Digital forensics and markets regulation
Published by the Australian Financial Markets Association in the Policy and Markets Brief, September 2015.
ASIC is regarded as a leader in the field of digital forensics.Our infrastructure, software and the expertise of our analysts are the envy of many markets regulators. However, maintaining this capability faces constant challenges. Increasing volumes of data, encryption, cloud computing, virtualisation and new devices and types of evidence are just some of the drivers of change we anticipate over the next five years. Ongoing investment, capacity building and inter-agency cooperation will ensure ASIC remains at the forefront of digital forensics.
Challenges facing digital forensics
A major challenge for ASIC is ensuring that our ability to manage evidence keeps pace with technological change.
Volume of data
The amount of data ASIC receives has increased substantially in recent years. Based on current trends, this is likely to continue. By 2020, it is projected that ASIC will receive 425TB of data per annum. This gives rise to a number of issues. For example, it requires more resources to acquire, process, analyse and store this volume of data.
Increasing volumes of data mean increasing numbers of files to review. Traditional review methodologies are based around targeted keyword searches and manual review. However, this methodology has become less practical. Smarter strategies are needed, for example, Technology Assisted Review (TAR). TAR uses tools such as predictive coding, machine learning and computer algorithms to assist in the review of large volumes of data.
Encryption has posed a challenge to digital forensics for a long time. More recently, newer operating systems have begun mandating encryption of user accounts without the end user intervention. These encryption technologies render a physical full-disk image useless without the decryption key. In addition to encryption being deployed in traditional computing environments, we are also facing encrypted mobile devices. These challenges require additional strategies and changes to standard operating procedures.
In the last few years there has been a move towards cloud computing – storing and processing data off-site. Often data is located overseas or even replicated across numerous data centres. This creates potential jurisdictional issues. Another issue is the time and effort involved in acquiring the data. Traditionally, forensic analysts have had physical access to a device for the purpose of acquiring data. With cloud computing, a direct physical connection to the server hosting the cloud storage may not be possible.
Similar to cloud computing, many businesses are moving from PCs to a virtualised environment. This allows organisations to scale their infrastructure without the overheads associated with physical infrastructure. Again, this can result in jurisdictional issues if the datacentre hosting the virtualised environment is located overseas. In addition, each virtualisation technology uses its own proprietary systems, including the way it stores data and the underlying application infrastructure sitting behind it. A lack of knowledge about these systems can lead to issues when trying to forensically capture this type of data.
New devices and types of evidence
More than 500 mobile phone models are released each year. Numerous competing mobile phone operating systems are also available. This creates problems for forensic analysts as each time a new operating system is released, procedures, tools and best-practice guidance need to be developed. This highlights the importance of digital forensics in the mobile communication area.
The release of each device, operating system or application is accompanied by new artefacts which need to be examined for potential evidentiary value. One artefact that has seen a surge of activity in recent years is Voice over Internet Protocol (VoIP) data. As an example, ASIC recently received over two million audio files as part of an investigation. Practically, it is not feasible to manually review such large volumes of recordings. Instead, regulators and law enforcement agencies require capabilities for transcribing, indexing, searching and reviewing this type of data.
Managing and utilising digital forensics
ASIC addresses the challenges facing digital forensics by investing in the infrastructure and software necessary to support the management of evidence and our intelligence capabilities. Equally important, we invest in the training and development of our forensic analysts. ASIC also collaborates with other Australian government agencies to facilitate access to data. These strategies mitigate the risk that deficiencies in our forensic toolkit will impact on ASIC's ability to ensure Australia's financial markets are fair, orderly, transparent and efficient.
Applying digital forensics to markets regulation has not only enabled us to keep pace with technological change, it has improved our capabilities and investigative techniques. This process is ongoing. A recent software innovation that will enhance our investigative analytics, known as 'Enhanced Investigative Analytics' (EIA), is currently in the testing phase and will be implemented later this year. EIA will create a centralised repository of intelligence that draws upon evidentiary and regulatory sources for use by ASIC's surveillance and enforcement teams. Features will include the ability to generate matter chronologies and evidence matrices, to automatically create links between uploaded data and to identify relationships between persons of interest.
Like other digital technologies ASIC uses, EIA offers the potential for future enhancements. These will further increase ASIC's efficiency and effectiveness as a markets regulator.