New Zealand Customs Service Electronic Forensic Unit

Post on 15-Jan-2016


New Zealand Customs Service Electronic Forensic Unit

Brent Whale CFCE

Electronic Forensic Investigator

Bruce Ellis

Senior Customs Officer

Who we are

The need for Computer Forensics

The object of a computer forensic investigation is to obtain evidence in cases of computer-facilitated offending.

It became clear to New Zealand Customs in 1998 that a large portion of offending in relation to the importation of prohibited goods was being undertaken using computer technology.

What is Computer Forensics?

The collection, preservation, analysis and presentation of computer related evidence utilising secure, controlled methodologies and auditable, evidentially correct procedures

Collection:

A complete physical bit-stream image of a target drive is acquired in a completely non-invasive manner.

Preservation:

The bit-stream is preserved in a read-only format onto CD. This enables the original data to be examined at any time in the future.

Analysis:

Specific forensic software tools are utilised to examine data from the suspect's computer.

Presentation:

The presentation of digital evidence in a format that can be understood by non-computer-literate individuals.

Case Study: Operation Green

NZ England

September 2001: NZ resident (Dave) e-mails friend in the UK (Brent) requesting LSD and Ecstasy be sent to NZ via mail.

Dave utilised the offshore e-mail facility ‘hotmail’ to correspond with Brent. Dave believed that the data from these e-mail transactions were being stored in the USA.

The importation of the ‘acid’ was undertaken successfully. Dave contacted Brent via e-mail to advise that it had arrived.

Brent contacts Dave and advises him that the ‘acid’ has been sent and is in a red envelope.

Customs intercept the ‘ecstasy’ at the International Mail Centre

Search Warrant undertaken on the residential address of Dave

Dave denies all knowledge of the importation

Dave is advised that his computer is going to be taken for an electronic examination. Dave is advised that even if he has deleted the information it can still be recovered.

What happens when a file is deleted

[Diagram: layout of a FAT volume, with regions labelled MBR, BR, Reserved Area, FAT 1, FAT 2, ROOT D and Data Area]
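The diagram on this slide did not survive extraction, so the following is an added example (not part of the original presentation) of what deletion looks like on a FAT volume: the first byte of the directory entry is set to 0xE5 and the file's FAT chain is freed, but the data area is left untouched. The sample directory, file names, contents and 512-byte cluster size are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32   # size of one FAT short (8.3) directory entry
DELETED = 0xE5    # first name byte after the file has been deleted
CLUSTER = 512     # assumed cluster size for the constructed sample

def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build a constructed FAT12/16 directory entry for the sample."""
    raw = bytearray((name.ljust(8) + ext.ljust(3)).encode("ascii"))
    raw += bytes([0x20])                # offset 11: attribute (archive)
    raw += bytes(14)                    # offsets 12-25: timestamps etc.
    raw += struct.pack("<HI", first_cluster, size)  # offsets 26-31
    if deleted:
        raw[0] = DELETED                # deletion rewrites only this byte
    return bytes(raw)

def build_sample():
    """Constructed root directory and data area: one live, one deleted file."""
    live, gone = b"still listed", b"constructed deleted message"
    data = live.ljust(CLUSTER, b"\0") + gone.ljust(CLUSTER, b"\0")
    root = (make_entry("NOTES", "TXT", 2, len(live))
            + make_entry("MAIL", "TXT", 3, len(gone), deleted=True)
            + bytes(ENTRY_SIZE))        # all-zero entry ends the directory
    return root, data

def scan_directory(root, data, cluster_size=CLUSTER):
    """List directory entries, including deleted ones, with their content.

    Content recovery assumes the file was contiguous and its clusters have
    not been reused, because deletion also frees the file's FAT chain.
    """
    found = []
    for off in range(0, len(root), ENTRY_SIZE):
        e = root[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                # end-of-directory marker
            break
        if e[11] == 0x0F:               # long-file-name entry, not handled
            continue
        deleted = e[0] == DELETED
        stem = ("?" if deleted else chr(e[0])) + e[1:8].decode("ascii")
        ext = e[8:11].decode("ascii").strip()
        cluster, size = struct.unpack_from("<HI", e, 26)
        start = (cluster - 2) * cluster_size   # data clusters start at 2
        found.append({"name": stem.strip() + "." + ext, "deleted": deleted,
                      "cluster": cluster, "size": size,
                      "content": data[start:start + size]})
    return found

if __name__ == "__main__":
    for entry in scan_directory(*build_sample()):
        print(entry)
```

The deleted entry is reported as `?AIL.TXT` because the original first character of the name is the one byte that deletion overwrites; the starting cluster and size remain in the entry.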

What happened next?

Dave was interviewed in regard to the evidence located on his computer

Dave admits that he imported the package intercepted by Customs containing the ecstasy.

Dave also admits that he imported a package containing LSD (acid).

Dave pleads guilty in court to two charges of importation of class A and B controlled drugs and has been sentenced to eight months in prison.

Brent arrives in NZ on holiday and is also charged and has been sentenced to six months in prison.

Case Study: Other Offences

During the examination of the hard disk drive, child pornography images were also located.

WARNING

The following image depicts child pornography

WARNING

Child Porn Image in Hex View

Conclusion

Without the forensic capability Brent and Dave would not have been convicted for the importation of controlled drugs.

QUESTIONS
