Wednesday, 1 October 2008

Electronic Evidence Tampering on the Rise

More IT-savvy users caught trying to eliminate evidence of wrongdoing.

I think using Guttman algorithm 35 passes should remove any traces that even forensic recovery software can't retrieve.
PDF

1 comment:

Guanyu said...

Electronic Evidence Tampering on the Rise

More IT-savvy users caught trying to eliminate evidence of wrongdoing.

Chua Hian Hou - The Straits Times
29 September 2008

E-MAIL messages, Excel spreadsheets and customer databases are featuring increasingly in cases of fraud, defamation and information theft, which gives wrongdoers more reason than ever to tamper with these electronic pieces of evidence.

How well they do it could make a difference between being caught and getting away with their misdeeds.

The taxman here, for instance, is finding that nine in 10 tax evasion cases involve the use of computers.

The exceptions are when the tax dodgers are operators of small businesses like hawkers, said the assistant commissioner for investigation and intelligence at the Inland Revenue Authority of Singapore (Iras), Mr Tay Yong Chin.

Elsewhere, technology-related fraud has also emerged as ‘the fastest-growing and most pervasive category of fraud’ in the business world, said a KPMG fraud report published in July.

In 2004, just 19 per cent of the firms polled reported such offences; by last year, the figure was 59 per cent.

There is no way to determine exactly how widespread tampering of electronic evidence is, but law firms, enforcement agencies such as Iras and private sector computer forensics firms such as KPMG and Tecbiz Frisman are all seeing the uptrend.

Among Iras’ many cases of tax evasion involving tinkering with electronic records is that of a man who deleted incriminating files and then installed a new operating system on his computer.

He was prosecuted after being caught - he failed to outsmart Iras’ computer forensics team, which recovered the data.

Other high-profile cases involving the tampering of electronic records include that of former Asia Pacific Breweries manager Chia Teck Leng, who embezzled over $100 million, and that of former National Kidney Foundation head T.T. Durai, who was also accused of destroying electronic documents.

Lawyer Bryan Tan of Keystone Law Corporation said people tamper with or destroy electronic evidence - e-mail correspondence, financial records or downloaded hacking tools - to weaken or even snuff out the case against them.

And they are getting better at it, said KPMG forensics head Bob Yip.

Where previously the person would just delete e-mail correspondence or documents, many now format their hard disks or use specialised electronic erasing programs to cover their electronic trails.

In a case KPMG investigated, a man accused of manipulating his company’s accounting records made changes to the software’s audit logs, which are meant to keep track of who accesses the software.

Some go one step further and try to ‘create doubt’, said Keystone’s Mr Tan.

For instance, the suspect may install an unsecured wireless network before putting up racist blog posts or sending out defamatory e-mail messages.

An unsecured wireless network gives a defendant some ‘plausible deniability’, by giving him room to claim that someone else may have used his network to commit the offence.

Another tactic a perpetrator can use is to change his hard disk or computer. When presented with a new hard disk, computer forensics can do little to recover evidence from it, since it never had anything incriminating on it to begin with.

A lawyer who declined to be named said this can be a ‘decent argument’ to take to court, especially in criminal cases in which the prosecution’s burden of proof is higher.

After all, destroying or tampering with evidence does not necessarily mean the defendant is guilty, he argued.

This strategy can work well in civil lawsuits, since the defendants usually receive advance notice that they are being sued and can quickly take action to alter or destroy evidence, he said.

But Mr Tan warned that such actions can backfire.

If the defendant is found to have, say, changed his hard disk after getting a lawyer’s letter of the lawsuit against him, or after news breaks about a police investigation into his alleged offence, such actions may be viewed as an attempt to ‘pervert justice’.

TecBiz managing director Tan Swee Wan said that not only are such actions unlikely to impress the court, they could also land the perpetrator with criminal charges.

Any action aimed at obstructing the course of justice is an offence under the Penal Code. It could bring jail time of up to seven years.

Despite the hefty penalties, experts believe cases of tampering with or destroying evidence will continue to rise.

The lawyer who spoke on condition of anonymity said: ‘In the real world, many clients facing a choice between jail or a fine, versus deleting that incriminating e-mail and then swearing in court that he did no such thing, would probably choose the latter, even if we counsel them against it.’

This story was first published in The Straits Times on 29 September 2008.