CONSULTING
|
DIGITAL FORENSICS
|
E-DISCLOSURE
LEGAL NEWS Issue 14
www.cclgroupltd.com
SOCIAL MEDIA INVESTIGATION TOOLS by Rob Savage
It will come as no surprise to anyone that social media plays a central role in the world we live in today. For something that ten years ago was virtually unheard of, social media has grown almost exponentially to the point that almost two thirds of the UK population are regular users of Facebook. This is, as you would expect, not evenly distributed across all age ranges. Unsurprisingly, there are proportionally more 16-20 year old users, with 95% reporting to be regularly using Facebook; this falls to 74% for 21-24 year olds. Although the growth in the use of social media appears to be levelling off, it is nonetheless still growing year on year. What is intriguing however, is that the fastest growing demographic is the 55-64 year olds, perhaps suggesting a broadening of appeal.
Police forces, intelligence agencies, investigators and private detectives have for some time been using social media for intelligence. The first case of this I came across was back in 2007. A friend of mine was working in HR for a travel agency and was tasked with proving employee misconduct. There were suspicions that this employee who was on long term sick, was perfectly able to work and in fact on holiday himself. It did not take much effort to locate his page on Facebook and discover a trove of holiday photos (one even showed him on a jet-ski). This was back in 2007 when the number of global Facebook users was a fraction of what it is today. The more social media integrates into our lives, the more information (intentionally or unintentionally) we
IN THIS ED ITION... > Social m edia investigatio n tools > Though ts for the month > Costs ce iling increased > Cyber se curity what are yo u doing about it? > The real CSI > CPD co urse > About C CL
publish online about ourselves. Users are increasingly using mobile devices to access these platforms and many users are also uploading their location. Over the last five years there has been increasing public awareness of the risks of publishing information about yourself online, however we still see about 25% of social media users making no attempt to apply privacy settings to their profile. The 75% that do, quite often get it wrong. In addition, there are those platforms where the whole point is to publish to everyone. I have lost count of the number of cases where a user has posted something on Twitter that has had far-reaching consequences.
Continued on page 6...
1
STUART BECK, Senior Digital Forensic Analyst - Research & Development Stuart joined CCL in 2008 as a Digital Forensic Analyst before moving into the Research & Development team. Prior to working for CCL, Stuart was employed by Strathclyde Police where he worked on a number of high-profile cases including the Glasgow Airport attack. Stuart holds a BSc (Hons) in Computer Science and is in the process of completing a Masters in Forensic Computing from Cranfield University. As a member of the R&D team Stuart focuses on the automation of tasks and presentation of data, while also reverse engineering proprietary data structures. He has developed a number of applications CCL uses to track exhibits, generate statements, create reports and produce evidential discs.
Stuart’s thoughts for the month Swift and Sure Justice, published in 2012, outlined the proposals that the government are making in order to reform the Criminal Justice System. A large portion of the paper focused on the use of technology in modernising the Criminal Justice System. By 2016 courts are expected to be ‘fully digital’, however, little mention was made of Electronic Presentation of Evidence (EPE). The Justice Minister seemed more concerned with how much paper is used by UK courts; 160 million sheets each year if you are interested, which we are told is the equivalent of 15 Mount Snowdons. The production and presentation stages of a case are vital to its outcome. If a case is not presented to the court in a clear, concise manner then its chance of success decreases dramatically. The data that has to be presented is becoming increasingly complex; a print out of a spreadsheet is no longer sufficient when such large datasets are being generated as evidence. It is much easier to display a chat session on a screen than wade through a massive jury bundle. At CCL we already produce a lot of our output electronically. Our research team have developed presentation platforms which allow dynamic searching and sorting of the data. We have previously worked with clients to produce bespoke electronic presentations, which can convey our analysis better than conventional paper reports. Our aim is to always make the analysis clear and simple to understand for everyone involved with the case. I recently attended court as a witness and was dismayed to find a lot of my electronic evidence had been printed. Are we any closer to having EPE utilised in today’s courtrooms thanks to Swift and Sure Justice? Progress is being made, but I would say we are still a million miles away. That’s almost 15,504,278 Mount Snowdons!
