CCL DIGITAL INSIGHT EDITION 4

IN THIS EDITION
> Forensic first response
> Thoughts for the month
> DPAs: Cutting down on corporate crime in a ‘Peculiarly British’ way
> Information security governance
> Q&A with Kinetic Partners
> The Real CSI
> First response course
> About CCL

FORENSIC FIRST RESPONSE

In 2011, the UK Cabinet Office published a paper (The Cost of Cyber Crime), which quantified the cost to UK businesses of intellectual property theft as £9.2bn, and industrial espionage as £7.6bn. Whilst these figures have since been challenged and the true cost of cybercrime in 2014 is difficult to estimate, its impact on UK industry cannot be ignored.

CCL is increasingly being asked to help investigate cyber-based crime on behalf of UK private companies and public sector organisations. Incidents range from ‘simple’ misuse of computer resources to more complex computer-based intellectual property theft and organised fraud.

When cybercrime is first suspected, its seriousness and full extent are often unknown. It is also difficult to judge how the suspect is going to react when confronted. Will they admit to their misdemeanour and take their punishment, or will they protest their innocence and seek legal representation in court? The great majority of computer security incidents will never be taken to court, but the possibility still exists that they might, and thus proper precautions should be taken to collect and preserve digital evidence from the outset.

In contrast with typical crime scene evidence, digital evidence can be very fragile. Also, the very existence of evidence may not be obvious upon initial examination. Performing such an analysis is a slow and difficult process that begins with first seizing the computer as evidence. Upon that seizure, however, the computer is usually turned off and taken back to a laboratory. When that happens, all of the data on the computer that has not been saved to the hard drive can be lost forever. In modern systems, that can be a substantial amount of data and can comprise several parts.

Even without the power being turned off, evidence can still be destroyed. If the computer is still connected to a network, evidence such as log files could be accidentally or deliberately deleted or overwritten by other network users. In addition, the programmable nature of computers allows an individual to instruct the computer to erase information without any human interaction. For example, an intruder could use a compromised machine to launch another attack and then automatically erase all evidence of the attack and initial intrusion upon completion.

Beyond outright destruction, an investigator must also be careful that digital evidence is not tainted before it can be secured. Most often, tainting occurs because of the good intentions of a first responder. That is, the first people to discover the crime look around to determine what happened and unwittingly alter data on the system.

For these reasons, CCL recommends that its clients put in place First Response processes and procedures that allow them to find out if an incident has occurred, determine the nature of the incident, and identify the correct steps to follow to ensure evidence is sound enough to be taken to court if necessary. Leaving it until after the event may result in the loss of vital evidence and an unsuccessful, yet costly, outcome.

01789 261200 | WWW.CCLGROUPLTD.COM | INFO@CCLGROUPLTD.COM


GARY JAMES
SENIOR CONSULTANT

Gary joined CCL in 2012 as Senior Consultant, and brought with him a wealth of experience in IT management. Gary started his career as a software developer, and whilst at Hasbro was asked to manage the IT office in Milan. This sparked Gary’s interest in management, which then saw him move to Warnaco as European Systems Manager, responsible for the company’s brands in Europe, which included Calvin Klein. Gary was then seconded onto a team implementing SAP globally in 168 locations. From here, Gary moved to Courtaulds Textiles as Group IT Manager with global responsibility for infrastructure, networks and service delivery for 128 locations globally. Gary’s subsequent move to Homeserve was a career departure into the insurance and financial services area. Gary led a number of projects, with a focus on service delivery, and also sat on the technical design authority board for the whole of Homeserve. Gary then moved to Senoble to help them align the UK business with the rest of the European operation. One of Gary’s areas of focus at CCL is cyber security, and he is currently engaged on a project with a FTSE 350 organisation, helping them to develop and define their approach to security.

GARY’S THOUGHTS FOR THE MONTH

Whilst I am busy working on several projects, my main focus is on my upcoming Certified Information Security Professional exam (CISSP). There is a lot to cover in the exam; it’s 1000 questions in six hours so there’s lots of reading and revision. The odd thing I am finding though, is that I keep saying to myself: I suppose over 30 years you absorb a lot of information that you probably don’t realise you have. By taking this exam, it is enabling me to combine the commercial experience that I have gained with the IT consultancy and the security exposure that I have had at CCL.

