NAME OF GROUP MEMBERS: HON HAO KONG TP027895
THOR LIH YIN TP024383
YUVARAJ MURALITHARAN TP028059
GROUP : GROUP C2I
INTAKE CODE : UC3F1402IT{FC}
MODULE CODE : CT040-3.5-3-LEAFC MODULE TITLE : LEGAL EVIDENTRARY ASPECTS OF FORENSIC COMPUTING, LEAFC PROJECT TITLE : LEAFC 2nd Group Assignment
HAND-OUT DATE : 27th MAY 2014
HAND-IN DATE : 16TH JUNE 2014
LECTURER : MR. ALI JAVAN

Table of Contents 1.0 Workload Matrix 3 2.0 Executive Summary 4 3.0 Case Detail and Assumptions 5 4.0 First Responder 7 4.1 Overview 7 4.2 First Responder Procedures 7 4.2.1 Securing and evaluating electronic crime scene 7 4.2.2 Documenting electronic crime scene 10 4.2.3 Collecting and preserving electronic evidence 15 4.2.4 Packaging electronic evidence 21 4.2.5 Transporting electronic evidence 22 4.3 Chain of Custody 23 5.0 Critical Analysis 24 5.1 Forensic Analysis 29 6.0 Case Reconstruction 40 6.1 Functional Analysis 40 6.2 Timeline Analysis 42 6.3 Relational Analysis 43 7.0 Apply and Result of Subpoena 44 8.0 Legal Discussion and Implication 45 8.1 Legal Discussion Perspectives 47 9.0 Conclusion and recommendations 51 9.1 Conclusion 51 9.2 Recommendations 51 10.0 References 52 Appendix A– Affadavit 54 Appendix B- Subpoena 59

1.0 Workload Matrix

| Thor Lih Yin (TP024383) | Hon Hao Kong(TP027895) | Yuvaraj(TP028059) | Group Component 60% | Executive summary and preparation of authorization | * | | | Case details and assumptions | * | * | * | Referencing | * | * | * | Documentation | * | * | * | Conclusion and Recommendation | | | * | Individual Component | Evidence identification, collection and preservation | * | | | Critical Analysis and case reconstruction | | * | | Legal discussion/ implications | | | * |

2.0 Executive Summary

According to the scenario that been provided, an investigation were brought on Mr. James, the manager of the Financial Accounting Department of the MATM organisation. There were total 3 investigator that were in charge of this investigation. Inspector Thor Lih Yin will be involving in gathering all of the possible evidence preserve it and bring forward to the evidence analyst. Hon Hao Kong is the Senior Forensic analyst and meanwhile Yuvaraj is the forensic case Legal consultant. With the combination of the 3 parties, the suspect, Mr. James will be investigated by collecting his personal digital evidences to prove that he is illegally using the MATM company assets to commit crime for his personal benefits.

3.0 Case Detail and Assumptions

Mr James were the person who involved in the crime that happened. He is a very rich guy and active man inside the company. He is holding the position of Manager Secretary of the accounting department and he is in charge of bank in monthly salaries to all the staffs inside the organisation. Meanwhile, he has a wife name Mary. She is working as a Secretary Manager inside the Bank West in Australia. Mary is a very kind and friendly woman who always obey to her husband. They were staying in a rented room as they were just moved to Australia and haven’t brought a house yet.
FIFA World Cup 2014 were started. Mr James was an underground dealer which known as bookie that involving in online betting in FIFA World Cup 2014. He receive cash from customer that wants to gamble and he will in charge of everything once money been received. His wife Mary had suggested that he can able to get more customer by sending Emails to the employees in customer. In order to do that, he will need to send the email without getting him suspicious on doing underground gambling. His wife had send him an email which teach him how to perform email spoofing and cipher to prevent himself getting caught of it. Once he received the information given by his wife, he had applied the methods that been taught and send the email by using other staffs credential.
In order to get the email address of the staffs, he had get into access of the company staff database inside the office by using the company workstation. He snapped pictures of the information inside the database by using his smart phone and keep it secretly. The database involve in several important information that he might needed such as the email address and also the bank account of the employees. Once he get home, he used his own laptop and typed in the databases details into Microsoft excel.
Once the result of the FIFA World Cup been announced, he will be returning double of the betting amount to the gambler and he will be earning money from the customer who loses the game.
The money earned were known as underground money which is illegal. It cannot be used as it was earned unlawfully and the source of the money were untraceable. The money earned will be needed for laundering and he had asked the help of his wife.
He had passed the excel file to his wife for helping him to perform money laundering. To prevent bring suspicious by the company staffs, he had told his wife to do the money transaction in small amount of money and perform it partially and partially on all of the staffs.
Once he get called for a preliminary investigation, he was surprise and he ask the wife to stop what they were doing right now. To preventing get suspicious, he had perform the actions such as: * Clear all the browser history * Delete pictures capture from his SD card * Delete his email conversation with his wife * Delete the database file that been typed

