Presentation on theme: "The Forensic Approach to Complex Fraud"— Presentation transcript:
1The Forensic Approach to Complex Fraud Keith FoggonHead of Digital Forensics UnitSerious Fraud Office
2Outline What is the SFO Forensic Challenges DFU Technology Forensic Processes
3What is the SFO Created by Criminal Justice Act 1987 Roskill Fraud Trials Report 1986began April 1988compulsory powers (defeat confidentiality)Investigates and prosecutesSerious or complex fraudMulti-disciplinary teamsReferral, vetting and acceptance
4What is the SFO do Responsive – not reactive Reduce fraud and the cost of fraudDeliver Justice and rule of lawMaintain confidence in UK businessby:taking on appropriate casesinvestigating quicklyprosecuting fairlycommunicating clearly to deter fraudResponsive – not reactiveThe Serious Fraud Office’ aim is to contribute to: Reducing fraud and the cost of fraud The delivery of justice and the rule of law Maintaining confidence in the UK’s business and financial institutionsBy taking on appropriate cases and Investigate them and bring them to a successful conclusion as quickly as individual circumstances allow When a decision to prosecute is made, prosecute fairly and in a way that enables the jury to understand the issuesIn carrying out its aim and objectives the Serious Fraud Office will Work effectively and efficiently Co-operate with other agencies and overseas jurisdictions Ensure that its activities and the way the are reported contribute to deterring fraud.Note that SFO does not detect, disrupt or directly deter - it is responsive not pro-active.
5Criminal Justice Act 1987 s1: the director may investigate offences 1. (1) A Serious Fraud Office shall be constituted for England and Wales and Northern Ireland.(2) The Attorney General shall appoint a person to be the Director of the Serious Fraud Office (referred to in this part of this Act as "the Director"), and he shall discharge his functions under the superintendence of the Attorney General.(3) The Director may investigate any suspected offence which appears to him on reasonable grounds to involve serious or complex fraud.(4) The Director may. if he thinks fit, conduct any such investigation in conjunction either with the police or with any other person who is, in the opinion of the Director. a proper person to be concerned in it.(5) The Director may -(a) Institute and have the conduct of any criminal proceedings which appear to him to relate to such fraud; and(b) Take over the conduct of any such proceedings at any stage.(6) The Director shall discharge such other functions in relation to fraud as may from time to time be assigned to him by the Attorney General.(7) The Director may designate for the purposes of subsection (5) above any member of the Serious Fraud Office who is -(a) a barrister in England and Wales or Northern Ireland;b) a solicitor of the Supreme Court; or(c) a solicitor of the Supreme Court of Judicature of Northern Ireland.(8) Any member so designated shall without prejudice to any functions which mayhave been assigned to him in his capacity as a member of that Office, have all the powers of the Director as to the institution and conduct of proceedings but shall exercise those powers under the direction of the Director.Etc.
6Criminal Justice Act 1987 s1: the director may investigate offences s2(2): answer questions or furnish informations2(3): copies of documents & explanationss2(4): warrant to enter premisess2 available for mutual legal assistanceCriminal Justice Act 19872. ...(2) The Director may by notice in writing require the person whose affairs are to be investigated ("the person under investigation") or any other person whom he has reason to believe has relevant information to answer questions or otherwise furnish information with respect to any matter relevant to the investigation at a specified place and either at a specified time or forthwith.(3) The Director may by notice in writing require the person under investigation or any other person to produce at such place as may be specified in the notice and either forthwith or at such time as may be so specified any specified documents which appear to the Director to relate to any matter relevant to the investigation or any documents of a specified description which appear to him so to relate; and -(a) If any such documents are produced, the Director may -(i) Take copies or extracts from them;(ii) Require the person producing them to provide an explanation of any of them:(b) If any such documents are not produced: the Director may require the person who was required to produce them to state, to the best of his knowledge and belief, where they are.(4) Where, on information on oath laid by a member of the Serious Fraud Office, a justice of the peace is satisfied, in relation to any documents, that there are reasonable grounds for believing -(a) that-(i) A person has failed to comply with an obligation under this section to produce them;(ii) It is not practicable to serve a notice wider subsection (3) above in relation to them; or(iii) The service of such a notice in relation to them might seriously prejudice the investigation; and(b) That they are on premises specified in the information, he may issue such a warrant as is mentioned in subsection (5) below.Etc.
