Internal Investigations and the Cloud

Internal Investigations and the Cloud, Dan Michaluk, ACFI Fraud Conference, May 28, 2012

Description: One hour

Transcript of Internal Investigations and the Cloud

Page 1: Internal Investigations and the Cloud

Internal Investigations and the Cloud

Dan Michaluk
ACFI Fraud Conference
May 28, 2012

Page 2: Internal Investigations and the Cloud

Internal Investigations and the Cloud

• What is cloud computing?
• Why is it a problem for investigators?
• What’s the solution?
• The problem with the consumer cloud
• The consumer cloud – personal accounts
• Good resources

Page 3: Internal Investigations and the Cloud

What is cloud computing?

• Model for delivery of computing services
• Services outsourced and accessed through the internet, on demand, at desired scale
• Data resides on servers owned by third parties, often with the data of others and often in one or more foreign countries
• Consumer services differ from enterprise services

Page 4: Internal Investigations and the Cloud

What is cloud computing?

• It is related to a “data portability” phenomenon
• “We’ve got work information on personal devices and personal information on work devices”
• Add to that, multiple companies on physical servers
• This creates ambiguity that can be dealt with by contract (and I assume by technology) – i.e. we need to replace physical control with legal control

Page 5: Internal Investigations and the Cloud

Why is it a problem for investigators?

• It threatens timely access to reliable evidence
• Providers default to low cost rather than service
• Investigations and e-discovery are afterthoughts
• Specialized forensic data capture services are rare
• Logs and other forensic data can be intermingled
• Proprietary software can make interpretation hard
• Access restrictions create a chain of custody issue
• Law of other jurisdictions may be restrictive

Page 6: Internal Investigations and the Cloud

Why is it a problem for investigators?

• Discussion
• Do your employers or clients use cloud-based services for business?
• Has this affected your investigations?
• How?

Page 7: Internal Investigations and the Cloud

What’s the solution?

• The solution is simple (in theory)
• Outsourcing process requirements definition, vendor selection, due diligence and contracting and administration
• You need to insert yourself in all aspects of this process to communicate your requirements and see that they are met
• But… be prepared to compromise because the cloud is the cloud and physical control is supreme

Page 8: Internal Investigations and the Cloud

What’s the solution?

• The solution is simple (in theory)
• Understand the system and the data it generates
• Develop investigation scenarios
• Develop investigation requirements
• Prioritize requirements
• Discuss requirements
• Ensure requirements can be met
• Service level agreement is key, but is not everything

Page 9: Internal Investigations and the Cloud

What’s the solution?

• Assume your employer or a client is moving its accounting system to the cloud. As a fraud investigator, what are your key needs?

Page 10: Internal Investigations and the Cloud

What’s the solution?

• Key questions (among others)
• In what jurisdiction(s) will data reside?
• How is data stored at application & system levels?
• Can our data be extracted independently from others’ data?
• What forensic data do we want? Will you make it available to us? How? To others? How will that affect us?

Page 11: Internal Investigations and the Cloud

What’s the solution?

• Key questions (among others)
• Will your employee give evidence to establish the chain of custody?
• How fast will you make all this happen?

Page 12: Internal Investigations and the Cloud

The problem with the consumer cloud

• It is a data security risk – business information is leaching into personal accounts and home computers
• Example – employee sends work home via a web-based personal e-mail account
• Example – business unit starts using Google Docs to collaborate though the company has no enterprise services relationship with Google

Page 13: Internal Investigations and the Cloud

The consumer cloud - personal accounts

• The Calgary Police Service case (April 2012)
• Internal sexual misconduct investigation
• E-mail review… search for “password”
• Found login credentials for personal e-mail account
• Accessed on “data leakage” theory
• Found (unanticipated) evidence of sexual misconduct
• Alberta OIPC finds a violation of privacy legislation

Page 14: Internal Investigations and the Cloud

The consumer cloud - personal accounts

• Why unauthorized access is a bad idea
• Except in extraordinary circumstances it is likely to be a criminal offence – Criminal Code s. 342.1
• A labour arbitrator may exclude evidence
• Though not ideal, there is a work-around

Page 15: Internal Investigations and the Cloud

The consumer cloud - personal accounts

• The work-around
• Finish the covert investigation
• Confront the employee
• Make a preservation demand
• Make a reasonable inspection demand
• Be prepared to manage a refusal through an insubordination charge and an adverse inference

Page 16: Internal Investigations and the Cloud

The consumer cloud - personal accounts

• “Friending” targets is risky
• “Friending” as yourself may not be that helpful
• Impersonation is a criminal offence (s. 403)
• Do your professional rules prohibit the use of fake profiles to gain information?

Page 17: Internal Investigations and the Cloud

Related Resources

• J. Cheng, “IBM’s Siri ban highlights companies’ privacy, trade secret challenges”
• Digital Forensics Laboratories, “Digital investigations in the Cloud”
• T. Harbert, “E-discovery in the Cloud? Not so easy.”
• W. Manning, “Investigating in the Clouds”
• K. Ruan et al., “Cloud forensics: An overview”
• A. Savvas, “Cloud providers cave into more flexible contracts.”
• T. Trappler, “In the Cloud, Your Data Can Get Caught Up in Legal Actions”
• K. Zetter, “FBI Uses ‘Sledgehammer’ to Seize E-Mail Server in Search for Bomb Threat Evidence”
