The Forensic Approach to Complex Fraud
Keith Foggon
Head of Digital Forensics Unit
Serious Fraud Office
Outline What is the SFO Forensic Challenges DFU Technology Forensic Processes
What is the SFO
- Created by Criminal Justice Act 1987
- Roskill Fraud Trials Report 1986
- began April 1988
- compulsory powers (defeat confidentiality)
- Investigates and prosecutes
- Serious or complex fraud
- Multi-disciplinary teams
- Referral, vetting and acceptance
What does the SFO do
- Responsive – not reactive
- Reduce fraud and the cost of fraud
- Deliver justice and rule of law
- Maintain confidence in UK business by:
- taking on appropriate cases
- investigating quickly
- prosecuting fairly
- communicating clearly to deter fraud
Responsive – not reactive. The Serious Fraud Office’s aim is to contribute to:
- Reducing fraud and the cost of fraud
- The delivery of justice and the rule of law
- Maintaining confidence in the UK’s business and financial institutions
It does so by taking on appropriate cases, investigating them and bringing them to a successful conclusion as quickly as individual circumstances allow. When a decision to prosecute is made, it prosecutes fairly and in a way that enables the jury to understand the issues.
In carrying out its aim and objectives the Serious Fraud Office will:
- Work effectively and efficiently
- Co-operate with other agencies and overseas jurisdictions
- Ensure that its activities and the way they are reported contribute to deterring fraud.
Note that SFO does not detect, disrupt or directly deter - it is responsive not pro-active.
Criminal Justice Act 1987
- s1: the director may investigate offences
1. (1) A Serious Fraud Office shall be constituted for England and Wales and Northern Ireland.
(2) The Attorney General shall appoint a person to be the Director of the Serious Fraud Office (referred to in this part of this Act as "the Director"), and he shall discharge his functions under the superintendence of the Attorney General.
(3) The Director may investigate any suspected offence which appears to him on reasonable grounds to involve serious or complex fraud.
(4) The Director may, if he thinks fit, conduct any such investigation in conjunction either with the police or with any other person who is, in the opinion of the Director, a proper person to be concerned in it.
(5) The Director may -
(a) Institute and have the conduct of any criminal proceedings which appear to him to relate to such fraud; and
(b) Take over the conduct of any such proceedings at any stage.
(6) The Director shall discharge such other functions in relation to fraud as may from time to time be assigned to him by the Attorney General.
(7) The Director may designate for the purposes of subsection (5) above any member of the Serious Fraud Office who is -
(a) a barrister in England and Wales or Northern Ireland;
(b) a solicitor of the Supreme Court; or
(c) a solicitor of the Supreme Court of Judicature of Northern Ireland.
(8) Any member so designated shall without prejudice to any functions which may have been assigned to him in his capacity as a member of that Office, have all the powers of the Director as to the institution and conduct of proceedings but shall exercise those powers under the direction of the Director.
Etc.
Criminal Justice Act 1987
- s1: the director may investigate offences
- s2(2): answer questions or furnish information
- s2(3): copies of documents & explanations
- s2(4): warrant to enter premises
- s2 available for mutual legal assistance
Criminal Justice Act 1987
2. ...
(2) The Director may by notice in writing require the person whose affairs are to be investigated ("the person under investigation") or any other person whom he has reason to believe has relevant information to answer questions or otherwise furnish information with respect to any matter relevant to the investigation at a specified place and either at a specified time or forthwith.
(3) The Director may by notice in writing require the person under investigation or any other person to produce at such place as may be specified in the notice and either forthwith or at such time as may be so specified any specified documents which appear to the Director to relate to any matter relevant to the investigation or any documents of a specified description which appear to him so to relate; and -
(a) If any such documents are produced, the Director may -
(i) Take copies or extracts from them;
(ii) Require the person producing them to provide an explanation of any of them;
(b) If any such documents are not produced, the Director may require the person who was required to produce them to state, to the best of his knowledge and belief, where they are.
(4) Where, on information on oath laid by a member of the Serious Fraud Office, a justice of the peace is satisfied, in relation to any documents, that there are reasonable grounds for believing -
(a) that -
(i) A person has failed to comply with an obligation under this section to produce them;
(ii) It is not practicable to serve a notice under subsection (3) above in relation to them; or
(iii) The service of such a notice in relation to them might seriously prejudice the investigation; and
(b) That they are on premises specified in the information,
he may issue such a warrant as is mentioned in subsection (5) below.
Etc.
Criminal Justice Act 1987
- s1: the director may investigate offences
- s2(2): answer questions or furnish information
- s2(3): copies of documents & explanations
- s2(4): warrant to enter premises
- s2 available for mutual legal assistance
- s3: disclosure to other authorities
S3 (5) Subject to subsections (1) and (3) above and to any provision of an agreement for the supply of information which restricts the disclosure of the information supplied, information obtained by any person in his capacity as a member of the Serious Fraud Office may be disclosed by any member of that office designated by the Director for the purposes of this subsection -
(a) to any government department or Northern Ireland department or other authority or body discharging its functions on behalf of the Crown (including the Crown in right of Her Majesty's Government in Northern Ireland);
(b) to any competent authority;
(c) for the purposes of any prosecution in England and Wales, Northern Ireland or elsewhere; and
(d) for the purposes of assisting any public or other authority for the time being designated for the purposes of this paragraph by an order made by the Secretary of State to discharge any functions which are specified in the order.
A recent challenge by judicial review in the Holbein case gave rise to headlines of "SFO Acted Unfairly". In essence the complaint by the applicant was that, prior to making disclosure to the DoH, the SFO should have given the applicant the opportunity to make representations as to whether the Director should exercise his discretion in favour of disclosing information. The applicant's claim for judicial review was dismissed; however, in the course of its judgment the Court found that the then director had acted unfairly.
Essentially, counsel is of the opinion that advance notice of an intended disclosure is likely to be required only in exceptional cases, and even where disclosure under section 3(5) takes place without notice being given, the circumstances in which a potential complainant would have any legitimate cause for complaint would be exceptional.
Investigate & Prosecute
- Prosecutor leads the investigation team
- unique
- effective (if the product is a prosecution)
- Team formed with:
- Internal investigators, law clerks, etc.
- Police (one or more forces)
- Counsel
- External accountants etc.
Criteria for Acceptance
- Direction of the investigation should be in the hands of the prosecutor
- Sum at risk > £1m
- Public concern / interest
- International dimension
- Specialisms / multi-disciplinary teams
- Use of s2 appropriate
The key criterion for the SFO to take on a case should be that the suspected fraud is such that the direction of the investigation should be in the hands of those who will be responsible for the prosecution. The factors that will need to be taken into account include:
1. The sum at risk is estimated to be at least £1m (this is simply an objective and recognisable signpost of seriousness and likely public concern rather than the main indicator of suitability).
2. The case is likely to give rise to national publicity and widespread public concern. Factors include those involving government departments, public bodies, the governments of other countries and commercial cases of public interest.
3. The investigation requires a highly specialist knowledge of, for example, financial markets and their practices.
4. The case has a significant international dimension.
5. There is a need for legal, accountancy and investigative skills to be brought together as a combined operation.
6. The suspected fraud appears to be complex and one in which the use of Section 2 powers might be appropriate.
Roles and Responsibilities
- Case Controller (dual function + maybe “disclosure officer”), leads overall investigation
- separate from the case - he is the arbiter in relation to the way it will be prosecuted
- Case Lawyer investigator involved closely in all aspects of the investigation
- Support Staff
- Law clerks / IT / analysts / DOCMAN
- Digital Forensics Unit
Student Participation Time
- Computer Forensics: What’s it all about?
- Why does the SFO need a Forensics Unit?
Digital Forensics Unit
- Every case involves digital evidence
- Seizing server farms
- Work volume increasing each year
- Encryption built in to MS products
- Email, increasing volume & value
- Anti-Forensics tools on the increase
- All fraud investigators need awareness
- Massive amount of data – too much – far too much
So how do we cope?
- Forensics is such a linear process
- It does not cope well with multiple dimensions
- It confuses data and information
- It finds the useless and ignores the useful
- Imaging blank space (75% - 80% of image is of no use)
- Investigators need knowledge but forensics creates a mist of confusion
Consider: Data and Query Equality
- Traditional Forensics
- Intelligent Forensics
- Queries find data
- Data finds queries
- Data finds data
- Queries find queries!
Treat all Data as a Query
If you don’t process every new piece of data like a query … then you will not know if it matters … until you ask!
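A minimal sketch of the "data and query equality" idea on the two slides above, added here as an illustration and not taken from the presentation or from any SFO tooling: evidence items and investigator queries go through the same index, so every new arrival is tested against everything seen before it. The class, method names and sample identifiers are assumptions made for the example.

```python
from collections import defaultdict

def normalise(feature):
    # Case and whitespace differences must not hide a match.
    return feature.strip().lower()

class EqualityIndex:
    """One index for evidence items and investigator queries alike."""

    def __init__(self):
        self._seen = defaultdict(list)  # feature -> [(kind, ident), ...]

    def _submit(self, kind, ident, features):
        hits = []
        for feat in sorted({normalise(f) for f in features}):
            for other_kind, other_id in self._seen[feat]:
                hits.append((f"{kind} finds {other_kind}", ident, other_id, feat))
            # Persist the submission so later arrivals are tested against it.
            self._seen[feat].append((kind, ident))
        return hits

    def ingest(self, item_id, features):
        # New evidence is treated exactly like a query.
        return self._submit("data", item_id, features)

    def ask(self, query_id, features):
        # A query stays live after it is asked.
        return self._submit("query", query_id, features)

def demo():
    # Constructed sample: item names, address and account numbers are invented.
    idx = EqualityIndex()
    out = []
    out += idx.ingest("laptop-A/mail-0412", ["acct:0001", "j.doe@example.test"])
    out += idx.ask("Q1", ["acct:0002"])   # no answer yet, but Q1 is remembered
    out += idx.ingest("server-B/ledger.xls", ["acct:0002", " J.Doe@Example.test"])
    out += idx.ask("Q2", ["acct:0002"])   # a second investigator, same account
    return out

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Q1 returns nothing when it is asked; the match only surfaces when the ledger is ingested later, which is the case a query-only workflow misses.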
Pause for thought
- All single parameter forensic processes will fail.
- An investigator sitting at an EnCase machine will fail!
- The best, most reliable & useful results for large and complex fraud will be realized using a multiple, & simultaneous, approach
The route forward
- The Technology behind the process:
- Using intelligence in forensic IT
- Hardware Environment Network Processes Databases Software
Our new Desktop Environment
- Dell XPS 700 series
- HP xw8600 Workstation (2 x quad-core 64-bit, 16Gb RAM, 1.5TB HD, Win XP Pro 64)
Our new Storage Environment
- Nexsan SATABeast
- 4 x 42TB
- RAIDed to 8 x 16.3TB Volumes
Our new Network Environment
- Blades
- Silos
Our new Network Environment
- Satabeasts
- Closeup of Satabeasts
One for the Techies
- Rear View
- Full Frontal
New Work Area
Hardware / Network
- Silo-based structure
- Enhanced security
- Dedicated dirty network
- 64-bit workstations
- Optimised processing
- ‘RESTRICTED’
- Improved throughput
Hardware
Network
Police Forces in England & Wales
[Map of police force areas, with region labels A, B, E, D]
Forces shown: Cambridgeshire (Cambs.), Cleveland, Durham, Essex, Humberside, Lincolnshire, Norfolk, Northumbria, North Yorkshire, South Yorkshire (S. Yorks), Suffolk, West Yorkshire, Avon & Somerset, Devon & Cornwall, Dorset, Gloucestershire (Gloucester), Hampshire, Kent, Sussex, Wiltshire, Derbyshire (Derby), Dyfed-Powys, Gwent, Leicestershire, Northamptonshire (Northants.), North Wales, Nottinghamshire (Notts.), South Wales, Staffordshire (Stafford), Surrey, Thames Valley, Warwickshire (Warwick), West Mercia, West Midlands (W. Mids.), PSNI (Police Service of Northern Ireland), Bedfordshire (Beds.), Cheshire, Cumbria, Greater Manchester (Gtr Man), Hertfordshire, Lancashire, Merseyside, City of London, Metropolitan
Domains of Investigation
- INDIVIDUAL & INVESTMENT FRAUD
- MUTUAL LEGAL ASSISTANCE
- CORRUPTION
- CORPORATE, CITY & PUBLIC SECTOR FRAUD
- DIGITAL FORENSIC UNIT
Processes
Process flow (diagram labels): Seizure, Sanitisation, Extraction, Imaging, PM Material, Analysis, Extraction, Sanitisation, PM Material, LPP Material, Staging, Extraction, Presentation
General offence of fraud (Fraud Act 2006)
- False representation
- Failure to disclose information
- Abuse of position
Processes
- Content extraction for defined data types
- Comparison against known data
- Transaction analysis (sequence of events)
- Extraction of data
- Deleted files recovery
- Format conversion
- Keyword searching
- Decryption / Cracking
- Storage Media types Rebuild
1GB of paper is 160,000 pages of A4 double sided
1GB of paper would fit in the back of a pickup if stacked 11 feet high
PC images in store at present on ICG, average 40GB each, 40 trucks
Backup tapes, average 6GB, largest is 11GB
Procedures 2008
Procedures 2009
Databases
- SFO-generated
- Microsoft
- Hashkeeper
- NSRL
- Police Operations
- Civil Operations
- Operation Ore
- Some others – looking at Bit9
Software
- Most Imaging / Analysis: iLook, FTK, FTK2?, EnCase, Paraben P2
- Mobiles / PDAs: CellDeck / Neutrino / PDA Seizure / Cellebrite
- Write Blocking: Tableau / FastBloc / WiebeTech
- Tapes: TapeCat / MMPC / eMAG
Software And these others:
Electronic Presentation of Evidence
Screen displays of:
- Documents
- Graphics
- Animations
- Virtual Reality
Time
- Cases take a long time
- To analyse, investigate, and prosecute
- Computer Forensics is a slow process
- Rules and procedures
- Triage
- Processes
and don’t forget about these
- iPods
- iPhones
- PSP
- X-Box
- PS3 / Wii
- SatNav
- Sky+ Box
- BlackBerry
or these
- Palm Foleo (linux-based)
- Nokia N8000 (proprietary)
- Fujitsu (??)
- Sony VGN (XP home)
- Samsung Q1 (Vista)
or even these
Final word
- Conventional computer forensics is struggling to keep pace with potential sources of electronic evidence.
- We need to apply intelligence to our forensics, as there is simply too much data to analyse.
- Re-examine standard forensic procedures to adapt to advances in technology.
Thanks Questions
Contact
Keith Foggon, Head of Digital Forensics Unit
Serious Fraud Office
Elm House, 10 - 16 Elm Street
London WC1X 0BJ
020 7239 7272
keith.foggon@sfo.gsi.gov.uk