CLEAR 2008 Annual Conference Anchorage, Alaska CSI for Regulators Part II Obtaining and Processing Electronic Evidence Glenn Benard Ernie Atkins Dean Benard.


1 CLEAR 2008 Annual Conference, Anchorage, Alaska
CSI for Regulators Part II: Obtaining and Processing Electronic Evidence
Glenn Benard, Ernie Atkins, Dean Benard, Kristina Mulak

2 Objectives
Understanding what electronic records are
Consider why we might want electronic records
Review the computer forensics process
–gaining access
–imaging, locating and utilizing files / records

3 Objectives
Discuss how e-mails can be useful in an investigation
Learn about the good and not-so-good internet resources for locating information
Consider the legal and ethical issues in electronic evidence
Provide some interesting case examples

4 Fact or Fiction
Deleting files and formatting a hard drive makes them impossible to find and use

5 Fact or Fiction
Almost all data can be recovered from an electronic source if given enough time and resources

6 Fact or Fiction

7 What Are Electronic Documents?
Data created and stored in such a way that a computer or other electronic device is needed to display, interpret, or process it.

8 Electronic Records
Electronic records increasingly provide investigators with important evidence such as:
Recovery of deleted hard drive files even after a hard drive has been reformatted or repartitioned
Decryption of some encrypted files
Identification of web sites that have been visited as well as when they were visited

9 Electronic Records
Determination of what files have been downloaded
When files were last accessed
Faxes sent or received on a computer
Discovery of e-mail messages and attachments even if previously deleted
Locating and accessing financial records and other documents

10 When and Why Do We Want Electronic Documents?
Electronic documents may contain information not accessible on paper
Information that has been hidden or destroyed may be accessible
Alterations made to data may be found
–e.g. deletion logs in some software programs show changes to records
Historical information may be available
–Relationships

11 Electronic vs. Paper Records
Sometimes dealing with electronic documents is preferred due to the volume of information. Consider this:
1 Megabyte of data = approximately 60 pages
1 Gigabyte of data = approximately 60,000 pages
20 Gigabytes = approximately 1.2 million pages
1.2 million pages, stacked, is roughly the height of a fifty-storey building

12 The Computer Forensic Analyst

13 The Computer Forensics Process
Identify
Preserve
Extract
Interpret
Present
…computer-related evidence

14 Data Classifications
Active Data
–current information
–still visible and usable
Latent Data
–generally inaccessible without special knowledge and tools
–e.g. deleted files
Metadata
–when created, by whom, date accessed or altered etc.

15 How Do We Do It?
Imaging of the hard drive or server
–Forensically sound, i.e. no alterations to the original
Make another image (working copy)
Search for data
–Active (accessible) data
–Latent (inaccessible) data

16 How Do We Do It?
Use specialized software (e.g. EnCase) to analyze the drive for everything from the operating system to the directory structure
Extract information relevant to the investigation
–keyword searches
–file properties and comparisons
–search caches and slack space
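Slides 15 and 16 describe the acquisition and search sequence. The Python below is an added example and is not part of the presentation: a constructed byte string stands in for the raw device, the code images it while hashing every byte read, verifies the written image against the source hash, does all analysis on a working copy, and runs a keyword search that is not filesystem-aware, so it finds the copy of the data sitting in unallocated space as readily as the active file. The drive contents, file names and the `acquire_and_search` function are assumptions made for illustration.

```python
"""Forensically sound acquisition and a search of the whole image, including
unallocated space. Added example; the 'drive' is a constructed byte string
standing in for a raw device that would normally be read through a hardware
write blocker."""
import hashlib
import io
import mmap
import os
import re
import shutil
import tempfile

# Constructed stand-in for a raw disk. The first record is the only file a
# normal directory listing would show; the second copy of the data sits in
# space whose directory entry has been deleted (latent data).
CONSTRUCTED_DRIVE = (
    b"ACTIVEFILE:billing_2008.csv\n"
    b"patient,procedure,amount\n"
    b"A1,adjustment,45.00\n"
    + b"\x00" * 64
    + b"patient,procedure,amount\n"
    b"A1,adjustment,45.00\n"
    b"A1,x-ray,120.00\n"          # only ever existed in the now-deleted file
    + b"\x00" * 32
)


def image_device(device, image_path, chunk_size=4096):
    """Copy the device stream to image_path in fixed-size chunks, hashing every
    byte as it is read. Returns the SHA-256 of what was read from the source;
    the image file is hashed separately afterwards and must match."""
    digest = hashlib.sha256()
    with open(image_path, "wb") as out:
        for chunk in iter(lambda: device.read(chunk_size), b""):
            digest.update(chunk)
            out.write(chunk)
    return digest.hexdigest()


def sha256_file(path, chunk_size=4096):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def keyword_search(image_path, keyword):
    """Byte offsets of every occurrence of keyword anywhere in the image.
    The search ignores the filesystem, so hits in unallocated clusters and
    slack space are found as readily as hits in active files."""
    with open(image_path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return [m.start() for m in re.finditer(re.escape(keyword), mm)]


def acquire_and_search(device_bytes=CONSTRUCTED_DRIVE, keyword=b"x-ray"):
    """Image -> verify -> working copy -> search, returning the hashes and hit
    offsets so each step can be checked. The work directory is temporary."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        working = os.path.join(workdir, "working.dd")
        source_hash = image_device(io.BytesIO(device_bytes), image)
        image_hash = sha256_file(image)
        if image_hash != source_hash:
            raise RuntimeError("image hash differs from source; acquisition is not sound")
        # All analysis runs against a copy so the verified image is never altered.
        shutil.copyfile(image, working)
        working_hash = sha256_file(working)
        hits = keyword_search(working, keyword)
    # In the constructed drive the active file ends at the first run of nulls.
    active_end = len(device_bytes.split(b"\x00", 1)[0])
    return {
        "source_hash": source_hash,
        "image_hash": image_hash,
        "working_hash": working_hash,
        "hits": hits,
        "latent_hits": [h for h in hits if h >= active_end],
    }


if __name__ == "__main__":
    result = acquire_and_search()
    print("image verified:", result["image_hash"] == result["source_hash"])
    print("hits for b'x-ray' (all in deleted space):", result["latent_hits"])
```

In a real acquisition the device is read through a write blocker and both hashes go into the chain-of-custody notes; the comparison is what lets the analyst say the image is a true copy of the original, and the working copy is what gets opened in the analysis tool.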

17 Case Example 1
A health care practitioner was alleged to be billing insurers for treatments not provided
A review of paper records showed no discrepancies as the chart matched the billings
A review of the "Explanation of Benefits" from the insurer of one patient showed procedures which were not listed in the chart
Billings were submitted to the insurer electronically

18 Case Example 1
The practitioner's hard drive was imaged
Subsequent analysis showed in excess of 40,000 deleted entries
The practitioner had submitted over 2 million dollars in fraudulent claims to various insurers over a two-year period
The matter was referred to a Discipline Hearing and the member pled guilty, primarily due to the evidence obtained through the forensic analysis of the hard drive

19 E-mail

20 E-mail
E-mail is becoming the preferred means of business communication
An e-mail contains much more information than what you normally see
–Header
Date and time sent
Routing
Identification of the sender through the IP address

21 Abbreviated Header
Received: from psmtp.com ([ ]) by remwebsolutions.com with MailEnable ESMTP; Tue, 02 Sep :15:
Received: from source ([ ]) by exprod7mx174.postini.com ([ ]) with SMTP; Tue, 02 Sep :15:47 GMT
From: "Dean Benard"
To:
Subject: Sample Header
Date: Tue, 2 Sep :16:
Message-ID:
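How the routing information on slides 20 and 21 is actually read, as an added example that is not part of the presentation. The header below is constructed (documentation address ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24, example.com hosts, a made-up Message-ID), and the functions and the trusted-server set are assumptions for illustration. Each mail server prepends its own Received line, so the bottom line is the one closest to the sender and also the one a sender can fabricate before handing the message to the first server; the origin you can rely on is the furthest hop down that was written by a server you trust.

```python
"""Walking the Received chain of an e-mail header. Added example; the header
is constructed and uses documentation address ranges, not real hosts."""
import email
import re
from email.utils import parsedate_to_datetime

CONSTRUCTED_HEADER = """\
Received: from mx.example.net ([198.51.100.7]) by mail.example.org with ESMTP; Tue, 02 Sep 2008 10:15:48 -0400
Received: from source ([203.0.113.45]) by mx.example.net ([198.51.100.7]) with SMTP; Tue, 02 Sep 2008 14:15:47 GMT
From: "A. Sender" <sender@example.com>
To: recipient@example.org
Subject: Sample Header
Date: Tue, 2 Sep 2008 10:16:00 -0400
Message-ID: <constructed-0001@example.com>

Body of the constructed message.
"""

# The same message with a Received line the sender wrote themselves. Servers
# prepend their own lines, so a forged one ends up at the bottom of the chain.
FORGED_HEADER = CONSTRUCTED_HEADER.replace(
    "From:",
    "Received: from innocent.example ([192.0.2.99]) by relay.example.com "
    "with SMTP; Tue, 02 Sep 2008 14:10:00 GMT\nFrom:",
    1,
)

# "from <host> ([<ip>]) ... by <host>"; the IP in brackets is optional because
# not every server records one.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:.*?\[(?P<ip>[0-9a-fA-F.:]+)\])?.*?\bby\s+(?P<by>\S+)"
)


def parse_hops(raw_message):
    """Received lines top to bottom (newest first), one dict per hop."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "from": m.group("from"),
            "ip": m.group("ip"),
            "by": m.group("by"),
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def claimed_origin_ip(raw_message):
    """The bottom-most Received line: closest to the sender, and the one the
    sender can fabricate before the message reaches any real server."""
    hops = parse_hops(raw_message)
    return hops[-1]["ip"] if hops else None


def reliable_origin_ip(raw_message, trusted_servers):
    """Walk down from the top, accepting a hop only while the server that wrote
    it ('by') is one we trust. The 'from' address of the last trusted hop is
    as far back as the origin can be traced with confidence."""
    origin = None
    for hop in parse_hops(raw_message):
        if hop["by"] not in trusted_servers:
            break
        origin = hop["ip"]
    return origin


if __name__ == "__main__":
    trusted = {"mail.example.org", "mx.example.net"}
    for hop in parse_hops(FORGED_HEADER):
        print(hop["by"], "received from", hop["from"], hop["ip"], "at", hop["time"])
    print("claimed origin:", claimed_origin_ip(FORGED_HEADER))
    print("reliable origin:", reliable_origin_ip(FORGED_HEADER, trusted))
```

The trace in Case Example 2 worked because the relevant Received line was written by a server the investigator could vouch for; the IP address is then looked up with the provider's records, not taken from the sender's own claims in the header.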

22 Case Example 2
The subject, a healthcare provider, was accused of having a sexual relationship with a patient; he denied the relationship
Explicit e-mails were allegedly exchanged and hard copies were provided by the complainant
The subject denied sending the e-mails and accused the complainant of manufacturing them
The complainant agreed to provide her computer for analysis

23 Case Example 2
E-mail header information was obtained
The header contained the sender's IP address and message ID number
A trace of the IP address connected the source of the incoming e-mails to the subject
–The subject used his business account (.com) to send the messages
The subject was confronted with the information and admitted to everything

24 Case Example 2
When questioned by the investigator about this information the doctor admitted his involvement with the complainant

25 Internet Resources

26 Internet Resources
Free resources (e.g. Google, MySpace, Facebook)
–Good for finding associations / relationships
–Historical information
Resources for a fee (e.g. Classmates, People Finders, e-Detective)
–The fee involved can be substantial
–No guarantee of useful information

27 Internet Resources
Government websites
–Patent offices
–Business registries
–Tax offices
Validating Social Insurance Numbers in Canada and Social Security Numbers in the USA
–Beware of non-governmental sources: a number "validating" on many sites only means it is well formed, not that the card exists
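The validation caveat on slide 27, as an added example not drawn from the presentation. A Canadian SIN carries a Luhn check digit and a US SSN has only structural rules (no check digit), so an offline check can say a number is well formed but never that it was issued or to whom; that confirmation comes only from the issuing agency. The numbers in the code and tests are constructed values, and `assess` is an illustrative function, not any agency's service.

```python
"""Structural checks for a Canadian SIN and a US SSN. Added example; the
numbers used here are constructed test values, not issued identifiers."""
import re


def sin_checksum_ok(sin):
    """Canadian SINs carry a Luhn check digit: double every second digit from
    the left, subtract 9 from any result over 9, and the digit sum must be a
    multiple of 10. Spaces and hyphens between groups are ignored."""
    digits = re.sub(r"[\s-]", "", sin)
    if not re.fullmatch(r"\d{9}", digits):
        return False
    total = 0
    for position, ch in enumerate(digits, start=1):
        d = int(ch)
        if position % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_structure_ok(ssn):
    """SSNs have no check digit. The only offline test is structural: area
    000, 666 and 900-999 are never assigned, nor are group 00 or serial
    0000. Passing says nothing about whether the number was ever issued."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", ssn)
    if not m:
        return False
    area, group, serial = (int(part) for part in m.groups())
    if area in (0, 666) or area >= 900:
        return False
    return group != 0 and serial != 0


def assess(number, country):
    """What an offline 'validator' can and cannot tell you. 'issued' is always
    None here: a well-formed number may never have been issued, and only the
    issuing agency can confirm issuance and the holder's identity."""
    checker = {"CA": sin_checksum_ok, "US": ssn_structure_ok}[country]
    return {"well_formed": checker(number), "issued": None}


if __name__ == "__main__":
    # Constructed examples: one that satisfies the SIN checksum and one that
    # differs only in its last digit.
    for sample in ("046 454 286", "046 454 287"):
        print(sample, assess(sample, "CA"))
    for sample in ("123-45-6789", "666-45-6789", "123-00-6789"):
        print(sample, assess(sample, "US"))
```

A website that reports a number as "valid" is usually running exactly these checks. For an investigator that is useful for catching a transcription error, but a well-formed number can still be unissued, retired or belong to someone else; tie it to a person through the issuing agency or the regulated entity's own records.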

28 Blogs
A blog is a website dedicated to an individual's personal comments or thoughts
Blogs are essentially an online diary that the world gets to read
Can be a good source of publicly available information
Can cause serious problems for the blogger and others

29 Legal Considerations
Expectation of Privacy
–internet and e-mail usage policies
Privileged Documents
–solicitor / client
Scope of Investigation
–Relevance of information

30 Expectation of Privacy
Use of the computer system to send personal e-mails from the workplace
Storage of personal financial information
–credit card information
–credit reports
–personal banking records

31 Privileged Documents
Communication between an individual and legal counsel
–How do we handle these documents?
–What steps do we take to ensure privilege is not violated in such a way as to compromise the investigation?

32 Scope of Investigation
We must remember that when imaging a hard drive all data is obtained
We are not on a fishing trip
Data must be relevant to the investigation
Use of data that is not relevant may compromise the evidence and the investigation

33 Summary
Electronic documentation is the future, so it is important to consider what resources are available to manage it
Computer forensic analysis (CFA) can be very valuable and should be considered in some cases
Recognize that it has some limitations
Always consider the cost-benefit analysis

34 Summary
The internet can be an excellent source of information, but USER BEWARE
Consider your own information and what you allow on the web
Once your information is out there it can be impossible to take it back

35

36 Speaker Contact Information
Kristina Mulak, Manager of Investigations, College of Chiropractors of Ontario, 130 Bloor Street West, Suite 900, Toronto, Ontario
Ernie Atkins, Investigator, Commonwealth of Virginia DPOR-CID Field Investigations, Tidewater Region, 9960 Mayland Dr. Suite 400, Richmond, Virginia
Dean Benard, President, Benard + Associates, Erb Street West Suite 500, Waterloo, Ontario
Glenn Benard, Associate, Benard + Associates, Erb Street West Suite 500, Waterloo, Ontario
