CONSULTING
|
DIGITAL FORENSICS
|
E-DISCLOSURE
LEGAL NEWS Issue 5
www.cclgroupltd.com
DIGITAL DATA INVESTIGATIONS AND FORENSIC ACCOUNTING – STRIKING THE RIGHT BALANCE AT THE RIGHT TIME
Co-written by Nick Matthews, Kinetic Partners & Umar Yasin, CCL Group
Capturing the right data in complex banking litigation and related regulatory proceedings has never been more critical. In recent and on-going action including, for example, in relation to alleged misleading offering circulars, or the current claims against banks in relation to the mis-selling of interest rate hedging products or swaps, an efficient and targeted data collection process followed by effective interpretation of the information obtained will be of central importance. This is an area where Digital Data Investigations and forensic accounting complement each other perfectly to assist litigators. Currently, we are seeing a raft of financial litigation ranging from financial mis-selling to investment management misconduct and more complex securities litigation. We are also seeing some high-profile investigations by the SFO into alleged bribery and corruption, whether at Rolls Royce or ENRC PLC. In assisting clients with such cases, it is important to know what information might be available and where it is likely to be located. Putting in the hard work at the beginning to ensure effective and efficient data capture will pay dividends. It is easy to capture too much data and then face expensive and protracted processing and review exercises, but capture too little, through an overly targeted collection, and you run the risk of missing crucial evidence. Expert and early planning is crucial. Once the
appropriate information is captured, it is essential that individuals with the necessary financial acumen and sufficient industry experience go through this information to assess its implications. One recent issue, which we certainly have not heard the last of, is that of loan loss impairment provisioning, or assessing the recoverable value of a loan portfolio. This important, but judgemental area of accounting is notoriously easy to manipulate, giving a false or misleading representation of the health or performance of a firm. When investigating technical matters such as loan loss impairment provisioning, both financial and non-financial information can be highly significant. Relevant data could be held within the firm’s email server, on shared work drives, in the firm’s mainframe accounting system, on its employees’ computers and mobile devices, or even, of course, on paper. Hints from the CFO to the CEO as to why the actual provision should be higher than is disclosed would be a ‘smoking gun’, provided that they can be located, recognised and properly interpreted. The interplay between the forensic accountant and the digital forensics expert early in the investigation is vital. The key information may be contained, for example, in preparatory notes for a meeting regarding capital requirements on an employee’s iPad or smartphone. This relevant data will also
IN THIS
E
DITIO > Dig N... ital Da ta Investi gation s and fore > Tho nsic accounti ng u g h ts o > Q& A with f the month K in etic Part > Fo ners rensic R eadine Is yo s > Fo ur client read s – rensic y? c o ll e The pe c rils of lo tions – meta sing > Pho data ne pate nt wars pred > Ab ictive coding and out CC > Firs L t respo nse co urse
be crucial in proving or defending any allegations of fraudulent misrepresentation, as email correspondence or other internal communication could shed more light on the intentions or motivations behind certain decisions. Locating and extracting this information is often easier said than done and it is the digital forensics practitioners and the forensic accountants, in conjunction with the firm’s internal and external legal counsel, who are best placed to perform the work. This gives the firm and its lawyers the best chance of being able to demonstrate to the claimants or the regulator that a course of action, or indeed the contents of a prospectus, were justifiable, accurate and appropriate. It is, of course, important to understand the extent of the issue as early as possible in order to make the appropriate decision, whether it be a robust defence or an early disclosure or settlement. There are myriad factors to consider, whether it be a view from the digital forensics professionals regarding the volume of relevant data or a consultation with an industry/technical expert on the key issues in the case. In future issues of Legal News we will look into different issues facing businesses today and how Digital Data Investigations and forensic accounting services can assist in addressing them.
