Cyber-bullying, Cyber-stalking, Online, Email tracing and Cyber-crime
We can assist police, prosecutors, counsel and direct clients with specialised expert online investigative services in civil and criminal cases. In a recent case, we were able to expose the exact location, identity, motive and online activities of a cyber-stalker who had been active for over 5 years.
Using state-of-the-art technology, methodologies and thought patterns, we were able to expose someone who, on the face of it, appeared to be very careful with their online activities.
They were certainly no match for eVestigator®.
In today's society, we place a great deal of trust in the companies who supply us, the people who know and service our families and the IT systems we use. Sometimes this trust is misused for criminal or destructive purposes. Your choice to engage eVestigator® would most likely come down to one of the most important decisions you could make. We help you take action, get answers and find justice in our highly connected online world.
Computer Forensic and Expert Witness Services
In legal cases, computer forensic techniques are frequently used to analyse computer systems belonging to defendants (in criminal cases) or litigants (in civil cases). There are five basic steps in computer forensics:
1. Preparation (of the investigator, not the data)
2. Collection (the data)
3. Examination
4. Analysis
5. Reporting
The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process. One should determine the proper tool to be used based on the case. Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROM, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change).
Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken. For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated. Other specific practices that have been adopted in the handling of digital evidence include:
a) Imaging computer media using a write-blocking tool to ensure no data is added to the suspect device.
b) Establishing and maintaining the chain of custody.
c) Documenting everything that has been done.
d) Using only tools and methods that have been tested and evaluated to validate their accuracy and reliability.
Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys and methodology. Forensic analysis is much easier when analysts have the user's pass phrases to access encrypted files, containers, and network servers. In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases) special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data.
Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorised investigation. Traditionally, computer forensic investigations were performed on data at rest, for example the content of hard drives. This can be thought of as a dead analysis. Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.
In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive: the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys needed to decrypt the storage is in the computer's memory, so turning off the computer will cause that information to be lost. The process of creating an exact duplicate of the original evidentiary media is often called imaging.
Using a standalone hard-drive duplicator or software imaging tools such as dcfldd or IXimager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the file system. The original drive is then moved to secure storage to prevent tampering. During imaging, a write-protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.
The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still viable algorithms such as MD5. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them. They are essential for evidence that is to be presented in a court room, however.
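The hash-and-verify practice described above (record a digest of the image in a notebook kept apart from the evidence, then re-hash at critical points) is easy to show in code. The following is an added example, not eVestigator's or any tool's own code: it hashes a constructed stand-in for a bit-stream image in chunks, appends the digest, examiner and timestamp to a JSON manifest, and later re-verifies the image. It uses SHA-256 rather than the SHA-1 or MD5 mentioned in the text, since collisions for both of those are now known; the file names, the examiner placeholder and the single-byte tampering step are all assumptions made for the demonstration.

```python
"""Hash-based integrity verification of a forensic image (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images do not exhaust memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of the file at `path`, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(manifest_path, image_path, examiner, algorithm="sha256"):
    """Append an entry (who, when, which file, which digest) to a JSON manifest.

    The manifest plays the role of the investigator's notebook: it is kept
    separate from the evidence so a later change to the image can be detected.
    """
    entry = {
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "algorithm": algorithm,
        "digest": hash_file(image_path, algorithm),
        "examiner": examiner,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }
    entries = []
    if os.path.exists(manifest_path):
        with open(manifest_path, "r", encoding="utf-8") as fh:
            entries = json.load(fh)
    entries.append(entry)
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(entries, fh, indent=2)
    return entry


def verify_against_manifest(manifest_path, image_path):
    """Re-hash the image and compare it with the latest manifest entry for it.

    Returns (ok, expected_digest, actual_digest).
    """
    with open(manifest_path, "r", encoding="utf-8") as fh:
        entries = json.load(fh)
    name = os.path.basename(image_path)
    matching = [e for e in entries if e["file"] == name]
    if not matching:
        raise KeyError(f"no manifest entry for {name}")
    expected = matching[-1]
    actual = hash_file(image_path, expected["algorithm"])
    return actual == expected["digest"], expected["digest"], actual


def demo():
    """Acquire, verify, tamper with one byte, verify again. Returns (before, after)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "suspect_disk.dd")      # assumed file name
    manifest = os.path.join(workdir, "case_hashes.json")  # assumed file name
    # Constructed stand-in for a bit-stream image: 8 KiB of repeated sample bytes.
    with open(image, "wb") as fh:
        fh.write(b"EVIDENCE-SECTOR-" * 512)
    record_acquisition(manifest, image, examiner="examiner (placeholder)")
    ok_before, _, _ = verify_against_manifest(manifest, image)
    # Simulate silent tampering: flip a single byte in the middle of the image.
    with open(image, "r+b") as fh:
        fh.seek(4096)
        fh.write(b"X")
    ok_after, _, _ = verify_against_manifest(manifest, image)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the second verification is that a one-byte change anywhere in the image, which nothing in the file system would reveal, produces a completely different digest; the manifest must therefore be stored somewhere the image's custodian cannot alter it.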
If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it may be lost. This results in the need to collect volatile data from the computer at the onset of the response. Several open-source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and open or mounted encrypted files (containers) on the live computer system.
Utilising open-source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open-source tools for PCs include Knoppix and Helix. Commercial imaging tools include Access Data's Forensic Toolkit and Guidance Software's EnCase application.
The aforementioned open-source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally, these tools can also yield the login/password for recently accessed local email applications, including MS Outlook.
In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down. RAM can be analysed for prior content after power loss, although as production methods become cleaner the impurities used to indicate a particular cell's charge prior to power loss are becoming less common.
However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increase. Holding non-powered RAM below -60 degrees Celsius will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.
All digital evidence must be analysed to determine the type of information that is stored upon it.
For this purpose, specialty tools are used that can display information in a format useful to investigators. In many investigations, numerous other tools are used to analyse specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review. Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.
An expert witness or professional witness is a witness who, by virtue of education, training, skill, or experience, is believed to have knowledge in a particular subject beyond that of the average person, sufficient that others may officially (and legally) rely upon the witness's specialised (scientific, technical or other) opinion about an evidence or fact issue within the scope of their expertise. This is referred to as the expert opinion and serves as assistance to the fact-finder. Expert witnesses may also deliver expert evidence about facts from the domain of their expertise. At times, their testimony may be rebutted with a learned treatise, sometimes to the detriment of their reputations.
In an intellectual-property case, for example, an expert may be shown two algorithms, website layouts, or circuit boards and asked to ascertain their degree of similarity. The tribunal itself, or the judge, can in some systems call upon experts to technically evaluate a certain fact or action, in order to provide the court with complete knowledge of the fact or action it is judging. Such an expert report has the legal value of an acquisition of data. The results of these experts are then compared with those of the parties' own experts.
The Federal Court of Australia has issued guidelines for experts appearing in Australian courts. These cover the format of the expert's written testimony as well as their behaviour in court. Similar procedures apply in non-court forums, such as the Australian Human Rights and Equal Opportunity Commission.
If you feel eVestigator® may be the right choice for your needs, then please contact your nearest branch to obtain your free 2 hour consultation and review as promised by our innovative and unmatched satisfaction guarantee.
Data Interrogation
Data interrogation (often referred to as data mining) is the search for hidden patterns in large amounts of data. Data profiling in this context is the process of assembling information about a particular individual or group in order to generate a profile, that is, a picture of their patterns and behaviour. Data profiling can be an extremely powerful tool for psychological and social network analysis. A skilled analyst can discover facts about a person that they might not even be consciously aware of themselves.
Economic (such as credit card purchases) and social (such as telephone calls and emails) transactions in modern society create large amounts of stored data and records. In the past this data would be documented in paper records and would leave a "paper trail", or simply not be documented at all. Correlation of paper-based records was a laborious process as it required human intelligence operators to manually dig through documents, which was time-consuming and incomplete, at best.
But today many of these records are electronic, resulting in an "electronic trail". Every use of a bank machine, payment by credit card, use of a phone card, call from home, checked out library book, rented video, or otherwise complete recorded transaction generates an electronic record. Public records such as birth, court, tax and other records are increasingly being digitised and made available online. In addition, due to laws like CALEA, web traffic and online purchases are also available for profiling. Electronic record-keeping makes data easily collectable, storable, and accessible so that high-volume, efficient aggregation and analysis is possible at significantly lower costs.
Information relating to many of these individual transactions is often easily available because it is generally not guarded in isolation, since the information, such as the title of a movie a person has rented, might not seem sensitive. However, when many such transactions are aggregated they can be used to assemble a detailed profile revealing the actions, habits, beliefs, locations frequented, social connections, and preferences of the individual. This profile is then used, by programs such as ADVISE and TALON, to determine whether the person is a military, criminal, or political threat.
In addition to its own aggregation and profiling tools, the government is able to access information from third parties (for example, banks, credit companies or employers) by requesting access informally, by compelling access through the use of subpoenas or other procedures, or by purchasing data from commercial data aggregators or data brokers.
Audit and Analysis
An information technology audit, or information systems audit, is an examination of the controls within an information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence of an organisation's information systems, practices, and operations. The evaluation of the obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organisation's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. IT audits are also known as automated data processing (ADP) audits and computer audits. They were formerly called electronic data processing (EDP) audits.
Tactical Response Activities
The Tactical Response Group (TRG) is a Police Tactical Group, a component of the Counter-Terrorism and State Protection Group (CT&SP TRG). It is a civilian body accountable under Western Australia's police legislation (1892) and criminal code.
Since 1978, the Australian Government's National Anti-Terrorism Plan has required each state police force to maintain a specialised counter-terrorist and hostage-rescue unit.
TRG officers are trained for high-risk physical situations. They provide support to WAPOL and other agencies. Such situations include dealing with armed offenders, attending sieges and civil-disorder incidents, protecting endangered witnesses, undertaking searches of premises, securing and escorting dangerous prisoners, heads of state, VIPs and internationally protected persons, as well as the state's counter-terrorist responsibility.
The TRG is equipped with a wide range of less-lethal devices as well as specialist firearms and equipment for 'domestic' and counter-terrorist operations. Training includes tactical roping, fieldcraft, paramedical courses, the use of chemical, biological and radiological equipment, self-contained breathing apparatus and weapons.
eVestigator® is able to assist with investigations conducted by the group that rely on documentary electronic evidence for submission into the courts.
Digital Surveillance
The vast majority of computer surveillance involves the monitoring of data and traffic on the Internet. In the United States, for example, under the "Communications Assistance For Law Enforcement Act", all phone calls and broadband Internet traffic (emails, web traffic, instant messaging, etc.) are required to be available for unimpeded real-time monitoring by Federal law enforcement agencies.
There is far too much data on the Internet for human investigators to manually search through all of it. So automated Internet surveillance computers sift through the vast amount of intercepted Internet traffic and identify, and report to human investigators, traffic considered interesting: the use of certain "trigger" words or phrases, visits to certain types of web sites, or communication via email or chat with suspicious individuals or groups.
Billions of dollars per year are spent, by agencies such as the Information Awareness Office, NSA, and the FBI, to develop, purchase, implement, and operate systems such as Carnivore, NarusInsight, and ECHELON to intercept and analyse all of this data, and extract only the information which is useful to law enforcement and intelligence agencies.
Computers are also a surveillance target because of the personal data stored on them. If someone is able to install software (either physically or remotely), such as the FBI's "Magic Lantern" and CIPAV, on a computer system, they can easily gain unauthorised access to this data.
Another form of computer surveillance, known as TEMPEST, involves reading electromagnetic emanations from computing devices in order to extract data from them at distances of hundreds of meters.
Biometric surveillance refers to technologies that measure and analyse human physical and/or behavioural characteristics for authentication, identification, or screening purposes. Examples of physical characteristics include fingerprints, DNA, and facial patterns. Examples of mostly behavioural characteristics include gait (a person's manner of walking) or voice.
Forensic Analysis
Computational forensics (CF) is a quantitative approach to the methodology of the forensic sciences. It involves computer-based modelling, computer simulation, analysis, and recognition in studying and solving problems posed in various forensic disciplines. CF integrates expertise from computational science and forensic sciences.
A broad range of objects, substances and processes are investigated, which are mainly based on pattern evidence, such as toolmarks, fingerprints, shoeprints, documents etc., but also physiological and behavioural patterns, DNA, digital evidence and crime scenes.
Computational methods are used in forensic sciences in several ways, as for example:
rigorous quantification of individuality,
definition and establishment of likelihood ratio,
increase of efficiency and effectiveness in daily forensic casework.
Algorithms implemented are from the fields of signal and image processing, computer vision, computer graphics, data visualisation, statistical pattern recognition, data mining, machine learning, and robotics.
Computer forensics (also referred to as "digital forensics" or "forensic information technology") is one specific discipline that could use computational science to study digital evidence. Computational Forensics examines diverse types of evidence.
Electronic Discovery
Electronic discovery (or e-discovery) refers to discovery in civil litigation which deals with information in electronic format also referred to as Electronically Stored Information (ESI). Electronic information is different from paper information because of its intangible form, volume, transience and persistence. Also, electronic information is usually accompanied by metadata, which is not present in paper documents. However, paper documents can be scanned into electronic format and then manually coded with metadata.
The preservation of metadata from electronic documents creates special challenges to prevent spoliation.
Electronic discovery was the subject of amendments to the Federal Rules of Civil Procedure, effective December 1, 2006. Examples of the types of data included in e-discovery are e-mail, instant messaging chats, documents (such as Microsoft Office documents files), accounting databases, CAD/CAM files, Web sites, and any other electronically-stored information which could be relevant evidence in a law suit.
Also included in e-discovery is "raw data" which forensic investigators can review for hidden evidence. The original file format is known as the "native" format. Litigators may review material from e-discovery in one of several formats: printed paper, "native file", or as TIFF images.
Native format is increasingly the preferred choice for document review and involves the review of documents in their original file formats. This can require installation of the native applications, such as Microsoft Word in order to open a Microsoft Word document. Because there are hundreds of possible electronic file types, installing every application type can be a real challenge for reviewers.
TIFFing involves the conversion of native files into an image format that does not require use of the native applications. If the native file contains multiple pages, then an electronic discovery vendor can convert each page into TIFF images (for example 10 images for a 10 page Microsoft Word document) for use in a discovery review database. More frequently, review applications now utilise special viewers, called embedded native viewers, that avoid the need to install native applications and also avoid having to convert native files into TIFF images, which can require significant storage space for large data sets. Documents that are produced are often numbered using Bates numbering.
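Two of the mechanics described in this section, page-by-page Bates numbering of a production and preserving metadata so that spoliation can be detected, are shown together in the following added example (it is not eVestigator's or any e-discovery vendor's code). It assigns one Bates number per page across a constructed set of documents, so the 10-page Word document occupies ten consecutive numbers, and stores a SHA-256 fingerprint of each document's metadata taken at production time, which can later be compared against the metadata as it stands. The document names, metadata fields, dates and the "EVS" prefix are all constructed for the demonstration.

```python
"""Bates numbering and metadata preservation for an e-discovery production (added example)."""
import hashlib
import json


def bates_number(prefix, n, width=6):
    """Format the n-th production page as a Bates number, e.g. 'EVS000042'."""
    if n < 1:
        raise ValueError("Bates numbers start at 1")
    return f"{prefix}{n:0{width}d}"


def metadata_fingerprint(metadata):
    """Hash a document's metadata in canonical JSON form.

    Recording this before review means any later change to dates, authors or
    other metadata (accidental or deliberate spoliation) can be detected.
    """
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_production_log(documents, prefix, start=1, width=6):
    """Assign one Bates number per page, in order, across a set of documents.

    Each entry records the native file, page count, begin/end Bates numbers
    and the metadata fingerprint. Returns (entries, next_free_number).
    """
    entries = []
    n = start
    for doc in documents:
        pages = doc["pages"]
        if pages < 1:
            raise ValueError(f"{doc['name']} has no pages")
        entries.append({
            "native_file": doc["name"],
            "pages": pages,
            "bates_begin": bates_number(prefix, n, width),
            "bates_end": bates_number(prefix, n + pages - 1, width),
            "metadata_sha256": metadata_fingerprint(doc["metadata"]),
        })
        n += pages
    return entries, n


def check_metadata_unchanged(entry, current_metadata):
    """True if the document's metadata still matches the fingerprint taken at production."""
    return metadata_fingerprint(current_metadata) == entry["metadata_sha256"]


# Constructed sample collection, as a vendor might receive it for TIFFing.
SAMPLE_DOCUMENTS = [
    {"name": "contract.docx", "pages": 10,
     "metadata": {"author": "j.doe", "modified": "2006-11-03T09:12:00",
                  "application": "Microsoft Word"}},
    {"name": "ledger.xlsx", "pages": 3,
     "metadata": {"author": "finance", "modified": "2006-11-05T17:40:00",
                  "application": "Microsoft Excel"}},
    {"name": "thread.eml", "pages": 1,
     "metadata": {"from": "a@example.com", "to": "b@example.com",
                  "date": "2006-11-06T08:00:00"}},
]


if __name__ == "__main__":
    log, next_n = build_production_log(SAMPLE_DOCUMENTS, "EVS")
    for e in log:
        print(e["native_file"], e["bates_begin"], "-", e["bates_end"])
    print("next free number:", next_n)
```

Because the fingerprint is computed over a canonical serialisation (sorted keys, no whitespace), two exports of the same metadata in different field order still match, while a changed modification date does not; in practice the fingerprint would be recorded in the production log that accompanies the TIFF images or native files.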
Individuals working in the field of electronic discovery commonly refer to the field as Litigation Support.
Litigation Support
Rules of criminal or civil procedure govern the conduct of a lawsuit in the common law adversarial system of dispute resolution. Procedural rules are additionally constrained and informed by separate statutory laws, case law, and constitutional provisions that define the rights of the parties to a lawsuit (see especially due process), though the rules will generally reflect this legal context on their face. The details of procedure will differ from jurisdiction to jurisdiction, and often from court to court within the same jurisdiction. The rules are very important for litigants to know, however, because they dictate the timing and progression of the lawsuit: what may be filed, when, and to what result.
Failure to comply with the procedural rules can result in serious limitations in conducting the trial or even dismissal of the lawsuit.
Direct contempt is a special summary procedure used in federal courts. It allows federal judges to order litigants to be incarcerated if they do not obey direct orders as to what they should file or do in another court. No U.S. Attorney participation is required. No statutory authority is needed. The aggrieved party simply requests a federal judge to put the plaintiff in a different court in jail if he or she doesn't obey a direct order to file a motion to voluntarily dismiss the action in the other court. Edward Nottingham, a former federal judge, used the direct contempt procedure to jail pro se litigant Kay Sieverding because she didn't obey his direct orders as to what she should write to other courts.
When direct contempt is used, the section on the warrant for offence does not need to be filled in with an Act of Congress.
Though the majority of lawsuits are settled and never even get to trial, they can expand into a very complicated process. This is particularly true in federal systems, where a federal court may be applying state law (e.g., the Erie doctrine in the United States) or vice versa, or one state applying the law of another, and where it additionally may not be clear which level (or location) of court actually has jurisdiction over the claim or personal jurisdiction over the defendant. Domestic courts are also often called upon to apply foreign law, or to act upon foreign defendants, over whom they may not, as a practical matter, even have the ability to enforce a judgment if the defendant's assets are outside their reach.
Lawsuits become additionally complicated as more parties become involved.
Within a "single" lawsuit, there can be any number of claims and defences (all based on numerous laws) between any number of plaintiffs or defendants, who each can bring any number of cross-claims and counterclaims against each other, and even bring additional parties into the suit on either side after it progresses. However, courts typically have some power to separate out claims and parties into separate suits if it is more efficient to do so, such as if there is not a sufficient overlap of factual issues between the various claims.
Due Diligence
Due diligence is a term used for a number of concepts involving either the performance of an investigation of a business or person, or the performance of an act with a certain standard of care. It can be a legal obligation, but the term will more commonly apply to voluntary investigations. A common example of due diligence in various industries is the process through which a potential acquirer evaluates a target company or its assets for acquisition.
With origins in the private-sector world of business and finance, the term "due diligence" [in philanthropy] refers to the process through which an investor researches an organisation’s financial and organisational health [and capacity] to guide an investment decision. The decision to fund or not to fund is based upon a balance of objective data analysis, insight into the general state of organisational health and stability, and intuition.
A sound and thorough due diligence review is the process through which all the factors that make up that equation are uncovered and understood. It is the process in which a program officer seeks the "truth" about an organisation. It is not correct to confuse due care and due diligence. Due care should be spelled out in full as duty of care. It is a legal concept by itself. Duty of care may be very wide, far reaching, and also a grey area subject to argument. Basically, parents owe their infant a duty of care in everything.
As the infant grows to be a child, to be an adolescent, an adult, the duty of care and its scope become less and less. Fundamentally, a duty of care is a moral duty to care. When legal acknowledgment is extended to this moral obligation, then this duty becomes a legal requirement. Inversely, the legislature sets the duty in the statute.
When read carefully, care is the passive mode; diligence is the active mode.
First the duty of care (due care) arises, making it a requirement. In order to fulfil this duty, due diligence is exercised. The flow may be continuous, but these two concepts are different. When due diligence is called for, then there will be a set of demands to be complied with, depending on the context. For example, before a surgery, what should be done and who should be present in the theatre? After the surgery, what must be done to the patient, equipment, facilities?
As a matter of independent inquiry, whether by a court of law or professional body, the line of investigation is: Is there a duty of care? How is this duty of care imputed? (Previous case law, statute, new case).
If the duty of care exists, what are the applicable standards? In other words, what due diligence (and the components that go to make it a comprehensive due diligence) is required?
The last issue is always considered in light of specific circumstances of the case. If brain surgery is involved, the standards are those required of competent brain surgeons. If deep sea welding is involved, the standards are those required of competent deep sea welders. In an auction of a Picasso, due diligence standard must be comparable with an international auctioneer to authenticate an art object.
In the sale of a diamond, due diligence may be necessary from human rights and political aspects. As such, expert opinions are often considered.
In criminal law, due diligence is the only available defence to a crime that is one of strict liability (i.e., a crime that only requires an actus reus and no mens rea). Once the criminal offence is proven, the defendant must prove beyond a reasonable doubt that they did everything possible to prevent the act from happening. It is not enough that they took the normal standard of care in their industry - they must show that they took every reasonable precaution.
Corporate Intelligence/Risk Analysis
Corporate Intelligence is often also referred to as "competitive intelligence". A broad definition of competitive intelligence is the action of defining, gathering, analysing, and distributing information about products, customers, competitors and any aspect of the environment needed to support executives and managers in making strategic decisions for an organisation.
Key points of these definitions:
Competitive Intelligence is an ethical and legal business practice, as opposed to industrial espionage which is illegal.
The focus is on the external business environment.
There is a process involved in gathering information, converting it into intelligence and then utilising this in business decision making. CI professionals emphasise that if the intelligence gathered is not usable (or actionable) then it is not intelligence.
A more focused definition of CI regards it as the organisational function responsible for the early identification of risks and opportunities in the market before they become obvious. Experts also call this process the early signal analysis.
This definition focuses attention on the difference between dissemination of widely available factual information (such as market statistics, financial reports, newspaper clippings) performed by functions such as libraries and information centres, and competitive intelligence which is a perspective on developments and events aimed at yielding a competitive edge.
The term CI is often viewed as synonymous with Competitor analysis but Competitive Intelligence is more than analysing competitors. It is about making the organisation more competitive relative to its entire environment and stakeholders, customers, competitors, distributors, technologies, macro-economic data etc.
FRAP (Facilitated Risk Analysis Process) is often used in analysing risk in corporate settings. FRAP analyses one system, application or segment of business processes at a time.
FRAP assumes that additional efforts to develop precisely quantified risks are not cost effective because:
such estimates are time consuming
risk documentation becomes too voluminous for practical use
specific loss estimates are generally not needed to determine if controls are needed.
After identifying and categorising risks, a team identifies the controls that could mitigate the risk.
The decision as to which controls are needed lies with the business manager. The team's conclusions as to what risks exist and what controls are needed are documented, along with a related action plan for control implementation.
Three of the most important risks a software company faces are unexpected changes in revenue and costs from those budgeted, and the amount of specialisation of the software planned. Risks that affect revenues can be unanticipated competition, privacy, intellectual property right problems, and unit sales that are less than forecast; unexpected development costs also create risk, which can take the form of more rework than anticipated, security holes, and privacy invasions.
Narrow specialisation of software with a large amount of research and development expenditure can lead to both business and technological risks, since specialisation does not lead to lower unit costs of software. Combined with the decrease in the potential customer base, specialisation risk can be significant for a software firm. After probabilities of scenarios have been calculated with risk analysis, the process of risk management can be applied to help manage the risk.
Methods like Applied Information Economics add to and improve on risk analysis methods by introducing procedures to adjust subjective probabilities, compute the value of additional information and to use the results in part of a larger portfolio management problem.
Consultancy Services
eVestigator® is able to offer dynamic consultancy services to assist you or your client in litigation or internal investigations. We offer a dynamic skill set that is credible and reliable. Contact us for an obligation-free consultation today.
We have worked with a range of clients in various sectors all across the country. We are not limited by distance or industry; however we only accept jobs that have a strong requirement for digital analysis and expert intervention.
If you feel eVestigator® may be the right choice for your needs, then please contact your nearest branch to obtain your free 2 hour consultation and review as promised by our innovative and unmatched satisfaction guarantee.