Navigating Data Privacy Issues and Performing Computer Forensics in Corruption Investigations
International Pharmaceutical Compliance Congress May 2011
Data Protection and Computer Forensics Slide 2
Agenda
► A brief introduction to data protection
► Data identification and preservation
► Computer forensics
► Corruption-specific analysis examples
DATA PROTECTION
OECD Data Protection Principles
► Notice
► Purpose
► Consent
► Security
► Disclosure
► Access
► Accountability
EU Data Protection Directive
► Incorporates OECD principles
► Conditions under which data may be processed
  ► Transparency
  ► Legitimate purpose
  ► Proportionality
► Varying implementations by country
► Non-EU data protection
► Other local or company considerations
  ► Unions or workers councils
  ► Company policies
Safe Harbor Principles
► Notice
► Choice
► Onward transfer
► Security
► Data integrity
► Access
► Enforcement
DATA IDENTIFICATION AND PRESERVATION
Electronic Discovery Process Model
[Figure: process model diagram. Stage labels: Information management; Identification; Preservation and Collection; Data processing and culling; Data extraction; Keywords and batches; Data review and analysis; Report preparation; Results presentation. Trend labels: Volume of data; Relevance.]
Source: EY based on edrm.net
Data Sources
► Corporate Network (Intranet)
► Email Server(s)
► Employees’ workstations (desktop computers)
  ► User documents
  ► Emails
  ► Other
► File Server(s) – Network Shares
  ► User documents
  ► Emails
  ► Other
► Employees’ portable computers
► Other data sources
  ► Portable devices
  ► Backup tapes
  ► Portable USB drives
Data types
[Figure: bar chart, axis from 0% to 90%. Categories: E-mails; User docs; Databases; Invoices; Financial statements; Photos; Instant Messaging; Video; Other.]
Source: http://www.renewdata.com/pdf/ESG-Brief-RenewData-1008.pdf
Increasing storage capabilities
Source: EY
Increasing number of electronic documents
Source: EY
Data processing
eDiscovery system
Lotus Notes database (.nsf)
► Deduplication
► Indexing
► Data review
Data culling – narrowing down the number of emails and documents
Facilitating the review
Analysis, documentation, classification
Data culling
Filtering the relevant items. Deduplication
Applying the keywords
Data review
► Data collection: ~ 140 GB / HDD
► Data processing: export ~ 15 GB of data
  ► ~ 45 000 emails
  ► ~ 5 000 files
► Data review: assigned for review
  ► ~ 1 000 - 1 500 emails and files
► Production: preparation of production files
  ► ~ 10-20 docs per custodian
Identification – Common Issues
► Lack of an information management program
► Uncoordinated/de-centralized IT
► Addressing consent for former or unavailable employees
► Legacy systems
► Encrypted devices, hard drives or email boxes
► User usage patterns are not known
Preservation – Common Issues
► Document hold notices
► Rewriting of backup tapes
► Lack of understanding of what is maintained on servers
► Data for former employees
► Mobile/detachable media
► Information stored on clouds
Collection – Common Issues
► Logistics
► Availability of devices
► Time to verify images
► Access to servers
► Understanding what media may be relevant
► What NOT to image
► Restoration of backup media
► Documentation of chain of custody
► EU data protection and the safe harbor
COMPUTER FORENSICS
Computer Forensics Basics
► Bit-by-bit image of the physical hard drive
► Data can also be forensically acquired from other media
► Chain of custody assisted through MD5 hash
► Generally requires direct access to a custodian’s computer
► Can be inconvenient for users
► Key questions:
  ► What do you hope to obtain from the hard drive imaging?
  ► What data will you analyze from the image?
Computer Forensics Analysis
► Samples of data available
  ► User data files (e.g. Office documents, emails, media)
  ► Internet history and cookies
  ► Recoverable deleted files
  ► RAM and file slack
  ► Registry information
► Snapshot of media at one point in time; triangulation with other sources may be more effective
► May provide hints to other data
► Deleted files are overwritten over time
► Analysis other than of user data files can be labor intensive
CORRUPTION-SPECIFIC ANALYSIS EXAMPLES
Corruption-specific Analysis Examples
► Existence/use of other email accounts
► Traffic patterns between users
► Attempts to change data or obscure transactions
  ► Registry
  ► Deleted files
  ► Transaction and master file logs
  ► Transactions at odd hours
► Keyword searches
  ► User files from forensic images
  ► All files loaded onto an eDiscovery platform
  ► Structured data description fields
Corruption-specific Analysis Examples (continued)
► Accounting data analysis
  ► Transactions in accounts of interest
  ► Vendors with multiple bank accounts
  ► Bank accounts in unexpected countries
  ► Vendors in countries with poor Corruption Perception Index scores
  ► Repeating transactions
  ► Payments to vendors that appear to be individuals
  ► Master file changes
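Added example, not part of the original slides: a Python implementation of four of the accounting tests listed above plus the "transactions at odd hours" test from the previous slide, run over constructed vendor and payment records. The record layout, the company-suffix heuristic, the working-hours window, the repeat threshold and the reading of "unexpected country" as "differs from the vendor's registered country" are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the presentation).
VENDORS = {  # vendor_id -> (name, registered country)
    "V001": ("Medisupply GmbH", "DE"),
    "V002": ("Anna Example", "PL"),
    "V003": ("Labtech Sp. z o.o.", "PL"),
}
# (payment_id, vendor_id, amount, bank account, account country, posted at)
PAYMENTS = [
    ("P1", "V001", 12500, "DE-ACC-1", "DE", "2011-03-01T10:15"),
    ("P2", "V001", 4800, "CY-ACC-9", "CY", "2011-03-02T23:40"),
    ("P3", "V002", 4900, "PL-ACC-2", "PL", "2011-03-03T11:00"),
    ("P4", "V002", 4900, "PL-ACC-2", "PL", "2011-03-10T11:05"),
    ("P5", "V002", 4900, "PL-ACC-2", "PL", "2011-03-17T10:55"),
    ("P6", "V003", 730, "PL-ACC-3", "PL", "2011-03-04T14:30"),
]
# Assumed heuristic: a name without a legal-form suffix may be an individual.
COMPANY_SUFFIXES = ("gmbh", "ag", "ltd", "inc", "sp. z o.o.", "s.a.")
WORK_HOURS = range(7, 20)  # assumed normal posting window, 07:00-19:59


def run_tests(vendors, payments, repeat_min=3):
    """Return {test name: sorted list of flagged vendor or payment ids}."""
    accounts, repeats = defaultdict(set), defaultdict(list)
    flags = defaultdict(set)
    for pid, vid, amount, account, acct_country, posted in payments:
        name, home = vendors[vid]
        accounts[vid].add(account)
        repeats[(vid, amount)].append(pid)
        if acct_country != home:  # assumed meaning of "unexpected country"
            flags["account_in_unexpected_country"].add(pid)
        if datetime.fromisoformat(posted).hour not in WORK_HOURS:
            flags["odd_hours"].add(pid)
        if not name.lower().endswith(COMPANY_SUFFIXES):
            flags["vendor_looks_like_individual"].add(vid)
    for vid, accts in accounts.items():
        if len(accts) > 1:
            flags["multiple_bank_accounts"].add(vid)
    for (vid, _amount), pids in repeats.items():
        if len(pids) >= repeat_min:  # same vendor, same amount, N times
            flags["repeating_transactions"].update(pids)
    return {test: sorted(ids) for test, ids in flags.items()}


if __name__ == "__main__":
    for test, ids in run_tests(VENDORS, PAYMENTS).items():
        print(f"{test}: {', '.join(ids)}")
```

Each flag is a lead for review, not a finding: a vendor with two accounts or a late-night posting needs to be checked against contracts, approvals and the other sources described earlier.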
Questions?
SanDee I. Priser
Zone Leader - Forensic Technology & Discovery Services
Eschborn (Frankfurt), Germany
+49 6196 996 27681