
The Forensic Approach to Complex Fraud

Keith Foggon, Head of Digital Forensics Unit, Serious Fraud Office

Presentation Transcript


  1. The Forensic Approach to Complex Fraud. Keith Foggon, Head of Digital Forensics Unit, Serious Fraud Office

  2. Outline: What is the SFO; Forensic Challenges; DFU Technology; Forensic Processes

  3. What is the SFO: Created by Criminal Justice Act 1987; Roskill Fraud Trials Report 1986; began April 1988; compulsory powers (defeat confidentiality); investigates and prosecutes serious or complex fraud; multi-disciplinary teams; referral, vetting and acceptance

  4. What does the SFO do: Reduce fraud and the cost of fraud; deliver justice and rule of law; maintain confidence in UK business by: taking on appropriate cases; investigating quickly; prosecuting fairly; communicating clearly to deter fraud. Responsive – not reactive

  5. Criminal Justice Act 1987: s1: the director may investigate offences

  6. Criminal Justice Act 1987: s1: the director may investigate offences; s2(2): answer questions or furnish information; s2(3): copies of documents & explanations; s2(4): warrant to enter premises; s2 available for mutual legal assistance

  7. Criminal Justice Act 1987: s1: the director may investigate offences; s2(2): answer questions or furnish information; s2(3): copies of documents & explanations; s2(4): warrant to enter premises; s2 available for mutual legal assistance; s3: disclosure to other authorities

  8. Investigate & Prosecute: Prosecutor leads the investigation team: unique; effective (if the product is a prosecution). Team formed with: internal investigators, law clerks, etc.; Police (one or more forces); Counsel; external accountants etc.

  9. Criteria for Acceptance: Direction of the investigation should be in the hands of the prosecutor; sum at risk > £1m; public concern / interest; international dimension; specialisms / multi-disciplinary teams; use of s2 appropriate

  10. Roles and Responsibilities: Case Controller (dual function + maybe “disclosure officer”), leads overall investigation, separate from the case - he is the arbiter in relation to the way it will be prosecuted • Case Lawyer • investigator • involved closely in all aspects of the investigation • Support Staff • Law clerks / IT / analysts / DOCMAN • Digital Forensics Unit

  11. Computer Forensics: What’s it all about; Why does the SFO need a Forensics Unit?; Student Participation Time

  12. Digital Forensics Unit: Every case involves digital evidence; seizing server farms; work volume increasing each year; encryption built in to MS products; email, increasing volume & value; anti-forensics tools on the increase; all fraud investigators need awareness; massive amount of data – too much – far too much

  13. So how do we cope? • Forensics is such a linear process • It does not cope well with multiple dimensions • It confuses data and information • It finds the useless and ignores the useful • Imaging blank space (75% - 80% of image is of no use) • Investigators need knowledge but forensics creates a mist of confusion

  14. Consider: Data and Query Equality: Queries find data; Data finds queries; Data finds data; Queries find queries! Panel labels: Intelligent Forensics; Traditional Forensics

  15. Treat all Data as a Query: If you don’t process every new piece of data like a query … then you will not know if it matters … until you ask!

  16. Pause for thought: All single parameter forensic processes will fail. An investigator sitting at an EnCase machine will fail! The best, most reliable & useful results for large and complex fraud will be realized using a multiple, & simultaneous, approach

  17. The Technology behind the process: Using intelligence in forensic IT. The route forward: • Hardware • Environment • Network • Processes • Databases • Software

  18. Our new Desktop Environment: HP xw8600 Workstation (2 x quad-core 64-bit, 16Gb RAM, 1.5TB HD, Win XP Pro 64); Dell XPS 700 series

  19. Our new Storage Environment: Nexsan SATABeast; 4 x 42TB; RAIDed to 8 x 16.3TB volumes

  20. Our new Network Environment: Blades; Silos

  21. Our new Network Environment: Satabeasts; Closeup of Satabeasts

  22. One for the Techies: Rear View; Full Frontal

  23. New Work Area

  24. New Work Area

  25. New Work Area

  26. New Work Area

  27. New Work Area

  28. Hardware / Network: Silo-based structure; Enhanced security; Dedicated dirty network; 64-bit workstations; Optimised processing ‘RESTRICTED’; Improved throughput

  29. Hardware

  30. Hardware

  31. Hardware

  32. Network

  33. Network

  34. Police Forces in England & Wales (map, with legend): Avon & Somerset; Devon & Cornwall; Dorset; Gloucestershire (Gloucester); Hampshire; Kent; Sussex; Wiltshire; Cambridgeshire (Cambs.); Cleveland; Durham; Essex; Humberside; Lincolnshire; Norfolk; Northumbria; North Yorkshire; South Yorkshire (S. Yorks); Suffolk; West Yorkshire; Derbyshire (Derby); Dyfed-Powys; Gwent; Leicestershire; Northamptonshire (Northants.); North Wales; Nottinghamshire (Notts.); South Wales; Staffordshire (Stafford); Surrey; Thames Valley; Warwickshire (Warwick); West Mercia; West Midlands (W. Mids.); PSNI (Police Service of Northern Ireland); Bedfordshire (Beds.); Cheshire; Cumbria; Greater Manchester (Gtr Man); Hertfordshire; Lancashire; Merseyside; City of London; Metropolitan

  35. Domains of Investigation: INDIVIDUAL & INVESTMENT FRAUD; MUTUAL LEGAL ASSISTANCE; CORRUPTION; CORPORATE, CITY & PUBLIC SECTOR FRAUD; DIGITAL FORENSIC UNIT

  36. Processes: General offence of fraud (Fraud Act 2006): false representation; failure to disclose information; abuse of position. Seizure; Imaging; Analysis; Extraction; Sanitisation; PM Material; LPP Material; Staging; Extraction; Presentation

  37. Processes: Content extraction for defined data types; Comparison against known data; Transaction analysis (sequence of events); Extraction of data; Deleted files recovery; Format conversion; Keyword searching; Decryption / Cracking; Storage Media types Rebuild

  38. Procedures 2008

  39. Procedures 2009

  40. Databases: SFO-generated; Microsoft; Hashkeeper; NSRL; Police Operations; Civil Operations; Operation Ore; Some others – looking at Bit9

  41. Software: Most Imaging / Analysis: iLook, FTK, FTK2?, EnCase, Paraben P2; Mobiles / PDAs: CellDeck / Neutrino / PDA Seizure / Cellebrite; Write Blocking: Tableau / FastBloc / Wiebetech; Tapes: TapeCat / MMPC / eMAG

  42. Software: And these others:

  43. Electronic Presentation of Evidence: Screen displays of: Documents; Graphics; Animations; Virtual Reality

  44. Time: Cases take a long time to analyse, investigate, and prosecute; Computer Forensics is a slow process; Rules and procedures; Triage; Processes

  45. and don’t forget about these: iPods; iPhones; PSP; X-Box; PS3 / Wii; SatNav; Sky+ Box; BlackBerry

  46. or these: Palm Foleo (linux-based); Nokia N8000 (proprietary); Fujitsu (??); Sony VGN (XP home); Samsung Q1 (Vista)

  47. or even these

  48. Final word: Conventional computer forensics is struggling to keep pace with potential sources of electronic evidence. We need to apply intelligence to our forensics as there is simply too much data to analyse. Re-examine standard forensic procedures to adapt to advances in technology.

  49. Questions Thanks