1
KAREN SABIN, Quality Manager Karen is one of CCL’s longest serving members of staff. She has been with the company since 1991, starting in the IT consultancy division of the business. As Quality Manager at CCL, Karen is responsible for implementing and maintaining systems and procedures to ensure that CCL achieves, and maintains, industry-leading quality standards. Over the last few years, Karen has setup the processes and business operations required for CCL to achieve and maintain ISO9001 and ISO27001 certification. These certifications ensure that CCL adheres to the highest information security and quality management standards throughout. Karen is now also responsible for the maintenance of CCL’s ISO17025 accreditation for the digital analysis of computers, mobile devices and satellite navigation equipment. This involves writing, reviewing and updating standard operating procedures, ensuring that our tools are validated, conducting internal audits of CCL’s processes and procedures, ensuring staff are trained and competent to undertake their roles and continuously improving the CCL Quality Management System.
Karen’s Thoughts for the Month Achieving the ISO17025 accreditation has added structure to the way CCL conducts investigations and improved the way we run our laboratories. Being accredited means that we have documented procedures which everyone has to follow. We have structured training paths for our analysts – who must be competent before they commence live casework and our tools must be validated to ensure they are functioning properly. This all results in a guarantee of evidential integrity for our clients, which is crucial when the data we recover, analyse and present could potentially be relied upon in court. CCL is now seeking accreditation for our e-disclosure services and we are currently implementing the necessary procedures and competencies to ensure this will be completed smoothly during the next few months. A key aspect of this accreditation will be the development of high quality, standardised and repeatable processes. The Jackson Reforms have put the spotlight on e-disclosure costs – with proportionality and defensibility being the watchwords. This accreditation will ensure that our e-disclosure services are efficient and cost-effective, making them defensible to both clients and the court.
RICCI LAWLESS, e-Disclosure Analyst Ricci is an e-Disclosure Analyst at CCL and has four years’ experience in conducting Digital Data Investigations. Since joining CCL, Ricci has completed the analysis for over six hundred cases and has given evidence in court on numerous occasions. As an e-Disclosure Analyst, Ricci plays a central role in many of CCL’s e-disclosure exercises, from conducting data collections and helping clients to reduce the volume of reviewable data through intelligent keyword searching, concept searching and other technology, through to analysis and production. He also provides technical input to CCL’s proposal documents for potential clients and demonstrates CCL’s e-disclosure platforms. Prior to joining CCL, Ricci spent over four years working alongside law enforcement agencies, adhering to PACE 1984 and RIPA 2000 standards. Ricci has experience of working in a number of specialist areas including telecommunications, loss prevention and CCTV.
Ricci’s Thoughts for the Month In my experience of Digital Data Investigations, I have dealt with the need for social media recovery within cases for many years. Social media is now becoming an increasingly common source of evidence in both criminal and civil litigation, which needs to be addressed during the e-disclosure process. Over recent months the requirement to disclose social media has been commonly requested in personal injury litigation and employment claims, however, the process of collecting and preserving social media content from sites such as Facebook, Twitter and LinkedIn is still in its infancy. Even though many e-disclosure providers have acknowledged an increase in the need to collect this type of content, innovation is slow. With social media sites still rapidly growing in popularity, the need to preserve social media information is an increasingly likely scenario for all parties involved in litigation. However, social media data is not only difficult to identify but equally problematic to preserve when litigation is reasonably foreseeable. It is therefore important for parties to be proactive in identifying and requesting social media data before alteration or deletion occurs. So what is the best solution to manage this? The ideal approach for e-disclosure of this content is for corporations to introduce watertight social media usage policies and put in place an e-disclosure collection and preservation plan to prevent spoliation claims, disproportionate collections or privacy infringements to name but a few.
