This item has been updated since initial publication.
By Lee Shih
Alex Tan, Executive Director, Forensic Services of PwC Malaysia; and Neil Meikle, Associate Director of Forensic Technology, also from PwC Malaysia, and the Honourable Justice Glenn Martin AM, Judge, Supreme Court of Queensland, kept the audience riveted with real–life scenarios and trends in the area of forensic investigations and e–discovery, in the session entitled “Electronic Discovery and Admissibility of Electronically–Stored Information”.
Overview of Global and Malaysian Trends Influencing Forensic Investigations
Mr Tan provided an overall overview of forensic investigations which involve reacting to a crisis situation, and such situations may involve allegations of bribery, corruption, money laundering or accounting fraud. He mentioned that he is seeing a lot of regulatory action from the United States and increasingly, from the United Kingdom. There is also an increase in the impact of foreign laws, such as the Foreign Corrupt Practices Act and the Bribery Act, in Malaysia.
Next, he highlighted some key findings from the PwC Global Economic Crime Survey 2014, in particular for Malaysia. The statistics from this survey showed that 35% of the respondents have operations in markets having a high risk of corruption, while 38% of respondents believed that it is likely that they will experience corruption. 31% of respondents revealed that they have experienced cybercrime, which is a big increase from 5% in 2011. The survey also disclosed that of those who experienced some form of economic crime, 58% said that the frequency and size of economic crimes has increased. A disturbing fact is that seven out of 10 respondents have lost in excess of US$1 million in the last two years, and alarmingly, 26% have not undertaken a fraud risk assessment in the last two years.
Forensic Investigations and e–Discovery Experiences
Mr Meikle weighed in with his perspective from running the forensic laboratory in PwC Malaysia. He started off his presentation by emphasising that communications and documents are now largely digital. Furthermore, social media is heavily used. In Malaysia for example, 90% of the 18–24 age group use Facebook. Therefore, relevant evidence is likely to be stored electronically in some form or another, and such evidence must be preserved to evidential standards.
In this regard, he stressed the unbreakable guidelines for forensic investigators set out in the ACPO Principles of Digital Evidence:
Principle 1: No action taken by law enforcement agencies, or by persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining relevance and the implications of their actions.
Principle 3: An audit trail or other records of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same results.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Arising from this, Mr Meikle provided an important tip: do not allow IT teams / experts to switch on the machines and browse through the files stored on these machines, as that would undermine the integrity of the evidence and may destroy evidence. When the system is switched on, active or temporary files may be written over.
He next addressed the often–asked–question on how does one recover deleted files from computers and mobile devices. He explained that the act of deleting merely removes the entry from the index but the underlying file is not. Data is lost only if newer files are saved over them. Mr Meikle then showcased the different equipment and software that he uses in the forensic laboratory to retrieve deleted files. The equipment used in his laboratory allows for imaging and preserving of data (both from computers and mobile devices) and recovering deleted files. Keyword searching can then be carried out for files of potential interest.
He also provided pointers on the type of qualifications one could look for in a forensic investigator, ie qualifications such as EnCase Certified Examiner (“EnCE”), Forensic Toolkit (“FTK”), and CISSP.
Information from New Developments and Techniques in Electronic Discovery
Justice Martin started by flagging three developments that have generated a lot more digital information. Firstly, the rise in the use of social media. Aside from data on hard drives or peripherals, there may be information in the public domain. For example, what a Chief Executive Officer (“CEO”) says during negotiations on a deal may be quite different from what he/she may say on social media on that same deal. So, the candour in a tweet by an employee could often be very different from the position taken by the company in the deal or in the litigation.
Secondly, the use of cloud data storage which will contain information on equipment not owned by the client. Access to such information may be problematic, in the sense that if a client is in financial difficulties, or if you are acting for a receiver or liquidator of a company, it may be difficult to access those documents on a farm of hard drives, or perhaps in another country.
Thirdly, the increasing use of Bring Your Own Device (“BYOD”) policies in companies. Companies allow their employees to bring their own device to carry out company work. That may be fine when the relationship between company and employee is a happy one. But if things were to go sour, an employee will not surrender his/her property for any investigation.
Finally, moving to the area of discovery and dealing with large volumes of electronic documents, Justice Martin provided a recent example which may help with the problem of locating and sifting down the relevant electronic documents. He said that a group of senior lawyers would get together, and decide the types of words, terms, images, and exchanges which will be relevant. Predictive coding takes that information, combines them into a mathematical model, and applies it to all the electronic documents. This method then produces a sample set of documents, and lastly, the group of senior lawyers would verify that this method is accurate in collating the relevant types of documents.