PETER COGGER, New Business Manager Peter joined CCL in 2013, as Consulting Business Manager, to grow and expand CCL’s consulting services across the UK corporate sector. Originally starting out as a specialist software engineer in the defence industry, Peter’s passion for new challenges led him into client focused roles and, ultimately, business development. Having previously grown a successful IT management consulting business, Peter was drawn to CCL by its impressive client list and previous track record. Peter’s role also includes growing CCL’s cyber security practice and its ISO27001 governance and compliance consultancy services.
Peter’s thoughts for the month Being involved in CCL’s cyber security practice, I have seen first hand the need to protect information at an individual, corporate and state level. In today’s world of digital information and communications, do we always know who has access to our personal or corporate data and for what purposes, and how valuable that information might be to someone else unknown? I am still surprised by how lightly some companies treat these issues. Having previously worked for a FTSE 100 aeroengineering company and regularly being made aware of the cyber threats when travelling on business to the Far East, I have realised that every employee has an active part to play in protecting their employer’s corporate information, no matter how important or insignificant that data might be. The information contained on your mobile phone might give inadvertent access via other gateways to systems containing highly commercially sensitive information. And, at the end of the day, whether a security breach occurs by malice or by accident, or comes from within or externally, the potential loss to an organisation’s reputation and competitive advantage could be immeasurable. So, when talking about business, all employees should be made aware of the importance of security and their individual responsibilities in assuring it. Lawyers may increasingly see their clients turning to them for advice on this issue. CCL works with lawyers to provide advice to their clients on how they can better protect their corporate data.
2
COSTS CEILING INCREASED by Umar Yasin
The Civil Procedure Rules Committee (CPRC) has sent the strongest signal so far regarding raising the costs budgeting ceiling, which is currently set at £2 million. Minutes from the latest meeting of the CPRC, on 6th December 2013, suggest that the current £2 million threshold is to be raised, so that costs budgeting applies to all civil cases worth £10 million or less, from 22nd April 2014. Readers will be aware of the last-minute exemption to costs budgeting, which meant that it was not universally applied across the civil courts, leading to fears of forum-shopping by litigants. In Legal News Issue 6, I wrote in detail about the difficult but crucial balance that the CPRC has to strike between ensuring certainty and consistency on costs capping across the civil courts, and maintaining the attractiveness of London as the foremost forum of choice for foreign litigants. The Master of the Rolls, Lord Dyson, along with Lord Justice Richards, have now said that the current costs budgeting regime ‘does not provide a uniform regime and in our view sets too low a threshold for any general exclusion to costs management.’
CASE STUDY Illegal firearms – computer analysis THE CASE: A suspect had been arrested under suspicion of purchasing illegal firearms and importing them into the UK. The firearms were seized by the police in transit and during a subsequent search of the suspect’s house. However, further evidence was needed to link the suspect with the items seized and to identify if additional purchases had been made.
Despite some CPRC members being in favour of a higher threshold, the duo said that £10 million was a decent ‘starting point, subject to review.’ It is clear that the senior judiciary is acutely aware of the need to strike the right balance, saying that although universal costs budgeting with no exceptions at all was most in line with the Jackson Reforms, ‘we would have no hesitation in favouring it, were it not for the concerns expressed so strongly by so many consultees that a requirement for costs budgeting would risk deflecting highvalue cases away from London and the UK.’ As discussed back in Issue 6, London remains the forum of choice for foreign litigants, with research from Portland showing that out of all claims in the Commercial Court from 2009 to 2012, claims involving foreign litigants totalled 364, whereas only 159 cases involved UK-based litigants. Therefore, with new rules on the horizon from the CPRC, it seems that the vast majority of commercial disputes involving foreign litigants, which are usually significantly in excess of £10 million, will still be exempt from costs budgeting. However, we should bear in mind that with the changes to the overriding objective and the emphasis on proportionality affecting all civil cases, as well as the increased case management powers of the judge under CPR 3.1 and the accompanying power of sanctions under CPR 3.9, even if cases in the Admiralty, Commercial, Chancery, Mercantile, Technology and Construction Courts are currently exempt from costs budgeting, it is still important for litigators to now carefully project manage all cases. In fact, proper project management is arguably even more useful and advantageous for cases worth many multiples of the increased threshold of £10 million.
