
CSI for Regulators Part II Obtaining and Processing Electronic Evidence


Presentation Transcript


  1. CSI for Regulators Part II: Obtaining and Processing Electronic Evidence
     Glenn Benard, Ernie Atkins, Dean Benard, Kristina Mulak

  2. Objectives
     • Understanding what electronic records are
     • Consider why we might want electronic records
     • Review the computer forensics process
       • gaining access
       • Imaging, locating and utilizing files / records
     CLEAR 2008 Annual Conference Anchorage, Alaska

  3. Objectives
     • Discuss how emails can be useful in an investigation
     • Learn about the good and not-so-good internet resources to locate information
     • Consider the legal and ethical issues in electronic evidence
     • Provide some interesting case examples

  4. Fact or Fiction
     Deleting files and formatting a hard drive makes them impossible to find and use

  5. Fact or Fiction
     Almost all data can be recovered from an electronic source if given enough time and resources

  6. Fact or Fiction

  7. What Are Electronic Documents?
     Data created and stored in such a way that a computer or other electronic device is needed to display, interpret, or process it.

  8. Electronic Records
     Electronic records increasingly provide investigators with important evidence such as:
     • Recovery of deleted hard drive files even after a hard drive has been reformatted or repartitioned
     • Decryption of some encrypted files
     • Identification of web sites that have been visited as well as when they were visited

  9. Electronic Records
     • Determination of what files have been downloaded
     • When files were last accessed
     • Faxes sent or received on a computer
     • Discovery of email messages and attachments even if previously deleted
     • Locating and accessing financial records and other documents

  10. When and Why Do We Want Electronic Documents?
      • Electronic documents may contain information not accessible on paper
      • Information that has been hidden or destroyed may be accessible
      • Alterations made to data may be found
        • e.g. deletion logs in some software programs show changes to records
      • Historical information may be available
      • Relationships

  11. Electronic vs. Paper Records
      Sometimes dealing with electronic documents is preferred due to the volume of information. Consider this:
      • 1 Megabyte of data = approximately 60 pages
      • 1 Gigabyte of data = approximately 60,000 pages
      • 20 Gigabytes = approximately 1.2 million pages
      • 1.2 million pages … a fifty-storey building

  12. The Computer Forensic Analyst

  13. The Computer Forensics Process
      • Identify
      • Preserve
      • Extract
      • Interpret
      • Present
      … computer-related evidence

  14. Data Classifications
      • Active Data
        • current information
        • still visible and usable
      • Latent Data
        • generally inaccessible without special knowledge and tools
        • e.g. deleted files
      • Metadata
        • when created, by whom, date accessed or altered, etc.

  15. How Do We Do It?
      • Imaging of the hard drive or server
        • Forensically sound, i.e. no alterations to the original
        • Make another image (working copy)
      • Search for data
        • Active (accessible) data
        • Latent (inaccessible) data

  16. How Do We Do It?
      • Use specialized software (e.g. EnCase) to analyze the drive for everything from the operating system to the directory structure
      • Extract information relevant to the investigation
        • keyword searches
        • file properties and comparisons
      • Search caches and slack space
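Slides 14 to 16 describe verifying a working copy of the image and then searching it for active and latent data. The following Python script is an added example (not from the presentation, and not EnCase) that models that on a constructed 2 KB toy image: it hashes original and working copy, then runs a keyword search and reports whether each hit lies in active data, in file slack, or in unallocated clusters. The cluster size, billing records and directory entry are all constructed for illustration.

```python
import hashlib
import re

# Constructed toy disk image: 4 clusters of 512 bytes, not a real filesystem.
CLUSTER = 512
RECORDS = [  # constructed sample records of a since-deleted billing file
    b"BILLING 2007-03-14 patient=0017 code=98940 amount=85.00\n",
    b"BILLING 2007-03-14 patient=0017 code=98941 amount=120.00\n",
    b"BILLING 2007-05-02 patient=0042 code=98941 amount=120.00\n",
]
ACTIVE_NOTE = b"Meeting notes: quarterly review, nothing unusual.\n"
ENTRIES = [(0, len(ACTIVE_NOTE))]  # allocated files: (first_cluster, logical_size)

def build_sample_image() -> bytes:
    img = bytearray(4 * CLUSTER)
    # The deleted billing file once spanned clusters 0 and 1 ...
    img[0:len(RECORDS[0]) + len(RECORDS[1])] = RECORDS[0] + RECORDS[1]
    img[CLUSTER:CLUSTER + len(RECORDS[2])] = RECORDS[2]
    # ... then a short active file reused cluster 0, overwriting only its head.
    img[0:len(ACTIVE_NOTE)] = ACTIVE_NOTE
    return bytes(img)

def verify_working_copy(original: bytes, copy: bytes):
    """Hash both images; analysis proceeds on the copy only if the digests match."""
    digest = hashlib.sha256(original).hexdigest()
    return digest == hashlib.sha256(copy).hexdigest(), digest

def classify(offset: int, entries) -> str:
    """Active data, file slack (allocated but past logical EOF) or unallocated space."""
    cluster = offset // CLUSTER
    for first, size in entries:
        if first <= cluster < first + -(-size // CLUSTER):   # ceil division
            return "active" if offset < first * CLUSTER + size else "slack"
    return "unallocated"

def keyword_search(image: bytes, keyword: bytes, entries):
    """Return (region, offset, text-to-end-of-line) for every hit, active or latent."""
    hits = []
    for m in re.finditer(re.escape(keyword), image):
        end = image.find(b"\n", m.start())
        text = image[m.start():end if end != -1 else None]
        hits.append((classify(m.start(), entries), m.start(),
                     text.decode("ascii", "replace")))
    return hits

if __name__ == "__main__":
    img = build_sample_image()
    for hit in keyword_search(img, b"BILLING", ENTRIES):
        print(hit)
```

The deleted record in cluster 0 survives only in the slack behind the new file, which is exactly the latent data a plain file listing never shows.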

  17. Case Example 1
      • A health care practitioner was alleged to be billing insurers for treatments not provided
      • A review of paper records showed no discrepancies, as the chart matched the billings
      • A review of the "Explanation of Benefits" from the insurer of one patient showed procedures which were not listed in the chart
      • Billings were submitted to the insurer electronically

  18. Case Example 1
      • The practitioner's hard drive was imaged
      • Subsequent analysis showed in excess of 40,000 deleted entries
      • The practitioner had submitted over 2 million dollars in fraudulent claims to various insurers over a two-year period
      • The matter was referred to a Discipline Hearing and the member pled guilty, primarily due to the evidence obtained through the forensic analysis of the hard drive

  19. Email

  20. Email
      • Email communication is becoming the preferred means of business communication
      • Email contains much more information than what you normally see
      • Email Header
        • Date and time sent
        • Routing
        • Identification of sender through IP address

  21. Abbreviated E-Mail Header
      Received: from psmtp.com ([64.18.2.132]) by remwebsolutions.com with MailEnable ESMTP; Tue, 02 Sep 2008 12:15:48 -0400
      Received: from source ([68.142.225.229]) by exprod7mx174.postini.com ([64.18.6.14]) with SMTP; Tue, 02 Sep 2008 16:15:47 GMT
      From: "Dean Benard" <dbenard@benardandassociates.com>
      To: <dbenard@benardandassociates.com>
      Subject: Sample Email Header
      Date: Tue, 2 Sep 2008 12:16:34 -0400
      Message-ID: <2AB2664DA7C84B9DAFFC0B77409155E9@benassoc.local>

  22. Case Example 2
      • The subject, a healthcare provider, was accused of having a sexual relationship with a patient; he denied the relationship
      • Explicit emails were allegedly exchanged and hard copies were provided by the complainant
      • The subject denied sending the e-mails and accused the complainant of manufacturing them
      • The complainant agreed to provide her computer for analysis

  23. Case Example 2
      • E-mail header information was obtained
      • The header contained the sender's IP address and message ID number
      • A trace of the IP address connected the source of the incoming emails to the subject
      • The subject had used his business email account (.com) to send the messages
      • The subject was confronted with the information and admitted to everything

  24. Case Example 2
      • When questioned by the investigator about this information, the doctor admitted his involvement with the complainant
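Slides 20 and 21 describe what a header carries (date and time, routing, sender IP) and slide 23 describes following the sender IP and Message-ID. The following Python script is an added example (not from the presentation) that parses the abbreviated header reproduced on slide 21 with the standard library, orders the Received hops chronologically, computes the relay delays and the gap between the sender's Date and the first relay stamp, and pulls the domains from the From and Message-ID fields. Resolving the originating IP to a subscriber is an out-of-band step and is not shown.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# The abbreviated header reproduced from slide 21 (a sample the presenter sent to himself).
SAMPLE_HEADER = "\n".join([
    "Received: from psmtp.com ([64.18.2.132]) by remwebsolutions.com with MailEnable ESMTP; Tue, 02 Sep 2008 12:15:48 -0400",
    "Received: from source ([68.142.225.229]) by exprod7mx174.postini.com ([64.18.6.14]) with SMTP; Tue, 02 Sep 2008 16:15:47 GMT",
    'From: "Dean Benard" <dbenard@benardandassociates.com>',
    "To: <dbenard@benardandassociates.com>",
    "Subject: Sample Email Header",
    "Date: Tue, 2 Sep 2008 12:16:34 -0400",
    "Message-ID: <2AB2664DA7C84B9DAFFC0B77409155E9@benassoc.local>",
]) + "\n"

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\]\).*?\bby\s+(\S+)", re.S)

def parse_received(value: str) -> dict:
    """Split one Received: header into sending host/IP, receiving host and its timestamp."""
    m = RECEIVED_RE.search(value)
    if not m:
        raise ValueError(f"unrecognised Received header: {value!r}")
    stamp = value.rsplit(";", 1)[1].strip()      # text after the last ';' is the date
    return {"from_host": m.group(1), "from_ip": m.group(2),
            "by_host": m.group(3), "time": parsedate_to_datetime(stamp)}

def analyse_header(raw: str) -> dict:
    msg = email.message_from_string(raw)
    # Each relay prepends its Received: line, so reversing gives chronological order;
    # the first hop is the closest thing to the originating machine the header offers.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    sent = parsedate_to_datetime(msg["Date"])
    return {
        "origin_ip": hops[0]["from_ip"],
        "path": [(h["from_host"], h["from_ip"], h["by_host"]) for h in hops],
        "hop_delays_s": [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(hops, hops[1:])],
        # Sender's own clock versus the first relay: a large gap suggests clock skew or an altered Date.
        "date_vs_first_relay_s": int((sent - hops[0]["time"]).total_seconds()),
        "from_domain": parseaddr(msg["From"])[1].rsplit("@", 1)[1],
        "message_id_domain": msg["Message-ID"].strip("<> ").rsplit("@", 1)[1],
    }

if __name__ == "__main__":
    for key, val in analyse_header(SAMPLE_HEADER).items():
        print(f"{key:22s} {val}")
```

Note that the relay timestamps are in different zones (GMT and -0400); the script compares them as timezone-aware values, which is where hand-reading a header most often goes wrong.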

  25. Internet Resources

  26. Internet Resources
      • Free resources (e.g. Google, MySpace, Facebook)
        • Good for finding associations / relationships
        • Historical information
      • Resources for a fee (e.g. Classmates, People Finders, e-Detective)
        • Fee involved can be substantial
        • No guarantee of useful information

  27. Internet Resources
      • Government websites
        • Patent offices
        • Business registries
        • Tax offices
        • Validating Social Insurance Numbers in Canada and Social Security Numbers in the USA
      • Beware of non-governmental sources, as a number passing "validation" on many sites doesn't mean the card exists

  28. Blogs
      A blog is a website dedicated to an individual's personal comments or thoughts. Blogs are essentially an online diary that the world gets to read.
      • Can be a good source of publicly available info
      • Can cause serious problems for the blogger and others

  29. Legal Considerations
      • Expectation of Privacy
        • internet and email usage policies
      • Privileged Documents
        • solicitor / client
      • Scope of Investigation
        • Relevance of information

  30. Expectation of Privacy
      • Use of the computer system to send personal emails from the workplace
      • Storage of personal financial information
        • credit card information
        • credit reports
        • personal banking records

  31. Privileged Documents
      • Communication between an individual and legal counsel
      • How do we handle these documents?
      • What steps do we take to ensure privilege is not violated in such a way as to compromise the investigation?

  32. Scope of Investigation
      • We must remember that when imaging a hard drive all data is obtained
      • We are not on a fishing trip
      • Data must be relevant to the investigation
      • Utilization of data not relevant may compromise the evidence and the investigation

  33. Summary
      • Electronic documentation is the future, so it is important to consider what resources are available to manage it
      • CFA can be very valuable and should be considered in some cases
      • Recognize that it has some limitations
      • Always consider the cost/benefit analysis

  34. Summary
      • The internet can be an excellent source of information, but USER BEWARE
      • Consider your own information and what you allow on the web
      • Once your information is out there it can be impossible to take it back

  35.

  36. Speaker Contact Information
      Kristina Mulak, Manager of Investigations
      College of Chiropractors of Ontario
      130 Bloor Street West, Suite 900, Toronto, Ontario
      kmulak@cco.on.ca

      Ernie Atkins, Investigator
      Commonwealth of Virginia DPOR-CID, Field Investigations, Tidewater Region
      9960 Mayland Dr. Suite 400, Richmond, Virginia
      ernie.atkins@dpor.virginia.gov

      Dean Benard, President
      Benard + Associates
      5-420 Erb Street West, Suite 500, Waterloo, Ontario
      dbenard@benardandassociates.com

      Glenn Benard, Associate
      Benard + Associates
      5-420 Erb Street West, Suite 500, Waterloo, Ontario
      grbenard@benardandassociates.com
