Feature ❘ Computer forensics

The practice of computer forensics is catching on in Asia as cyber crime increases and insiders pose security threats, writes CAROL KO.

MIS Asia, January/February 2009, pp. 14–16

“It is very difficult to hide anything nowadays,” says computer forensics expert Hilton Chan. Consider this: rumours circulate in the cyber space suggesting your organisation is troubled with a faltering financial status. What evidence do you have in hand to prove that your company has already exercised care and due diligence to protect your clients’ data? What is the de facto standard within your industry? Are you above it, below it, or just average?

Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums. It is a tool that is used to achieve electronic discovery (e-discovery), which deals with information in electronic formats for civil litigation.

The general shortage of computer forensics professionals in Asia, and the fact that the practice is much less common in Asia than in the US are due to the fundamentally different legal systems, says e-discovery expert Erik Laykin.

Laykin is the managing director and practice chair of the global e-discovery investigations practice at Duff and Phelps (D&P), a 75-year-old US-based international consulting firm with 21 offices in Europe, US, and Asia, including Shanghai, Tokyo and soon in Hong Kong.

According to Laykin, the computer forensics industry in the US is driven by the rules of civil litigation in the country’s court system, which requires the procedure of ‘e-discovery’.

E-discovery is a pre-trial aspect of a court case. In the US, if party A sues party B, then party A has the right to obtain party B’s documents and to review it before trial. This is a fundamental building block of the US legal system, and which is absent in Asia.

“As a result, many of the e-discovery professionals in Asia can only work in law enforcement, or, if they have access to companies that are based in litigation in the US, because there is little forensics litigation in Asia”, says Laykin.

Examinations

In Hong Kong, the technology crime division of the Hong Kong Police Force (HKPC) conducts computer forensics examinations to investigate technology-related crime.

Hilton Chan is the former head of technology crime at the HKPC, who served the unit till 2008. He says the then division’s 15-member computer forensics team was one of the largest in Asia.

At present, he chairs the Information Security and Forensics Society, a Hong Kong-based non-profit organisation that aims to advocate and drive information security and computer forensics in the city and its surrounding region.

Chan recalls that the most challenging cases he handled at the HKPC were primarily related to banking and financial institutes. He says: “Most of those cases involved the misuse of privileged or sensitive information of companies.” Such cases are tough, as they usually require deep investigations, when senior management is involved, he says.

“There was a case which we initially thought was merely a security incident. But after some investigation, we found it involved the senior management of an organisation, and then the case became very sensitive,” Chan says.

In contrast, cases that involve lower-level employees are usually easier to deal with because you can ensure co-operation from the IT department of the organisation, he says.

Hired guns and insiders

‘Hired guns’ are one of the biggest emerging technology crime threats in Hong Kong today.

“Nowadays, a lot of people are offering their services for sale on the Internet, such as virus hacking, denial of service attack, and helping users to write viruses to attack specific targets. Certain specific viruses can even bypass anti-virus devices, as the virus is specifically written to attack a particular organisation, and a lot of anti-virus software is unable to identify them,” Chan says.

“In the business world, this means your company will be subject to industry espionage, as hired guns could be deliberately engaged to write a specific virus, Trojan horse, or malware to attack your staff,” says Chan.

“And if your staff have low awareness, or your security employees are not well-trained in this area, a lot of corporate information with marketing intelligence value would be leaked out, sometimes intentionally, while at other times by mistake,” he says.

The Bank of East Asia (BEA) rumour that happened in Hong Kong last year well illustrates the vulnerability of the banking industry to ‘cyber attacks’.

Rumours of collapse

On 23 September 2008, a week after the Lehman Brothers filed for bankruptcy protection, worried customers in Hong Kong formed long queues to withdraw savings from the bank, as rumours circulated by SMS messages that the bank was on the brink of financial collapse. BEA’s management denied the rumours, but the bank was forced to extend business hours to cope with the queues for savings withdrawal. A week prior to the incident, a BEA trader was suspected of being involved in false accounting of fraud activities. “In a lot of these activities, from the digital records, you can identify evidence to show what actually happened, how the entire process was conducted in a normal business environment.