2
Q&A SESSION WITH KINETIC PARTNERS The complex challenges thrown up by Digital Data Investigations are best solved by reliable and efficient teams with the right mix of skills and experience. This tailored and collaborative approach is what underpins CCL’s partnership with Kinetic Partners - an award-winning and leading provider of tailored consulting, advisory and assurance services to the global financial services industry. Together, both businesses can offer clients a seamless and integrated approach to all engagements. CCL conducted a short Q&A session with Partner and Global Head of Forensic and Dispute Services at Kinetic Partners, Nick Matthews, to discuss the challenges facing their clients and how a combination of forensic accounting and Digital Data Investigations can be used together to help meet these challenges head on. 1. What challenges have your clients been most concerned about over the last six months? At the top of the list would have to be the current economic environment. Clients are understandably concerned about costs generally, but given that case costs and the cost of regulation are to a large extent unavoidable, what clients really want is value for money. Clients are also concerned about regulatory compliance and the pace of change in the european and global regulatory landscapes. There is a general feeling that it is all becoming quite overwhelming. Finally, some of our clients are facing the consequences of governance and financial crime failings and the ensuing shareholder or investor legal action, as well as regulatory censure and the risk of reputational damage. 2. What does Kinetic Partners do to respond to these challenges? For most of Kinetic’s clients across the world, keeping on top of the ever-increasing complexity and volume of financial regulation is an enduring problem. It is no longer possible for a compliance officer to know everything he or she needs to know. We make it our job to know and understand our clients’ obligations in relation to their respective regulatory authorities. We also see a need for ‘forensic readiness’, where a firm has robust audit trails, key risk indicators and management information, and knows what is going on in their different operations. With any internal investigation, management and forensic accountants alike need to be able to access efficiently the data held within a business. Clients increasingly expect us to go through a rigorous budgeting process and then to monitor those budgets closely. Indeed, we are always conscious of case costs and the need to put in place efficient team structures. This was one of the key driving principles behind our partnership with CCL. 3. Have you seen many investigations as a result of the Bribery Act?
4. Why do you think we have not seen the full extent of the Bribery Act to date? Quite simply, it will take time for cases to filter through. Instances of bribery and corruption that occurred prior to the Bribery Act coming into force will not be prosecuted under the Act. Bribery or corruption can take place over a long period of time and it can also take several years for the issue to come to light, be investigated and then be prosecuted. 5. What do you see as the main similarities and differences between the FCPA regime and the Bribery Act? The FCPA has been around since 1977 but has also enjoyed a resurgence of prosecutorial popularity in recent years; it is widely regarded as a global standard that is actively, very robustly and successfully enforced. There is also a well-established culture of whistleblowing (where whistleblowers can be rewarded handsomely). Lastly, but by no means least, there is a culture of self-reporting fostered by the non-prosecution and deferred prosecution tools. All of this means that there is motivation to self-report for fear of the worst. In the UK, we are not yet there. 6. What recommendations are you making to your clients at the moment? Some advice never changes – businesses make false economies if they fail to ensure adequate governance, systems and controls in order to prevent or detect financial crime and mitigate regulatory, financial, reputational or legal risk in the event that problems arise. When problems do arise, investigate them properly - call upon outside expertise and resources, such as digital forensics specialists and forensic accountants where necessary, to ensure a thorough yet targeted response with an output that can be disclosed to the authorities if required. Finally, when contemplating a corporate transaction, especially cross-border, financial crime should not be overlooked in the due diligence process. Adverse findings may delay a deal while they are investigated and can have a significant effect on price.
Not yet, but we are advising clients on the FCA’s expectations of firms to put in place adequate systems and controls to prevent bribery and corruption. Whilst the FCA will take action against financial services firms that have inadequate prevention measures, even though no bribery or corruption may have taken place, firms in all sectors should have adequate procedures in place, as a defence against prosecution if problems do arise.
3
FORENSIC READINESS – IS YOUR CLIENT READY? There are commercial opportunities for lawyers who have an understanding of the issues surrounding forensic readiness. Being able to advise your client about the need to be forensically ready is crucial in today’s business environment, where most will have to face issues ranging from data protection, employee contracts and regulatory compliance to freedom of information and anti-bribery amongst others.
In contrast to 10 years ago, today users have significantly more IT at their fingertips. It is not uncommon for a user to have a laptop, a mobile phone and maybe even a tablet, in addition to the server-side systems they access.
