LEE & ALLEN FORENSIC COMPUTING SERVICES

A CAREER INFORENSIC COMPUTING

CRAIG G EARNSHAW

LEE & ALLEN

FORENSIC COMPUTING SERVICES

LEE & ALLEN FORENSIC COMPUTING SERVICES

• Myself and Lee & Allen

• What is forensic computing?

• The anatomy of an investigation

• Types of work performed

• Examples of FCS cases

•A career in forensic computing

Topics Covered

LEE & ALLEN FORENSIC COMPUTING SERVICES

Personal background

• Graduated in 1997 in Computer Science

• First dedicated forensic computing employee

• Currently Head of the Forensic Computing Services Group

• Responsible for all FCS Group activities in each of the three offices

LEE & ALLEN FORENSIC COMPUTING SERVICES

The background to Lee & Allen

• Formed in 1994 by David Lee & Tim Allen

• Initially four staff - now sixty

• Offices in major business centres of London, New York, and Hong Kong

LEE & ALLEN FORENSIC COMPUTING SERVICES

• Lee & Allen involved in forensic computing for eight years

• Increasingly, relevant information is stored on computer systems

• Dedicated internal forensic computing function set up in 1997

• FCS Group specific cases in addition to assisting Forensic Accounting cases

The background to the FCS Group

LEE & ALLEN FORENSIC COMPUTING SERVICES

Requirement for Forensic Computing

• Computers are a valuable source of information

– Volume of data resident on a computer

– Type of information resident on a computer

• Difficulty of investigation

– Fragility of computer data

– Destruction of vital evidence

– Vast volume of data being examined

– Diversity of software and hardware

– Admissibility of findings

LEE & ALLEN FORENSIC COMPUTING SERVICES

Requirement for Forensic Computing

• 92% of all information generated worldwide is in electronic rather than paper form

• Approximately 30% of information stored electronically is thought never to be converted into paper form

• 31 billion e-mail messages sent every day

• 800Mb of data is produced and stored each year for every human being on the planet

LEE & ALLEN FORENSIC COMPUTING SERVICES

What is Forensic Computing?

• Relatively new field

• Initially appeared in the early 1990’s

• Rapidly expanding area

• Constant requirement to stay one step ahead of current technology

LEE & ALLEN FORENSIC COMPUTING SERVICES

What is Forensic Computing?

• Preservation, identification, extraction, and interpretation of computer data

• Forensic computing investigations might be carried out internally within a corporation, by an external consultant, or by government bodies such as the Inland Revenue or Customs and Excise

• Securing and identifying electronic evidence which can be presented within a Court of Law or other forum

LEE & ALLEN FORENSIC COMPUTING SERVICES

Forensic Computing Expert

• What can a Forensic Computing expert do?

– Vital link between legal, accounting, and IT fields

– Secure computer and other electronically resident data

– Interpret the data resident on electronic devices

– Rapidly search vast volumes of data

– Recover deleted material and defeat security

LEE & ALLEN FORENSIC COMPUTING SERVICES

Anatomy of an investigation

• What are the main steps in the examination of a computer?

1.Identify2.Preserve3.Analyse4.Interpret5.Report

LEE & ALLEN FORENSIC COMPUTING SERVICES

Identify

• Identify the computer used by the suspect (and those used by their support staff)

• Ensure that all computers used are located

• Locate are portable devices (PDAs, mobile phones)

• Search for all removable media (floppy disks, handheld computer memory cards, digital camera memory)

• Obtain access to user data on any servers

• Locate appropriate backup tapes

LEE & ALLEN FORENSIC COMPUTING SERVICES

Preserve

• Original computers must NEVER be examined

• Produce an exact copy of the hard disk (an “image”)

• Images generated by “bit-stream copying” techniques data compressed

•Verify the image using MD5 and CRC hash values

•Ability to return source computer to use

• Ability to re-restore the image

LEE & ALLEN FORENSIC COMPUTING SERVICES

Analysis and Interpretation

• Active and deleted documents

• Backup and temporary files

• E-mail and Internet files

• Faxes and voicemail

• Peer 2 Peer data

• Fragments of files

LEE & ALLEN FORENSIC COMPUTING SERVICES

Report

• Providing thorough expert reports

- Written with clear and concise language for non-technical readership

• Witness statements recording “Search and Seize” Orders

• Giving evidence in Court to support the evidence obtained

LEE & ALLEN FORENSIC COMPUTING SERVICES

Types of engagement

• Expert witness

• Electronic discovery

• Employee activity investigation

• Multi-disciplinary investigations

• Internet investigations

• Execution of Court Orders

LEE & ALLEN FORENSIC COMPUTING SERVICES

Expert witness

• Usually a detailed examination of a small number of computers

• Involves issues such as dating of files and events and identifying user actions

• Required to ascertain the actions of a user

• Image each computer involved

• Identify pertinent information

• Provision of expert report and evidence

LEE & ALLEN FORENSIC COMPUTING SERVICES

Electronic Discovery

• The identification and production of relevant material from large volumes of data stored in many different format in diverse locations.

