Finding the smoking gun in a mountain of digital evidence

Powered by SC Magazine
 

Traditional forensic approaches won't cut it.

Preventing white collar crime has become a priority for the corporate community as new opportunities have arisen for fraud, information leaks and identity theft.

Criminals can hide evidence of their misdeeds within massive volumes of data stored in digital devices. This makes traditional methods of electronic investigation ineffective and unsustainable.

PricewaterhouseCoopers' 6th Global Economic Crime Survey found that 47 per cent of Australian organisations participating in the report admitted to experiencing at least one instance of economic crime in the last 12 months, up 7 per cent from 2009.

Losses from these crimes were in excess of $5 million for 16 per cent of respondents. More often than not, investigations after the fact found the source of the crime was internal.

As crime grows, so does the volume and complexity of data investigators must examine.

The McKinsey Global Institute estimated that in 2009, companies with more than 1000 employees stored an average of 200 terabytes of data – or up to 200GB per user.

With data growing at a compound rate of 50 per cent each year, the average today would be closer to one terabyte per employee.

Evidence can be stored in laptops, desktops, smartphones, email repositories, file shares and archives. A company could also have Microsoft SharePoint sites or Lotus Notes databases. The use of cloud storage, webmail, social media and other off-premise services adds another layer of difficulty to an already complex situation.

Traditional electronic investigations would use forensic applications to examine each data source individually, then rely on human brain power to extract intelligence and find the links between them.

Finding anything valuable using these methods is prohibitively time consuming and resource intensive. Human investigators, however brilliant, can’t hope to consistently and accurately find correlations across millions of data points.

Even when you have teams of investigators, it is easy to miss connections, particularly without an automated way to identify and correlate intelligence items. Crucial data can also be buried multiple levels deep within data repositories, which many forensic tools may not recognise and simply skip over.

However, technology advances have also brought new ways for investigators to find evidence. Corporate and regulatory investigators can now embrace a way of working that makes it possible to extract and cross-reference intelligence across an entire data set, including multiple data repositories, devices and geographies.

Such tools automatically highlight and extract intelligence items such as names, phone numbers, email addresses and credit card numbers, as well as allowing investigators to customise and filter by the types of intelligence they want to extract. Advanced software can automatically correlate these intelligence items to show relationships between people and entities across multiple data sources and devices.
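The extract-and-correlate step described above can be sketched as follows. This is an added example, not code from the article or from any investigations product; the source names, sample text and the helper names extract and correlate are constructed for illustration.

```python
import re
from collections import defaultdict
from itertools import combinations
# Constructed sample text standing in for content recovered from three sources.
EVIDENCE = {
    "laptop-01/mail.pst": "From: j.doe@example.com  Call +61 2 5550 0142 re invoice.",
    "phone-02/sms.db": "Card 4111 1111 1111 1111, ref 1234 5678 9012 3456. Tel +61 2 5550 0142",
    "fileshare/contracts.docx": "Contact J.Doe@example.com or a.smith@example.org",
}
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d){8,11}"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(digits):
    # Luhn checksum: filters out digit runs that merely look like card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def extract(text):
    """Return the set of normalised (kind, value) intelligence items found in text."""
    items = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group().lower() if kind == "email" else re.sub(r"\D", "", m.group())
            if kind == "card" and not luhn_ok(value):
                continue  # e.g. a 16-digit reference number, not a card
            items.add((kind, "+" + value if kind == "phone" else value))
    return items

def correlate(evidence):
    """Index items by source; keep items seen in 2+ sources and the source pairs they link."""
    index = defaultdict(set)
    for source, text in evidence.items():
        for item in extract(text):
            index[item].add(source)
    shared = {item: sorted(s) for item, s in index.items() if len(s) > 1}
    links = defaultdict(set)
    for item, sources in shared.items():
        for pair in combinations(sources, 2):
            links[pair].add(item)
    return shared, dict(links)

if __name__ == "__main__":
    print(correlate(EVIDENCE)[0])
```

Normalising each item before indexing (lower-casing addresses, stripping separators from numbers) is what lets the same phone number or address match across devices that store it in different formats.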

Consider this example. A government agency recently investigated a company fraudulently selling aircraft that didn’t exist. The agency had seized approximately 40 devices containing potential evidence, including desktop and laptop computers and smartphones. Investigating each device sequentially using traditional methods would have required a team of up to 20 investigators.

The solution? The agency put forensic images of all of the data to be searched into a single storage location. They then used investigations software to process and cross-reference it, which allowed a single investigator to quickly bring the most valuable evidence to the surface, enabling the agency to initiate charges.

In addition, by searching the data set for similar documents, the investigator unearthed a series of related companies conducting fraudulent transactions for aircraft parts, boats and other high-value products, which led to further charges.

In another situation, a corporate regulator brought a case against a former director of a merchant bank for insider trading. The regulator believed the director had written the trades on his BlackBerry, but could not prove this. Using investigations software, the regulator examined the complete metadata of the bank’s BlackBerry Enterprise Server, which included codes that identified email messages the director sent to his stockbroker requesting the illegal trades. This enabled the regulator to quickly prove its case and bring successful charges.

With the explosion in the size and complexity of data, traditional methods just won’t do the job. Investigators must start looking towards technology that automatically shows relationships between people and entities across multiple data sources. This will save time, minimise the chance of human error, reduce the impact of white collar crime and help make sure those responsible for criminal activities are held to account.

Eddie Sheehy is the chief executive officer of Australian e-discovery company Nuix.

Copyright © SC Magazine, Australia

