DF2: Lars Wilberg (BDO)
9 jun. 2013Forensic Services - Investigations in the private sector
One of Scandinavian’s leading professional audit & advisory firms.
Forensic services: "Big four companies": Ernst & Young, Kpmg, Pwc, Deloitte and BDO as number 5, followed by Pretax Group and RSM. IBAS was also mentioned specializing in physical data recovery. Mnemonic was also mentioned as a Nordic supplier of these kinds of services:
- Anti-corruption compliance & investigation
- Fraud and misconduct investigations
- Fraud prevention: Big hard because companies does not want to use money for preventive measures
- Anti-money laundering
- Computer forensics & E-Discovery: This area, on of the top priority areas, huge growth in market. eDiscovery is "Discovery is the term used for the initial phase of litigation where the parties in a dispute are required to provide each other relevant information and records, along with all other evidence related to the case" [aiim.org]
- Ethical Investigative Due Diligence: Background checks on employees..
- Forensic Accounting
- Whistleblowing services: Employee able to report wrong doings without fear of negative impact for him or her self.
Why use such services/companies: Police does not have enough resources or company don't want to contact police before they know what they are dealing with (police running around is bad for business). Can also be called on by local police to help non-technical police in handling forensics correctly.
Legal framework
The important distinction here is private investigation has restricted authority. There is no specific legislation (in Norway) regarding private investigation, so they must follow the common laws that apply to all civilians. Important legislation is
- The personal data act (and regulation): Personal data can be linked to a natural person, applies to both manual and automatic procsssing of the data. Rules for access to and storage safety of this data. More strict for sensitive personal data. There must be an agreement by the employers to the employees explaining how business computer networks shall be used. There must also be a data processing agreement when personal information is shared (like when BDO need access to data that can contain personal identifiable data in a forensics case - like work related e-mail, personal area, other electronic equipment). Different rules for company owned equipment and personal owned equipment (BYOD policy). This is restrictions law enforcement does not have. Access to employees mail reasons: maintain daily operations (employee absent, quit) and when justified suspicion of a serious breach of duties. Monitoring of usage (including Internet) is not allowed, except some few things...
- Work environment act
- Non-statutory personal protection (what has been decided in court before)
- Practice of the data inspectorate: (datatilsynet): Have the power to give fines and regulates the personal data act.
Investigation
Criminal investigations (only police/court can decide whether a crime has taken place - no blame only facts). Accident and disaster investigations and non-policing investigations. Private cannot use force: need consent. Police need to find subjective and objective guilt, and work within constitutional laws.
- Dealing with accused employees: Tell them of the process, inform and explain, allow them to give explanation, have a lawyer/union representive etc. They can be present when going through their e-mail.
- Interviews: All about trust and knowledge, situation/sitting area, record or write down, dress correctly, learn by demonstration, tell reason, mandate, be open. Tell why but not all the details. Use details to confirm or repute their story. Want to change your previous explanation. Received new information.
- On reporting: Explain in detail where information was found. In the private context, system logs and private information cannot be used.
- In court as "interested party", not an expert witness, but depends on the relationship with the parties.
- Reporting things directly to the police, usually not, but in very serious cases like child abuse and terror. A company would not ask to hide such things anyway.
- Give back the data (images), usually encrypted, to the police or organization afterwards. Delete personal data after the case is finished as regulated by law.
- Plan (resources, limitations and organization-manager, plan, background information), secure information (assets, information and protect privacy), document and analyze (documents, electronic documents, interviews, analyze and assess it "whole picture") and report (draft, contradiction (allow subject to read and add information to draft) and final report)
- Understand the business you are working with and be updated on rules and regulations.
Managing digital evidence
Tools: EnCase, Relativity, Analyst Notebook. Need many sources because a single source is not reliable dealing with digital information. Visualize in timeline to make the big picture clear. Encrypt equipment used in cases, especially when traveling. Do not bring more information then necessary. Chain of custody forms.
eDiscovery system like Relativity, a web-portal for gathering information in a framework, restrict information, log how has accessed a document, accessed via secure HTTP. Does recovery of deleted files, file signature analysis, resolve scanned PDF files, remove duplicates, cluster, thread e-mail etc.