WHAT CCL DID: CCL took a forensic image of the suspect’s hard drive, which allowed the analyst to work on an exact copy of the original, without it having to be switched on. THE OUTCOME: CCL’s analysis of the hard drive uncovered evidence of four transactions made during the period of one year and provided the additional evidence the police needed to secure a conviction.
3
CYBER SECURITY – WHAT ARE YOU DOING ABOUT In July 2013, GCHQ and MI5 backed a letter sent by the Department of Business, Innovation and Skills (BIS) to the UK’s FTSE Top 350 companies, advising them not to underestimate nor be complacent about the commercial threats to their business arising from an IT security breach. Law firms have similarly been advised by the Law Society to take their own cyber security seriously. Indeed, the Solicitors Regulation Authority itself suffered a cyber-hack very recently. The impact of cyber security breaches is not only financial; it can cause irreparable damage to the reputation of the law firm, loss of key clients and have immensely serious implications for client confidentiality, particularly where, these days, law firms are as likely to have terabytes of client data as well as rooms full of lever-arch files. Throw into the mix the possibility of a hefty fine from the Information Commissioner’s Office, an investigation by the SRA and a very awkward and difficult conversation with your insurers, and it is no surprise that law firms, from the largest City firms to the smallest corporate or litigation boutiques, are taking cyber security concerns extremely seriously. Many companies are still only just waking up to the real impact of cybercrime on their business, and CCL has seen a surge in demand for its cyber security review, incident response and management services from law firm CIOs, COFAs and COLPs alike.
4
Fighting external hackers is a constant war, but it is relatively straightforward to protect your information management systems and vital data from external cyber-attack. But, it is often harder to safeguard them from people within your firewalls who already have authorised (or even unknown) access to your data. More worryingly, many such incidents go unnoticed by management or IT until an incident is unearthed for some other reason. Before we become paranoid about the intent of our staff or external managed service providers, we should state that many internal security breaches happen inadvertently because of poor internal security governance, systems and processes. No matter what the reason though, do you know who is accessing your IP, confidential client information and valuable business information, and for what reason? CCL supports the Department of Business, Innovation and Skills (BIS) initiative as well as the Law Society Cyber Information Sharing Partnership initiative, and recommends all firms undertake, as a minimum, a review of their information security management systems against the requirements of ISO27001 to identify any shortcomings in their IT security landscape.
But if you think all attacks are external and that your firm is secure; then think again…
A competent cyber security specialist will review your security infrastructure and current level of protection against all potential threats to your data. As a minimum it should cover user access, systems and BYOD security policies and procedures, organisational structure and people, responsibilities and authorities, business processes and IT technologies, as well as internal and external supply chain interfaces.
Today, many security incidents are as likely to originate from within a company as they are externally. Office and whitecollar cybercrime is replacing blue-collar and shop floor misdemeanours, but the losses can reach into the millions of pounds rather than the hundreds and thousands.
Once complete, you will then have an overall picture of what needs to be done to plug the gaps in your security policy and take the necessary remedial action to protect your firm from fraud, loss of IP or client confidential information and potential fines.