The FTSE 350 project is quite far reaching in that it touches every part of the business. We are currently designing security processes and procedures for dealing with Software-as-a-Service (SAAS), Bring Your Own Device (BYOD) and cloud computing. The starting point is really about getting the Board to agree what is most important to the business; confidentiality, integrity, availability. This is known as the Security Triad. Inevitably, every business will place a different priority on each of these, and for different assets. CCL’s cyber security practice can help an organisation strategically, tactically and operationally - I think this is unique within the security arena.

KAREN SABIN
QUALITY MANAGER

Karen is one of CCL’s longest serving members of staff. She has been with the company since 1991, starting in the IT consultancy division of the business.

As Quality Manager at CCL, Karen is responsible for implementing and maintaining systems and procedures to ensure that CCL achieves, and maintains, industry-leading quality standards. Over the last few years, Karen has set up the processes and business operations required for CCL to achieve ISO9001 and ISO27001 certification. These certifications ensure that CCL adheres to the highest information security and quality management standards throughout.

Karen is now also responsible for the maintenance of CCL’s ISO17025 accreditation for the digital analysis of computers, mobile devices and satellite navigation equipment. This involves writing, reviewing and updating standard operating procedures, ensuring that our tools are validated, conducting internal audits of CCL’s processes and procedures, ensuring staff are trained and competent to undertake their roles and continuously improving the CCL Quality Management System.

KAREN’S THOUGHTS FOR THE MONTH

I am proud to be associated with the implementation and maintenance of the ISO17025 standard at CCL. Achieving this accreditation has added structure to the way we conduct our examinations and improved the way we run our laboratories. In a nutshell, being accredited means that we have documented procedures which everyone has to follow. We have structured training paths for our analysts – who must be competent before they are allowed to commence live casework and our tools must be validated to ensure they are functioning properly. This all results in a guarantee of evidential integrity for our clients, which is crucial when the data we recover, analyse and present could potentially be relied upon in court.

CCL is now seeking accreditation for our e-disclosure services, and we are currently implementing the necessary procedures and competencies to ensure this will be completed smoothly during the next few months. A key aspect of this accreditation will be the development of high quality, standardised and repeatable processes. This accreditation will ensure that our e-disclosure services are efficient and cost-effective, making them defensible to both clients and the court.

CONSULTING | DIGITAL FORENSICS | E-DISCLOSURE


DPAs: CUTTING DOWN ON CORPORATE CRIME IN A ‘PECULIARLY BRITISH’ WAY

by Umar Yasin

From 24th February 2014, Deferred Prosecution Agreements (DPAs) formally became part of the prosecutorial toolkit here in the UK. Available to both the Serious Fraud Office and the Crown Prosecution Service, DPAs are now formally enshrined in statute, under Section 45 and Schedule 17 of the Crime and Courts Act 2013, which received Royal Assent back in April 2013. DPAs can be entered into for a wide variety of economic crimes, ranging from bribery, theft and money laundering offences, to false accounting and fraud offences. According to the former Attorney General, Dominic Grieve QC, DPAs ‘will enable prosecutors to take appropriate action against commercial organisations involved in economic crime, and they will work well alongside existing methods’.

Meanwhile, the SFO is hoping that this new tool at their disposal will help them to investigate and tackle corporate crime more effectively, particularly those offences that predate the 2010 Bribery Act. Throughout the consultation period that ran until September 2013, it became clear that both the CPS and the SFO are also hoping that the availability of DPAs leads to increased self-reporting by corporates. Although corporates cannot request a DPA themselves, a prosecuting agency can be alerted to a potential corporate crime that can be dealt with by a DPA in three main ways: through self-reporting by the corporate, through a whistle blower, or where the SFO or CPS are made aware of a potential crime through sharing intelligence and information with agencies such as the National Crime Agency or the Security Services.

Another pertinent issue when it comes to DPAs is the seeming lack of incentive for corporates to self-report, which the Guidelines and Code of Practice on DPAs seem to suggest. For example, if DPA discussions fail, and the corporate has already disclosed documents, including internal reports, these documents can still be used by the prosecutor in any subsequent proceedings or prosecutions. Similarly, the Guidelines state that even after a successful DPA has been entered into, any financial penalty imposed should be comparable with the fine likely to have been imposed following an early guilty plea, which seems to provide little incentive for corporates.

CASE STUDY: CORPORATE BLACKMAIL

THE CASE: The Managing Director of a large professional services institution had received anonymous letters alleging financial mismanagement and demanding sums of money in return for keeping quiet.

The MD approached CCL and requested the analysis of two workstations, belonging to two members of staff whom he suspected. The IT Manager advised that if the documents had been created at work, they probably had been stored, under passwords, on the server rather than on the workstations – but he wanted to try the workstations first.

