A Glimpse Into Digital Forensics

Methods for Preventing Employee Theft & Embezzlement in the Digital Age

Click to edit Master subtitle style

Click icon to add picture

Gregory M. Cancilla RVM Director of Forensics

Presented by

rvminc.com

6/12/12

Terminology
Digital Forensics- The application of science to the
identification, collection, examination, and analysis of data [Electronically Stored Information (ESI)] while preserving the integrity of the information and maintaining a strict chain of custody for the data. SOURCE: Special Publication (SP) 800 series (SP 800-86)

Forensic Specialist- A professional who locates, identifies,

collects, analyzes, and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered. SOURCE: Special Publication (SP) 800 Series (SP 800-72)

6/12/12

What is Electronically Stored Information (ESI)?

Information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.
- Kenneth J. Withers, Managing Director, The Sedona Conference NORTHWESTERN JOURNAL OF TECHNOLOGY AND INTELLECTUAL PROPERTY Spring 2006

6/12/12

Possible Sources of ESI

Computers Custodian local & home drives Printers Servers
Network shares Collaboration software & tools Cloud
Dropbox

Mobile devices
e.g., iPad, Android, Blackberry, iPhone

Back up tapes USB drives Memory cards

PDAs Smart phones Digital cameras

Any storage device

6/12/12

Sample Types of ESI

Email servers Microsoft Exchange GroupWise Lotus Notes Web hosted email
Gmail Hotmail

Email archives Symantec Enterprise Vault FrontBridge Zantaz EAS

6/12/12

ESI Hot Topic: Mobile Devices

Mobile devices are ubiquitous wellsprings of ESI including:
Emails Text messages Contacts Calendars Pictures

Taken or stored
Videos Call Logs Websites visited www.rvminc.com 6/12/12

Downloads

Computer Forensics
Take a snapshot in certain circumstances as employee leaves Should the computer be used after incident occurs? What is a forensic copy?

6/12/12

Collecting ESI: Self Collection vs. Forensic Expert

Self Collection (i.e., IT personnel)
Lets let the IT staff do it

Why invest in a forensic expert over IT personnel for data collections?

Verifies complete, defensible data collection Preserves metadata

Maintains chain of custody Neutral third party

6/12/12

Collecting ESI: Self Collection vs. Forensics Expert Continued

Self-Collection Pitfalls-Data that is not properly handled can result in:
Inadvertent evidence corruption (spoliation) Lack of proper chain of custody

Improper judgment call by custodian as to what is

responsive
Going too broad or narrow with data collection
6/12/12

IT vs. Forensic Expert

Why choose a forensic expert over IT personnel for data collections?

Ghost Image Preservation of metadata Maintaining chain of custody Logging

6/12/12

Examples of Digital Forensics Offerings

Meet and Confer Consultation Forensic Harvesting
(on-site, off-site, or remote) Preservation of metadata Maintenance of chain of custody

Handheld Forensics Targeted Collection

Forensic Analysis

Filters, Boolean, Keywords Date range

6/12/12

Considerations for Engaging a Forensic Expert

Certifications
EnCase Certified Examiner (EnCE) AccessData Certified Examiner (ACE) Safe Harbor Certification

Software
Open Source vs. Closed Source

Training Experience Tips for retaining a forensic expert

6/12/12

Advantages of Engaging a Forensic Expert for Litigation Readiness Assessment

Covering all the Bases

A forensic expert can properly

evaluate clients current practices for storing, 6/12/12

Technology
forensic experts use cutting-edge technology and follow strict
procedural guidelines to ensure the accuracy of the preservation of evidence

Some of the key forensic tools experts use and are certified in
include:

Guidance Softwares EnCase AccessDatas Forensic Toolkit (FTK) Parabens Network Email Examiner Kroll Ontracks Power Controls Cellebrites Universal Forensics Extraction Device(UFED)

6/12/12

Responding to Litigation
Forensic experts can assist clients in responding to litigation via:

Consulting clients counsel on Meet and Confer

appointments Preemptively preparing forensically sound data collection Developing models for legal hold preservation Bolstering defensibility Satisfying best practices standards and legal requirements Devising practices and implement technology for communication and enforcing legal hold compliance Assisting client counsel in preparation for depositions Serving as an expert witness
6/12/12

Examples of Litigation Matters For Forensic Expert Engagement

Commercial litigation
Product Liability Corporate and transactional

Regulatory
SEC

Mergers & Acquisitions Second Requests

Intellectual property
Trademark infringement Theft of intellectual property 6/12/12 Temporary Restraining Order (TRO)

Questions & Comments

6/12/12

Greg Cancilla, EnCE, ACE

Director of Forensics

Greg Cancilla, EnCE, ACE is a Certified Computer Forensic Engineer and the Director of Forensics at RVM. He is experienced in the preservation, identification, extraction, documentation 6/12/12and

RVM New York (Headquarters)

800.525.7915
info@rvminc.com
80 Pine Street, 10th Floor New York, NY 10005 212.693.1525 RVM Chicago RVM Cleveland

rvminc.com