Friday, April 24, 2009

RSA Conference 2009: Digital Forensics? E-Discovery? "Many judges still don’t know the difference between a Mega-Byte and a Dog Bite."

Lawrence Dietz (standing), Jonathan Tal (sitting)

RSA Conference 2009, Friday, 4-24-09

Combining video surveillance with data forensics could be decisive in legal cases involving e-discovery, but there are complex issues involved. And in "Case Study; Video Data Security Convergence," Jonathan Tal and Lawrence Dietz of TAL Global Corporation shared some invaluable insights on some of them.

"Many judges still don’t know the difference between a dog bite and a mega-byte,"
incontrovertible video evidence goes a long way to making your case."

When should you employ combined data and video investigations?

Dietz and Tal suggest the following circumstances:

When the suspect is known to you
When you believe it is important to be able to place an individual on a device at a certain time and match that individual with the device's activity
When you can physically limit and control data entry points

But of course there are legal and privacy concerns:

Are the computers to be monitored in a public place?
What is the expectation of privacy in the location where the video is taken?
Have employees and others consented to video and data monitoring?
Will data or video evidence be used in legal proceedings?

Dietz and Tal stressed that there is a difference between recording sound and video versus recording video only; if you record sound then wiretap laws kick in.

Where you conduct such surveillance is also an issue; e.g., conference rooms and reception areas in the workplace are different from bathrooms in the workplace. In a bathroom, there is a reasonable expectation of privacy.

Also, be careful to avoid accidental disclosure of medical records. In this investigation, the hidden video camera was positioned to only see the person sitting at the workstation, not what was on the screen.

Tal framed the case study they offered in their presentation.

"Once upon a time in a hospital not very far from here there was a bad doctor, a cardiologist, and he was practicing bad medicine. He was not only cavorting with the nurses, but endangering the patients. He was experimenting on patients, and the hospital took exception, and said you no longer have the right to do these experiments in our hospital. He launched a lawsuit, and started a campaign against the hospital. During the course of his campaign, he began generating information about procedures other doctors were using in the hospital, and was exploiting this information in his suit. The hospital was concerned, patient information was leaking, and this bad doctor’s attorney was using this leaked information. Where and who is this information leaking from? The human side of our investigation narrowed it down to a few people who were close to the bad doctor, and we zeroed in on one doctor who was a good friend of the bad doctor. Now this good friend of the bad doctor often went to the doctor’s lounge in the hospital."

Dietz picked up the story from there.

"There were four computer workstations in this room. There was unauthorized access, but we didn't need to prove just that, we needed to prove who was doing it, who is sitting at the workstation at the moment that the unauthorized access is taking place. Of the four workstations there were two thin clients and two PCs. We went in disguised as workmen. The cover story involved an overflowing restroom. When you are dressed like a workman, people tend to ignore you, particularly in the hospital environment, where there is a heavy caste system. You want to keep the number of people who know what you are doing as small as possible. We installed one hidden camera inside a particular pillar, one that gave us a view of all four workstations. The fewer cameras the better, less tape to review. Recording was activated by motion detection. We ran an Ethernet cable to a Digital Video Recording (DVR) lock box. The power for the camera also came from the Ethernet cable. The box held approximately thirty days' storage of digital video recording."
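Matching "who is sitting at the workstation" to a logged access comes down to aligning two clocks and two record types. The sketch below is an added example, not material from the presentation: it maps access-log events onto motion-triggered DVR segments, and the sample data, workstation names, timestamp format and clock-offset parameter are all constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data. Segments are motion-triggered recordings stamped by
# the DVR clock; events come from the access log on the log server's clock.
DVR_SEGMENTS = [
    ("2009-03-02 21:58:10", "2009-03-02 22:14:45"),
    ("2009-03-03 07:01:00", "2009-03-03 07:20:30"),
]
ACCESS_EVENTS = [  # (time, workstation, description); names are hypothetical
    ("2009-03-02 22:05:12", "WS-3", "unauthorized record access"),
    ("2009-03-02 23:40:00", "WS-1", "unauthorized record access"),
    ("2009-03-03 07:20:50", "WS-3", "unauthorized record access"),
]


def correlate(segments, events, dvr_offset=timedelta(0),
              tolerance=timedelta(seconds=30)):
    """Return, per log event, the video segments that can show who was seated.

    dvr_offset: DVR clock minus log clock, measured against one reference.
    tolerance:  margin for residual drift; matches that need it are flagged.
    """
    normalized = []
    for raw_start, raw_end in segments:
        start = datetime.strptime(raw_start, FMT) - dvr_offset
        end = datetime.strptime(raw_end, FMT) - dvr_offset
        normalized.append((start, end, raw_start))
    report = []
    for raw_time, workstation, what in events:
        t = datetime.strptime(raw_time, FMT)
        hits = []
        for start, end, raw_start in normalized:
            if start - tolerance <= t <= end + tolerance:
                hits.append({
                    "segment_start": raw_start,  # as labelled on the DVR
                    "seek_seconds": max(int((t - start).total_seconds()), 0),
                    "needs_tolerance": not (start <= t <= end),
                })
        report.append({"time": raw_time, "workstation": workstation,
                       "event": what, "video": hits})
    return report


if __name__ == "__main__":
    for row in correlate(DVR_SEGMENTS, ACCESS_EVENTS):
        print(row["time"], row["workstation"], row["video"] or "NO VIDEO COVERAGE")
```

Events with no covering segment, or covered only inside the tolerance margin, are the ones to report as unplaced rather than attribute to a person; a measured clock offset can move an event from one category to the other.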

Dietz also highlighted some planning stage issues.

"Secure communications between the client site IT manager and the data and video engineers is an important issue to address, so are your remote management capabilities. Both need to be coordinated ahead of time. You also will want to have an agreement in place on what is to be reported and to whom. There should also be prior agreement on if, when and how to destroy the video and forensics evidence. Not to mention level setting for expectations as to time and cost beforehand. You will also want to establish periodic checkpoints to review evidence and assess possible actions."

It is still early on in the evolution of digital forensics, e-discovery and related skills and processes. Clearly, there is a lot of opportunity both for technological innovation and the training of professionals in law, law enforcement and security.

-- Richard Power