IT can help itself by ring-fencing the routine and spending more time forging closer ties with the business, in order to understand the likely future demands on IT, and transforming itself to better meet them. And whilst IT cost effectiveness remains a priority, MDs and CFOs are beginning to look to IT to help gain a competitive edge by changing the mix of expenditure away from maintenance and into new IT investments. This can often translate to painful, but essential, change in the way IT is sourced, organised, and operated.

Getting there is not easy, but such complex change must be managed in a deliberate and multidimensional manner. Having a clear and straightforward IT strategy is essential, as is an IT transformation plan. No one answer or approach suits all and it is equally important to have the business, managerial and personnel skills as well as IT skills to effect the necessary changes.

CCL recommends that change must start with the CFO and CIO, and their managers, engaging in collaborative discussions concurrently across the business and with the IT team. And, as the impact of the change will be experienced by almost everyone, setting expectations and getting as many people as possible bought into the strategy at the outset is essential. An IT transformation will be tough, but it will go smoother and will be better understood and accepted when leadership has won hearts and minds.

FOR MORE INFORMATION ON CCL’S IT DEPARTMENT TRANSFORMATION SERVICES, PLEASE CALL US ON 01789 261200, EMAIL INFO@CCLGROUPLTD.COM OR VISIT WWW.CCLGROUPLTD.COM

CASE STUDY
INTERNET MISUSE

THE CASE: A number of employees within the IT department of an SME were under suspicion following a decline in productivity. Due to the relatively small size of the company, there was no web monitoring or filtering technology installed. Managers suspected that they were wasting time by visiting social networking and internet auction sites during working hours.

WHAT CCL DID: CCL was called in to investigate the computers of the three suspects, paying particular attention to internet history and chat logs. CCL found that the employees had been using both online auction sites and their own websites to sell not only personal items but also goods belonging to the company, such as used laptops, electrical cables and CDs. This evidence backed up the testimony of witnesses within the department and gave the company everything it needed to suspend the employees pending a further enquiry. The management asked CCL to investigate all other computers within the department to determine exactly which members of staff took part in – or helped to cover up – the misuse.

THE OUTCOME: The three original suspects were eventually permanently dismissed, with one junior member of staff receiving a warning for failing to inform management of the situation.
CYBER SECURITY – WHAT ARE YOU DOING ABOUT IT?
by Peter Cogger

In July 2013, GCHQ and MI5 backed a letter sent by the Department of Business, Innovation and Skills (BIS) to the UK’s FTSE Top 350 companies, advising them not to underestimate nor be complacent about the commercial threats to their business arising from an IT security breach.

Since then we have seen numerous press articles highlighting cyber security incidents at high street banks, loss of public records and personal data held by government agencies, and attempts of IP theft at many leading UK research companies.

The impact of cybercrime is not only financial; it can cause brand damage; loss of key customers; loss of competitive advantage and market share; black listing by payment service providers; reduction in shareholder value; and expensive lawsuits and large fines from regulatory bodies for non-compliance. Many companies are still only just waking up to the real impact of cybercrime on their business, and CCL has recently witnessed a surge in demand for its PCI/DSS compliance, cyber security review and incident response and management services.

But if you think all attacks are external and that your organisation is secure, then think again... Today, many security incidents are as likely to originate from within a company as they are externally. Office and white-collar cybercrime is replacing blue-collar and shop floor misdemeanors, but the losses can be in the millions of pounds rather than the hundreds and thousands. Fighting external hackers is a constant war, but it is relatively straightforward to protect your information management systems and vital data from external cyber-attacks. But, it is often harder to safeguard them from people within your firewalls, who already have authorised (or even unknown) access to your data. More worryingly, many such incidents go unnoticed by management or IT until an incident is unearthed for some other reason.

Before we become paranoid about the intent of our staff or external managed service providers, we should state that many internal security breaches happen inadvertently, because of poor internal security governance, systems and processes. No matter what the reason though, do you know who is accessing your IP, confidential communications and valuable client information, and for what reason?

CCL supports the Department of Business, Innovation and Skills (BIS) initiative and recommends all companies undertake, as a minimum, a review of their information security management systems against the requirements of ISO27001 to identify any shortcomings in their IT security arrangements. A competent cyber security specialist will review your security infrastructure and current level of protection against all potential threats to your data. As a minimum it should cover user access, systems and BYOD security policies and procedures, organisational structure and people, responsibilities and authorities, business processes and IT technologies, and internal and external supply chain interfaces. Once complete, you will then have a complete picture of what needs to be done to plug the gaps in your security policy and take the necessary remedial action to protect your business from fraud, loss of IP and fines for non-compliance.