•Network file servers, e-mail servers, backup tapes, and individual computers•Assistance in drafting discovery requests• Collection of diverse data sources• Collation and conversion of data• Identification of relevant data utilising a number of different techniques• Production of data in the most appropriate format

LEE & ALLEN FORENSIC COMPUTING SERVICES

Employee activity investigations

• Very similar to expert witness engagements

• Identify the computers and other media used by the individual or group of employees

• Covertly image the individual’s computer

• Perform a review of the data on the computer, including Internet and e-mail activity

• Produce a report with supporting evidence

LEE & ALLEN FORENSIC COMPUTING SERVICES

Multi-disciplinary investigations

• Use Forensic Computing techniques to identify pertinent information as part of a wider investigation process involving lawyers, investigators, accountants etc

• Combination of the techniques used for expert witness and electronic discovery type engagements•Flow of knowledge between the various disciplines involved• Iterative nature of this type of engagement• Provision of expert report and evidence where required

LEE & ALLEN FORENSIC COMPUTING SERVICES

Internet investigations

• The identification of individuals posting to Internet message boards

• Obtaining subscriber information from ISPs and telephone companies with Court Orders

• Seizure of the computers involved

• Forensic examination of the computers involved to identify postings

• Provision of expert report and evidence where required

LEE & ALLEN FORENSIC COMPUTING SERVICES

Execution of Court Orders

• Required to ascertain, or ensure, that Court Orders have been carried out

• Identification and removal of data from computer networks

• Civil court orders such as “Search and Seize” orders and “Delivery Up” orders

LEE & ALLEN FORENSIC COMPUTING SERVICES

A career in forensic computing

• Private sector– Lee & Allen– Specialist forensic computing firms– IT Security and corporate investigations companies– Big Four, and middle tier, accounting firms

• Public sector– Police forces– Government agencies such as Customs & Excise, the DTi, and the Serious Fraud Office

LEE & ALLEN FORENSIC COMPUTING SERVICES

A career in forensic computing

• Private sector

– Commercial focused

– Close contact with lawyers, commercial organisations and investigation agencies

– Greater focus on reporting than analysis

– High level of inter-personal skills required

– Criminal defence work

– Less attendance in Court

– Better paid but less variety

LEE & ALLEN FORENSIC COMPUTING SERVICES

A career in forensic computing

• Public sector

– Criminal focus

– Child pornography/terrorism/ID theft

– Greater focus on analysis than reporting

– Higher turnover of cases

– More attendance in Court

– Not as well paid but greater variety

LEE & ALLEN FORENSIC COMPUTING SERVICES

A career in forensic computing

• Types of skills sought by Forensic Computing departments

– In-depth knowledge of operating systems, file systems and applications

– Ability to explain technical situations to the layman

– Training provided by employers due to specialist nature of the field

– New entrants to the field usually enter via larger companies or government bodies

LEE & ALLEN FORENSIC COMPUTING SERVICES

A career in forensic computing

• Due to the growth of this field there are now Forensic Computing components to a number of computer science degrees

• Specialist Masters and post-graduate diploma programmes

• Due to the rise in awareness a number of books have been published concerning good practise, structured investigation and other elements of the forensic computing process

LEE & ALLEN FORENSIC COMPUTING SERVICES

A career in forensic computing

• Imaging computers and media

• Restoration of backup tapes

• Perform and review searches of data

• Technical research (including identification of software)

• Format conversion (e-mail, documents etc)

• Development of methodology

LEE & ALLEN FORENSIC COMPUTING SERVICES

Contact Details

• Craig G Earnshaw– Lee & Allen Forensic Computing Services

1 New Fetter LaneLondonEC4A 1AN

– CEarnshaw@Lee-And-Allen.Com– Telephone +44 020 7353 5600– Fax +44 020 7353 5252