Forensic IT Chartered Institute of Management Accountants (CIMA)
Enhancing the usefulness of Investigations with Computer Forensics
April 2014
Michael Khoury
Forensic IT Page 2
Clear Wealth Pty Ltd v Kwong (No 2) [2012] NSWSC 1233
“Whilst I accept that Mr Kwong wanted to delete personal files of his own from the Clear Wealth Computer, I am unable to accept that Mr Kwong removed the Clear Wealth client lists because they were obsolete and accidentally loaded client lists on to his USB drive and then loaded them onto his home computer and / or external hard drives. I find, on the balance of probabilities, that he loaded the client lists with the intent of assisting his new business to gain clients.”
Justice Rein, Supreme Court of NSW
What is Forensic IT
Forensic IT is the identification, acquisition, preservation and investigation of data held on electronic media.
We do this while ensuring:
The data we acquire is complete and valid.
The evidence we examine is not modified or damaged by the process.
The processes we undertake are ‘best practice’.
The conclusions that we reach are supported by the evidence.
All of our actions are conducted with the intention that the data may need to be presented to a court as evidence. Correct preservation is the key!
Forensic IT
When is Forensic IT used?
Theft of Intellectual Property
Proving / disproving the existence of certain documents, their author, time of creation and last modified etc.
Unfair dismissal, bullying or discrimination cases.
Inappropriate internet usage.
Employee and executive fraud.
By the police in criminal investigations.
By ASIC when investigating corporate wrongdoing.
To create a repository for both hard copy and electronic documents that can be searched or filtered using key terms.
Forensic backup of company documents for receivers, administrators and liquidators.
What we can look for – computers and Servers
Time and date analysis.
Evidence of USB drive activity.
Link File Analysis – When, Where, How.
Deleted files and folders – USN Journals.
Deleted email messages.
Whether software capable of permanent deletion has been used.
Listing of websites visited.
Historical searches performed – Google history
Evidence of file copying.
Historical images stored on Photocopiers.
Evidence of printing activity - hidden spool files and document metadata; and
Evidence of malicious activity through remote access or malware.
Moody Kiddell & Partners Pty Ltd v Arkell [2013] FCA 1066
Judge Jane Jagot – Federal Court of Australia – Oct 2013
Order sought for defence to be struck out as an abuse of process
FACTS
“I do not accept his evidence that he did not know that the file shredding software erased information from the hard drives so it could not be recovered by forensic computer analysis. The Google search he did about Guttman 35 shredding compared to Department of defence shredding indicates he knew very well that if he deleted an email and then deleted it from his computer’s trash folder it would very likely still be able to be recovered”
“Other retrieved Google searches from this computer include “what happens if you don’t comply with a court order” on 1 April 2012, as well as “what happens if you don’t comply with a federal court order””
Moody Kiddell & Partners Pty Ltd v Arkell [2013] FCA 1066
DECISION
“I do not accept that he carried out this action only to delete pornography. I infer that he also did so to ensure that documents he did not wish to discover were permanently erased.”
“The circumstances are exceptional and the draconian remedy of strike out is necessary to ameliorate that prejudice and ensure a fair hearing for both parties is possible.”
People still make careless mistakes
Despite continued news stories and coverage of forensic IT practices, we still see people:
Committing acts of fraud via company systems
Downloading client lists on their way out the door
Sending emails and texts that they shouldn’t
Thinking that using a Hotmail or Gmail account makes them untraceable
Thinking that once they hit the delete button their message / text is irrecoverable
Sending instant messages via Skype, MSN Messenger etc.
Thinking that damaging the hardware makes the data irrecoverable.
What’s on my smartphone, e.g. iPhone?
Call activity including deleted.
Phonebook directory information including deleted.
Stored voicemails and text messages.
Photos and videos (with GPS data if available).
Deleted emails, text messages and instant chats etc.
Hidden screenshots – the magic ‘home’ button.
Applications.
Websites visited.
WiFi connections made.
Passwords.
GPS co-ordinates – (to within 10 metres).
Current Issues in Forensic IT
Evidence is being increasingly challenged (e.g. Baden-Clay phone)
Virtual Machines
Cloud-based and remotely accessible data
SkyDrive, Dropbox, iCloud, Google Drive
Content duplication (web browsers)
Data encryption
IP Obfuscation (Blind Routers, Tor service)
Rapid smart phone technology development
Software as a Service (SaaS) applications
Increase in data storage sizes
Challenging hardware (Tablets, SSDs, etc)
False positives - Baden-Clay committal evidence
The court hears evidence from a forensic electronics analyst responsible for downloading the ‘power log’ from Mr Baden-Clay’s mobile phone. Neil Robertson, from the Queensland Police Service’s Electronic Evidence Examinations unit, says the accused connected his iPhone to a charger hours after he claimed to have gone to bed on the night Allison disappeared. He admits an initial analysis, which found Mr Baden-Clay had made a “Face Time” call about 12.30am on 20th April 2012, was incorrect. “There was a false positive in the tests,” Mr Robertson says.
What can we do with the data collected?
Provide a forensically sound image – we work on a copy.
Quickly determine if electronic evidence of wrongdoing exists.
Clear any innocent parties promptly.
Conduct forensic investigations.
Articulate findings in plain English.
Make documents and emails accessible – we know that you need to be able to look at documents directly.
We have the capacity to load data to review platforms (such as Clearwell), and to search and filter data for export directly to Ringtail.
How can we help?
Preserve now, analyse later:
Relatively inexpensive – imaging can be on a price per computer / phone or server basis.
By doing so, you provide your client with a choice on whether to litigate at a later date.
Know quickly – Preliminary assessment:
Is clear and obvious evidence of wrongdoing available?
Validate the findings of opposing expert witnesses:
Ensure false positives, such as the “Face Time” call in the Baden-Clay case, are discovered.
Evidence gathered without regard to forensic procedures may in many cases be struck out.
Want a second opinion? Talk to us about providing a review of a case in progress.
About the presenter
Michael Khoury Partner
Level 13, Grosvenor Place 225 George Street Sydney NSW 2000 T +61 2 9286 9864 E michael.khoury@fh.com.au
Michael is a partner in Forensic IT services with Ferrier Hodgson. His areas of specialisation include computer forensic investigations for matters pertaining to corporate fraud and financial crime, intellectual property theft, cyber-crime, employee and contractual disputes. Michael has supported a large number of civil and criminal investigations for various industry sector groups including government, private and corporate clients. He has also assisted a number of law firms with their litigation and commercial disputes, including executing live search warrants and Anton Piller orders. Michael also appears as an expert witness in State and Federal courts.
Questions for our team?
Justin Geri Senior Manager
Level 29, 600 Bourke Street Melbourne VIC 3000 T +61 3 9604 5142 E justin.geri@fh.com.au
Michael Khoury Partner
Level 13, Grosvenor Place 225 George Street Sydney NSW 2000 T +61 2 9286 9864 E michael.khoury@fh.com.au
Peter Chapman Consultant
Level 13, Grosvenor Place 225 George Street Sydney NSW 2000 T +61 2 9286 9933 E peter.chapman@fh.com.au
Janine Cole Director
Level 7, 145 Eagle Street Brisbane QLD 4000 T +61 7 3834 9230 E janine.cole@fh.com.au
Jean Pierre Du Plesis Director
Level 6, 81 Flinders Street Adelaide SA 5000 P +61 8 8100 7696 E Jean-Pierre.DuPlessis@fh.com.au
Sean Powell Director
Level 26, BankWest Tower 108 St George’s Terrace Perth WA 6000 T +61 8 9214 1409 E Sean.Powell@fh.com.au