SOME OF THE CASES RECENTLY UNCOVERED BY CCL INCLUDE:
• Loss of investment and IP to a competitor through unrestricted access and copying of market leading software designs and source code by a disgruntled employee
• Irreparable supply chain damage caused by an employee electronically copying vital supplier information and passing it to a competitor
• Unknown ‘backdoor’ access by an ex-employee into the company’s complete online MS Sharepoint document library
• Employee copying of market leading leisure company’s complete CRM database to take to a rival organisation
• Access to all emails of the members of the company’s board of directors by an employee of an external IT service provider
• Unauthorised access by a small group of employees to an organisation’s payroll information

TIPS:
> Try to ensure you have adequate protection and policies in place
> Improve your organisation’s ability to respond to threats quickly
> Identify potential areas of weakness in your security infrastructure and look to address them before an incident occurs
> It is important that information about who has access to what is readily available and that a procedure to revoke access is in place to allow immediate response should it be required
> You should be aware of the volume of information that you hold as an organisation

FOR MORE INFORMATION OR ADVICE ON CYBER SECURITY AND HOW YOU CAN PROTECT YOUR DATA, CALL US ON 01789 261200, EMAIL INFO@CCLGROUPLTD.COM OR VISIT WWW.CCLGROUPLTD.COM
SOCIAL MEDIA INVESTIGATION TOOLS
… continued from page 1
by Rob Savage

We have begun to see more cases arising from companies in relation to employee misconduct; the previous case with the travel agency being a prime example of that, as well as cases where an employer is seeking intelligence on what an employee has been doing outside of work. We are also seeing cases where an employer is seeking to establish what relationships exist between employees, whether that is to substantiate claims of bullying/harassment or whether favouritism has occurred.

Use of social media is not simply restricted to current employees; many employers use open source investigation to help screen potential candidates, making sure that they are not misrepresenting themselves or likely to bring the company into disrepute. Investigations do not just focus on what employees are saying, but also what competitors are saying. We have also been asked to help preserve posts on social media that may be considered libellous.

The nature of social media is that it is often publicly available, meaning that in theory anyone can log in and do their own investigation. The power of the tools we have invested in lies in their ability to aggregate, search and defensibly preserve this information in a way that the average user cannot.

As an example, there was a recent news story about an incident that took place at a location in London. We were not engaged in the investigation, but using just publicly available data we decided to see how much we could discover. All our analyst had to go on was the rough location of the property and the nature of the event. By searching for all Facebook posts and Tweets being sent from a five mile radius around the location, and by searching for keywords across the social networks, we were able to establish a lot of information. We were able to discover the exact address of the property, the owner’s name, names of family members and a list of his friends. We were able to establish his political attitudes and where he worked. We were even able to establish his girlfriend’s name and where she worked. None of this had any relevance to the incident but demonstrated the potential to harvest detailed information from a very vague starting point.

FOR MORE INFORMATION ON SOCIAL MEDIA INVESTIGATIONS, OR ANY OF CCL’S PRODUCTS AND SERVICES, CALL US ON 01789 261200, EMAIL INFO@CCLGROUPLTD.COM OR VISIT WWW.CCLGROUPLTD.COM

CASE STUDY
IP THEFT

THE CASE: A large recruitment agency became suspicious that their database of customer details had been stolen by a recently departed employee. A number of their customers had got in touch to explain that they had been contacted by their previous account manager to say that she had left and that their account had moved to a new company. This recruitment agency contacted CCL to determine if it could be shown that this former employee had stolen their intellectual property, which in this case was their customer database.

WHAT CCL DID: CCL analysed the former employee’s computer to look for evidence that the database had been downloaded onto removable media or mailed out.

THE OUTCOME: CCL found that one hour before the employee handed in her notice, the customer accounts database had been downloaded onto a thumb drive. Using this information, the recruitment company, with their legal team, placed an injunction on this employee, preventing her from contacting any more clients and are considering instigating criminal proceedings.
THE REAL CSI: MOBILE PHONE FORENSICS
by Sarah Turner

PICTURE THE SCENE: 4am in a sleepy West Miami suburb. The peace is suddenly broken by a well-dressed man sprinting through the streets. Sweating profusely, he dodges past dustbins and vaults over picket fences. Three Detectives are hot on his heels.

“Give it up, Diaz! We know all about the money laundering!” shouts one of the Detectives.

Diaz turns his head as he continues to make his escape: “Prove it! You haven’t got anything on me. There’s no evidence…”

CRASH! He hurtles into some dustbins left on the kerb and comes crashing to the ground scattering bins, lids and rubbish in all directions. Quickly picking himself up, he hops over another fence and disappears into a hedgerow. The Detectives arrive at the mess of bins and rubbish.

“We’ve lost him!”

One of the Detectives spots something glinting in the streetlight…

“It seems he’s lost something too. We’ve got his phone! Let’s get it to the lab.”