WHAT CCL DID: CCL suggested conducting keyword searches to see if the documents could be traced to those workstations. This was to be done in a covert manner, so as not to alert the employees under suspicion. Two CCL analysts attended during the night; such was the concern for secrecy that they had to work by torchlight! They took a forensic image of both workstations and securely transported them back to CCL for analysis.

THE OUTCOME: As expected, no record of the documents was found on the workstations, so a return visit was made in order to image the servers. This time, an analysis of ‘unallocated clusters’ for an EMF image showed that the document had been printed. The document was recovered, along with information about the instruction to print. This provided the client with the information he needed to take action against the members of staff under suspicion.


INFORMATION SECURITY GOVERNANCE

“Information can have great value as an organisational asset but can be a toxic liability if not handled properly”
Richard Thomas, Former Information Commissioner

The rapid pace of new technology is making it increasingly easy for organisations to collect personal data and provide more targeted services to their customers. However, these technologies, and the data that is being used, are causing concern about privacy, especially regarding retention of personal information and the insights this can provide into people’s private lives.

Corporate data breaches are being reported almost daily by the media at the moment. But it is interesting to observe that most of the high-profile cases are not caused by hackers or thieves, but by bad business processes and policies. Nonetheless, no matter what the origin of the breach, all companies (whether in the private, public or not-for-profit sector) are exposed to the risk of substantial fines, negative impact on corporate image and loss of important customers and revenues.

All UK organisations should be aware of the following legislation when it comes to information governance:

• Data Protection Act 1998
• Regulation of Investigatory Powers Act 2000
• Environmental Information Regulations 2004
• Freedom of Information Act 2000
• Re-use of Public Sector Information Regulations 2005

The Data Protection Act, for example, applies to all companies that hold data of a personal nature, with the Information Commissioner’s Office having the power to issue fines of up to £500,000 for data security breaches.

Information governance is increasingly being seen as a critical component of corporate governance – and it is not just about ensuring information is secure. Good information governance covers the management, sharing and retention of information, so that an organisation can meet its corporate objectives, customer needs and regulatory obligations. It provides a framework that brings together legal, ethical and quality standards that apply to the handling of all sensitive and personal information relating to employees and customers (including patients, practitioners, members, researchers, etc.).

In practice, information governance consists of a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at a corporate-wide level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements. And whilst information governance tends to concentrate on technology, organisations should not forget the human or physical ‘factor’. Restricting access to electronic records to authorised individuals is readily undone if printed student visa application information or patient care records are left on desktops in unrestricted offices overnight.

CCL helps organisations identify gaps in their information governance policies and processes, and our approach encompasses more than electronic information and records management. It covers all aspects of privacy attributes, electronic disclosure requirements, storage optimisation, and electronic and physical data management.

Information governance can be complex. You need to understand where information moves, how it is used throughout the organisation, and how it is governed by policies for security, privacy, records and information lifecycle management, and records retention. To share information across the enterprise while managing the associated cost and risk, you need to:

• Develop an enterprise-wide core set of master information standards and guidelines
• Implement and oversee effective processes for managing and ensuring the quality of these standards and guidelines
• Build information quality into stewardship processes
• Set objective metrics and reasonable targets for managing information quality

It is important to develop a cohesive approach to information governance so you can:

• Ensure that information is managed by the right owners, at the right time, and in accordance with the right policies
• Protect against information breaches through well-defined controls for hardening technical storage devices

Excellent corporate reputation, reliability and brand image are key to gaining a competitive advantage in today’s world. Protecting these is proving increasingly challenging. So, make sure you have the right information governance in place to ensure your organisation succeeds.

FOR MORE INFORMATION ON INFORMATION SECURITY GOVERNANCE OR ANY OF CCL’S PRODUCTS OR SERVICES, CALL US NOW ON 01789 261200, EMAIL INFO@CCLGROUPLTD.COM OR VISIT WWW.CCLGROUPLTD.COM


Q&A SESSION WITH KINETIC PARTNERS

The complex challenges thrown up by digital investigations are best solved by reliable and efficient teams with the right mix of skills and experience. This tailored and collaborative approach is what underpins CCL’s partnership with Kinetic Partners - an award-winning and leading provider of tailored consulting, advisory and assurance services to the global financial services industry. Together, both businesses can offer clients a seamless and integrated approach to all engagements.

