Use of IT Resources forEvidence Gathering & AnalysisUse of IT Resources forEvidence Gathering & Analysis

Raymond SO Wing-keungAssistant DirectorIndependent Commission Against CorruptionHong Kong Special Administrative Region, China

Raymond SO Wing-keungAssistant DirectorIndependent Commission Against CorruptionHong Kong Special Administrative Region, China

APEC ACT Workshop, Santiago, Chile11th-13th June 2013APEC ACT Workshop, Santiago, Chile11th-13th June 2013

2

Computing Devices

3

Social Networking Tools

4

370,000+ Minutes Voice Calls

98,000+ Tweets100+ New Accounts

80,000+ Wall Posts510,000+ Comments

6,600+ Pictures Uploaded

600+ Videos (25 Hours+) Uploaded

168+ Million Emails Sent

700,000+ Search Queries

(Source: Go-Globe.com)

Every 60 Seconds on the Internet

5

Why Criminals Use IT

• Share information

• Multi-national communication

• Swift action

• Hiding identity

• Process and storage of large amount of data

• ………………….ultimately to avoid detection

6

How do we use IT resources?

7

Digital Forensics• Data acquisition, recovery, preservation and examination• Computer

– Email– Document file…

• Mobile phone– Call history– Contact list– Short message– Email– Photo– WhatsApp

8

Mobile Digital Forensics Laboratory

• Shielded environment to block communication, e.g. remote wipe

9

Faraday Bags

10

Technical Tools

• Data recovery– Recover deleted files

• Information analysis– Call records

– SMS

– Email…

– WhatsApp

11

Data Recovery Tool

12

Call Record Analysis

13

SMS Analysis

14

Email Analysis

ultinational Fast Food Managing DirectorAccepted Bribes

16

Record Digitization System

• Handled > 100,000 pages of bank statement each year

• Automatic conversion of statements/records in pre-defined templates into Excel files

• Developed by internal IT experts

17

18

R. D. S.R. D. S.

19

Centralized Storage ofDigital Exhibits

• Storage Area Network (SAN)– Over 250TB storage– Connected by fibre channel

• Multiple examiners can work collaboratively on one case

20

ISP Enquiry

• Internet Service Provider (ISP) may provide

– Subscriber information

– Login IP address: for tracing physical location and subscriber information

– Email content: usually court warrant is needed

– How about ISP or their servers in other jurisdictions?

• Mutual Legal Assistance

21

Challenges (1)

Technical difficulties

• Cloud computing– Information and evidence are remotely stored– Liaison with online service providers

• Huge data size– Storage Area Network (SAN) to keep forensic image

• Data encryption– Password cracking tool– Chip level data acquisition

22

Challenges (2)

Admissibility of digital evidence

• Local digital evidence

• Foreign digital evidence

• Expert opinion on chain of evidence

• Admissibility of evidence in court trials

23

The Way Ahead

Capacity Building

• Dedicated expert teams

• Training

• Collaboration with IT counterparts

24

The Way Ahead

International Cooperation

• Formal Cooperation – UNCAC

• Informal Channels – APEC

Thank You

www.icac.org.hk