7Criminal Justice Act 1987 s1: the director may investigate offences s2(2): answer questions or furnish informations2(3): copies of documents & explanationss2(4): warrant to enter premisess2 available for mutual legal assistances3: disclosure to other authoritiesS3 (5) Subject to subsections (I) and (3) above and to any provision of an agreement for the supply of information which restricts the disclosure of the information supplied, information obtained by any person in his capacity as a member of the Serious Fraud Office may be disclosed by any member of that office designated by the Director for the purposes of this subsection -(a)to any government department or Northern Ireland department or other authority or body discharging its functions on behalf of the Crown (including the Crown in right of Her Majesty's Government in Northern Ireland);(b) to any competent authority;(c) for the purposes of any prosecution in England and Wales, Northern Ireland or elsewhere; and(d) for the purposes of assisting any public or other authority for the time being designated for the purposes of this paragraph by an order made by the Secretary of State to discharge any functions which are specified in the order.Recent challenge in a judicial review in the Holbein case, gave rise to headlines of SFO Acted Unfairly.In essence the complaint by the applicant was that prior to making disclosure to the DoH the SFO should have given the applicant the opportunity to make representations as to whether the Director should exercise his discretion in favour of disclosing information. The applicant's claim for judicial review was dismissed, however in the course of its judgment the Court found that the then director had acted unfairly.Essentially, counsel is of the opinion that advance notice of an intended disclosure is likely to be required only in exceptional cases and even where disclosure under section 3(5) takes place without notice being given, the circumstances in which a potential complainant would have any legitimate cause for complaint would be exceptional.
8Investigate & Prosecute Prosecutor leads the investigation teamuniqueeffective (if the product is a prosecution)Team formed with:Internal investigators, law clerks, etc.Police (one or more forces)CounselExternal accountants etc.
9Criteria for Acceptance Direction of the investigation should be in the hands of the prosecutorSum at risk > £1mPublic concern / interestInternational dimensionSpecialisms / multi-disciplinary teamsUse of s2 appropriateThe key criterion for the SFO to take on a case should be that the suspected fraud is such that the direction of the investigation should be in the hands of those who will be responsible for the prosecution.The factors that will need to be taken in to account include1. The sum at risk is estimated to be at least £1m (this is simply and objective and recognisable signpost of seriousness and likely public concern rather than the main indicator of suitability).2. The case is likely to give rise to national publicity and widespread public concern. Factors include those involving government departments, public bodies, the governments of other countries and commercial cases of public interest.3. The investigation requires a highly specialist knowledge of, for example, financial markets and their practices.4. The case has a significant international dimension.5. There is a need for legal, accountancy and investigative skills to be brought together as a combined operation.6. The suspected fraud appears to be complex and one in which the use of Section 2 powers might be appropriate.
10Roles and Responsibilities Case Controller(dual function + maybe “disclosure officer”),leads overall investigationseparate from the case - he is the arbiter in relation to the way it will be prosecutedCase Lawyerinvestigatorinvolved closely in all aspects of the investigationSupport StaffLaw clerks / IT / analysts / DOCMANDigital Forensics Unit
11Student Participation Time Computer ForensicsWhat’s it all aboutWhy does the SFO need a Forensics Unit?Student Participation Time
12Digital Forensics Unit Every case involves digital evidenceSeizing server farmsWork volume increasing each yearEncryption built in to MS products, increasing volume & valueAnti-Forensics tools on the increaseAll fraud investigators need awarenessMassive amount of data – too much – far too much
13So how do we cope ? Forensics is such a linear process It does not cope well with multiple dimensionsIt confuses data and informationIt finds the useless and ignores the usefulImaging blank space (75% - 80% of image is of no use)Investigators need knowledge but forensics creates a mist of confusion
14Consider: Data and Query Equality TraditionalForensicsIntelligentForensicsQueries find data Data finds queries Data finds data Queries find queries!
15Treat all Data as a Query If you don’t process every new piece of data like a query …then you will not know if it matters …until you ask!
16Pause for thought All single parameter forensic processes will fail. An investigator sitting at an EnCase machine will fail!The best, most reliable & useful results for large and complex fraud will be realized using a multiple, & simultaneous, approach
17The route forward The Technology behind the process: Using intelligence in forensic ITHardwareEnvironmentNetworkProcessesDatabasesSoftware
18Our new Desktop Environment Dell XPS 700 seriesHP xw8600 Workstation(2 x quad-core 64-bit, 16Gb RAM,1.5TB HD, Win XP Pro 64)
19Our new Storage Environment Nexsan SATABeast4 x 42TBRaided to 8 x 16.3TB Volumes
37Processes Seizure Sanitisation Extraction Imaging PM Material AnalysisExtractionSanitisationPM MaterialLPP MaterialStagingExtractionPresentationGeneral offence of fraud (Fraud Act 2006)False representationFailure to disclose informationAbuse of position
38Processes Content extraction for defined data types Comparison against known dataTransaction analysis (sequence of events)Extraction of dataDeleted files recoveryFormat conversionKeyword searchingDecryption / CrackingStorage Media typesRebuild1GB of paper is 160,000 pages of A4 double sided1GB of paper would fit in the back of a pickup if stacked 11 feet highPC images in store at present on ICG, average 40GB each, 40 trucksBackup tapes, average 6GB, largest is 11GB
49Final wordConventional computer forensics is struggling to keep pace with potential sources of electronic evidence.We need to apply intelligence to our forensics as simply too much data to analyse.Re-examine standard forensic procedures to adapt to advances in technology.