
LEE & ALLEN FORENSIC COMPUTING SERVICES



Presentation Transcript


  1. LEE & ALLEN FORENSIC COMPUTING SERVICES
     • A CAREER IN FORENSIC COMPUTING
     • CRAIG G EARNSHAW

  2. Topics Covered
     • Myself and Lee & Allen
     • What is forensic computing?
     • The anatomy of an investigation
     • Types of work performed
     • Examples of FCS cases
     • A career in forensic computing

  3. Personal background
     • Graduated in 1997 in Computer Science
     • First dedicated forensic computing employee
     • Currently Head of the Forensic Computing Services Group
     • Responsible for all FCS Group activities in each of the three offices

  4. The background to Lee & Allen
     • Formed in 1994 by David Lee & Tim Allen
     • Initially four staff - now sixty
     • Offices in major business centres of London, New York, and Hong Kong

  5. The background to the FCS Group
     • Lee & Allen involved in forensic computing for eight years
     • Increasingly, relevant information is stored on computer systems
     • Dedicated internal forensic computing function set up in 1997
     • FCS Group specific cases in addition to assisting Forensic Accounting cases

  6. Requirement for Forensic Computing
     • Computers are a valuable source of information
     • Volume of data resident on a computer
     • Type of information resident on a computer
     • Difficulty of investigation
     • Fragility of computer data
     • Destruction of vital evidence
     • Vast volume of data being examined
     • Diversity of software and hardware
     • Admissibility of findings

  7. Requirement for Forensic Computing
     • 92% of all information generated worldwide is in electronic rather than paper form
     • Approximately 30% of information stored electronically is thought never to be converted into paper form
     • 31 billion e-mail messages sent every day
     • 800Mb of data is produced and stored each year for every human being on the planet

  8. What is Forensic Computing?
     • Relatively new field
     • Initially appeared in the early 1990s
     • Rapidly expanding area
     • Constant requirement to stay one step ahead of current technology

  9. What is Forensic Computing?
     • Preservation, identification, extraction, and interpretation of computer data
     • Forensic computing investigations might be carried out internally within a corporation, by an external consultant, or by government bodies such as the Inland Revenue or Customs and Excise
     • Securing and identifying electronic evidence which can be presented within a Court of Law or other forum

  10. Forensic Computing Expert
     • What can a Forensic Computing expert do?
     • Vital link between legal, accounting, and IT fields
     • Secure computer and other electronically resident data
     • Interpret the data resident on electronic devices
     • Rapidly search vast volumes of data
     • Recover deleted material and defeat security

  11. Anatomy of an investigation
     • What are the main steps in the examination of a computer?
     • Identify
     • Preserve
     • Analyse
     • Interpret
     • Report

  12. Identify
     • Identify the computer used by the suspect (and those used by their support staff)
     • Ensure that all computers used are located
     • Locate all portable devices (PDAs, mobile phones)
     • Search for all removable media (floppy disks, handheld computer memory cards, digital camera memory)
     • Obtain access to user data on any servers
     • Locate appropriate backup tapes

  13. Preserve
     • Original computers must NEVER be examined
     • Produce an exact copy of the hard disk (an “image”)
     • Images generated by “bit-stream copying” techniques (data compressed)
     • Verify the image using MD5 and CRC hash values
     • Ability to return source computer to use
     • Ability to re-restore the image

  14. Analysis and Interpretation
     • Active and deleted documents
     • Backup and temporary files
     • E-mail and Internet files
     • Faxes and voicemail
     • Peer 2 Peer data
     • Fragments of files

  15. Report
     • Providing thorough expert reports
       - Written in clear and concise language for a non-technical readership
     • Witness statements recording “Search and Seize” Orders
     • Giving evidence in Court to support the evidence obtained

  16. Types of engagement
     • Expert witness
     • Electronic discovery
     • Employee activity investigation
     • Multi-disciplinary investigations
     • Internet investigations
     • Execution of Court Orders

  17. Expert witness
     • Usually a detailed examination of a small number of computers
     • Involves issues such as dating of files and events and identifying user actions
     • Required to ascertain the actions of a user
     • Image each computer involved
     • Identify pertinent information
     • Provision of expert report and evidence

  18. Electronic Discovery
     • The identification and production of relevant material from large volumes of data stored in many different formats in diverse locations
     • Network file servers, e-mail servers, backup tapes, and individual computers
     • Assistance in drafting discovery requests
     • Collection of diverse data sources
     • Collation and conversion of data
     • Identification of relevant data utilising a number of different techniques
     • Production of data in the most appropriate format

  19. Employee activity investigations
     • Very similar to expert witness engagements
     • Identify the computers and other media used by the individual or group of employees
     • Covertly image the individual’s computer
     • Perform a review of the data on the computer, including Internet and e-mail activity
     • Produce a report with supporting evidence

  20. Multi-disciplinary investigations
     • Use Forensic Computing techniques to identify pertinent information as part of a wider investigation process involving lawyers, investigators, accountants etc
     • Combination of the techniques used for expert witness and electronic discovery type engagements
     • Flow of knowledge between the various disciplines involved
     • Iterative nature of this type of engagement
     • Provision of expert report and evidence where required

  21. Internet investigations
     • The identification of individuals posting to Internet message boards
     • Obtaining subscriber information from ISPs and telephone companies with Court Orders
     • Seizure of the computers involved
     • Forensic examination of the computers involved to identify postings
     • Provision of expert report and evidence where required

  22. Execution of Court Orders
     • Required to ascertain, or ensure, that Court Orders have been carried out
     • Identification and removal of data from computer networks
     • Civil court orders such as “Search and Seize” orders and “Delivery Up” orders

  23. A career in forensic computing
     • Private sector
       - Lee & Allen
       - Specialist forensic computing firms
       - IT Security and corporate investigations companies
       - Big Four, and middle tier, accounting firms
     • Public sector
       - Police forces
       - Government agencies such as Customs & Excise, the DTI, and the Serious Fraud Office

  24. A career in forensic computing
     • Private sector
       - Commercial focused
       - Close contact with lawyers, commercial organisations and investigation agencies
       - Greater focus on reporting than analysis
       - High level of inter-personal skills required
       - Criminal defence work
       - Less attendance in Court
       - Better paid but less variety

  25. A career in forensic computing
     • Public sector
       - Criminal focus
       - Child pornography/terrorism/ID theft
       - Greater focus on analysis than reporting
       - Higher turnover of cases
       - More attendance in Court
       - Not as well paid but greater variety

  26. A career in forensic computing
     • Types of skills sought by Forensic Computing departments
     • In-depth knowledge of operating systems, file systems and applications
     • Ability to explain technical situations to the layman
     • Training provided by employers due to specialist nature of the field
     • New entrants to the field usually enter via larger companies or government bodies

  27. A career in forensic computing
     • Due to the growth of this field there are now Forensic Computing components to a number of computer science degrees
     • Specialist Masters and post-graduate diploma programmes
     • Due to the rise in awareness a number of books have been published concerning good practice, structured investigation and other elements of the forensic computing process

  28. A career in forensic computing
     • Imaging computers and media
     • Restoration of backup tapes
     • Perform and review searches of data
     • Technical research (including identification of software)
     • Format conversion (e-mail, documents etc)
     • Development of methodology

  29. Contact Details
     • Craig G Earnshaw
     • Lee & Allen Forensic Computing Services, 1 New Fetter Lane, London EC4A 1AN
     • CEarnshaw@Lee-And-Allen.Com
     • Telephone +44 020 7353 5600
     • Fax +44 020 7353 5252
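
Added example (not part of the original slides): the verification step from slide 13, "Preserve", sketched in Python. It hashes a source and its image with MD5 and CRC32 as the slide names, and goes one step further by keeping a CRC per chunk so a failed verification also shows where the image diverges; the in-memory "disk", the chunk size and the function names are constructed for illustration.

```python
import hashlib
import io
import zlib

CHUNK = 4096  # bytes per read; an assumed value for this example


def fingerprint(stream, chunk=CHUNK):
    """Read a stream in chunks; return (md5_hex, crc32_hex, per-chunk CRC list)."""
    md5, crc, chunk_crcs = hashlib.md5(), 0, []
    while True:
        block = stream.read(chunk)
        if not block:
            break
        md5.update(block)                     # whole-stream MD5
        crc = zlib.crc32(block, crc)          # whole-stream running CRC32
        chunk_crcs.append(zlib.crc32(block))  # CRC of this chunk alone
    return md5.hexdigest(), format(crc, "08x"), chunk_crcs


def verify_image(source, image, chunk=CHUNK):
    """Compare a source stream with its image; list offsets of differing chunks."""
    s_md5, s_crc, s_chunks = fingerprint(source, chunk)
    i_md5, i_crc, i_chunks = fingerprint(image, chunk)
    bad = [n * chunk for n, (a, b) in enumerate(zip(s_chunks, i_chunks)) if a != b]
    if len(s_chunks) != len(i_chunks):  # image shorter or longer than the source
        bad.append(min(len(s_chunks), len(i_chunks)) * chunk)
    return {
        "match": (s_md5, s_crc) == (i_md5, i_crc),
        "source": (s_md5, s_crc),
        "image": (i_md5, i_crc),
        "bad_offsets": bad,
    }


# Constructed sample data: a 16 KiB "disk", a faithful image, and an image
# with a single flipped bit at byte offset 9000.
DISK = bytes(range(256)) * 64
GOOD_IMAGE = bytes(DISK)
BAD_IMAGE = bytearray(DISK)
BAD_IMAGE[9000] ^= 0x01

if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("bad", bytes(BAD_IMAGE))):
        result = verify_image(io.BytesIO(DISK), io.BytesIO(img))
        print(name, result["match"], result["image"], result["bad_offsets"])
```

MD5 and CRC32 catch accidental corruption of an image; because MD5 collisions are practical to construct, current practice records a SHA-256 value alongside or instead of it.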
