CCL Digital Insight Issue 3


DIGITAL INSIGHT EDITION 3

IN THIS EDITION

> Subject access requests
> Thoughts for the month
> IT benchmarking
> Rise of the cryptocurrencies
> The real CSI
> First Response course
> About CCL

SUBJECT ACCESS REQUESTS – WHAT WILL IT COST YOU TO RESPOND?

by Peter Cogger

All UK residents have the right to request a copy of any information that they believe a company may hold about them. This is known as a subject access request.

This right of subject access means an individual can make a request under the Data Protection Act to any organisation that they think is holding, using or sharing their personal information, to supply them with copies of both paper and computer records along with related information. Conversely, any organisation that controls data, whether public or private, large or small, may have to process subject access requests, and, depending upon the organisation and sector/industry, these requests may be regular commonplace occurrences or sporadic exercises. Responses to subject access requests must be ‘reasonable and proportionate’ and since the maximum amount that can be charged to process a request is £10 (or up to £50 for education/health), it is important for data controllers to be able to respond to subject access requests as efficiently and cost-effectively as possible.

The sheer volume of electronic data held within a typical IT landscape, the variety of this data, including ever-increasing sources, from the cloud to social media, as well as the more common servers and laptops, plus the speed at which organisations are creating electronic data, throws up real challenges. These range from how best to identify the relevant sources of information, to how efficiently and effectively irrelevant data can be culled-down, to how deadlines can be met. And, perhaps the biggest challenge faced by every organisation is how to carry out a reasonable search for documents, whilst ensuring the costs of disclosure remain as proportionate as possible.

In our experience, many companies take a non-automated, manual approach when responding to a subject access request. An example of this is an email sent to all staff, asking them to disclose any information they have relating to the individual who has submitted the request. This is neither cost-effective nor efficient. There is a need for a clearly defined structure and process for dealing with subject access requests – considering the forty-day timeframe for response. The clock starts ticking from the time that the data controller has also ascertained that the person making the request is indeed the data subject. Further, the data controller is also entitled to ask the data subject for any additional information that may assist in narrowing down their request for information, such as trying to understand exactly what information the data subject requires.

Continued on page 6…

01789 261200 | WWW.CCLGROUPLTD.COM | INFO@CCLGROUPLTD.COM


CHRIS LINFOOT
PRINCIPAL CONSULTANT

Chris has been a Principal Consultant with CCL since 2010, having joined after a lengthy and successful career in senior IT leadership, serving as both CIO and as IT Director in a number of complex, international and multinational organisations. He has led numerous consulting engagements for CCL across a wide range of client needs including: strategy and strategic alignment, governance, architecture, specification and selection of IT software, services and suppliers, mentoring and coaching, and expert witness. Chris graduated in Applied Physics at the University of Durham more years ago than he is happy to admit. He then spent several years in production management and delivery roles in the manufacturing industry, before moving into IT management. Chris’ approach to consulting engagements draws heavily on the resulting combination of scientific discipline and real world experience as an IT user.

CHRIS’ THOUGHTS FOR THE MONTH

In many respects we are living in a golden age for technology. There is more computing power on the average user’s desktop than existed in entire companies not so long ago. A vast range of new devices has emerged, bringing new ways to interact with core services, and all of these technologies may be deployed to almost any location thanks to the availability, at relatively low cost, of modern, high performance networks.

The focus of many IT departments is shifting away from the old on-premises approach towards the selection and deployment of service based offerings including Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS). Frequently, organisations continue to operate conventional, on-premises deployments for some applications while also adopting SaaS or IaaS for others. This increasing use of services brings with it a requirement for new expertise in procurement, usually supplementing rather than supplanting existing expertise in operations and support. While many benefits arise in this hybrid on-premises and service based model, it is inevitable that complexity increases as a result. In response to increased demand and complexity, companies need to develop robust governance around their IT operations.

Good governance ensures strong alignments between IT delivery and the company’s strategic objectives, provides high-quality information to support business decisions, underpins operational excellence, contains risk at an appropriate level, optimises costs and supports legislative and regulatory compliance. A number of governance frameworks now exist which set out current best practice across each of these aspects including ISO/IEC 38500:2008 and COBIT.

While frameworks are an essential starting point, at CCL we recognise that every client’s governance need is different. This is why we work with clients to understand their environment and business priorities, and then take the most appropriate elements of governance, combining best practice from diverse frameworks to deliver efficient governance without unwanted bureaucracy.

NIKKI BRITTON
CLIENT PROJECTS OFFICE MANAGER – FORENSIC SOLUTIONS

Nikki leads two of CCL’s project delivery teams as well as the IT department, with seven direct reports. She manages CCL’s Client Projects Office which co-ordinates all of CCL’s projects for corporate and civil law firm clients. She also leads CCL’s team of Case Co-ordinators, who administer all aspects of digital forensics cases for law enforcement and Legal Aid clients. Having been with CCL for over five years, Nikki has played an active role in the development of both departments. Nikki’s key priorities at CCL are project scoping, evidence management and delivery. Nikki’s team provide crucial communication links between the client and CCL’s technical departments. She also helps clients understand the details and progression of their cases.

NIKKI’S THOUGHTS FOR THE MONTH

While evidence handling and chain of custody are an everyday part of my role at CCL, given the nature of the work we undertake for our clients, I cannot help but express the importance of it. Evidence management is an essential factor when dealing with digital data – especially when that data could potentially be relied upon in court – where cases can be won or lost on the integrity of the evidence. As such, evidential integrity is one of CCL’s top priorities. CCL’s in-house R&D team has developed a bespoke evidence tracking system, designed for the specific requirements of our laboratory. This system monitors and tracks the physical movement of evidence within CCL, in order to maintain an audit trail and ensure a fully defensible chain of custody.

We have also put a lot of work and investment into securing standards such as ISO17025 and ISO27001, which ensure that our standard operating procedures for evidence handling are adhered to, and that this process removes the risk of accidental contamination or deliberate tampering. Together, these systems and standards ensure the integrity of our clients’ data. They are also embedded in our everyday processes and procedures so all our clients benefit from the stringency, but not at the expense of efficiency.

CONSULTING | DIGITAL FORENSICS | E-DISCLOSURE


IT BENCHMARKING: MORE THAN A PRICE COMPARISON

by Peter Cogger

Information Technology is now at the heart of every modern business. Traditionally regarded as a back office function, IT is being viewed more and more as a key enabler for business change and increased competitiveness. As a result, Heads of IT and IT Directors are increasingly evaluated on their ability to enable business strategy, and they are being challenged in areas of innovation, agility, standardisation and quality of service.

More and more of CCL’s clients are starting to look for the next evolution in IT service provision, and business as usual is no longer considered an option. But before embarking on any new initiative, it is as important as always to know where you are, in order to assess the size of the prize that can be achieved with transformation. Traditional IT benchmarking, aimed at optimising existing operations and ensuring market alignment of pricing within discrete service towers, still has an important part to play.

Conducting traditional IT benchmarks is as important as it has always been if your organisation is facing:

• Increasing competition in its industry sector
• The need to understand how competitive your IT services are
• Greater demands on IT to align with the business
• The need to demonstrate economic value
• The need to improve and optimise the delivery of IT services

Building an IT-based competitive advantage has become a necessity. But for those organisations seeking to transform their business operating model, typical service versus costs benchmarking is no longer enough. Rather than a quantitative comparison against peer companies and industry ‘norms’, organisations now want to understand how best to achieve an optimal future state, and how to use it to better deliver value on key business initiatives.

Today’s IT benchmark must provide a 360 degree view of IT performance and assess its capability and readiness to fully support the business’s current and future aspirations. It should consider:

• Peer/industry comparisons
• Customer satisfaction (internal and external to the organisation)
• Support for industry best-practice business processes
• IT effectiveness/value
• IT efficiency/cost
• Alignment of IT strategy with business strategy
• IT agility and preparedness for change

CCL has conducted IT benchmarks across many and varied industry sectors at the request of CEOs, CFOs and CIOs alike. Over the last few years, we have witnessed an increasing trend away from straightforward service/price benchmarking to more comprehensive IT effectiveness and performance reviews. Whilst IT cost competitiveness is still of concern, many boardroom executives are now concentrating on the fitness of IT to better enable their future growth plans rather than merely support it.

Should you conduct an IT effectiveness and performance benchmark? The answer is ‘yes’ if:

• The ‘value of IT’ is regularly questioned within your organisation
• Demand for IT services continues to grow, but your IT budget doesn’t
• There is a backlog of unresolved IT issues
• The anticipated business benefits of recent IT investments have not been realised
• You are considering a large IT investment
• You are considering outsourcing all, or parts of, your IT
• IT is perceived as a service rather than an enabler of business strategy

It is therefore time to consider a much broader approach to IT benchmarking than focusing on service and technology costs alone. Assessing the effectiveness and performance of your IT department and services (whether internal or outsourced), along with its ability to support and adapt quickly to your business strategy and evolving goals, is now just as critical. You may have just secured the best value for money for your IT, but if the service contracts are inflexible, if your technology stack cannot be scaled to meet future business growth, or if your business applications do not effectively support your operations, your business success is going to be much harder to achieve.


[Diagram labels: Business Strategy & Goals; Internal & External Customer Satisfaction; IT Effectiveness/Performance Review & Recommendations; IT Assessment (current & strategy); Peer/Industry Comparison & IT Cost Benchmarks]



RISE OF THE CRYPTOCURRENCIES

by Umar Yasin

Bitcoins, Litecoins or Dogecoins; cryptocurrencies have hardly been out of the news in recent months, with a high-profile attack on Mt.Gox, a main Bitcoin exchange, and its subsequent bankruptcy attracting the increasing glare of regulators across the globe. A few months ago the main media association with Bitcoins was their use for various criminal activities on the online underworld marketplace, Silk Road. On a much more positive note, these cryptocurrencies have seen an increasing acceptance by major global businesses, with the likes of Virgin Galactic, WordPress, Overstock and Zynga already accepting Bitcoin payments. Earlier this year, the leading London media law firm Sheridans also announced that it would accept Bitcoins.

Aside from any economic arguments for and against a non-fiat, digital, deflationary currency (Dogecoins aren’t deflationary, but both Bitcoins and Litecoins are) that is not controlled centrally, cryptocurrencies also throw up a plethora of legal and regulatory issues, whether around money laundering, tax implications or data privacy issues. Reaching some sort of consensus on cryptocurrencies remains to be seen; regulators in different jurisdictions have taken varying views just on the tax position.

Take the recent decision by the IRS in the United States to treat cryptocurrencies as property rather than currency, thus meaning that they are treated as taxable income if used to pay wages, and subject to capital gains tax in the same way as other assets. Contrast this with the recent Danish decision not to treat gains and losses from Bitcoin trading as being subject to taxation. HMRC has also recently revised its taxation treatment of cryptocurrencies, removing VAT from income received from Bitcoin mining activities, and exempting VAT on the value of any Bitcoins exchanged for Sterling or other foreign currencies, which brings HMRC’s approach towards cryptocurrencies much closer to the way in which other foreign currencies are dealt with. In Singapore, cryptocurrencies are classed as goods, so are subject to the usual goods and services tax.

The taxation treatment for cryptocurrencies in various countries seems to be progressing, as compared with the legal and regulatory frameworks, which must catch up and provide a comparable framework for dealing with cryptocurrencies. From Bitcoin ATMs mooted in Dubai to news of a US-based derivatives exchange exploring the creation of a Bitcoin swap (which would certainly be attractive to investors that are otherwise deterred by the massive fluctuations in price), cryptocurrencies are rising in popularity amongst consumers and there is even increasing acceptance amongst regulators.

These issues and questions around the legality of cryptocurrencies, and the kind of regulatory environment that is needed, show no signs of going away. We will continue to explore the issues raised by the rise of the cryptocurrencies in upcoming editions of Digital Insight.



CASE STUDY

IP THEFT

THE CASE: The sales manager of a large IT company handed in his notice claiming that he was going to set up his own business in direct competition with his current employer. He took three months garden leave as per the terms of his contract.

Several months later, the company became aware of a gradual fall in revenues. Further analysis revealed that an increasing amount of business was lost to their former sales manager’s new company. The risk manager, who had experience of digital forensic examinations, prevented the IT department from examining the suspect’s laptop. This is because any attempt by an individual, who is not a qualified digital forensic examiner, to investigate the device can potentially destroy vital evidence. Even the act of turning on a laptop can compromise the data contained within it, and contaminate the ‘digital trail’.

WHAT CCL DID: The risk manager contacted CCL, and was given advice on the best way to handle the device. A security-cleared driver from CCL was dispatched to collect the laptop, which was immediately placed in a sealed evidence bag to begin the process of maintaining the integrity of the evidence.

CCL took a forensic image of the laptop, which allows the analyst to work on an exact copy of the original device without it having to be switched on. The forensic image contains data about installed programs, live and deleted files, metadata, internal log files, registry entries – in short, there is the potential to recover records of almost any activity that took place on the device.

THE OUTCOME: CCL’s analyst was able to determine that approximately 30 minutes before the former employee resigned, he copied tens of thousands of records from the CRM system onto a memory stick.

BLOCKCHAIN

Blockchain is a shared public ledger on which the entire Bitcoin network relies. All confirmed transactions are included in Blockchain. This way, Bitcoin wallets can calculate their spendable balance and new transactions can be verified to be spending Bitcoins that are actually owned by the spender. The integrity and the chronological order of Blockchain is enforced with cryptography.

FINITE SUPPLY

There will only ever be 21 million Bitcoins produced and it will take until about the year 2140 to get them all.

BITCOIN BLOCKS

Every 210,000 blocks the number of new Bitcoins released by mining a block is halved. From January 2009 to November 2012 it was 50 Bitcoins per block, now it is 25. Around September 2016 it will be 12.5 and so on.
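The halving rule in the Bitcoin Blocks sidebar and the 21 million cap in the Finite Supply sidebar are two views of the same schedule. This added example (not part of the original newsletter) derives the cap and the approximate end date from the halving rule; the integer satoshi unit and the 10-minute average block spacing are assumptions the newsletter does not state.

```python
# Added example: derive the Bitcoin supply cap from the halving schedule.
# Assumptions not stated in the newsletter: the subsidy is tracked in integer
# satoshi (1 BTC = 100,000,000 satoshi), each halving is an integer right
# shift, and blocks arrive on average every 10 minutes.

SATOSHI_PER_BTC = 100_000_000
INITIAL_SUBSIDY = 50 * SATOSHI_PER_BTC   # 50 Bitcoins per block from January 2009
HALVING_INTERVAL = 210_000               # blocks between halvings
BLOCK_MINUTES = 10                       # assumed average block spacing
GENESIS_YEAR = 2009.0                    # first block, January 2009


def block_subsidy(height: int) -> int:
    """New satoshi released by mining the block at the given height."""
    if height < 0:
        raise ValueError("block height cannot be negative")
    halvings = height // HALVING_INTERVAL
    # Integer halving: the remainder is discarded, so the subsidy reaches
    # exactly zero after a finite number of halvings.
    return INITIAL_SUBSIDY >> halvings


def schedule() -> list:
    """Rows of (era, first_height, subsidy, cumulative_issued) in satoshi."""
    rows, issued, era = [], 0, 0
    while True:
        first_height = era * HALVING_INTERVAL
        subsidy = block_subsidy(first_height)
        if subsidy == 0:
            return rows
        issued += subsidy * HALVING_INTERVAL
        rows.append((era, first_height, subsidy, issued))
        era += 1


def total_supply() -> int:
    """Total satoshi ever issued once the subsidy has dropped to zero."""
    return schedule()[-1][3]


def final_subsidy_year() -> float:
    """Approximate calendar year in which the last non-zero subsidy is mined."""
    last_height = len(schedule()) * HALVING_INTERVAL
    minutes = last_height * BLOCK_MINUTES
    return GENESIS_YEAR + minutes / (60 * 24 * 365.25)


if __name__ == "__main__":
    for era, height, subsidy, issued in schedule()[:4]:
        print(f"era {era}: from block {height:>7}, "
              f"{subsidy / SATOSHI_PER_BTC:g} BTC per block, "
              f"{issued / SATOSHI_PER_BTC:,.0f} BTC issued by end of era")
    print(f"total supply: {total_supply() / SATOSHI_PER_BTC:,.4f} BTC")
    print(f"last subsidy mined around {final_subsidy_year():.0f}")
```

Because each halving discards the remainder, the total comes out slightly under 21 million rather than exactly on it.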



CASE STUDY

MOBILE DEVICE WITH ADVANCED PASSCODE LOCK

THE CASE: CCL received a device that, upon initial inspection, was secured with an advanced passcode, which could be up to 32 alphanumeric characters long. It is currently impossible to try and guess a passcode this long, as current computers are not powerful enough to do this in our lifetime. The suspect was not co-operating and would not provide the lock code.

WHAT CCL DID: Despite this, CCL was able to bypass the lock and recover a full chip-level read from the phone using JTAG. This method did not require the flash chip to be de-soldered and was non-destructive. Once a full read of the phone had been recovered, internally developed scripts were used to recover and present the most pertinent data in an easy to understand format. The internet history was recovered, which showed significant changes in the suspect’s searching and browsing activity immediately after the incident was suspected of occurring. Along with this data, deleted text messages were also recovered using epilog, one of CCL’s proprietary forensic tools. These deleted messages contradicted the suspect’s version of events leading up to the timeframe in question.

THE OUTCOME: The combination of bypassing secure lock codes and recovering hard to find and deleted data meant CCL was able to provide a full picture of the suspect’s activities, which showed he was trying to hide evidence and hinder the police investigation.

SUBJECT ACCESS REQUESTS

…continued from Page 1

by Peter Cogger


From our experience, organisational structure greatly affects how an organisation responds to a subject access request – disjointed and siloed departments make it more difficult to respond effectively by the deadline. Co-operation and joined up processes and procedures for dealing with these requests can help to ensure that whoever in the business receives the subject access request, knows the process for dealing with it promptly.

As ever the key is to be prepared. Effective information governance (having your house in order), before a request is even made will make it so much easier to respond when a subject access request, freedom of information request, or regulatory request does arrive. Over the last six months, CCL has seen an increase in the number of companies approaching us for advice and guidance on how they can improve their information governance ready for such a request.

An ICO spokesperson said: ‘At a time when organisations are collecting more and more information about us, whether online or offline, subject access requests play an increasingly important role in helping us take control of our personal information. They can also benefit organisations by highlighting inaccuracies in their records and giving them the opportunity to update the information they keep about us. Our subject access code of practice will help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers’ data and being open and transparent about the information they collect. This can only be a good thing for organisations and consumers.’

We have also published ten simple steps that organisations should consider when responding to subject access requests.

1. Identify whether a request should be considered as a subject access request
2. Make sure you have enough information to be sure of the requester’s identity
3. If you need more information from the requester to find out what they want, then ask at an early stage
4. If you’re charging a fee, ask for it promptly
5. Check whether you have the information the requester wants
6. Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…
7. But do consider whether the records contain information about other people
8. Consider whether any of the exemptions apply
9. If the information includes complex terms or codes, then make sure you explain them
10. Provide the response in a permanent form, where appropriate

FOR MORE INFORMATION OR ADVICE ON INFORMATION GOVERNANCE OR ANY OF CCL’S PRODUCTS AND SERVICES, CALL US ON 01789 261200, EMAIL INFO@CCLGROUPLTD.COM OR VISIT WWW.CCLGROUPLTD.COM



THE REAL CSI: TABLET COMPUTER FORENSICS

by Sarah Turner

06:37: The Lieutenant sits in his black Hummer, across the road from a seedy café in central Miami. The early morning sun rises over the tall city tower blocks and office buildings, as smartly dressed executives and other early birds make their way to work. Gazing through his shades, the Lieutenant watches as his suspect - one of these smartly dressed executive-types, fitting in perfectly with the early morning commuters - walks into the café, sits down, takes out his tablet computer and starts to work.

The Lieutenant gets on the walkie-talkie to his lead officer who is waiting just around the corner:

‘He’s in the café. We’ve been onto this guy for months, he’s embezzled over $1 million – we know he’s the guy behind this, we just need to get the evidence. Another transaction has just gone into the bank account! Storm the café!’

The officer and three of his team charge into the small café sending tables, chairs and crockery crashing to the floor. Pinning the suspect to the ground, they handcuff him and grab his tablet. One of the officers starts looking through the device:

‘I can’t find anything obvious on here boss, let’s take it back to the lab.’

Back at the glass-partitioned lab, the excessively tanned Technical Specialist plugs the tablet into his computer and watches as various files and documents appear on the large wall-mounted monitor – neatly ordered into emails, documents, bank transactions, etc. The Technical Specialist effortlessly moves them around the screen by swipes of his hand, zooming in on potential evidence…

As tablets are becoming increasingly commonplace in the corporate environment, favoured by both remote and office-based workers alike, they can be a useful source of information during an internal investigation. But, how does the depiction above compare to the reality of the forensic analysis of tablet computers? While entertaining, rather unsurprisingly, the analysis of a tablet is not quite this simple.

In reality, the forensic analysis of a tablet is actually more similar to the analysis of a smartphone, than a computer. Computers are forensically examined by removing the hard drive and taking a forensic image of it. It is this image that is then examined rather than the content of the machine itself, to ensure evidential integrity. Imaging a computer hard drive in this way is generally the same process every time. Tablet computers, by contrast, do not have a hard drive which can be removed and imaged. Instead tablets use flash memory and there are different methods of extracting a full image of the disk depending on the make and model of tablet. This can range from the JTAG method (connecting pins directly to the circuit board), a bootloader method or it may just be limited to a logical extraction via the operating system where a full image of the disk is not possible.

One crucial mistake our friends in Miami made in the story above was not switching off the device as soon as they got hold of it. By leaving the device on, there is the potential for it to remain connected to a network and continue receiving new data, which could potentially overwrite any useful or potentially incriminating evidence. In addition, if the suspect is particularly tech-savvy, he or one of his accomplices could remotely wipe the memory of the device if it is still connected to the network, deleting all data, including anything incriminating.

Therefore, before any kind of investigation can be carried out on the device, even before switching it back on, it needs to be placed into a Faraday box. Switching the device on within a Faraday box prevents the device from connecting to a network cell and enables analysis to begin.

In the story above, our friends in Miami focussed on files and emails as their likely sources of potentially incriminating information. However, there are many more potential sources of useful intelligence on a tablet, such as: web history, cookies, bookmarks, images and geo-tagged photos. CCL has worked on cases where these sources have provided useful evidence.

The forensic analysis of tablet computers and the amount of data that can be extracted from them varies greatly according to the make and model of the device and how they store data. However, in every case it is the process and procedures by which the evidence is obtained that ensure it would withstand court scrutiny if required. As ever, this always means that the reality is a lot more complex and thorough than simply looking through the device or just ‘plugging it in’.


FOR MORE INFORMATION ON TABLET FORENSICS OR CCL’S OTHER PRODUCTS AND SERVICES CALL US ON 01789 261200, EMAIL INFO@CCLGROUPLTD.COM OR VISIT WWW.CCLGROUPLTD.COM



CCL’S ONE-DAY FIRST RESPONSE COURSE

EMC revealed in a recent survey that 29% of organisations reported data loss in 2013.* How can you make sure you don’t become one of them in 2014?

Data breaches and IP theft are just some of the reasons your company may need a forensic response. Other issues include: computer misuse, bullying and harassment, internal sabotage, breach of policies and employee productivity. CCL’s First Response course covers what key personnel need to know: how digital forensics can help you, what it can be used for, and the steps to follow.

Course agenda includes:

• What is digital forensics?
• Why might I need a forensic response?
• Where data can be retrieved from
• Case studies and examples
• Handling digital evidence
• Forensic readiness
• Forensic requirements, warning signs and how to respond
• Minimising impact and disruption

COURSES ARE HELD AT CCL’S OFFICES IN STRATFORD-UPON-AVON AT A COST OF £300 + VAT PER DELEGATE.

PLEASE CALL US ON 01789 261200 OR EMAIL TRAINING@CCLGROUPLTD.COM

*EMC IT Trust Curve 2013 Global Study

COMING UP NEXT MONTH:

> Forensic First Response
> ISM Governance
> Disclosure demystified

ABOUT CCL

CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it. In 2001, we set up our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one accredited to the ISO17025 standard for our computer, mobile phone and Sat Nav laboratories. We provide digital forensics and investigation services to a broad range of organisations, ranging from corporate clients, civil and criminal law firms, to law enforcement agencies. CCL has been in the e-disclosure market since 2009 and to date, has completed over 220 e-disclosure cases.

THE NUMBERS

CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed:

• 220+ e-disclosure cases
• 4,250+ digital forensic (PC) cases
• 55,000+ mobile phone cases
• 2,200+ consultancy engagements
• 750+ civil and criminal cases
• 475+ expert witness assignments

OUR SERVICES

• Digital forensics and investigations
  - All operating systems
  - Smartphones/mobile phones
  - Tablets
  - Sat Nav analysis
  - Cell site analysis
  - CCTV analysis
  - Remote forensics
  - Social media forensics
• E-Disclosure services
• IT consultancy
• Digital forensics hardware and software
• Early case assessment tools
• Data collections
• Training
• Search and seizure orders
• Expert witness services

FOR MORE INFORMATION: Call us on 01789 261200, email info@cclgroupltd.com or visit www.cclgroupltd.com