T IT? by Peter Cogger and Umar Yasin SOME OF THE CASES RECENTLY UNCOVERED BY CCL INCLUDE: Loss of investment and IP to a competitor through unrestricted access and copying of market leading software designs and source code by a disgruntled employee
Irreparable supply chain damage caused by an employee electronically copying vital supplier information and passing it to a competitor
Unknown ‘backdoor’ access by an exemployee into the company’s complete online MS Sharepoint document library
TIPS
You and your clients should: > Ensure adequate protection and policies are in place > Improve ability to respond to threats quickly > Identify potential areas of weakness in the security infrastructure and look to address them before an incident occurs > Ensure that information about who has access to what is readily available and that a procedure to revoke access is in place to allow immediate response should it be required > Be aware of the volume of information that is held within the organisation
Employee copying of market leading leisure company’s complete CRM database to take to a rival organisation
Access to all emails of the members of the company’s board of directors by an employee of an external IT service provider
Unauthorised access by a small group of employees to an organisation’s payroll information
For more information or advice on cyber security and how you can protect your data, call us on 01789 261200, email edisclosure@cclgroupltd.com or visit www.cclgroupltd.com
5
CASE STUDY Assault – cell site analysis THE CASE: CCL’s cell site call department received a from a criminal defence solicitor in the south of d England. Their client ha lt au ass h wit ed arg been ch en at but claimed to have be ay, home, some 20 miles aw d at the time of the allege nt. incide
t The prosecution had no sis instructed a cell site analy expert, but the defence site believed that using cell s analysis with their client’ uld mobile phone records wo t no confirm that they could of have been at the scene the alleged crime. CCL advised the solicitor uld what information they wo need from the network provider and that they the would need to apply to er ord courts for a production y an to get the phone comp to release the data. the WHAT CCL DID: Using , ed call data records suppli CCL’s cell site specialists rain were able to conduct ter ich wh analysis and mapping, d proved that the accuse could not have been at the scene of the alleged assault at the time stated s wa as their mobile phone t connected to masts tha at were near to their home the time in question. one THE OUTCOME: The ph d ute was proven to be attrib to the defendant.
6
SOCIAL MEDIA INVESTIGATION TOOLS by Rob Savage
…continued from page 1 I am sure most people are familiar with the high-profile news stories about people who have found themselves in hot water due to their social media activities. Examples such as Paul Chambers who in 2010 was convicted for sending what he thought would be a humorous threat to Robin Hood Airport. Then there are the numerous examples of teenage parties that have gone ‘viral’ and spiralled out of control. During my career, requests from clients for us to investigate social media have been few and far between. However, in the last six months we have begun to see a shift in this trend, which has motivated us to invest in technology that will allow us to undertake these investigations securely and defensibly. We have begun to see cases arising from companies in relation to employee misconduct. The previous case with the travel agency being a prime example of that. We are also seeing cases where an employer is seeking to establish what relationships exist between employees, whether that is to substantiate claims of bullying/harassment or whether favouritism has occurred. We are also seeing cases of libellous remarks being made over Twitter, the evidential preservation of which is required for court. The nature of social media is that it is often publicly available, meaning that, in theory, anyone can log in and do their own investigation. The power of the tools we have invested in lies in the ability to aggregate, search and defensibly preserve this information in a way that the average user cannot. As an example, there was a recent news story about an incident happening at a location in London. We were not engaged in the investigation but using just publicly available data, we decided to see how much we could discover. All our analyst had to go on was the rough location of the property and the nature of the event. By searching for all Facebook posts and Tweets being sent within a five mile radius of the location and by searching for keywords across the social networks, we were able to establish quite a lot of information. We were able to discover the exact address of the property, the owner’s name, the names of his family members and a list of his friends. We were able to establish his political attitudes and where he worked. We were even able to establish the name of his girlfriend and where she worked. None of this had any relevance to the incident but demonstrated the potential to harvest detailed information from a very vague starting point.
For more information on CCL’s social media investigation tools and services, call us on 01789 261200, email edisclosure@cclgroupltd.com or visit www.cclgroupltd.com
THE REAL CSI: CELL SITE ANALYSIS by Sarah Turner Picture the scene:
The Lieutenant dispatches a team of burly, tanned officers to go and arrest the crook. Is forensic cell site analysis really this simple? Or have they fallen into one of the many potential pitfalls of cell site analysis?
19:42: The early evening sun glints off the modern glasspartitioned offices in Miami. The Lieutenant sits in his large air-conditioned office; he sighs, leans back in his chair and places his shades on the desk. A mugshot of his current suspect fills the large wall-mounted monitor.
We think he led the heist at the docks, but we can’t pin him down. He claims he was in Florida on that date One of his Officers rushes in, sending papers floating off the desk…
Boss, we’ve finally got his call data records! His mobile phone usage should be able to shed some light on his whereabouts on that date With a few swipes of his hand across the screen, a map pops up with a number of red dots indicating the locations where the mobile has connected to a cell tower. The dots appear in date/time order, one after the other, neatly showing the movements of the suspect during the date in question.