CCL conducted a short Q&A session with the Global Head of Forensic and Dispute Services at Kinetic Partners, Nick Matthews, to discuss the challenges facing their clients and how a combination of forensic accounting and digital forensics can be used together to help meet these challenges head on:

1. WHAT CHALLENGES HAVE YOUR CLIENTS BEEN MOST CONCERNED ABOUT OVER THE LAST SIX MONTHS?

Until recently, clients have been most concerned about the economic climate. Although sentiment and, to some extent, the economy have recovered, clients remain understandably concerned about costs generally. Given that case costs and the cost of regulation are to a large extent unavoidable, what clients really want is value for money. Clients are also rightly concerned about regulatory compliance and the pace of change in the European and global regulatory landscapes. There is a general feeling that it is all becoming quite overwhelming. Finally, some of our clients are facing the consequences of governance and financial crime failings and the ensuing shareholder or investor legal action, as well as regulatory censure and the risk of reputational damage.

2. WHAT DOES KINETIC PARTNERS DO TO RESPOND TO THESE CHALLENGES?

For most of Kinetic’s clients across the world, keeping on top of the ever-increasing complexity and volume of financial regulation is an enduring problem. It is no longer realistic for a compliance officer to know everything he or she needs to know. We make it our job to know and understand our clients’ obligations in relation to their respective regulatory authorities. We also see a need for ‘forensic readiness’, where a firm has robust audit trails, key risk indicators and management information, and knows what is going on in their different operations. With any internal investigation, management, digital forensic specialists and forensic accountants alike need to be able to access efficiently the data held within a business.

3. HAVE YOU SEEN MANY INVESTIGATIONS AS A RESULT OF THE BRIBERY ACT?

Not yet, but we are advising clients on the FCA’s expectations of firms to put in place adequate systems and controls to prevent bribery and corruption. Whilst the FCA has taken, and will continue to take, action against financial services firms that have inadequate prevention measures, even though no bribery or corruption may have taken place, firms in all sectors should have adequate procedures in place, as a defence against prosecution if problems do arise.

4. WHY DO YOU THINK WE HAVE NOT SEEN THE FULL EXTENT OF THE BRIBERY ACT TO DATE?

Quite simply, it will take time for cases to filter through. Instances of bribery and corruption that occurred prior to the Bribery Act coming into force will not be prosecuted under the Act. Bribery or corruption can take place over a long period of time and it can also take several years for the issue to come to light, be investigated and then be prosecuted.

5. WHAT RECOMMENDATIONS ARE YOU MAKING TO YOUR CLIENTS AT THE MOMENT?

Some advice never changes – businesses make false economies if they fail to implement adequate governance, systems and controls in order to prevent or detect financial crime and mitigate regulatory, financial, reputational or legal risk in the event that problems arise.

When problems do arise, investigate them properly – where necessary, call upon outside expertise and resources, such as lawyers, digital forensic specialists and forensic accountants, to ensure a thorough yet targeted response with an output that can be disclosed to the authorities if required. Finally, when contemplating a corporate transaction, especially cross-border, financial crime should not be overlooked in the due diligence process. Adverse findings may delay a deal while they are investigated and can have a significant effect on price.


THE REAL CSI: CCTV ANALYSIS

by Sarah Turner

13:25: The midday sun is beating down on Miami-Dade County. The Lieutenant leads a chase through the busy streets of central Miami – shades on, gun in holster, barely breaking into a sweat. Three of his officers follow close behind. The suspect dodges between shoppers and hurried workers out for lunch. Sweating profusely, he dives down a side street and then back out into the main shopping street. Suddenly he dashes over to a waiting car and jumps in as the vehicle speeds off with the passenger door still open. The Lieutenant slows to a jog and then stops, gasping for breath as the suspect speeds away:

“An accomplice! Find out who was driving that car!”

“Let’s check CCTV of the area,” shouts one of the officers. Luckily, one of Miami’s CCTV cameras had captured the face of the getaway driver moments before, when he quickly stepped out of his car to check a tyre, unaware that he was recorded on one of the many CCTV cameras around the city.

Back at the modern, glass-partitioned lab, the large wall-mounted monitor lights up as the glossy-haired, excessively tanned Technical Specialist rewinds the footage back to a few moments before the suspect reached the vehicle. As the driver steps out of the vehicle, the Specialist pauses the video on a shot of his face and zooms in. The monitor flickers as he keys in the instructions for the computer to enhance the image. The computer whirrs as previously blurry pixels become sharper and begin to form a more detailed, recognisable face. The computer then cross-references this with its database of thousands of photos. It flashes through image after image, until it spots a match. The Lieutenant dispatches his officers to the address on screen…

As entertaining as this is, how does it compare to the reality of CCTV analysis?

