“It is very difficult to hide anything nowadays,” says computer forensics expert Hilton Chan. Consider this: rumours circulate in the cyber space suggesting your organisation is troubled with a faltering financial status. What evidence do you have in hand to prove that your company has already exercised care and due diligence to protect your clients’ data? What is the de facto standard within your industry? Are you above it, below it, or just average?
Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. It is a tool used to achieve electronic discovery (e-discovery), which deals with information in electronic formats for civil litigation.
The general shortage of computer forensics professionals in Asia, and the fact that the practice is much less common in Asia than in the US are due to the fundamentally different legal systems, says e-discovery expert Erik Laykin.
Laykin is the managing director and practice chair of the global e-discovery investigations practice at Duff and Phelps (D&P), a 75-year-old US-based international consulting firm with 21 offices in Europe, US, and Asia, including Shanghai, Tokyo and soon in Hong Kong.
According to Laykin, the computer forensics industry in the US is driven by the rules of civil litigation in the country’s court system, which requires the procedure of ‘e-discovery’.
E-discovery is a pre-trial aspect of a court case. In the US, if party A sues party B, then party A has the right to obtain party B’s documents and to review them before trial. This is a fundamental building block of the US legal system, and one that is absent in Asia.
“As a result, many of the e-discovery professionals in Asia can only work in law enforcement, or, if they have access to companies that are based in litigation in the US, because there is little forensics litigation in Asia”, says Laykin.
Examinations
In Hong Kong, the technology crime division of the Hong Kong Police Force (HKPC) conducts computer forensics examinations to investigate technology-related crime.
Hilton Chan is the former head of technology crime at the HKPC, where he served in the unit until 2008. He says the division’s 15-member computer forensics team was then one of the largest in Asia.
At present, he chairs the Information Security and Forensics Society, a Hong Kong-based non-profit organisation that aims to advocate and drive information security and computer forensics in the city and its surrounding region.
Chan recalls that the most challenging cases he handled at the HKPC were primarily related to banking and financial institutions. He says: “Most of those cases involved the misuse of privileged or sensitive information of companies.” Such cases are tough, he says, as they usually require deep investigation, particularly when senior management is involved.
“There was a case which we initially thought was merely a security incident. But after some investigation, we found it involved the senior management of an organisation, and then the case became very sensitive,” Chan says.
In contrast, cases that involve lower-level employees are usually easier to deal with because you can ensure co-operation from the IT department of the organisation, he says.
Hired guns and insiders
‘Hired guns’ are one of the biggest emerging technology crime threats in Hong Kong today.
“Nowadays, a lot of people are offering their services for sale on the Internet, such as virus hacking, denial of service attack, and helping users to write viruses to attack specific targets. Certain specific viruses can even bypass anti-virus devices, as the virus is specifically written to attack a particular organisation, and a lot of anti-virus software is unable to identify them,” Chan says.
“In the business world, this means your company will be subject to industry espionage, as hired guns could be deliberately engaged to write a specific virus, Trojan horse, or malware to attack your staff,” says Chan.
“And if your staff have low awareness, or your security employees are not well-trained in this area, a lot of corporate information with marketing intelligence value would be leaked out, sometimes intentionally, while at other times by mistake,” he says.
The Bank of East Asia (BEA) rumour that spread in Hong Kong last year illustrates well the vulnerability of the banking industry to ‘cyber attacks’.
Rumours of collapse
On 23 September 2008, a week after Lehman Brothers filed for bankruptcy protection, worried customers in Hong Kong formed long queues to withdraw savings from the bank, as rumours circulated by SMS messages that the bank was on the brink of financial collapse. BEA’s management denied the rumours, but the bank was forced to extend business hours to cope with the queues for savings withdrawal. A week prior to the incident, a BEA trader was suspected of being involved in false accounting of fraud activities. “In a lot of these activities, from the digital records, you can identify evidence to show what actually happened, how the entire process was conducted in a normal business environment.
“Who logged in? Who approved the transaction? Any e-mail exchanged between the involved parties? How was the business process authenticated and authorised?” Chan says.

Laykin says the primary security threat in Asia is always the users. “CIOs have done a very good job of figuring out how to protect the perimeter, firewalls, intrusion detection systems, and various applications that prevent bad guys from getting in. That part they have figured out very well. It’s the internal people that are representing the big challenge.”

The office, says Laykin, is where most of the problems on corporate networks take place, with the theft of data, whether by accident or through intentional fraud.
“And so CIOs face the challenge of creating security on one hand, [to comply with licensing obligations in the regulatory space] and accessibility on the other hand. And somewhere in the middle is where they have to find harmony,” he says.
Landmark case
Computer forensics expert Ben Pasco, the former director of forensic and legal technologies with a major consulting organisation, represented the defence in the Nancy Kissel murder case in the Hong Kong court in 2005, and testified with a live demonstration of the retrieval of computer forensic evidence. Nancy Kissel, 41, was accused of murdering her banker husband, Robert Kissel, on the night of 2 November 2003 in Hong Kong. Prosecutors said she drugged her husband with a milkshake laced with sedatives before clubbing him to death. Kissel was convicted of premeditated murder and was sent to prison for life.
Pasco is currently the managing director of legal technologies for the e-discovery solutions provider Kroll Ontrack, Asia Pacific.
Please describe your findings in the Kissel case in relation to the use of computer forensics.
Evidence from computers is latent evidence, meaning it is similar to fingerprints, blood, DNA, and is just as fragile. To process such evidence and make it acceptable in a court of law, forensically sound methods must be used.
The police computer forensic experts deployed in the Kissel case did a good job in imaging all of the computers used by the Kissel family, and as part of the e-discovery process, the defence also had access to those forensic images. I represented the defence and carried out an examination of two of the images taken by the police.
The prosecution opened their case by painting a picture of the deceased favourably and the accused (Nancy Kissel) unfavourably. On many occasions throughout their submission, the prosecution would refer to evidence obtained from the family computers to substantiate a particular point.
Using my findings, the defence wanted to counter the prosecution by showing that they had been selective in their submission and that the computer evidence showed that the deceased was not as the prosecution had suggested. My findings included the reconstruction of Web surfing history, websites visited and terms typed into search engines.
Would you consider the e-discovery investigation process for this case a tough one?
The challenge was to communicate to a jury, in a non-technical manner, the complex procedures I had used to reach my findings and what those findings were. Trying to do this orally would have been a very lengthy exercise; it would have surely bored the jury and run the risk of not being understood at all.
Having noted that the police had used EnCase Forensic Edition Version 4.2 to image and analyse the computer data, the defence team proposed that I use the same software to demonstrate live, in court. Using the same image and software as the police, I was able to find evidence on the disks that was not presented by the prosecution, evidence that was potentially unfavourable to the deceased. Most people don’t realise that regardless of which side retains an expert, the duty of the expert is always to the court. Fortunately, everything on the technical side went smoothly and although I did not have it easy in the witness box, my evidence was accepted, which is the goal of any forensics examiner.
In your opinion, how significant was the computer forensics evidence in this hearing?
The Kissel trial was a landmark case in many ways for computer forensics. The three key reasons include:
- Computer forensics was used on a case that was not directly related to computer crime.
- EnCase was firmly established as a tool for computer forensics.
- Most importantly, every computer forensics expert who testifies in Hong Kong must be prepared to demonstrate live, in court, how he or she arrived at any findings in support of their reports.
Following this trial, the use of computer forensics is now being seen in family disputes where, for example, one side would allege that the spouse had used the family computer to visit certain websites as ‘proof’ of the alleged state of mind of that particular spouse.