Looks like he was definitely there when the heist took place – let’s bring him in!
Forensic cell site analysis relies on information from call data records. Often these are provided in different formats depending on the network. For example, a call data record from Orange looks very different from a call data record from Vodafone. So it is not quite as simple and straightforward as a few simple swipes of your finger (or clicks of the mouse) to take all that differently formatted information, analyse it and then plot it onto a map, as our friends in Miami did so effortlessly in the story above. At CCL, we have developed our own in-house tools to assimilate the data from differently formatted call data records into one standardised format. This enhances the interrogation of the data and enables the evidence to be presented in a more meaningful and impactful way. Expertise also lies in interpreting the data and taking into account factors such as terrain and structures that will distort the service area of the cell towers – all of which has to be done in a defensible, documented and repeatable manner. This isn’t something that is done in the swipe of a hand, and may be something the team in Miami have overlooked. There is also more intelligence to be gained from call data records than just which cell towers a mobile phone connected to and at what time. It can potentially provide intelligence on who else may be involved in a criminal activity, from both the numbers the suspect has called or text, and the numbers from which the suspect has received calls or texts. This all helps to build a bigger picture of the user’s activity and their accomplices. Another way of gaining more intelligence from cell site data is to look at call data records from over a longer period of time than just around the time of a crime. While this may be the best place to start, it can be useful to look at the patterns of usage within the data as a whole, rather than just focusing on a small piece of evidence. This data from over a longer period of time can give great insights into someone’s day-today activities and pattern of mobile phone usage, which can make it easier to spot things that are out of the norm e.g. behaviour patterns where the time in question shows some deviation from the norm, or evidence of someone ‘casing the joint’ before a crime. If the team in Miami looked into this kind of data, they might be able to arrest others involved in the criminal activity too. But of course, this does involve a bit more groundwork, experience and expertise than just punching a few commands into a smart computer.
For more information on cell site analysis or CCL’s other products and services, please call 01789 261200, email edisclosure@cclgroupltd.com or visit www.cclgroupltd.com
7
ic n o r t c e l E ‘ E S CPD COUR e-disclosure’ d n a e c n rything e d i v e e cover eve s e h T . rs e y for law closure of
rses nd dis es CPD cou evidence a ic n o tr c le CCL provid e t know abou tion. you need to red informa to ou an s y ll a ic n e will give y rs electro u o c D P C r you el, our plications fo ouse couns im -h s in it r u d o n a y b e evidenc Delivered f electronic o g in d n ta unders ents. overs: and your cli re’ course c u s lo c is -d e ce and sure onic eviden and e-disclo tr c e c le n ‘e e s id L’ v e C C tronic tion to elec Q • Introduc and the ED B 1 3 n o ti c Dire • Practice Missed an issue of Legal News? g costs in ll o tr n o C • Don’t worry, all issues are s d technique n a ls o o T available on our website at • s e s a c y e • K
www.cclgroupltd.com
ABOUT CCL CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it. In 2001, we setup our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one accredited to the ISO17025 standard for our computer, mobile phone and Sat Nav laboratories. We provide digital forensics services to a broad range of organisations, ranging from law enforcement agencies, civil and criminal law firms to corporate clients. CCL has been in the e-disclosure market since 2009 and has completed over 220 e-disclosure cases to date.
COMING UP NEXT MONTH: Rise of the cryptocurrencies Review accuracy – the risk in disclosing privileged information
For more information call Rob or Umar on
01789 261200
8
email edisclosure@cclgroupltd.com or visit: www.cclgroupltd.com
OUR SERVICES • Digital forensics and investigations - All operating systems - Smartphones/mobile phones - Tablets - Sat Nav analysis - Cell site analysis - CCTV analysis - Remote forensics - Social media forensics • E-Disclosure services • IT consultancy • Digital forensics hardware and software • Early case assessment tools • Data collections • Training • Search and seizure orders • Expert witness services
THE NUMBERS CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed: • • • • • •
220+ 4250+ 55000+ 2200+ 750+ 475+
e-disclosure cases digital forensic (PC) cases mobile phone cases consultancy engagements civil and criminal cases expert witness assignments