The Forensic Approach to Complex Fraud
Keith Foggon, Head of Digital Forensics Unit, Serious Fraud Office

Outline
• What is the SFO
• Forensic Challenges
• DFU Technology
• Forensic Processes

What is the SFO
• Created by Criminal Justice Act 1987
• Roskill Fraud Trials Report 1986
• Began April 1988
• Compulsory powers (defeat confidentiality)
• Investigates and prosecutes serious or complex fraud
• Multi-disciplinary teams
• Referral, vetting and acceptance
What does the SFO do
• Reduce fraud and the cost of fraud
• Deliver justice and the rule of law
• Maintain confidence in UK business by:
  • taking on appropriate cases
  • investigating quickly
  • prosecuting fairly
  • communicating clearly to deter fraud
• Responsive – not reactive
Criminal Justice Act 1987
• s1: the director may investigate offences
• s2(2): answer questions or furnish information
• s2(3): copies of documents & explanations
• s2(4): warrant to enter premises
• s2 available for mutual legal assistance
• s3: disclosure to other authorities
Investigate & Prosecute
• Prosecutor leads the investigation team
  • unique
  • effective (if the product is a prosecution)
• Team formed with:
  • internal investigators, law clerks, etc.
  • Police (one or more forces)
  • Counsel
  • external accountants etc.

Criteria for Acceptance
• Direction of the investigation should be in the hands of the prosecutor
• Sum at risk > £1m
• Public concern / interest
• International dimension
• Specialisms / multi-disciplinary teams
• Use of s2 appropriate

Roles and Responsibilities
• Case Controller (dual function, possibly also “disclosure officer”): leads the overall investigation; standing separate from the case, he is the arbiter of the way it will be prosecuted
• Case Lawyer
  • investigator
  • involved closely in all aspects of the investigation
• Support Staff
  • law clerks / IT / analysts / DOCMAN
• Digital Forensics Unit
Computer Forensics
• What’s it all about
• Why does the SFO need a Forensics Unit?
• Student participation time

Digital Forensics Unit
• Every case involves digital evidence
• Seizing server farms
• Work volume increasing each year
• Encryption built in to MS products
• Email, increasing volume & value
• Anti-forensics tools on the increase
• All fraud investigators need awareness
• Massive amount of data – too much – far too much

So how do we cope?
• Forensics is such a linear process
• It does not cope well with multiple dimensions
• It confuses data and information
• It finds the useless and ignores the useful
• Imaging blank space (75% - 80% of image is of no use)
• Investigators need knowledge but forensics creates a mist of confusion
Data and Query Equality
Consider:
• Traditional Forensics: queries find data
• Intelligent Forensics: data finds queries, data finds data, queries find queries!

Treat all Data as a Query
If you don’t process every new piece of data like a query, then you will not know if it matters until you ask!

Pause for thought
• All single-parameter forensic processes will fail.
• An investigator sitting at an EnCase machine will fail!
• The best, most reliable & useful results for large and complex fraud will be realized using a multiple & simultaneous approach
The route forward
The technology behind the process: using intelligence in forensic IT
• Hardware
• Environment
• Network
• Processes
• Databases
• Software

Our new Desktop Environment
• HP xw8600 Workstation (2 x quad-core 64-bit, 16Gb RAM, 1.5TB HD, Win XP Pro 64)
• Dell XPS 700 series

Our new Storage Environment
• Nexsan SATABeast: 4 x 42TB, RAIDed to 8 x 16.3TB volumes

Our new Network Environment
[Photographs: blades, silos, SATABeasts and a close-up of the SATABeasts]

One for the Techies
[Photographs: rear view and full frontal]

Hardware / Network
• Silo-based structure
• Enhanced security
• Dedicated dirty network
• 64-bit workstations
• Optimised processing
• ‘RESTRICTED’
• Improved throughput
Police Forces in England & Wales
[Map of police force areas in England, Wales and Northern Ireland with each force labelled, including the City of London and Metropolitan forces and the PSNI]
Domains of Investigation
• Individual & Investment Fraud
• Mutual Legal Assistance
• Corruption
• Corporate, City & Public Sector Fraud
• Digital Forensic Unit

General offence of fraud (Fraud Act 2006)
• False representation
• Failure to disclose information
• Abuse of position

Processes
• Seizure
• Imaging
• Analysis
• Extraction
• Sanitisation
  • PM Material
  • LPP Material
• Staging
• Extraction
• Presentation
Processes
• Content extraction for defined data types
• Comparison against known data
• Transaction analysis (sequence of events)
• Extraction of data
• Deleted files recovery
• Format conversion
• Keyword searching
• Decryption / cracking
• Storage media types rebuild

Databases
• SFO-generated
• Microsoft
• Hashkeeper
• NSRL
• Police operations
• Civil operations
• Operation Ore
• Some others – looking at Bit9
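The “treat all data as a query” idea from the Data and Query Equality slides, together with the comparison against known data backed by hash databases such as NSRL and Hashkeeper listed above, as an added example that is not the SFO’s code or tooling: a toy bidirectional index in which a new query is run over the data already held, and every new datum is run against the stored queries, a known-file hash set and the identifiers seen in earlier data, so that all four quadrants (queries find data, data finds queries, data finds data, queries find queries) are exercised. The class, the identifier pattern, the hash labels and the sample documents are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

IDENT_RE = re.compile(r"\b[A-Z]{2,4}-?\d{4,}\b")  # constructed account/invoice-number pattern

class DataQueryIndex:
    """Hypothetical index in which every datum is also run as a query (added example)."""
    def __init__(self, known_hashes):
        self.known = dict(known_hashes)    # sha1 -> label, a constructed NSRL/Hashkeeper-style set
        self.items = {}                    # item_id -> text of data accepted for analysis
        self.queries = {}                  # query_id -> lower-cased search term
        self.hits = defaultdict(set)       # query_id -> {item_id}
        self.by_ident = defaultdict(set)   # identifier -> {item_id}
    def add_query(self, query_id, term):
        """Traditional direction: a new query is run over all data already held."""
        term = self.queries[query_id] = term.lower()
        for item_id, text in self.items.items():
            if term in text.lower():
                self.hits[query_id].add(item_id)   # queries find data
        return sorted(self.hits[query_id])
    def add_data(self, item_id, content):
        """Intelligent direction: a new datum is run as a query the moment it arrives."""
        sha1 = hashlib.sha1(content).hexdigest()
        if sha1 in self.known:             # known file: no evidential value, filter it out
            return {"status": "known:" + self.known[sha1], "queries": [], "related": []}
        text = content.decode("utf-8", errors="replace")
        self.items[item_id] = text
        matched = [q for q, term in self.queries.items() if term in text.lower()]
        for q in matched:
            self.hits[q].add(item_id)      # data finds queries
        related = set()
        for ident in set(IDENT_RE.findall(text)):
            related |= self.by_ident[ident]    # data finds data via a shared identifier
            self.by_ident[ident].add(item_id)
        return {"status": "new", "queries": sorted(matched), "related": sorted(related)}
    def related_queries(self, query_id):
        """Queries find queries: other queries that hit at least one of the same items."""
        mine = self.hits[query_id]
        return sorted(q for q, hit in self.hits.items() if q != query_id and hit & mine)

def demo():  # constructed walk-through: one known file, two case documents, two queries
    licence = b"Standard licence text shipped with the operating system."
    idx = DataQueryIndex({hashlib.sha1(licence).hexdigest(): "os-licence"})
    idx.add_query("q_offshore", "offshore")
    r1 = idx.add_data("doc1", b"Transfer to offshore account ACC-778812 approved by CFO")
    r2 = idx.add_data("doc2", licence)
    r3 = idx.add_data("doc3", b"Invoice INV-2041 settled via offshore account ACC-778812")
    r4 = idx.add_query("q_invoice", "inv-2041")
    return r1, r2, r3, r4, idx.related_queries("q_invoice")
```

In demo(), doc2 is discarded as a known file, doc3 is linked back to doc1 through the shared account number the moment it is ingested, and the later invoice query is reported as related to the earlier offshore query because both hit doc3.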
Software
• Most imaging / analysis: iLook, FTK, FTK2?, EnCase, Paraben P2
• Mobiles / PDAs: CellDeck / Neutrino / PDA Seizure / Cellebrite
• Write blocking: Tableau / FastBloc / Wiebetech
• Tapes: TapeCat / MMPC / eMAG

Software
And these others:
[Logos of further software products]
Electronic Presentation of Evidence
Screen displays of:
• Documents
• Graphics
• Animations
• Virtual reality

Time
• Cases take a long time to analyse, investigate, and prosecute
• Computer forensics is a slow process
• Rules and procedures
• Triage processes

And don’t forget about these
• iPods
• iPhones
• PSP
• X-Box
• PS3 / Wii
• SatNav
• Sky+ box
• BlackBerry

Or these
• Palm Foleo (Linux-based)
• Nokia N8000 (proprietary)
• Fujitsu (??)
• Sony VGN (XP Home)
• Samsung Q1 (Vista)

Final word
• Conventional computer forensics is struggling to keep pace with potential sources of electronic evidence.
• We need to apply intelligence to our forensics, as there is simply too much data to analyse.
• Re-examine standard forensic procedures to adapt to advances in technology.

Questions
Thanks