The Forensic Approach to Complex Fraud
Keith Foggon
Head of Digital Forensics Unit
Serious Fraud Office
Outline
• What is the SFO
• Forensic Challenges
• DFU Technology
• Forensic Processes
What is the SFO
• Created by Criminal Justice Act 1987
• Roskill Fraud Trials Report 1986
• began April 1988
• compulsory powers (defeat confidentiality)
• Investigates and prosecutes
• Serious or complex fraud
• Multi-disciplinary teams
• Referral, vetting and acceptance
What does the SFO do
• Reduce fraud and the cost of fraud
• Deliver justice and rule of law
• Maintain confidence in UK business
by:
• taking on appropriate cases
• investigating quickly
• prosecuting fairly
• communicating clearly to deter fraud
• Responsive – not reactive
Criminal Justice Act 1987
• s1: the director may investigate offences
• s2(2): answer questions or furnish information
• s2(3): copies of documents & explanations
• s2(4): warrant to enter premises
• s2 available for mutual legal assistance
• s3: disclosure to other authorities
Investigate & Prosecute
• Prosecutor leads the investigation team
• unique
• effective (if the product is a prosecution)
• Team formed with:
• Internal investigators, law clerks, etc.
• Police (one or more forces)
• Counsel
• External accountants etc.
Criteria for Acceptance
• Direction of the investigation should be in the hands of the prosecutor
• Sum at risk > £1m
• Public concern / interest
• International dimension
• Specialisms / multi-disciplinary teams
• Use of s2 appropriate
Roles and Responsibilities
Case Controller
• (dual function + maybe “disclosure officer”),
• leads overall investigation
• separate from the case - he is the arbiter in relation to the way it will be prosecuted
Case Lawyer
• investigator
• involved closely in all aspects of the investigation
Support Staff
• Law clerks / IT / analysts / DOCMAN
• Digital Forensics Unit
Computer Forensics
• What’s it all about
• Why does the SFO need a Forensics Unit?
Student Participation Time
Digital Forensics Unit
• Every case involves digital evidence
• Seizing server farms
• Work volume increasing each year
• Encryption built in to MS products
• Email, increasing volume & value
• Anti-Forensics tools on the increase
• All fraud investigators need awareness
• Massive amount of data – too much – far too much
So how do we cope?
Forensics is such a linear process
• It does not cope well with multiple dimensions
• It confuses data and information
• It finds the useless and ignores the useful
• Imaging blank space (75% - 80% of image is of no use)
• Investigators need knowledge but forensics creates a mist of confusion
Consider: Data and Query Equality
Queries find data
Data finds queries
Data finds data
Queries find queries!
Traditional Forensics
Intelligent Forensics
Treat all Data as a Query
If you don’t process every new piece of data like a query …
then you will not know if it matters …
until you ask!
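One way to read the four relationships on the "Data and Query Equality" slide, as an added example that is not part of the original presentation: every ingested item and every investigator question is reduced to selectors and checked against both what is already held and what has already been asked. The class name, the selector patterns and the sample items are constructed assumptions.

```python
import re
from collections import defaultdict

# Selectors pulled from each item; these simplified patterns are assumptions.
SELECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "account": re.compile(r"\b\d{8}\b"),
}

def extract(text):
    """Return the set of (kind, value) selectors found in text."""
    found = set()
    for kind, pattern in SELECTORS.items():
        for match in pattern.findall(text):
            found.add((kind, match.lower()))
    return found

class CaseIndex:
    """Hypothetical index in which data and queries are stored the same way."""

    def __init__(self):
        self.items_by_selector = defaultdict(set)    # selector -> item ids
        self.queries_by_selector = defaultdict(set)  # selector -> query owners

    def ingest(self, item_id, text):
        """Treat a new item as a query against everything already held."""
        hits = {"data": set(), "queries": set()}
        for sel in extract(text):
            hits["data"] |= self.items_by_selector[sel]       # data finds data
            hits["queries"] |= self.queries_by_selector[sel]  # data finds queries
            self.items_by_selector[sel].add(item_id)
        hits["data"].discard(item_id)
        return hits

    def register_query(self, owner, text):
        """Keep the question as a standing query and run it immediately."""
        hits = {"data": set(), "queries": set()}
        for sel in extract(text):
            hits["data"] |= self.items_by_selector[sel]       # queries find data
            hits["queries"] |= self.queries_by_selector[sel]  # queries find queries
            self.queries_by_selector[sel].add(owner)
        hits["queries"].discard(owner)
        return hits

def run_example():
    """Constructed items from two seizures and questions from two investigators."""
    idx = CaseIndex()
    first = idx.ingest("laptop-A/mail-001",
                       "From: j.smith@example.test pay into 12345678")
    q1 = idx.register_query("investigator-1", "account 87654321")
    second = idx.ingest("server-B/ledger.csv",
                        "2008-03-01,87654321,J.SMITH@example.test,5000")
    q2 = idx.register_query("investigator-2", "who controls 87654321?")
    return first, q1, second, q2

if __name__ == "__main__":
    for step in run_example():
        print(step)
```

The ledger row matters the moment it arrives: it links to the earlier e-mail and to investigator-1's open question without anyone re-running a search.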
Pause for thought
All single parameter forensic processes will fail.
An investigator sitting at an EnCase machine will fail!
The best, most reliable & useful results for large and complex fraud will be realized using a multiple, & simultaneous, approach
The route forward
The Technology behind the process:
Using intelligence in forensic IT
• Hardware
• Environment
• Network
• Processes
• Databases
• Software
Our new Desktop Environment
Dell XPS 700 series
HP xw8600 Workstation (2 x quad-core 64-bit, 16Gb RAM, 1.5TB HD, Win XP Pro 64)
Our new Storage Environment
Nexsan SATABeast
4 x 42TB
RAIDed to 8 x 16.3TB Volumes
Our new Network Environment
Blades Silos
Satabeasts Closeup of Satabeasts
One for the Techies
Rear View Full Frontal
New Work Area
Hardware / Network
• Silo-based structure
• Enhanced security
• Dedicated dirty network
• 64-bit workstations
• Optimised processing
• ‘RESTRICTED’
• Improved throughput
Hardware
Network
SFO
DFU
ACPO
SOCA
UK Police
International Police
FSA
FCO
DTI
Non-UK SFO
Regulators
CPS
Forensic Industry
Police Forces in England & Wales
Avon & Somerset
Devon & Cornwall
Dorset
Gloucestershire (Gloucester)
Hampshire
Kent
Sussex
Wiltshire
Bedfordshire (Beds.)
Cheshire
Cumbria
Greater Manchester (Gtr Man)
Hertfordshire
Lancashire
Merseyside
Cambridgeshire (Cambs.)
Cleveland
Durham
Essex
Humberside
Lincolnshire
Norfolk
Northumbria
North Yorkshire
South Yorkshire (S. Yorks)
Suffolk
West Yorkshire
City of London
Metropolitan
Derbyshire (Derby)
Dyfed-Powys
Gwent
Leicestershire
Northamptonshire (Northants.)
North Wales
Nottinghamshire (Notts.)
South Wales
Staffordshire (Stafford)
Surrey
Thames Valley
Warwickshire (Warwick)
West Mercia
West Midlands (W. Mids.)
PSNI (Police Service of Northern Ireland)
Domains of Investigation
CORRUPTION
DIGITAL FORENSIC UNIT
INDIVIDUAL & INVESTMENT FRAUD
MUTUAL LEGAL ASSISTANCE
CORPORATE, CITY & PUBLIC SECTOR FRAUD
DIGITAL FORENSICS UNIT
CUSTOMERS / USERS / Services / BUSINESS PROCESSES
THE TECHNOLOGY: Hardware, Environments, Networks, Processes, Databases, Software
Planning to implement Service Management
• What is the vision?
• Where are we now?
• Where do we want to be?
• How do we get to where we want to be?
• How do we check our milestones have been reached?
• How do we keep the momentum going?
Application Management: Requirements, Design, Build, Deploy, Operate, Optimise
ICT Infrastructure Management: Design and Planning, Deployment, Operations, Technical Support
Plan, Do, Check, Act, Control
Security Management
Service Support: Service Desk, Configuration Management, Incident Management, Change Management, Problem Management, Release Management
Service Delivery: Availability Management, Capacity Management, Service Level Management, Financial Management for IT Services, IT Service Continuity Management
Business Perspective: Business Relationship Management; Liaison, Education and Communication; Supplier Relationship Management; Review, Planning and Development
Processes
Seizure
Imaging
Analysis
Extraction
General offence of fraud (Fraud Act 2006)
– False representation
– Failure to disclose information
– Abuse of position
Sanitisation
PM Material
LPP Material
Staging
Extraction
Presentation
Processes
• Content extraction for defined data types
• Comparison against known data
• Transaction analysis (sequence of events)
• Extraction of data
• Deleted files recovery
• Format conversion
• Keyword searching
• Decryption / Cracking
• Storage Media types
• Rebuild
Procedures 2008
Procedures 2009
Databases
SFO-generated
Microsoft
Hashkeeper
NSRL
Police Operations
Civil Operations
Operation Ore
Some others – looking at Bit9
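NSRL and Hashkeeper are published sets of known file hashes, and "comparison against known data" on the Processes slide is where such sets cut review volume. The sketch below is an added example, not the SFO's tooling: it sorts files into ignorable, notable and unknown by SHA-1, reading the ignorable set from CSV laid out like an NSRL RDS 2.x file list. The file names, contents and the notable set are constructed assumptions.

```python
import csv
import hashlib
import io
import os
import tempfile

# Column layout of an NSRL RDS 2.x file list (NSRLFile.txt).
RDS_HEADER = ('"SHA-1","MD5","CRC32","FileName","FileSize",'
              '"ProductCode","OpSystemCode","SpecialCode"')

def sha1_file(path, chunk=1 << 20):
    """Hash a file in fixed-size chunks so large evidence files fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()

def load_rds(text):
    """Return the set of SHA-1 values from RDS-style CSV text."""
    return {row["SHA-1"].upper() for row in csv.DictReader(io.StringIO(text))}

def triage(root, known_ignorable, known_notable):
    """Classify every file under root by digest; only 'unknown' needs review."""
    result = {"ignorable": [], "notable": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = sha1_file(path)
            if digest in known_notable:      # notable wins if a hash is in both
                result["notable"].append(rel)
            elif digest in known_ignorable:
                result["ignorable"].append(rel)
            else:
                result["unknown"].append(rel)
    return result

def run_triage_example():
    """Build a small constructed evidence tree and triage it."""
    files = {  # constructed sample content, not real evidence
        "windows/notepad.exe": b"constructed stand-in for a stock OS binary",
        "docs/invoice.xls": b"constructed invoice, not seen before",
        "docs/ledger.xls": b"constructed ledger already flagged in another case",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
        os_sha1 = hashlib.sha1(files["windows/notepad.exe"]).hexdigest().upper()
        rds = RDS_HEADER + "\n" + f'"{os_sha1}","","","notepad.exe",42,1,"WIN",""\n'
        notable = {hashlib.sha1(files["docs/ledger.xls"]).hexdigest().upper()}
        return triage(root, load_rds(rds), notable)

if __name__ == "__main__":
    print(run_triage_example())
```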
Software
• Most Imaging / Analysis
– iLook
– FTK FTK2?
– EnCase
– Paraben P2
• Mobiles / PDAs
– CellDeck / Neutrino / PDA Seizure / Cellebrite
• Write Blocking
– Tableau / FastBloc / WiebeTech
• Tapes
– TapeCat / MMPC / eMAG
And these others:
Microsoft Office Excel 97-2003 Worksheet
Electronic Presentation of Evidence
• Electronic Presentation of Evidence
• Screen displays of:
– Documents
– Graphics
– Animations
– Virtual Reality
Time
Cases take a long time
• To analyse,
• investigate,
• and prosecute
Computer Forensics is a slow process
Rules and procedures
Triage Processes
and don’t forget about these
iPods
iPhones
PSP
X-Box
PS3 / Wii
SatNav
Sky+ Box
BlackBerry
or these
Palm Foleo (linux-based)
Sony VGN (XP home)
Nokia N8000 (proprietary)
Fujitsu (??)
Samsung Q1 (Vista)
or even these
Final word
Conventional computer forensics is struggling to keep pace with potential sources of electronic evidence.
We need to apply intelligence to our forensics, as there is simply too much data to analyse.
Re-examine standard forensic procedures to adapt to advances in technology.
Thanks
Questions
Contact
Keith Foggon, Head of Digital Forensics Unit
Serious Fraud Office
Elm House, 10 - 16 Elm Street
London WC1X 0BJ
020 7239 7272