What is
Forensic Readiness is the achievemen order for it to be able to collect, preser can be effectively used in any le tribunal or in a court of law. (CE
Being forensically ready varies from organisation to organisation, and depends largely on their size and what IT systems are in place. In an ideal world there would be documentation and legal frameworks that could enable each of the phases below to be undertaken quickly:
How these huge data sets are managed and stored not only adversely affects the running of the organisation on a dayto-day basis, but can dramatically affect the costs associated with responding to incidents where electronically stored information is a factor. The impact is that defensibly finding the needle in the tangled web of outdated, duplicated and irrelevant hay is a complex task. It is not just technological factors that are tripping up investigations. As technology and business culture evolve, so must employee contracts and policies. A prime example of this is Bring Your Own Device (BYOD). Should an organisation allow employees to use their own laptop, mobile phone or tablet for work purposes but fail to update their employee contracts, the organisation may find itself struggling to get access to employee-owned devices containing work related data, or worse, intellectual property. So what is the solution, and what sort of proactive steps can an organisation - your client - take to ensure that when they need to access their data they can do so quickly, defensibly and cost-effectively?
1. Identification of sources of electronic information and their respective purposes, for example email, file server, locally stored files, ERP system, etc. This master list of information sources can then be compared to the objectives and scope of the exercise, in order to identify which systems are potentially relevant.
2. Locate all of the data from that source for the entire period in scope. For example, we may find historic emails on backup tapes, or archived locally to users’ laptops.
3. Acquire the identified data for the entire scope period. This may involve extraction of data from multiple sources.
Sources of data
4
MOBILE PHONES
FILE SERVERS
REMOVABLE MEDIA
MOBILE DEVICES
CRM
LAPTOPS
EMAIL SERVER
BACKUP/DR SYSTEMS
SAT NAV
FIREWALL & SECURITY LOGGING SYSTEMS
CASE STUD Y Corporate Blackmail
By Rob Savage
s forensic readiness?
nt of an appropriate level of capability by an organisation in rve, protect and analyse Digital Evidence so that this evidence egal matters, in disciplinary matters, in an employment ESG, Good Practice Guide No. 18, Forensic Readiness)
Uncertainty is one of the biggest drivers of cost in e-disclosure and Digital Data Investigations. Having clarity on scope and capability at an early stage, in other words, being forensically ready, enables more accurate budgets and project plans to be put together to the benefit of all parties involved.
THE CASE: The Managin g Director of a large profess ional services inst itution had re ceived anonymous letters alleg ing financial mis managemen t and demanding sums of mo n ey in return for ke eping quiet. The MD app roached CC L and requested th e analysis of two workstation s, belonging to two membe rs of staff wh om he suspecte d. The IT Mana ger advised that if the docum ents had be en created at w ork, they pro bably had been st ored, under passwords, on the serve r rather than on the work st ations – but he wa nted to try th e workstation s first.
CCL can also provide advice and guidance on how lawyers can benefit from being forensically ready, and develop a better understanding of the issues surrounding forensic readiness. Please call Rob or Umar on 01789 261 200 or email edisclosure@cclgroupltd.com
MANUFACTURING SYSTEMS
TIMEKEEPING SYSTEMS
DESKTOPS
ERP
BI SYSTEMS
HARD COPY
WHAT CCL DID: CCL su ggested conducting keyword sea rches to see if the documents could be traced to those workst ations. This was to b e done in a co vert manner, so a s not to alert the employees u nder suspicio n. Two CCL an alysts attend ed during the n ight, such w as the concern for secrecy that they had to work by torchligh t! They took a forensic ima ge of both workst ations and se curely transported them back to CCL for analysis. THE OUTCO ME: As exp ected, no record o f the docum e n ts was found on th e workstatio n s, so a return visit w as made in o rder to image the se rvers. This ti me an analysis of ‘u nallocated cl usters’, for an EMF image show ed that the docume nt had been printed. It was able to be recovere d, along with in formation o f instruction to print. This provided th e client with the information he needed to take action again st th staff under su e members of spicion.
5
FORENSIC COLLECTIONS – THE PERILS OF LOSING METADATA By Rob Savage Metadata is essentially ‘information about data’ and simply refers to the properties of files and documents. For example, a Microsoft Word file may have the following metadata attributes: • Author
• Last Printed Date/Time
• Created Date/Time
• Modified Date/Time
• Last Modified by Metadata can be pivotal to a case. In any investigation where dates and times of events are potentially relevant, or for any disclosure exercise where there is a scope timeframe, metadata is critical. One unfortunate characteristic of metadata (and the reason why it warrants an article all to itself) is that it can easily and inadvertently be altered. The mere action of copying a file from one place to another can alter the metadata.
