Navigating Data Privacy Issues and Performing Computer Forensics in Corruption Investigations International Pharmaceutical Compliance Congress May 2011

Data Protection and Computer Forensics Slide 2

Agenda

►  A brief introduction to data protection
►  Data identification and preservation
►  Computer forensics
►  Corruption-specific analysis examples

DATA PROTECTION

OECD Data Protection Principles

►  Notice
►  Purpose
►  Consent
►  Security
►  Disclosure
►  Access
►  Accountability

EU Data Protection Directive

►  Incorporates OECD principles
►  Conditions under which data may be processed
    ►  Transparency
    ►  Legitimate purpose
    ►  Proportionality
►  Varying implementations by country
►  Non-EU data protection
►  Other local or company considerations
    ►  Unions or workers councils
    ►  Company policies

Safe Harbor Principles

►  Notice
►  Choice
►  Onward transfer
►  Security
►  Data integrity
►  Access
►  Enforcement

DATA IDENTIFICATION AND PRESERVATION

Electronic Discovery Process Model

Source: EY based on edrm.net

[Diagram. Labels: Information management; Identification; Preservation and Collection; Data processing and culling; Data extraction; Keywords and batches; Data review and analysis; Report preparation; Results presentation. Also shown: Volume of data, Relevance.]

Data Sources

►  Email Server(s)
►  Corporate Network (Intranet)
►  Employees’ workstations (desktop computers)
    ►  User documents
    ►  Emails
    ►  Other
►  File Server(s) – Network Shares
    ►  User documents
    ►  Emails
    ►  Other
►  Employees’ portable computers
►  Other data sources
    ►  Portable devices
    ►  Backup tapes
    ►  Portable USB drives

Data types

[Chart. Axis: 0% to 90%. Categories: Other, Video, Instant Messaging, Photos, Financial statements, Invoices, Databases, User docs, E-mails.]

Source: http://www.renewdata.com/pdf/ESG-Brief-RenewData-1008.pdf

Increasing storage capabilities

Source: EY

Increasing number of electronic documents

Source: EY

Data processing

eDiscovery system

Lotus Notes Database (.nsf)

Deduplication, indexing, data review

Data culling – narrowing down the number of emails and documents

Facilitating the review Analysis, documentation, classification

Data culling

Filtering the relevant items. Deduplication

Applying the keywords

Data review

Data collection: ~ 140 GB / HDD

Data processing: Export ~ 15 GB of data
    ►  ~ 45 000 emails
    ►  ~ 5 000 files

Data review: Assigned for review
    ►  ~ 1 000 - 1 500 emails and files

Production: Preparation of production files
    ►  ~ 10-20 docs per custodian
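
The culling steps on this slide (deduplication, then applying the keywords) can be sketched as follows. This is an added example, not part of the original presentation: the sample items, the search terms, the trailing-`*` wildcard convention and all function names are assumptions made for illustration.

```python
import hashlib
import re

ITEMS = [  # constructed sample items, not from the presentation
    {"id": 1, "from": "a@example.com", "subject": "Invoice 17", "body": "Please pay the consulting fee."},
    {"id": 2, "from": "a@example.com", "subject": "Invoice 17", "body": "Please pay the  consulting fee.\r\n"},
    {"id": 3, "from": "b@example.com", "subject": "Lunch", "body": "Canteen at noon?"},
    {"id": 4, "from": "c@example.com", "subject": "FW: gift", "body": "The gifts for the tender committee are ready."},
    {"id": 5, "from": "d@example.com", "subject": "Notes", "body": "Feedback on the offer."},
]
KEYWORDS = ["consulting fee", "gift*", "fee"]  # hypothetical search terms

def fingerprint(item):
    """Hash sender, subject and body after whitespace and case normalisation."""
    norm = "|".join(" ".join(item[k].split()).lower() for k in ("from", "subject", "body"))
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def dedupe(items):
    """Keep the first item per fingerprint; return (unique, {kept_id: [duplicate_ids]})."""
    first, unique, dups = {}, [], {}
    for it in items:
        fp = fingerprint(it)
        if fp in first:
            dups.setdefault(first[fp], []).append(it["id"])
            continue
        first[fp] = it["id"]
        unique.append(it)
    return unique, dups

def compile_term(term):
    """Whole-word, case-insensitive match; a trailing * allows any word ending."""
    tail = r"\w*" if term.endswith("*") else ""
    words = r"\s+".join(re.escape(w) for w in term.rstrip("*").split())
    return re.compile(rf"\b{words}{tail}\b", re.IGNORECASE)

def keyword_hits(items, keywords):
    """Map item id -> matching terms, omitting items without any hit."""
    pats = [(k, compile_term(k)) for k in keywords]
    found = {it["id"]: [k for k, p in pats if p.search(it["subject"] + "\n" + it["body"])] for it in items}
    return {i: terms for i, terms in found.items() if terms}

def cull(items, keywords):
    """Run both steps and report the funnel counts kept for documentation."""
    unique, dups = dedupe(items)
    hits = keyword_hits(unique, keywords)
    return {"collected": len(items), "after_dedup": len(unique), "for_review": len(hits), "duplicates": dups, "hits": hits}

if __name__ == "__main__":
    print(cull(ITEMS, KEYWORDS))
```

The whole-word match keeps the term "fee" from selecting item 5 ("Feedback"), and the recorded duplicate map documents which copies were suppressed.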

Identification – Common Issues

►  Lack of an information management program
►  Uncoordinated/de-centralized IT
►  Addressing consent for former or unavailable employees
►  Legacy systems
►  Encrypted devices, hard drives or email boxes
►  User usage patterns are not known

Preservation – Common Issues

►  Document hold notices
►  Rewriting of backup tapes
►  Lack of understanding of what is maintained on servers
►  Data for former employees
►  Mobile/detachable media
►  Information stored on clouds

Collection – Common issues

►  Logistics
►  Availability of devices
►  Time to verify images
►  Access to servers
►  Understanding what media may be relevant
►  What NOT to image
►  Restoration of backup media
►  Documentation of chain of custody
►  EU data protection and the safe harbor

COMPUTER FORENSICS

Computer Forensics Basics

►  Bit-by-bit image of the physical hard drive
►  Data can also be forensically acquired from other media
►  Chain of custody assisted through MD5 hash
►  Generally requires direct access to a custodian’s computer
►  Can be inconvenient for users
►  Key questions:
    ►  What do you hope to obtain from the hard drive imaging?
    ►  What data will you analyze from the image?
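
How a hash supports chain of custody can be shown with a short script that records an image's hashes at acquisition and re-checks them later. This is an added example, not part of the original presentation: the record field names and the temporary file standing in for a disk image are assumptions. The slide names MD5; the sketch also records SHA-256, an addition made here because MD5 is no longer collision-resistant.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def hash_image(path, chunk_size=1 << 20):
    """Stream the file so a multi-GB image is hashed without loading it into RAM."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def custody_entry(path, custodian, examiner, action):
    """One custody-log record: which image, whose device, who handled it, when."""
    entry = {
        "image": os.path.basename(path),
        "custodian": custodian,  # hypothetical field names
        "examiner": examiner,
        "action": action,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    entry.update(hash_image(path))
    return entry

def verify_image(path, entry):
    """Re-hash the image; return the fields that no longer match the record."""
    current = hash_image(path)
    return [k for k in ("bytes", "md5", "sha256") if current[k] != entry[k]]

if __name__ == "__main__":
    # Constructed stand-in for a disk image.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(b"\x00" * 4096 + b"constructed disk image")
    record = custody_entry(tmp.name, "custodian-01", "examiner-01", "acquired")
    print(record)
    print("mismatches after acquisition:", verify_image(tmp.name, record))
    with open(tmp.name, "r+b") as fh:  # simulate a single altered byte
        fh.seek(10)
        fh.write(b"\x01")
    print("mismatches after alteration:", verify_image(tmp.name, record))
    os.remove(tmp.name)
```

An empty list from `verify_image` at each hand-over is what ties the working copy back to the image recorded at acquisition.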

Computer Forensics Analysis

►  Samples of data available
    ►  User data files (e.g. Office documents, emails, media)
    ►  Internet history and cookies
    ►  Recoverable deleted files
    ►  RAM and file slack
    ►  Registry information
►  Snapshot of media at one point in time; triangulation with other sources may be more effective
►  May provide hints to other data
►  Deleted files are overwritten after time
►  Analysis other than of user data files can be labor intensive

CORRUPTION-SPECIFIC ANALYSIS EXAMPLES

Corruption-specific Analysis Examples

►  Existence/use of other email accounts
►  Traffic patterns between users
►  Attempts to change data or obscure transactions
    ►  Registry
    ►  Deleted files
    ►  Transaction and master file logs
    ►  Transactions at odd hours
►  Keyword searches
    ►  User files from forensic images
    ►  All files loaded onto an eDiscovery platform
    ►  Structured data description fields

Corruption-specific Analysis Examples (continued)

►  Accounting data analysis
    ►  Transactions in accounts of interest
    ►  Vendors with multiple bank accounts
    ►  Bank accounts in unexpected countries
    ►  Vendors in countries with poor Corruption Perception Index scores
    ►  Repeating transactions
    ►  Payments to vendors that appear to be individuals
    ►  Master files changes
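
Four of the tests listed on this slide and the previous one (vendors with multiple bank accounts, bank accounts in unexpected countries, repeating transactions, transactions at odd hours) can be run over a payment extract as follows. This is an added example, not part of the original presentation: the vendor and payment records, the placeholder IBANs, the thresholds and the function names are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data (not from the presentation); IBANs are placeholders.
VENDORS = {"V001": "DE", "V002": "HU", "V003": "DE"}  # vendor -> registered country
PAYMENTS = [  # (vendor, beneficiary IBAN, amount, posting time)
    ("V001", "DE00TEST0001", 12500.00, "2011-03-01T10:15"),
    ("V002", "HU00TEST0002", 4999.00, "2011-03-02T11:00"),
    ("V002", "CY00TEST0003", 4999.00, "2011-03-09T23:40"),
    ("V002", "HU00TEST0002", 4999.00, "2011-03-16T09:30"),
    ("V003", "DE00TEST0004", 800.00, "2011-03-19T14:00"),  # a Saturday
]

def multiple_accounts(payments):
    """Vendors paid into more than one bank account."""
    accounts = defaultdict(set)
    for vendor, iban, _, _ in payments:
        accounts[vendor].add(iban)
    return {v: sorted(a) for v, a in accounts.items() if len(a) > 1}

def foreign_accounts(payments, vendors):
    """Payments whose IBAN country prefix differs from the vendor's country."""
    return [(v, iban) for v, iban, _, _ in payments
            if iban[:2] != vendors[v]]

def repeating(payments, min_count=3):
    """Identical vendor/amount pairs posted at least min_count times."""
    counts = Counter((v, amount) for v, _, amount, _ in payments)
    return {pair: n for pair, n in counts.items() if n >= min_count}

def odd_hours(payments, start=7, end=19):
    """Postings on a weekend or outside start..end o'clock (assumed office hours)."""
    flagged = []
    for vendor, _, _, ts in payments:
        t = datetime.fromisoformat(ts)
        if t.weekday() >= 5 or not start <= t.hour < end:
            flagged.append((vendor, ts))
    return flagged

if __name__ == "__main__":
    print("multiple accounts:", multiple_accounts(PAYMENTS))
    print("unexpected country:", foreign_accounts(PAYMENTS, VENDORS))
    print("repeating:", repeating(PAYMENTS))
    print("odd hours:", odd_hours(PAYMENTS))
```

Each test only produces leads for review; a vendor flagged by several tests at once, as V002 is here, is a natural place to start.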

Questions?

SanDee I. Priser
Zone Leader - Forensic Technology & Discovery Services
Eschborn (Frankfurt), Germany
+49 6196 996 27681