Posted 30-Jan-2016 (51-slide PowerPoint transcript)

TRANSCRIPT

Page 1: The Forensic Approach to Complex Fraud

The Forensic Approach to Complex Fraud

Keith Foggon

Head of Digital Forensics Unit

Serious Fraud Office

Page 2: The Forensic Approach to Complex Fraud

Serious Fraud Office

Outline

• What is the SFO
• Forensic Challenges
• DFU Technology
• Forensic Processes

Page 3: The Forensic Approach to Complex Fraud

What is the SFO

• Created by Criminal Justice Act 1987
• Roskill Fraud Trials Report 1986
• Began April 1988
• Compulsory powers (defeat confidentiality)

• Investigates and prosecutes
• Serious or complex fraud
• Multi-disciplinary teams
• Referral, vetting and acceptance

Page 4: The Forensic Approach to Complex Fraud

What does the SFO do

• Reduce fraud and the cost of fraud
• Deliver justice and the rule of law
• Maintain confidence in UK business

by:
• taking on appropriate cases
• investigating quickly
• prosecuting fairly
• communicating clearly to deter fraud

• Responsive – not reactive

Page 7: The Forensic Approach to Complex Fraud

Criminal Justice Act 1987

• s1: the Director may investigate offences
• s2(2): answer questions or furnish information
• s2(3): copies of documents & explanations
• s2(4): warrant to enter premises
• s2 available for mutual legal assistance
• s3: disclosure to other authorities

Page 8: The Forensic Approach to Complex Fraud

Investigate & Prosecute

• Prosecutor leads the investigation team
  – unique
  – effective (if the product is a prosecution)

• Team formed with:
  – internal investigators, law clerks, etc.
  – Police (one or more forces)
  – Counsel
  – external accountants etc.

Page 9: The Forensic Approach to Complex Fraud

Criteria for Acceptance

• Direction of the investigation should be in the hands of the prosecutor
• Sum at risk > £1m
• Public concern / interest
• International dimension
• Specialisms / multi-disciplinary teams
• Use of s2 appropriate

Page 10: The Forensic Approach to Complex Fraud

Roles and Responsibilities

Case Controller
• dual function (+ maybe "disclosure officer")
• leads overall investigation
• separate from the case: he is the arbiter in relation to the way it will be prosecuted

Case Lawyer
• investigator
• involved closely in all aspects of the investigation

Support Staff
• Law clerks / IT / analysts / DOCMAN
• Digital Forensics Unit

Page 11: The Forensic Approach to Complex Fraud

Computer Forensics

• What's it all about
• Why does the SFO need a Forensics Unit?

Student Participation Time

Page 12: The Forensic Approach to Complex Fraud

Digital Forensics Unit

• Every case involves digital evidence
• Seizing server farms
• Work volume increasing each year
• Encryption built in to MS products
• Email, increasing volume & value
• Anti-forensics tools on the increase
• All fraud investigators need awareness
• Massive amount of data – too much – far too much

Page 13: The Forensic Approach to Complex Fraud

So how do we cope?

Forensics is such a linear process
• It does not cope well with multiple dimensions
• It confuses data and information
• It finds the useless and ignores the useful
• Imaging blank space (75% - 80% of an image is of no use)
• Investigators need knowledge, but forensics creates a mist of confusion
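The blank-space point above can be quantified per image before any slow processing starts. The following is an added example, not code from the slides or from the SFO: a pre-pass that counts blank sectors and returns the extents that actually hold data, so keyword searching, carving and hashing can be pointed at those rather than at the whole image. The full image is still acquired and verified as normal; this only prioritises analysis. The image is constructed in memory, and the 512-byte sector size and the 0x00 / 0xFF blank patterns are assumptions.

```python
"""Added example (not SFO tooling): measure how much of a disk image is
blank and return the data-bearing extents for targeted analysis."""
import hashlib
from typing import List, Tuple

SECTOR = 512                       # assumed sector size


def is_blank(sector: bytes) -> bool:
    """Blank = all 0x00 (zeroed / never written) or all 0xFF (erased flash)."""
    return sector == b"\x00" * len(sector) or sector == b"\xff" * len(sector)


def blank_space_map(image: bytes, sector: int = SECTOR) -> Tuple[float, List[Tuple[int, int]]]:
    """Return (fraction_of_blank_sectors, extents), where each extent is
    (first_sector, sector_count) for a run of non-blank sectors."""
    total = (len(image) + sector - 1) // sector
    blank = 0
    extents: List[Tuple[int, int]] = []
    run_start = None
    for i in range(total):
        if is_blank(image[i * sector:(i + 1) * sector]):
            blank += 1
            if run_start is not None:          # close the current data run
                extents.append((run_start, i - run_start))
                run_start = None
        elif run_start is None:                # open a new data run
            run_start = i
    if run_start is not None:
        extents.append((run_start, total - run_start))
    return (blank / total if total else 0.0), extents


def hash_extents(image: bytes, extents: List[Tuple[int, int]],
                 sector: int = SECTOR) -> List[Tuple[int, int, str]]:
    """SHA-256 per data extent, so the regions handed to analysts can later
    be shown to match the verified image."""
    return [(start, count,
             hashlib.sha256(image[start * sector:(start + count) * sector]).hexdigest())
            for start, count in extents]


def build_sample_image(sector: int = SECTOR) -> bytes:
    """Constructed 1000-sector image: data in sectors 0-99 and 950-999,
    zeroed sectors 100-899, erased-flash pattern in 900-949."""
    def data(i: int) -> bytes:
        return (b"REC%05d " % i).ljust(sector, b"x")
    parts = [data(i) for i in range(100)]
    parts.append(b"\x00" * sector * 800)
    parts.append(b"\xff" * sector * 50)
    parts += [data(i) for i in range(950, 1000)]
    return b"".join(parts)


if __name__ == "__main__":
    img = build_sample_image()
    frac, ext = blank_space_map(img)
    print(f"blank: {frac:.0%}; data extents (sector, count): {ext}")
    for start, count, digest in hash_extents(img, ext):
        print(f"  {start:>6} +{count:<5} sha256={digest[:16]}...")
```

On the constructed image 85% of sectors are blank and only two extents need analysis. On real media the 0xFF test matters for flash devices, and a sector of repeated non-zero filler (e.g. a wiping tool's pattern) is deliberately not treated as blank, because that pattern is itself evidence.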

Page 14: The Forensic Approach to Complex Fraud

Consider: Data and Query Equality

Traditional Forensics
• Queries find data

Intelligent Forensics
• Data finds queries
• Data finds data
• Queries find queries!

Page 15: The Forensic Approach to Complex Fraud


Treat all Data as a Query

If you don’t process every new piece of data like a query …

then you will not know if it matters …

until you ask!
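The four relations on the previous slide and the "treat all data as a query" rule can be made concrete in a small index. The following is an added example, not code from the slides or from the SFO: every query is kept standing and run against everything already held (queries find data), every new document is matched against the standing queries (data finds queries), the identifiers extracted from a new document become standing queries themselves (data finds data), and two queries are related when they hit the same document (queries find queries). The messages, the e-mail addresses and the 8-digit account-number rule are constructed for illustration only.

```python
"""Added example (not SFO tooling): an index in which every document is
also run as a query, and every query stays standing."""
import re
from collections import defaultdict
from typing import Dict, Set, Tuple

EMAIL = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")
ACCOUNT = re.compile(r"(?<!\d)\d{8}(?!\d)")     # assumed 8-digit account numbers


def normalise(text: str) -> str:
    """Lower-case, and join digit groups split by spaces ("1234 5678" -> "12345678")
    so formatted account numbers match the bare form."""
    return re.sub(r"(?<=\d) (?=\d)", "", text.lower())


def extract_identifiers(text: str) -> Set[str]:
    """Tokens worth turning into standing queries."""
    return set(EMAIL.findall(text)) | set(ACCOUNT.findall(text))


class DataQueryIndex:
    def __init__(self) -> None:
        self.docs: Dict[str, str] = {}                      # doc id -> normalised text
        self.queries: Set[str] = set()                      # standing queries
        self.hits: Dict[str, Set[str]] = defaultdict(set)   # query -> doc ids it hits

    def add_query(self, query: str) -> Set[str]:
        """Queries find data: run over everything already held, then keep the
        query standing so later data is checked against it."""
        q = normalise(query)
        self.queries.add(q)
        found = {d for d, text in self.docs.items() if q in text}
        self.hits[q] |= found
        return found

    def add_document(self, doc_id: str, text: str) -> Tuple[Set[str], Set[str]]:
        """Data finds queries: match the standing queries against the new item.
        Data finds data: its identifiers become queries run over the corpus."""
        t = normalise(text)
        self.docs[doc_id] = t
        matched = {q for q in self.queries if q in t}
        for q in matched:
            self.hits[q].add(doc_id)
        new_ids = extract_identifiers(t) - self.queries
        for ident in new_ids:
            self.add_query(ident)          # also hits doc_id itself
        return matched, new_ids

    def related_queries(self, query: str) -> Set[str]:
        """Queries find queries: other queries that hit a document this one hits."""
        q = normalise(query)
        docs = self.hits.get(q, set())
        return {o for o, ds in self.hits.items() if o != q and ds & docs}


def build_sample_index() -> DataQueryIndex:
    """Constructed messages, not real case material."""
    idx = DataQueryIndex()
    idx.add_document("msg1", "Alice, please confirm the fee note. Regards, alice@example.com")
    idx.add_document("msg2", "Approved. Pay from account 1234 5678 and copy alice@example.com")
    idx.add_document("msg3", "The 12345678 balance goes to the Jersey trust on Friday.")
    idx.add_query("jersey")                # an analyst's query, added after the data
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for q, ds in sorted(idx.hits.items()):
        print(f"{q:<20} -> {sorted(ds)}")
    print("related to 'jersey':", idx.related_queries("jersey"))
```

In the sample the account number first seen in msg2 is already a standing query when msg3 arrives, so msg3 is linked to msg2 without anyone asking; and the analyst's later query "jersey" is immediately related to that account number because both hit msg3. A production version would use a proper inverted index rather than substring scans, but the flow is the same.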

Page 16: The Forensic Approach to Complex Fraud

SeriousFraud Office

Pause for thought

All single parameter forensic processes will fail.

An investigator sitting at an EnCase machine will fail!

The best, most reliable & useful results for large and complex fraud will be realized using a multiple, & simultaneous, approach

Page 17: The Forensic Approach to Complex Fraud

The route forward

The Technology behind the process: using intelligence in forensic IT

• Hardware
• Environment
• Network
• Processes
• Databases
• Software

Page 18: The Forensic Approach to Complex Fraud

Our new Desktop Environment

Dell XPS 700 series / HP xw8600 Workstation (2 x quad-core 64-bit, 16 GB RAM, 1.5 TB HD, Win XP Pro 64)

Page 19: The Forensic Approach to Complex Fraud

Our new Storage Environment

Nexsan SATABeast, 4 x 42 TB, RAIDed to 8 x 16.3 TB volumes

Page 20: The Forensic Approach to Complex Fraud

Our new Network Environment

(photographs: blades, silos)

Page 21: The Forensic Approach to Complex Fraud

Our new Network Environment

(photographs: SATABeasts, close-up of SATABeasts)

Page 22: The Forensic Approach to Complex Fraud

One for the Techies

(photographs: rear view, full frontal)

Page 23: The Forensic Approach to Complex Fraud

New Work Area

(photographs)


Page 28: The Forensic Approach to Complex Fraud

Hardware / Network

• Silo-based structure
• Enhanced security
• Dedicated dirty network
• 64-bit workstations
• Optimised processing
• 'RESTRICTED'
• Improved throughput

Page 29: The Forensic Approach to Complex Fraud

Hardware

(photographs)


Page 32: The Forensic Approach to Complex Fraud

Network

(diagram: the DFU at the centre, linked to the SFO, ACPO, SOCA, UK Police, International Police, FSA, FCO, DTI, non-UK SFOs, Regulators, CPS and the Forensic Industry)

Page 33: The Forensic Approach to Complex Fraud


Network

Page 34: The Forensic Approach to Complex Fraud

Police Forces in England & Wales

(map, with the Police Service of Northern Ireland) Avon & Somerset, Bedfordshire, Cambridgeshire, Cheshire, City of London, Cleveland, Cumbria, Derbyshire, Devon & Cornwall, Dorset, Durham, Dyfed-Powys, Essex, Gloucestershire, Greater Manchester, Gwent, Hampshire, Hertfordshire, Humberside, Kent, Lancashire, Leicestershire, Lincolnshire, Merseyside, Metropolitan, Norfolk, Northamptonshire, Northumbria, North Wales, North Yorkshire, Nottinghamshire, South Wales, South Yorkshire, Staffordshire, Suffolk, Surrey, Sussex, Thames Valley, Warwickshire, West Mercia, West Midlands, West Yorkshire, Wiltshire; PSNI (Police Service of Northern Ireland)

Page 35: The Forensic Approach to Complex Fraud

Domains of Investigation

(diagram: Digital Forensic Unit at the centre)
• Corruption
• Individual & Investment Fraud
• Corporate, City & Public Sector Fraud
• Mutual Legal Assistance

Page 36: The Forensic Approach to Complex Fraud

(diagram: service-management framework for the Digital Forensics Unit)

Customers / Users – Services – Business Processes – The Technology (Hardware, Environments, Networks, Processes, Databases, Software)

Planning to implement Service Management:
• What is the vision?
• Where are we now?
• Where do we want to be?
• How do we get to where we want to be?
• How do we check our milestones have been reached?
• How do we keep the momentum going?

ICT Infrastructure Management: Design and Planning, Deployment, Operations, Technical Support

Application Management: Requirements, Design, Build, Deploy, Operate, Optimise

Control cycle: Plan, Do, Check, Act

Security Management

Service Support: Service Desk, Configuration Management, Incident Management, Change Management, Problem Management, Release Management

Service Delivery: Availability Management, Capacity Management, Service Level Management, Financial Management for IT Services, IT Service Continuity Management

Business Perspective: Business Relationship Management; Liaison, Education and Communication; Supplier Relationship Management; Review, Planning and Development

Page 37: The Forensic Approach to Complex Fraud

Processes

• Seizure
• Imaging
• Analysis
• Extraction
• Sanitisation (PM material, LPP (legal professional privilege) material)
• Staging
• Extraction
• Presentation

General offence of fraud (Fraud Act 2006)
– False representation
– Failure to disclose information
– Abuse of position

Page 38: The Forensic Approach to Complex Fraud

Processes

• Content extraction for defined data types
• Comparison against known data
• Transaction analysis (sequence of events)
• Extraction of data
• Deleted files recovery
• Format conversion
• Keyword searching
• Decryption / cracking
• Storage media types
• Rebuild

Page 39: The Forensic Approach to Complex Fraud


Procedures 2008

Page 40: The Forensic Approach to Complex Fraud


Procedures 2009

Page 41: The Forensic Approach to Complex Fraud

Databases

• SFO-generated
• Microsoft
• Hashkeeper
• NSRL
• Police Operations
• Civil Operations
• Operation Ore
• Some others – looking at Bit9
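The "comparison against known data" process on the previous slide is what these hash databases exist for: a known-good set (NSRL, Microsoft) lets operating-system and application files be dropped before analysis, and a known-bad set built from earlier operations flags files already seen. The following is an added example, not code from the slides or from the SFO, of that filtering with one practitioner's check included: the older sets are MD5-keyed, and MD5 collisions are practical, so a lookup that matches on MD5 but disagrees on SHA-1 is reported as suspect rather than silently ignored. The hash sets and "files" are constructed in memory; a real run would load the NSRL or Hashkeeper exports and walk the file system of the image.

```python
"""Added example (not SFO tooling): known-good / known-bad hash-set
filtering with a cross-check of both digests."""
import hashlib
from typing import Dict, Iterable, Tuple


def file_hashes(data: bytes) -> Tuple[str, str]:
    """MD5 and SHA-1, the digests the legacy hash sets are keyed on."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


class HashSet:
    """A named hash set keyed on MD5, keeping the SHA-1 recorded for each
    entry so a lookup can cross-check both digests."""

    def __init__(self, name: str, entries: Iterable[Tuple[str, str]] = ()) -> None:
        self.name = name
        self.by_md5: Dict[str, str] = {}        # md5 -> recorded sha1
        for md5, sha1 in entries:
            self.add(md5, sha1)

    def add(self, md5: str, sha1: str) -> None:
        self.by_md5[md5.lower()] = sha1.lower()

    @classmethod
    def from_samples(cls, name: str, samples: Iterable[bytes]) -> "HashSet":
        return cls(name, (file_hashes(s) for s in samples))

    def lookup(self, md5: str, sha1: str) -> str:
        """'match' when both digests agree; 'mismatch' when the MD5 is in the
        set but the recorded SHA-1 differs (a bad record or an MD5 collision,
        treat with suspicion); 'none' otherwise."""
        recorded = self.by_md5.get(md5.lower())
        if recorded is None:
            return "none"
        return "match" if recorded == sha1.lower() else "mismatch"


def classify(files: Dict[str, bytes], ignore: HashSet, alert: HashSet) -> Dict[str, str]:
    """Map each path to 'known-bad', 'suspect', 'known-good' or 'unknown'.
    The alert set wins over the ignore set: a file in both is still flagged."""
    result: Dict[str, str] = {}
    for path, data in files.items():
        md5, sha1 = file_hashes(data)
        a, g = alert.lookup(md5, sha1), ignore.lookup(md5, sha1)
        if a == "match":
            result[path] = "known-bad"
        elif a == "mismatch" or g == "mismatch":
            result[path] = "suspect"
        elif g == "match":
            result[path] = "known-good"
        else:
            result[path] = "unknown"
    return result


def build_sample() -> Dict[str, str]:
    """Constructed files and sets, not real NSRL / Hashkeeper data."""
    os_dll = b"MZ\x90\x00 constructed operating-system file"
    ledger = b"constructed ledger.xls contents"
    tool = b"constructed anti-forensics tool binary"
    ignore = HashSet.from_samples("nsrl-like", [os_dll])
    alert = HashSet.from_samples("prior-operation", [tool])
    # A bad record: the ledger's MD5 with a wrong SHA-1, standing in for a
    # corrupted set entry or a file crafted to collide with a known-good MD5.
    md5, _ = file_hashes(ledger)
    ignore.add(md5, "0" * 40)
    files = {
        "C:/Windows/System32/x.dll": os_dll,
        "C:/Users/a/ledger.xls": ledger,
        "C:/Temp/wipe.exe": tool,
        "C:/Users/a/notes.txt": b"unknown content",
    }
    return classify(files, ignore, alert)


if __name__ == "__main__":
    for path, verdict in build_sample().items():
        print(f"{verdict:<10} {path}")
```

Only the "unknown" and "suspect" buckets go forward to content extraction and keyword searching; on a typical workstation image the known-good bucket is by far the largest, which is the point of maintaining the sets.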

Page 42: The Forensic Approach to Complex Fraud

Software

• Most imaging / analysis
  – iLook
  – FTK (FTK2?)
  – EnCase
  – Paraben P2
• Mobiles / PDAs
  – CellDeck / Neutrino / PDA Seizure / Cellebrite
• Write blocking
  – Tableau / FastBloc / Wiebetech
• Tapes
  – TapeCat / MMPC / eMAG

Page 43: The Forensic Approach to Complex Fraud

Software

And these others: (embedded Microsoft Office Excel 97-2003 worksheet, not reproduced in the transcript)

Page 44: The Forensic Approach to Complex Fraud

Electronic Presentation of Evidence

• Screen displays of:
  – Documents
  – Graphics
  – Animations
  – Virtual Reality

Page 45: The Forensic Approach to Complex Fraud

Time

Cases take a long time
• to analyse,
• investigate,
• and prosecute

Computer forensics is a slow process

Rules and procedures

Triage processes

Page 46: The Forensic Approach to Complex Fraud

and don't forget about these: iPods, iPhones, PSP, X-Box, PS3 / Wii, SatNav, Sky+ Box, BlackBerry

Page 47: The Forensic Approach to Complex Fraud

or these: Palm Foleo (Linux-based), Sony VGN (XP Home), Nokia N8000 (proprietary), Fujitsu (??), Samsung Q1 (Vista)

Page 48: The Forensic Approach to Complex Fraud


or even these

Page 49: The Forensic Approach to Complex Fraud

Final word

Conventional computer forensics is struggling to keep pace with potential sources of electronic evidence.

We need to apply intelligence to our forensics, as there is simply too much data to analyse.

Re-examine standard forensic procedures to adapt to advances in technology.

Page 50: The Forensic Approach to Complex Fraud

Thanks. Questions?

Page 51: The Forensic Approach to Complex Fraud


Contact

Keith Foggon, Head of Digital Forensics Unit

Serious Fraud Office

Elm House, 10 - 16 Elm Street

London WC1X 0BJ

020 7239 7272

[email protected]