CASE STUDY eized in Mobile Device S l Road relation to a Fata Traffic Accident ed to hone was submitt THE CASE: An iP t able to e force that was no CCL from a polic already raised by the data answer questions lice force e phone. The po recovered from th recovering rm an extraction was able to perfo cial tools that the commer the standard data ecialist r, they required sp support. Howeve stem in iPhone iOS file sy knowledge of the vice at the activity on the de order to identify ent. a road traffic accid reported time of e exhibit, Upon receipt of th WHAT CCL DID: loaded sk image and then CCL took a full di to ic ol. computer forens this image into a the files analyst examined From here CCL’s ported ified around the re that were last mod collision time. n of the After investigatio THE OUTCOME: le to ab device, CCL was tion file system on the ica pl e-loaded email ap s prove that the pr wa n before the collisio owner had updated just e th us to believe that iving, reported. This led dr t ils ing the device wh may have been us collision. which led to the
6
Assume for a moment I have a file called ‘Smoking_Gun.doc’ and the metadata states it was created on the 1st July. If this document was to contain market-sensitive information that was not publically available until the 2nd July, then the metadata of this file is very significant as it shows that I had this before I should have. Let’s now suppose that I copy and paste this onto a memory stick (in a non-forensic manner) so I can disclose it at a later date. The created date of the file will be the date it was copied, not the date it was originally created. Since 1st April there has been significantly more emphasis on adopting a targeted approach to e-disclosure. For example, if it was proportionate to only search data from 2009 onwards in a case, we could feasibly reduce the volumes of data we are interested in. This however, is reliant upon the metadata, and if the data has been collected in such a way that the metadata has been corrupted, we are unable to reduce data volumes with this approach. The preservation of metadata is an important aspect to consider when capturing data. This is why we advocate a forensic approach to data collection, as this ensures all of the metadata is maintained and fully defensible if it is required as evidence in court. As such, a specialist digital forensics firm should be instructed to undertake the data capture wherever possible. Unfortunately, budgetary restrictions mean this is not always possible, in which case a forensics firm should be consulted before any work is undertaken, in order to advise on best practice and an acquisition methodology that will protect the vital metadata.
THE PHONE PATENT WARS AND PREDICTIVE CODING By Umar Yasin I have, like many others on this side of the pond, been following the ‘Patent Wars’ between Apple and Samsung with close interest, for a variety of reasons. I intend to cover some of the other relevant and interesting issues thrown up by this, and the trail-blazing done by Judge Peck in the Da Silva case, over the forthcoming editions. For the purposes of this article, I want to continue a theme that Rob Savage started in Legal News issue 3: predictive coding. For many of the litigators that we at CCL work with, including those that deal with document-heavy multi-million pound disputes with a vast volume of electronic documents, predictive coding seems to be something of a ‘dark art’ or a ‘black box’ solution. We have yet to see any real use made of this technology, whether you call it predictive coding or computer-assisted review. One of the main barriers to a whole-hearted adoption of predictive coding seems to be a lack of how it actually works, or, in some cases, a degree of suspicion in using this ‘black box’ technology. Without delving into too much detail about predictive coding and the limitations and considerations, it strikes me as slightly strange that there is such recalcitrance around predictive coding. In our experience the one thing that seems to be surprising and scaring litigators in equal measures is the actual basis of predictive coding, which is, in essence, a form of artificial intelligence that actually learns from the human. Many lawyers seem reluctant to use artificial intelligence to assist them with reviewing documents, but are more than happy to rely on other forms of artificial intelligence during their day-to-day lives. Whether we use Google to search and suggest what we are looking for, or when our SatNav reroutes itself when we take the wrong exit or whenever we are tapping away at our latest smartphone and it automatically completes the word we have started to type, these are all forms of artificial intelligence. These actions, such as searching on Google, have almost become second nature to us, yet they all rely on an underlying computer