“Who logged in? Who approved the transaction? Any e-mail exchanged between the involved parties? How was the business process authenticated and authorised?” Chan says.

Laykin says the primary security threat in Asia is always the users. “CIOs have done a very good job of figuring out how to protect the perimeter, firewalls, intrusion detection systems, and various applications that prevent bad guys from getting in. That part they have figured out very well. It’s the internal people that are representing the big challenge.” The office, says Laykin, is where most of the problems take place in the networks with the theft of data, whether by accident or intentional fraud.

“And so CIOs face the challenge of creating security on one hand, [to comply with licensing obligations in the regulatory space] and accessibility on the other hand. And somewhere in the middle is where they have to find harmony,” he says.

“Most people don’t realise that regardless of which side retains an expert, the duty of the expert is always to the court.”
—Benedict Pasco, managing director of legal technologies for an e-discovery solutions provider Kroll Ontrack, Asia Pacific

Landmark case

Computer forensics expert Ben Pasco, the former director of forensic and legal technologies with a major consulting organisation, had previously represented the defence in the Nancy Kissel murder case in the Hong Kong court in 2005, and testified with live demonstration on the retrieval of computer forensic evidence. Nancy Kissel, 41, was accused of murdering her banker husband, Robert Kissel, on the night of 2 November 2003 in Hong Kong. Prosecutors said she drugged her husband with a milkshake laced with sedatives before clubbing him to death. Kissel was convicted of premeditated murder and was sent to prison for life.

Pasco is currently the managing director of legal technologies for an e-discovery solutions provider Kroll Ontrack, Asia Pacific.

Please describe your findings in the Kissel case in relation to the use of computer forensics.

Evidence from computers is latent evidence, meaning it is similar to fingerprints, blood, DNA, and is just as fragile. To process such evidence and make it acceptable in a court of law, forensically sound methods must be used.

The police computer forensic experts deployed in the Kissel case did a good job in imaging all of the computers used by the Kissel family, and as part of the e-discovery process, the defence also had access to those forensic images. I represented the defence and carried out an examination of two of the images taken by the police.

The prosecution opened their case by painting a picture of the deceased favourably and the accused (Nancy Kissel) unfavourably. On many occasions throughout their submission, the prosecution would refer to evidence obtained from the family computers to substantiate a particular point.

Using my findings, the defence wanted to counter the prosecution by showing that they had been selective in their submission and that the computer evidence showed that the deceased was not as the prosecution had suggested. My findings included the reconstruction of Web surfing history, websites visited and terms typed into search engines.

Would you consider the e-discovery investigation process for this case a tough one?

The challenge was to communicate to a jury in a non-technical manner, the complex procedures I had used to reach my findings and what those findings were. Trying to do this orally would have been a very lengthy exercise; it would have surely bored the jury and ran the risk of not being understood at all.

Having noted that the police had used EnCase Forensic Edition Version 4.2 to image and analyse the computer data, the defence team proposed that I use the same software to demonstrate live, in court. Using the same image and software as the police, I was able to find evidence on the disks that was not presented by the prosecution, evidence that was potentially unfavourable to the deceased. Most people don’t realise that regardless of which side retains an expert, the duty of the expert is always to the court. Fortunately, everything on the technical side went smoothly and although I did not have it easy in the witness box, my evidence was accepted, which is the goal of any forensics examiner.

In your opinion, how significant was the computer forensics evidence in this hearing?

The Kissel trial was a landmark case in many ways for computer forensics. The three key reasons include:

• Computer forensics was used on a case that was not directly related to computer crime.
• EnCase was firmly established as a tool for computer forensics.
• Most importantly, every computer forensics expert that testifies in Hong Kong must be prepared to demonstrate live, in-court, how he or she arrived at any findings in support of their reports.

Following this trial, the use of computer forensics is now being seen in family disputes where, for example, one side would allege that the spouse had used the family computer to visit certain websites as ‘proof’ of the alleged state of mind of that particular spouse.