The Forensic Approach to Complex Fraud - PowerPoint PPT Presentation

1
The Forensic Approach to Complex Fraud
  • Keith Foggon
  • Head of Digital Forensics Unit
  • Serious Fraud Office

2
Outline
  • What is the SFO
  • Forensic Challenges
  • DFU Technology
  • Forensic Processes

3
What is the SFO
  • Created by Criminal Justice Act 1987
  • Roskill Fraud Trials Report 1986
  • began April 1988
  • compulsory powers (defeat confidentiality)
  • Investigates and prosecutes
  • Serious or complex fraud
  • Multi-disciplinary teams
  • Referral, vetting and acceptance

4
What does the SFO do
  • Reduce fraud and the cost of fraud
  • Deliver Justice and rule of law
  • Maintain confidence in UK business
  • by
  • taking on appropriate cases
  • investigating quickly
  • prosecuting fairly
  • communicating clearly to deter fraud
  • Responsive not reactive

5
Criminal Justice Act 1987
  • s1 the director may investigate offences

6
Criminal Justice Act 1987
  • s1 the director may investigate offences
  • s2(2) answer questions or furnish information
  • s2(3) copies of documents and explanations
  • s2(4) warrant to enter premises
  • s2 available for mutual legal assistance

7
Criminal Justice Act 1987
  • s1 the director may investigate offences
  • s2(2) answer questions or furnish information
  • s2(3) copies of documents and explanations
  • s2(4) warrant to enter premises
  • s2 available for mutual legal assistance
  • s3 disclosure to other authorities

8
Investigate & Prosecute
  • Prosecutor leads the investigation team
  • unique
  • effective (if the product is a prosecution)
  • Team formed with
  • Internal investigators, law clerks, etc.
  • Police (one or more forces)
  • Counsel
  • External accountants etc.

9
Criteria for Acceptance
  • Direction of the investigation should be in the
    hands of the prosecutor
  • Sum at risk > £1m
  • Public concern / interest
  • International dimension
  • Specialisms / multi-disciplinary teams
  • Use of s2 appropriate

10
Roles and Responsibilities
  • Case Controller
  • (dual function maybe disclosure officer),
  • leads overall investigation
  • separate from the case - he is the arbiter in
    relation to the way it will be prosecuted
  • Case Lawyer
  • investigator
  • involved closely in all aspects of the
    investigation
  • Support Staff
  • Law clerks / IT / analysts / DOCMAN
  • Digital Forensics Unit

11
Computer Forensics
  • What's it all about?
  • Why does the SFO need a Forensics Unit?

Student Participation Time
12
Digital Forensics Unit
  • Every case involves digital evidence
  • Seizing server farms
  • Work volume increasing each year
  • Encryption built in to MS products
  • Email, increasing volume & value
  • Anti-Forensics tools on the increase
  • All fraud investigators need awareness
  • Massive amount of data: too much, far too much

13
So how do we cope ?
  • Forensics is such a linear process
  • It does not cope well with multiple dimensions
  • It confuses data and information
  • It finds the useless and ignores the useful
  • Imaging blank space (75 - 80% of image is of no
    use)
  • Investigators need knowledge but forensics
    creates a mist of confusion

14
Consider Data and Query Equality
Intelligent Forensics
Traditional Forensics
  • Queries find data ? ?
  • Data finds queries ? ?
  • Data finds data ? ?
  • Queries find queries! ? ?

15
Treat all Data as a Query
If you don't process every new piece of data like
a query then you will not know if it matters
until you ask!
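
One way to read slides 14 and 15 in code, as an added example that is not from the presentation: every ingested item is indexed and, in the same step, run as a query against earlier items and against investigators' standing queries. The class, the selector formats (email addresses, 8-digit account numbers) and all sample data are constructed assumptions.

```python
import re
from collections import defaultdict

# Selectors pulled from text: email addresses and 8-digit account numbers
# (both formats are assumptions made for this example).
SELECTOR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\b\d{8}\b")

class EvidenceIndex:
    """Hypothetical persistent index shared by all exhibits and all cases."""

    def __init__(self):
        self.items = defaultdict(set)    # selector -> ids of items containing it
        self.queries = defaultdict(set)  # selector -> ids of standing queries

    def ingest(self, item_id, text):
        """Index a new item and treat it as a query at the same time."""
        hits = []
        for sel in sorted({s.lower() for s in SELECTOR_RE.findall(text)}):
            # Data finds data: earlier exhibits sharing this selector.
            hits += [("data-finds-data", sel, i) for i in sorted(self.items[sel])]
            # Data finds queries: someone already asked about this selector.
            hits += [("data-finds-query", sel, q) for q in sorted(self.queries[sel])]
            self.items[sel].add(item_id)
        return hits

    def ask(self, query_id, selector):
        """Answer a query now and keep it standing for data that arrives later."""
        sel = selector.lower()
        hits = [("query-finds-data", sel, i) for i in sorted(self.items[sel])]
        # Queries find queries: another investigator asked the same thing.
        hits += [("query-finds-query", sel, q) for q in sorted(self.queries[sel])]
        self.queries[sel].add(query_id)
        return hits

def demo():
    """Constructed sample: two exhibits and two cases asking about one account."""
    idx = EvidenceIndex()
    out = []
    out += idx.ingest("laptop-A/mail-17", "Send it to j.doe@example.com, account 12345678")
    out += idx.ask("case-1/q1", "99887766")   # nothing indexed yet: no hit
    out += idx.ask("case-2/q1", "99887766")   # finds case-1's identical query
    out += idx.ingest("server-B/ledger.csv", "12345678,99887766,transfer")
    return out

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Neither query returns data when it is asked; the link to the ledger only surfaces because the later exhibit is itself processed as a query.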
16
Pause for thought
  • All single parameter forensic processes will
    fail.
  • An investigator sitting at an EnCase machine will
    fail!
  • The best, most reliable & useful results for
    large and complex fraud will be realized using a
    multiple, simultaneous, approach

17
The route forward
  • The Technology behind the process
  • Using intelligence in forensic IT
  • Hardware
  • Environment
  • Network
  • Processes
  • Databases
  • Software

18
Our new Desktop Environment
HP xw8600 Workstation (2 x quad-core 64-bit, 16GB
RAM, 1.5TB HD, Win XP Pro 64)
Dell XPS 700 series
19
Our new Storage Environment
Nexsan SATABeast 4 x 42TB Raided to 8 x 16.3TB
Volumes
20
Our new Network Environment
Blades
Silos
21
Our new Network Environment
Satabeasts
Closeup of Satabeasts
22
One for the Techies
Rear View
Full Frontal
23
New Work Area
24
New Work Area
25
New Work Area
26
New Work Area
27
New Work Area
28
Hardware / Network
  • Silo-based structure
  • Enhanced security
  • Dedicated dirty network
  • 64-bit workstations
  • Optimised processing
  • RESTRICTED
  • Improved throughput

29
Hardware
30
Hardware
31
Hardware
32
Network
33
Network
34
Police Forces in England & Wales
Avon & Somerset, Devon & Cornwall, Dorset, Gloucestershire (Gloucester), Hampshire, Kent, Sussex, Wiltshire
Cambridgeshire (Cambs.), Cleveland, Durham, Essex, Humberside, Lincolnshire, Norfolk, Northumbria, North Yorkshire, South Yorkshire (S. Yorks), Suffolk, West Yorkshire
Derbyshire (Derby), Dyfed-Powys, Gwent, Leicestershire, Northamptonshire (Northants.), North Wales, Nottinghamshire (Notts.), South Wales, Staffordshire (Stafford), Surrey, Thames Valley, Warwickshire (Warwick), West Mercia, West Midlands (W. Mids.), PSNI (Police Service of Northern Ireland)
Bedfordshire (Beds.), Cheshire, Cumbria, Greater Manchester (Gtr Man), Hertfordshire, Lancashire, Merseyside
City of London, Metropolitan
35
Domains of Investigation
INDIVIDUAL INVESTMENT FRAUD
MUTUAL LEGAL ASSISTANCE
CORRUPTION
CORPORATE, CITY & PUBLIC SECTOR FRAUD
DIGITAL FORENSIC UNIT
37
Processes
Seizure Imaging Analysis Extraction
Sanitisation PM Material LPP Material Staging
Extraction Presentation
  • General offence of fraud (Fraud Act 2006)
  • False representation
  • Failure to disclose information
  • Abuse of position

38
Processes
  • Content extraction for defined data types
  • Comparison against known data
  • Transaction analysis (sequence of events)
  • Extraction of data
  • Deleted files recovery
  • Format conversion
  • Keyword searching
  • Decryption / Cracking
  • Storage Media types
  • Rebuild

39
Procedures 2008
40
Procedures 2009
41
Databases
  • SFO-generated
  • Microsoft
  • Hashkeeper
  • NSRL
  • Police Operations
  • Civil Operations
  • Operation Ore
  • Some others
  • looking at Bit9
42
Software
  • Most Imaging / Analysis
  • iLook
  • FTK / FTK2?
  • EnCase
  • Paraben P2
  • Mobiles / PDAs
  • CellDeck / Neutrino / PDA Seizure / Cellebrite
  • Write Blocking
  • Tableau / FastBloc / Wiebetech
  • Tapes
  • TapeCat / MMPC / eMAG

43
Software
  • And these others

44
Electronic Presentation of Evidence
  • Electronic Presentation of Evidence
  • Screen displays of
  • Documents
  • Graphics
  • Animations
  • Virtual Reality

45
Time
  • Cases take a long time
  • To analyse,
  • investigate,
  • and prosecute
  • Computer Forensics is a slow process
  • Rules and procedures
  • Triage Processes

46
and don't forget about these
  • iPods
  • iPhones
  • PSP
  • X-Box
  • PS3 / Wii
  • SatNav
  • Sky Box
  • BlackBerry

47
or these
Nokia N8000 (proprietary)
  • Palm Foleo (linux-based)

Fujitsu (??)
Sony VGN (XP home)
Samsung Q1 (Vista)
48
or even these
49
Final word
Conventional computer forensics is struggling to
keep pace with potential sources of electronic
evidence.
We need to apply intelligence to our forensics as
there is simply too much data to analyse.
Re-examine standard forensic procedures to adapt
to advances in technology.
50
Thanks
  • Questions

51
Contact
  • Keith Foggon, Head of Digital Forensics Unit
  • Serious Fraud Office
  • Elm House, 10 - 16 Elm Street
  • London WC1X 0BJ
  • 020 7239 7272
  • keith.foggon_at_sfo.gsi.gov.uk