algorithm somewhere, and some form of artificial intelligence. It is important for vendors and providers to demystify predictive coding as much as possible, so that lawyers are more comfortable and confident in using it. That is why we will continue to discuss predictive coding in future issues of Legal News, including: considering the potential use of predictive coding as a quality control tool as well as a review mechanism, whether it is a myth that manual review is the ‘gold standard’ that some lawyers may think it is, and how predictive coding or computer-assisted review compares to traditional manual review. If you are interested in learning more about the potential benefits of predictive coding, please call Rob or Umar on 01789 261200 or email edisclosure@cclgroupltd.com
CASE STUDY SAT NAV DATA SOLVES MURDER INVESTIGATION THE CASE: CCL re ceived a Sat Nav fro m a UK police force, who we re investigating a kid nap and suspected mur der. The police force ’s own High Tech Crime Un it had already extra cted data from the suspec t’s Sat Nav, but this did not provide any infor mation on the possi ble location of a body, to help focus search efforts. WHAT CCL DID: CC L examined both th e Sat Nav’s memory card and internal memor y, and found that data was stored on the devic e’s internal memory on ly. CCL extracted a file from the internal memor y, which contained crucial data relating to rece nt journeys made, tri p logs, entered locati ons and favourites. CCL also found addit ional trip logs in arc hived files, dating back se ven months. This da ta is easy to miss, howeve r CCL’s analysts were able to use their specialist knowledge to ident ify that the archived files may have contained valuable data and so bring them into the scope of the investigation . By using an in-hous e developed Python script, CCL automated the process of extracting the large amount of trip log data from the Sa t Nav, and plotted these tri ps onto a map. With out the Python script, it would not have been feasible to extract an d plot this informati on on a map manually with in the time constraint s of the investigation, du e to the sheer volum e of data. Using a script to automate this pr oc es s meant that this could be completed in a matter of hours, giv ing the police the da ta they needed swiftly. THE OUTCOME: Th e Sat Nav data that CCL extracted was key in bringing a pr ompt resolution to the inv estigation, which wo uld otherwise have cont inued for weeks, or even months. By se arching the points CC L plotted on the map , detectives found th at an unidentified body ha d already been foun d at one of these location s, later identified as the missing person. The suspect was subseq ue ntly found guilty of kidna p and murder at the Old Bailey, and sentence d to life imprisonmen t.
7
ABOUT CCL CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it. In 2001, we setup our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one to hold the ISO17025 standard for our computer, mobile phone and SatNav laboratories. We provide digital forensics services to a broad range of organisations, ranging from law enforcement agencies, civil and criminal law firms to corporate clients. CCL has been in the e-disclosure market since 2009 and to date, has completed over 200 e-disclosure cases.
OUR SERVICES • Part 31 e-disclosure services • Digital forensics - All operating systems - Smartphones/mobile phones - Tablets - SatNav analysis - Cell site analysis - CCTV analysis • Collections • Part 25 search and seizure orders • Part 35 expert witness services
THE NUMBERS Scan the QR code with your smartphone for more content.
CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed: • 200+ e-disclosure cases
COMING UP NEXT MONTH: Digital data and swaps claims The FCA - twin peaks
• 2,500+ digital forensic (PC) cases • 50,000+ mobile phone cases • 2,000+ consultancy engagements • 700+ civil and criminal cases
FIRST RESPONSE COURSE CCL provides First Response training courses for HR and IT professionals. The course is designed to give you the information you need in order to respond to a suspected incident swiftly, and get the evidence you need, in a way that will ensure it withstands legal scrutiny. Incidents can include: computer misuse, bullying and harassment, internal sabotage, IP theft, breach of policies and employee productivity. CCL’s First Response course covers: • • • • • •
8
What is digital forensics? Why I might need a forensic response Where data can be retrieved from Case studies and examples Forensic requirement warning signs and how to respond Handling digital evidence
• 450+ expert witness assignments
Missed an issue of Legal News? Don’t worry, all issues are available on our website at
www.cclgroupltd.com
For more information call Rob or Umar on
01789 261200
email edisclosure@cclgroupltd.com or visit: www.cclgroupltd.com