CSI for Regulators Part II Obtaining and Processing Electronic Evidence PowerPoint PPT Presentation


Title: CSI for Regulators Part II Obtaining and Processing Electronic Evidence


1
CSI for Regulators Part II Obtaining and
Processing Electronic Evidence
  • Glenn Benard
  • Ernie Atkins
  • Dean Benard
  • Kristina Mulak

2
Objectives
  • Understanding what electronic records are
  • Consider why we might want electronic records
  • Review the computer forensics process
  • gaining access
  • Imaging, locating and utilizing files / records

3
Objectives
  • Discuss how emails can be useful in an
    investigation
  • Learn about the good and not so good internet
    resources to locate information
  • Consider the legal and ethical issues in
    electronic evidence
  • Provide some interesting case examples

4
Fact or Fiction
  • Deleting files and formatting a hard drive makes
    them impossible to find and use

5
Fact or Fiction
  • Almost all data can be recovered from an
    electronic source if given enough time and
    resources

6
Fact or Fiction
7
What Are Electronic Documents?
  • Data created and stored in such a way that a
    computer or other electronic device is needed to
    display, interpret, or process it.

8
Electronic Records
  • Electronic records increasingly provide
    investigators with important evidence such as
  • Recovery of deleted hard drive files even after a
    hard drive has been reformatted or repartitioned
  • Decryption of some encrypted files
  • Identification of web sites that have been
    visited as well as when they were visited

9
Electronic Records
  • Determination of what files have been downloaded
  • When files were last accessed
  • Faxes sent or received on a computer
  • Discovery of email messages and attachments even
    if previously deleted
  • Locating and accessing financial records and
    other documents

10
When and Why do we want Electronic Documents?
  • Electronic documents may contain information not
    accessible on paper
  • Information that has been hidden or destroyed may
    be accessible
  • Alterations made to data may be found
  • e.g. deletion logs in some software programs show
    changes to records
  • Historical information may be available
  • Relationships

11
Electronic vs. Paper Records
  • Sometimes dealing with electronic documents is
    preferred due to the volume of information.
    Consider this:
  • 1 Megabyte of data: approximately 60 pages
  • 1 Gigabyte of data: approximately 60,000 pages
  • 20 Gigabytes: approximately 1.2 million pages
  • 1.2 million pages: a fifty storey building

12
The Computer Forensic Analyst
13
The Computer Forensics Process
  • Identify
  • Preserve
  • Extract
  • Interpret
  • Present
  • computer-related evidence

14
Data Classifications
  • Active Data
  • current information
  • still visible and useable
  • Latent Data
  • generally inaccessible without special knowledge
    and tools
  • e.g. deleted files
  • Metadata
  • when created, by whom, date accessed or altered
    etc.

15
How Do We Do It?
  • Imaging of the hard drive or server
  • Forensically sound
  • i.e. no alterations to the original
  • Make another image (working copy)
  • Search for data
  • Active (accessible) data
  • Latent (inaccessible) data

16
How Do We Do It?
  • Use specialized software (e.g. EnCase) to analyze
    the drive for everything from the operating
    system to the directory structure
  • Extract information relevant to investigation
  • keyword searches
  • file properties and comparisons
  • Search caches and slack space
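Added example, not part of the presentation: the check behind "forensically sound" imaging on the two slides above, comparing dual hashes (MD5 and SHA-256) of the original against the image and the working copy so any altered copy is rejected before searching begins. Acquisition itself (write-blocker, imaging tool such as EnCase) is outside this snippet; the drive contents are constructed, and the helper names are my own.

```python
import hashlib
import io
from typing import BinaryIO

CHUNK = 1 << 20  # 1 MiB reads, so a multi-gigabyte image never sits in RAM at once


def hash_stream(src: BinaryIO) -> dict:
    """MD5 and SHA-256 of a stream; recording both is the usual evidence-log practice."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: src.read(CHUNK), b""):
        md5.update(chunk)
        sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def verify_copies(original: BinaryIO, *copies: BinaryIO) -> dict:
    """Hash the original once, then every copy. A copy is sound only when both
    digests match; the returned record can go straight into the custody log."""
    ref = hash_stream(original)
    verdicts = [hash_stream(c) == ref for c in copies]
    return {"original": ref, "copies_verified": verdicts, "all_sound": all(verdicts)}


def demo() -> dict:
    # Constructed 'drive': a few sectors of chart text padded with zero bytes,
    # standing in for a real device that would be read through a write-blocker.
    drive = (b"PATIENT-CHART-0001 billed 3 units\n" * 100).ljust(8192, b"\x00")
    image = bytes(drive)       # bit-for-bit forensic image, kept untouched
    working = bytes(drive)     # second image used for the actual searching
    bad = bytearray(drive)
    bad[40] ^= 0x01            # one flipped bit: a copy that must fail verification
    return verify_copies(io.BytesIO(drive), io.BytesIO(image),
                         io.BytesIO(working), io.BytesIO(bytes(bad)))


if __name__ == "__main__":
    print(demo())
```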

17
Case Example 1
  • A health care practitioner was alleged to be
    billing insurers for treatments not provided
  • A review of paper records showed no discrepancies
    as the chart matched the billings
  • A review of the Explanation of Benefits from
    the insurer of one patient showed procedures
    which were not listed in the chart
  • Billings were submitted to the insurer
    electronically

18
Case Example 1
  • The practitioner's hard drive was imaged
  • Subsequent analysis showed in excess of 40,000
    deleted entries
  • The practitioner had submitted over 2 million
    dollars in fraudulent claims to various insurers
    over a two year period
  • The matter was referred to a Discipline Hearing
    and the member pled guilty primarily due to the
    evidence obtained through the forensic analysis
    of the hard drive

19
Email
20
Email
  • Email communication is becoming the preferred
    means of business communication
  • Email contains much more information than what
    you normally see
  • Email Header
  • Date and time sent
  • Routing
  • Identification of sender through IP address

21
Abbreviated E-Mail Header
  • Received: from psmtp.com (64.18.2.132) by
    remwebsolutions.com with MailEnable ESMTP;
    Tue, 02 Sep 2008 12:15:48 -0400
  • Received: from source (68.142.225.229) by
    exprod7mx174.postini.com (64.18.6.14) with SMTP;
    Tue, 02 Sep 2008 16:15:47 GMT
  • From: "Dean Benard" <dbenard@benardandassociates.com>
  • To: <dbenard@benardandassociates.com>
  • Subject: Sample Email Header
  • Date: Tue, 2 Sep 2008 12:16:34 -0400
  • Message-ID:
    <2AB2664DA7C84B9DAFFC0B77409155E9@benassoc.local>

22
Case Example 2
  • The subject, a healthcare provider, was accused
    of having a sexual relationship with a patient -
    he denied the relationship
  • Explicit emails were allegedly exchanged and hard
    copies were provided by the complainant
  • Subject denied sending e-mails, accused the
    complainant of manufacturing them
  • The complainant agreed to provide her computer
    for analysis

23
Case Example 2
  • E-mail header information was obtained
  • Header contained sender's IP address and message
    ID number
  • A trace of the IP address connected the source of
    the incoming emails to the subject
  • Subject utilized his business email account
    (.com) to send messages
  • Subject confronted with information and admitted
    to everything

24
Case Example 2
  • When questioned by the investigator about this
    information the doctor admitted his involvement
    with the complainant
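Added example, not from the presentation: walking the Received chain of the sample header from the "Abbreviated E-Mail Header" slide (reconstructed here with the colons and the ';' before each timestamp that the slide text lost) to list the hops in transit order, pick out the originating public IP the way Case Example 2 describes, and flag private addresses that cannot be traced beyond the sender's own network. The function names are my own.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed input: the slide's header with standard separators restored.
SAMPLE_HEADER = """\
Received: from psmtp.com (64.18.2.132) by remwebsolutions.com
 with MailEnable ESMTP; Tue, 02 Sep 2008 12:15:48 -0400
Received: from source (68.142.225.229) by exprod7mx174.postini.com
 (64.18.6.14) with SMTP; Tue, 02 Sep 2008 16:15:47 GMT
From: "Dean Benard" <dbenard@benardandassociates.com>
To: <dbenard@benardandassociates.com>
Subject: Sample Email Header
Date: Tue, 2 Sep 2008 12:16:34 -0400
Message-ID: <2AB2664DA7C84B9DAFFC0B77409155E9@benassoc.local>

(body omitted)
"""

# 'from <name> (<ipv4>) by <relay>' is the part of a Received line we need
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
                    r"\s+by\s+(?P<by>\S+)")


def parse_hops(raw_message: str) -> list:
    """Return relay hops in transit order (first relay to the final one)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())      # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue                         # relay wrote a form we do not parse
        ip = ipaddress.ip_address(m.group("ip"))
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({"from": m.group("helo"), "ip": str(ip), "by": m.group("by"),
                     "time": parsedate_to_datetime(stamp) if stamp else None,
                     "private": ip.is_private})   # LAN addresses: not traceable outside
    hops.reverse()  # each relay prepends its line, so the last line is the first hop
    return hops


def origin_ip(hops: list):
    """First public address in the chain, the lead Case Example 2 was built on.
    None means every hop was internal, so only the sender's mail server can help."""
    return next((h["ip"] for h in hops if not h["private"]), None)


def hop_delays(hops: list) -> list:
    """Seconds between consecutive hops; big gaps or negatives suggest forged lines."""
    return [(b["time"] - a["time"]).total_seconds()
            for a, b in zip(hops, hops[1:]) if a["time"] and b["time"]]
```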

25
Internet Resources
26
Internet Resources
  • Free resources (e.g. Google, MySpace, Facebook)
  • Good for finding associations / relationships
  • Historical information
  • Resources for a fee (e.g. Classmates, People
    Finders, e-Detective)
  • Fee involved can be substantial
  • No guarantee of useful information

27
Internet Resources
  • Government websites
  • Patent offices
  • Business registries
  • Tax offices
  • Validating Social Insurance Numbers in Canada and
    Social Security Numbers in the USA
  • Beware of non-governmental sources, as validation
    from many sites doesn't mean the card exists

28
Blogs
  • A blog is a website that is dedicated to an
    individual's personal comments or thoughts.
  • Blogs are essentially an online diary that the
    world gets to read
  • Can be a good source of publicly available info
  • Can cause serious problems for the blogger and others

29
Legal Considerations
  • Expectation of Privacy
  • internet and email usage policies
  • Privileged Documents
  • solicitor / client
  • Scope of Investigation
  • Relevance of information

30
Expectation of Privacy
  • Use of computer system to send personal emails
    from the workplace
  • Storage of personal financial information
  • credit card information
  • credit reports
  • personal banking records

31
Privileged Documents
  • Communication between individual and legal
    counsel
  • How do we handle these documents
  • What steps do we take to ensure privilege is not
    violated in such a way as to compromise the
    investigation

32
Scope of Investigation
  • We must remember that when imaging a hard drive
    all data is obtained
  • We are not on a fishing trip
  • Data must be relevant to the investigation
  • Utilization of data not relevant may compromise
    the evidence and the investigation

33
Summary
  • Electronic documentation is the future, so it is
    important to consider what resources are
    available to manage it
  • CFA can be very valuable and should be considered
    in some cases
  • Recognize that it has some limitations
  • Always consider the cost benefit analysis

34
Summary
  • The internet can be an excellent source of
    information but USER BEWARE
  • Consider your own information and what you allow
    on the web
  • Once your information is out there it can be
    impossible to take it back

36
Speaker Contact Information
  • Kristina Mulak
  • Manager of Investigations
  • College of Chiropractors of Ontario
  • 130 Bloor Street West, Suite 900
  • Toronto, Ontario
  • kmulak@cco.on.ca
  • Ernie Atkins
  • Investigator
  • Commonwealth of Virginia DPOR-CID
  • Field Investigations, Tidewater Region
  • 9960 Mayland Dr. Suite 400
  • Richmond, Virginia
  • ernie.atkins@dpor.virginia.gov
  • Dean Benard
  • President
  • Benard Associates
  • 5-420 Erb Street West Suite 500
  • Waterloo, Ontario
  • dbenard@benardandassociates.com
  • Glenn Benard
  • Associate
  • Benard Associates
  • 5-420 Erb Street West Suite 500
  • Waterloo, Ontario
  • grbenard@benardandassociates.com