In reality, there is only so much that ‘enhancement’ of CCTV footage can achieve. Enhancement can only work with the pixels that already exist within the footage; it cannot add extra detail or pixels that are not already there, as is commonly portrayed in cop shows. What it can do, however, is improve aspects of the footage like the brightness, contrast or clarification. These can help to improve the clarity and quality of the CCTV footage, making details easier to view and potentially highlighting new, previously unseen information as well.

Also, there is a lot more intelligence available from CCTV analysis than just image enhancement and facial identification, which feature prominently in the majority of cop dramas. CCTV analysis can also be used for clothing or object comparisons, height estimation, establishing the time of an offence, vehicle comparison, voice comparison, and even gait analysis, all of which can provide useful intelligence for a variety of matters.

For example, CCL was involved in a case where CCTV footage was being used to identify a suspect by his facial features – as our friends in Miami did above. Unfortunately, the images were too low resolution to be used to identify the suspect. However, CCL was able to use other information contained within the footage to achieve the same objective. CCL’s experts re-examined some known footage of the suspect and noticed that he had an unusual and distinctive gait. The analysts took frames from the known footage that highlighted the suspect’s legs and feet, and did the same with the CCTV exhibit footage. In this way, the analysts provided comparative still images to show the similarities between the legs and feet in the known footage and in the CCTV footage. CCL’s analysts also edited several sequences to show side-by-side, to highlight the similarities of the unusual gait between the films, which enabled the suspect to be identified.

The truth behind the forensic analysis and enhancement of CCTV footage may not be quite as quick and spectacular as police dramas may lead us to believe. But with the wide range of analysis and enhancement tools and techniques available, CCTV footage can still be a valuable source of information during an investigation.

FOR MORE INFORMATION ON CCTV ANALYSIS OR CCL’S OTHER PRODUCTS AND SERVICES PLEASE CALL US ON 01789 261200, EMAIL INFO@CCLGROUPLTD.COM OR VISIT WWW.CCLGROUPLTD.COM


CCL’S ONE-DAY FIRST RESPONSE COURSE

EMC revealed in a recent survey that 29% of organisations reported data loss in 2013.* How can you make sure you don’t become one of them in 2014? Data breaches and IP theft are just some of the reasons your company may need a forensic response. Other issues include: computer misuse, bullying and harassment, internal sabotage, breach of policies and employee productivity. CCL’s First Response course covers what key personnel need to know: how digital forensics can help you, what it can be used for, and the steps to follow.

Course agenda includes:

• What is digital forensics?
• Why might I need a forensic response?
• Where data can be retrieved from
• Case studies and examples
• Handling digital evidence
• Forensic readiness
• Forensic requirements, warning signs and how to respond
• Minimising impact and disruption

COURSES ARE HELD AT CCL’S OFFICES IN STRATFORD-UPON-AVON AT A COST OF £300 + VAT PER DELEGATE. PLEASE CALL US ON 01789 261200 OR EMAIL TRAINING@CCLGROUPLTD.COM

*EMC IT Trust Curve 2013 Global Study

ABOUT CCL

CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it. In 2001, we set up our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one accredited to the ISO17025 standard for our computer, mobile phone and Sat Nav laboratories. We provide digital forensics and investigation services to a broad range of organisations, ranging from corporate clients, civil and criminal law firms, to law enforcement agencies. CCL has been in the e-disclosure market since 2009 and to date, has completed over 220 e-disclosure cases.

OUR SERVICES

• Digital forensics and investigations
  - All operating systems
  - Smartphones/mobile phones
  - Tablets
  - Sat Nav analysis
  - Cell site analysis
  - CCTV analysis
  - Remote forensics
  - Social media forensics
• E-Disclosure services
• IT consultancy
• Digital forensics hardware and software
• Early case assessment tools
• Data collections
• Training
• Search and seizure orders
• Expert witness services

THE NUMBERS

CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed:

• 220+ e-disclosure cases
• 4,250+ digital forensic (PC) cases
• 55,000+ mobile phone cases
• 2,200+ consultancy engagements
• 750+ civil and criminal cases
• 475+ expert witness assignments

FOR MORE INFORMATION:

Call us on 01789 261200, email info@cclgroupltd.com or visit www.cclgroupltd.com

