The Forensic Approach to Complex Fraud
Keith Foggon
Head of Digital Forensics Unit
Serious Fraud Office
Serious Fraud Office
Outline
• What is the SFO
• Forensic Challenges
• DFU Technology
• Forensic Processes
What is the SFO
• Created by Criminal Justice Act 1987
• Roskill Fraud Trials Report 1986
• Began April 1988
• Compulsory powers (defeat confidentiality)
• Investigates and prosecutes
• Serious or complex fraud
• Multi-disciplinary teams
• Referral, vetting and acceptance
What does the SFO do
• Reduce fraud and the cost of fraud
• Deliver justice and the rule of law
• Maintain confidence in UK business
by:
• taking on appropriate cases
• investigating quickly
• prosecuting fairly
• communicating clearly to deter fraud
• Responsive – not reactive
Criminal Justice Act 1987
• s1: the director may investigate offences
• s2(2): answer questions or furnish information
• s2(3): copies of documents & explanations
• s2(4): warrant to enter premises
• s2 available for mutual legal assistance
• s3: disclosure to other authorities
Investigate & Prosecute
• Prosecutor leads the investigation team
  • unique
  • effective (if the product is a prosecution)
• Team formed with:
  • Internal investigators, law clerks, etc.
  • Police (one or more forces)
  • Counsel
  • External accountants etc.
Criteria for Acceptance
• Direction of the investigation should be in the hands of the prosecutor
• Sum at risk > £1m
• Public concern / interest
• International dimension
• Specialisms / multi-disciplinary teams
• Use of s2 appropriate
Roles and Responsibilities
Case Controller
• dual function (+ maybe “disclosure officer”)
• leads overall investigation
• separate from the case – he is the arbiter in relation to the way it will be prosecuted
Case Lawyer
• investigator
• involved closely in all aspects of the investigation
Support Staff
• Law clerks / IT / analysts / DOCMAN
• Digital Forensics Unit
Computer Forensics
• What’s it all about?
• Why does the SFO need a Forensics Unit?
Student Participation Time
Digital Forensics Unit
• Every case involves digital evidence
• Seizing server farms
• Work volume increasing each year
• Encryption built in to MS products
• Email, increasing volume & value
• Anti-forensics tools on the increase
• All fraud investigators need awareness
• Massive amount of data – too much – far too much
So how do we cope?
• Forensics is such a linear process
• It does not cope well with multiple dimensions
• It confuses data and information
• It finds the useless and ignores the useful
• Imaging blank space (75% - 80% of image is of no use)
• Investigators need knowledge but forensics creates a mist of confusion
Consider: Data and Query Equality
Traditional Forensics
• Queries find data
Intelligent Forensics
• Data finds queries
• Data finds data
• Queries find queries!
Treat all Data as a Query
If you don’t process every new piece of data like a query …
then you will not know if it matters …
until you ask!
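The "treat all data as a query" idea can be made concrete in code. The following is an added example, not SFO code and not any tool the deck names: a toy index in which every arriving artifact is matched against the questions already on file, against earlier artifacts (by shared identifiers) and against a known-hash set, and every new query is matched against held artifacts and against earlier queries. The identifier pattern, the artifact and query names, and the sample e-mail and spreadsheet text are all constructed for the example.

```python
"""Added example: a toy 'data-as-query' index (constructed sample data; not SFO code)."""
import hashlib
import re
from dataclasses import dataclass, field

# Identifiers worth cross-referencing between artifacts: e-mail addresses and
# long digit strings (account or invoice numbers). An assumption for this toy.
IDENT_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\b\d{8,}\b")


@dataclass
class Artifact:
    artifact_id: str
    text: str
    sha1: str = field(init=False)

    def __post_init__(self):
        # Known-file sets (NSRL, Hashkeeper) are keyed on file hashes; SHA-1 here.
        self.sha1 = hashlib.sha1(self.text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Hit:
    kind: str     # "data->known", "data->query", "data->data", "query->data", "query->query"
    subject: str  # the item that just arrived
    target: str   # what it matched


class IntelligentIndex:
    def __init__(self, known_hashes):
        self.known_hashes = set(known_hashes)  # known-file set (NSRL-style list)
        self.artifacts = {}                    # id -> Artifact
        self.queries = {}                      # name -> compiled regex
        self.ident_index = {}                  # identifier -> [artifact ids]
        self.hits = set()

    def add_query(self, name, pattern):
        rx = re.compile(pattern, re.IGNORECASE)
        # Queries find queries: flag a question that is already on file.
        for other, other_rx in self.queries.items():
            if other_rx.pattern == rx.pattern:
                self.hits.add(Hit("query->query", name, other))
        self.queries[name] = rx
        # Queries find data: the traditional direction, run over what is already held.
        for art in self.artifacts.values():
            if rx.search(art.text):
                self.hits.add(Hit("query->data", name, art.artifact_id))

    def add_artifact(self, art):
        # Data finds known data: drop known files before they cost analyst time.
        if art.sha1 in self.known_hashes:
            self.hits.add(Hit("data->known", art.artifact_id, art.sha1))
            return False
        # Data finds queries: the new item answers questions already on file.
        for name, rx in self.queries.items():
            if rx.search(art.text):
                self.hits.add(Hit("data->query", art.artifact_id, name))
        # Data finds data: shared identifiers link it to earlier artifacts.
        related = set()
        for ident in set(IDENT_RE.findall(art.text)):
            related.update(self.ident_index.get(ident, []))
            self.ident_index.setdefault(ident, []).append(art.artifact_id)
        for prior in related:
            self.hits.add(Hit("data->data", art.artifact_id, prior))
        self.artifacts[art.artifact_id] = art
        return True

    def hits_of_kind(self, kind):
        return sorted((h.subject, h.target) for h in self.hits if h.kind == kind)


# Constructed sample material, not real case data.
KNOWN_FILE = Artifact("sys-dll", "CONSTRUCTED stand-in for a known operating-system binary")


def demo():
    idx = IntelligentIndex(known_hashes={KNOWN_FILE.sha1})
    idx.add_artifact(KNOWN_FILE)  # filtered out by the known-hash set
    idx.add_artifact(Artifact("email-1", "From: a.smith@example.com re invoice 12345678 paid to account 99887766"))
    idx.add_query("invoice", r"\binvoice\b")  # the question arrives after the data
    idx.add_artifact(Artifact("spreadsheet-2", "Transfer 250000 to 99887766 ref invoice 12345678"))  # data arrives after the question
    idx.add_query("invoice_dup", r"\binvoice\b")  # a repeated question
    return idx


if __name__ == "__main__":
    index = demo()
    for kind in ("data->known", "query->data", "data->query", "data->data", "query->query"):
        print(kind, index.hits_of_kind(kind))
```

The point the slide makes shows up in the second and third artifacts: the e-mail is only linked to the "invoice" question because the question was run over held data when it arrived, and the spreadsheet is linked both to that question and to the e-mail (shared account and invoice numbers) the moment it is ingested, with no analyst asking.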
Pause for thought
All single parameter forensic processes will fail.
An investigator sitting at an EnCase machine will fail!
The best, most reliable & useful results for large and complex fraud will be realized using a multiple, & simultaneous, approach
The route forward
The Technology behind the process: using intelligence in forensic IT
• Hardware
• Environment
• Network
• Processes
• Databases
• Software
Our new Desktop Environment
• Dell XPS 700 series
• HP xw8600 Workstation (2 x quad-core 64-bit, 16Gb RAM, 1.5TB HD, Win XP Pro 64)
Our new Storage Environment
• Nexsan SATABeast, 4 x 42TB
• RAIDed to 8 x 16.3TB volumes
Our new Network Environment (photographs: blades, silos, SATABeasts and a close-up of the SATABeasts)
One for the Techies (photographs: rear view, full frontal)
New Work Area (photographs)
Hardware / Network
• Silo-based structure
• Enhanced security
• Dedicated dirty network
• 64-bit workstations
• Optimised processing
• ‘RESTRICTED’
• Improved throughput
Hardware (photographs)
Network (diagram): SFO / DFU, with ACPO, SOCA, UK Police, International Police, FSA, FCO, DTI, non-UK SFO, Regulators, CPS and the Forensic Industry
Network (map): Police Forces in England & Wales, and the Police Service of Northern Ireland, grouped as on the map legend
• Avon & Somerset, Devon & Cornwall, Dorset, Gloucestershire, Hampshire, Kent, Sussex, Wiltshire
• Bedfordshire, Cheshire, Cumbria, Greater Manchester, Hertfordshire, Lancashire, Merseyside
• Cambridgeshire, Cleveland, Durham, Essex, Humberside, Lincolnshire, Norfolk, Northumbria, North Yorkshire, South Yorkshire, Suffolk, West Yorkshire
• City of London, Metropolitan
• Derbyshire, Dyfed-Powys, Gwent, Leicestershire, Northamptonshire, North Wales, Nottinghamshire, South Wales, Staffordshire, Surrey, Thames Valley, Warwickshire, West Mercia, West Midlands, PSNI (Police Service of Northern Ireland)
Domains of Investigation (diagram): Digital Forensic Unit at the centre; Corruption; Individual & Investment Fraud; Mutual Legal Assistance; Corporate, City & Public Sector Fraud; Customers; Users; Services; Business Processes; The Technology (Hardware, Environments, Networks, Processes, Databases, Software)
Planning to implement Service Management (diagram)
• What is the vision?
• Where are we now?
• Where do we want to be?
• How do we get to where we want to be?
• How do we check our milestones have been reached?
• How do we keep the momentum going?
Digital Forensics Unit requirements: Design, Build, Deploy, Operate, Optimise
• ICT Infrastructure Management: Design and Planning, Deployment, Operations, Technical Support
• Application Management
• Security Management: Plan, Do, Check, Act, Control
• Service Support: Service Desk, Configuration Management, Incident Management, Change Management, Problem Management, Release Management
• Service Delivery: Availability Management, Capacity Management, Service Level Management, Financial Management for IT Services, IT Service Continuity Management
• Business Perspective: Business Relationship Management; Liaison, Education and Communication; Supplier Relationship Management; Review, Planning and Development
Processes
• Seizure
• Imaging
• Analysis
• Extraction
General offence of fraud (Fraud Act 2006)
– False representation
– Failure to disclose information
– Abuse of position
• Sanitisation
• PM Material
• LPP Material
• Staging
• Extraction
• Presentation
Processes
• Content extraction for defined data types
• Comparison against known data
• Transaction analysis (sequence of events)
• Extraction of data
• Deleted files recovery
• Format conversion
• Keyword searching
• Decryption / Cracking
• Storage media types
• Rebuild
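Two of the points above, the observation that 75-80% of an image is blank space of no use and the process steps "content extraction for defined data types" and "deleted files recovery", can be shown on a small image. The following is an added example, not SFO code and not any of the tools listed on this page: it records acquisition hashes, checks a working copy against them, measures how much of the image is zero-filled so that only live blocks go forward to analysis, and locates content by file signature regardless of whether the file system still references it. The 512-byte block size, the signature table and the eight-block sample image are assumptions constructed for the example.

```python
"""Added example: triage of a disk image before full analysis (constructed sample image; not SFO code)."""
import hashlib

BLOCK_SIZE = 512  # sector size assumed for the toy image

# Magic bytes for a few data types an extraction step might be defined for.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                          # also OOXML Office documents
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy Office container
}


def image_hashes(image: bytes) -> dict:
    """MD5 and SHA-256 of the whole image, recorded at acquisition."""
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify_image(original: bytes, working_copy: bytes) -> bool:
    """A working copy is only usable if its hashes match the acquisition record."""
    return image_hashes(original) == image_hashes(working_copy)


def blank_ratio(image: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of blocks that are entirely zero-filled (the 'blank space' of the slide)."""
    blocks = range(0, len(image), block_size)
    blank = sum(1 for off in blocks if not any(image[off:off + block_size]))
    return blank / len(blocks) if blocks else 0.0


def live_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Offsets of blocks that hold something other than zeros; only these need analysis."""
    return [off for off in range(0, len(image), block_size) if any(image[off:off + block_size])]


def carve_signatures(image: bytes) -> list:
    """(offset, type) for every known signature, in offset order.

    Works on raw bytes, so a file whose directory entry was deleted is still found.
    """
    found = []
    for magic, kind in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            found.append((pos, kind))
            pos = image.find(magic, pos + 1)
    return sorted(found)


def build_sample_image() -> bytes:
    """Constructed 8-block image: a PDF header in block 1, a ZIP header in block 5, rest blank."""
    blocks = [bytes(BLOCK_SIZE) for _ in range(8)]
    pdf = b"%PDF-1.4\n% constructed sample document\n"
    blocks[1] = pdf.ljust(BLOCK_SIZE, b"\x00")
    zip_hdr = b"PK\x03\x04\x14\x00" + bytes(26)  # constructed local-file-header stub
    blocks[5] = zip_hdr.ljust(BLOCK_SIZE, b"\x00")
    return b"".join(blocks)


def triage(image: bytes) -> dict:
    """Everything the analyst needs before deciding what to extract."""
    return {
        "hashes": image_hashes(image),
        "blank_ratio": blank_ratio(image),
        "live_blocks": live_blocks(image),
        "carved": carve_signatures(image),
    }


if __name__ == "__main__":
    img = build_sample_image()
    print(triage(img))
    print("copy verified:", verify_image(img, bytes(img)))
```

On the sample image the blank ratio comes out at 0.75, which is the proportion the slide complains about; the live-block list and the carved offsets are what would be handed to the extraction step instead of the whole image.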
Procedures 2008
Procedures 2009
Databases
• SFO-generated
• Microsoft
• Hashkeeper
• NSRL
• Police Operations
• Civil Operations
• Operation Ore
• Some others – looking at Bit9
Software
• Most Imaging / Analysis
  – iLook
  – FTK (FTK2?)
  – EnCase
  – Paraben P2
• Mobiles / PDAs
  – CellDeck / Neutrino / PDA Seizure / Cellebrite
• Write Blocking
  – Tableau / FastBloc / Wiebetech
• Tapes
  – TapeCat / MMPC / eMAG
Software
And these others: (embedded Microsoft Office Excel 97-2003 worksheet, not reproduced in the transcript)
Electronic Presentation of Evidence
• Screen displays of:
  – Documents
  – Graphics
  – Animations
  – Virtual Reality
Time
Cases take a long time
• to analyse,
• investigate,
• and prosecute
Computer Forensics is a slow process
Rules and procedures
Triage Processes
and don’t forget about these
• iPods
• iPhones
• PSP
• X-Box
• PS3 / Wii
• SatNav
• Sky+ Box
• BlackBerry
or these
• Palm Foleo (linux-based)
• Sony VGN (XP home)
• Nokia N8000 (proprietary)
• Fujitsu (??)
• Samsung Q1 (Vista)
or even these
Final word
Conventional computer forensics is struggling to keep pace with potential sources of electronic evidence.
We need to apply intelligence to our forensics, as there is simply too much data to analyse.
Re-examine standard forensic procedures to adapt to advances in technology.
Thanks
Questions
Contact
Keith Foggon, Head of Digital Forensics Unit
Serious Fraud Office
Elm House, 10 - 16 Elm Street
London WC1X 0BJ
020 7239 7272