Back at the lab, in the modern, glass-partitioned office in Miami, the tanned investigator turns on the phone and searches for that all important evidence…calls, texts, chat logs…

As exciting as this is, and while perfect for an episode of CSI: Miami, this represents a rather simplistic approach to mobile phone analysis. Examining a mobile phone for potential evidence is not as straightforward as simply turning it on and having a look…

With the growth of BYOD, and increased remote working, mobile phones are a valuable source of data in corporate investigations. There tends to be perceived privacy amongst employees when it comes to user-issued devices such as these, which can make them a very rich source of information.

When analysing a phone, it is important not to just turn the device on. If the phone being examined is live, it will connect to a network cell and start downloading data as soon as it is switched on. This can alter or overwrite any potentially incriminating data that may be stored on the device, and so is a crucial mistake our friends in Miami have made in the story above. At CCL we use a Faraday box to minimise the risk of any potentially useful data such as texts and contacts being altered by switching the phone on.

While calls, contacts and SMS often contain crucial information and are always worth investigating, there are other potentially valuable sources of intelligence on a modern mobile phone that could also aid an investigation, which could be overlooked. These include social media content, third party applications and web history, all of which can provide useful intelligence. CCL has built up broad experience in extracting this more advanced data from mobile phones, and our R&D team can decode new applications as needed.

Then there is deleted data to consider, as in many cases a suspect may attempt to hide any potentially incriminating data by deletion. This kind of data cannot usually be obtained by simply using commercial forensic tools. At CCL, where possible, our analysts will take a full read of a phone’s memory for a raw binary file, bypassing the phone’s operating system and taking as much data from the device as possible. We then use internally developed software to convert that data (which can include: contacts, calls, SMS, calendar events, emails, app data, etc.) from its database form into a more easily interpreted format. Data that is not stored in databases would be searched for using a script. Again, this is a capability that CCL has developed in-house, as it is not widely supported by commercial forensic tools – so our friends in Miami may struggle here.

Developments in mobile technology are coming thick and fast, which presents increasing challenges for organisations who need to investigate them. The expertise lies not only in being able to access and present this ever-expanding range of information, but also in ensuring that the processes and methodology that define how this evidence is obtained would stand up in court if necessary. Unfortunately, this often means that the process is a lot less ‘Hollywood’ than TV would lead us to believe.

FOR MORE INFORMATION ON MOBILE PHONE FORENSICS, OR ANY OF CCL’S PRODUCTS OR SERVICES, CALL US ON 01789 261200, EMAIL INFO@CCLGROUPLTD.COM OR VISIT WWW.CCLGROUPLTD.COM
CCL’S ONE-DAY FIRST RESPONSE COURSE

EMC revealed in a recent survey that 29% of organisations reported data loss in 2013.* How can you make sure you don’t become one of them in 2014?

Data breaches and IP theft are just some of the reasons your company may need a forensic response. Other issues include: computer misuse, bullying and harassment, internal sabotage, breach of policies and employee productivity. CCL’s First Response course covers what key personnel need to know: how digital forensics can help you, what it can be used for, and the steps to follow.

Course agenda includes:
• What is digital forensics?
• Why might I need a forensic response?
• Where data can be retrieved from
• Case studies and examples
• Handling digital evidence
• Forensic readiness
• Forensic requirements, warning signs and how to respond
• Minimising impact and disruption

COURSES ARE HELD AT CCL’S OFFICES IN STRATFORD-UPON-AVON AT A COST OF £300 + VAT PER DELEGATE.

PLEASE CALL US ON 01789 261200 OR EMAIL TRAINING@CCLGROUPLTD.COM

*EMC IT Trust Curve 2013 Global Study

THE NUMBERS

CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed:
• 220+ e-disclosure cases
• 4,250+ digital forensic (PC) cases
• 55,000+ mobile phone cases
• 2,200+ consultancy engagements
• 750+ civil and criminal cases
• 475+ expert witness assignments

ABOUT CCL

CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it. In 2001, we set up our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one accredited to the ISO17025 standard for our computer, mobile phone and Sat Nav laboratories. We provide digital forensics and investigation services to a broad range of organisations, ranging from corporate clients, civil and criminal law firms, to law enforcement agencies.

CCL has been in the e-disclosure market since 2009 and to date, has completed over 220 e-disclosure cases.

OUR SERVICES
• Digital forensics and investigations
  - All operating systems
  - Smartphones/mobile phones
  - Tablets
  - Sat Nav analysis
  - Cell site analysis
  - CCTV analysis
  - Remote forensics
  - Social media forensics
• E-Disclosure services
• IT consultancy
• Digital forensics hardware and software
• Early case assessment tools
• Data collections
• Training
• Search and seizure orders
• Expert witness services

COMING UP NEXT MONTH:
> Subject Access Requests and the ICO
> IT benchmarking

FOR MORE INFORMATION: Call us on 01789 261200, email info@cclgroupltd.com or visit www.cclgroupltd.com