4.0 First Responder

4.1 Overview

First responder had stand as an important role while performing digital evidence collecting. Actions that been taken to collect from the victim will be easily affecting weather the evidence will be valid or invalid. First responder is in charge of protecting, integrating and preserving all of the evidences that obtain from the victim.

4.2 First Responder Procedures

4.2.1 Securing and evaluating electronic crime scene

According to Susan Rice, the manager of the MATM cooperate had received several complains from the staffs that were working inside the company. There’s happened some small amount of transactions that were added and deducted from their bank account repeatedly. Although the amount were remain the same and there’s no loss, there is still suspicious that someone is misusing the staff bank details to perform some fraud. Mr. James who is the Accounting department manager of the MATM organisation is the suspect criminal for the case. This is because he is once found unauthorised access to the personnel database of the organisation. The database had stored details of all the staffs inside the organisation and also included the bank account number. Besides that, there’s also some staff’s email address being misused to send out unwanted advertising emails to his friends. By analysing and investigating, the investigator believed that the staff might been spoofed.

4.2.1.1 Preparation for authority

After receiving the result of the preliminary interview that were done earlier from the police enforcement, the inspector had come out with some personal background checking towards the suspect, Mr James. Based on the analysis, it is found that he has a wife who is working in the BankWest with the position of manager assistant. Besides that, Mr James is said as a friendly person among the neighbourhood. In addition, they claim that his wife were a very lovely woman and both of the couples seems lovely all the time. This makes the investigator believe that Mr James family were good and friendly enough. After making a research on Mr James, the inspector decided to apply on a normal search and seizure warrant. In this case, the inspector take into concern that during the day time, both of the husband and wife might be working and not available at home, so that the inspector plan to pay a visit during evening. The affidavit letter to apply for search warrant were included inside appendix A.

4.2.2.2 Planning the search and seizure

Once the affidavit letter been approved, there will be planning needed to perform the searching of the evidences. The approval were received back from the high court of Australia on 1st of June 2014. Meanwhile, the inspector had planned to visit Mr James on the next day which is 2nd of June 2014. A day before paying a visit to Mr James, the inspector will well prepared the tools and documents such as evidence bag, chain of custody, first responder toolkits. Once preparation been done, the inspector will depart from the police station together with the colleagues to Unit 2, 27 Morang Rd, Hawthorn, VIC 3122 Melbourne at evening 7pm and with the search warrant that been approved.

4.2.2.3 Approval from the High Court

Criminal Investigation Act 2006 s. 42 | Search warrant | To 1 | All police officers. | Application | The applicant has applied under the Criminal Investigation Act 2006 s. 41 to me, a Justice of the Peace, for a search warrant. | Applicant’s details 2 | Name of officer | INSPECTOR THOR | | Office held | 396-400 Malvern Rd | Registered No. | 12345 | | Station/squad | Prahran VIC | Suspected offence(s) | MR. JAMES | Warrant | This warrant authorises you to search the place described below for the person described below, or for the thing(s) or class of thing described below, using the powers in the Criminal Investigation Act 2006 s. 43 and 44.
This warrant must be executed in accordance with s. 43 to s. 45 of that Act. | Place to be searched 3 | Mr James workstation | Person or thing(s) to be searched for 4 | Digital evidences | Execution period 5 | This warrant must be executed within days after the date it is issued. | Issuing details | Name of JP | Mr Ali Javan | | Date | 1 June 2014 | Time | 11:00 am | JP’s signature | Issued by me on the above date and at the above time.

Justice of the Peace | Execution details | Start | Date:2June Time:19:00 | End | Date: 2June Time: 21:00 | | Occupier present? Yes/No Search audiovisually recorded? Yes/No | | Other place entered under s. 44(2)(a)? Yes/No If yes, official details of senior officer who approved the entry: | | Person found/Thing(s) seized? Yes/No | Officer in charge of execution 2 | Name | Hon Hao Kong | | Office held | 396-400 Malvern Rd | Registered No. | TP027895 | | Station/squad | Prahran VIC |

4.2.2 Documenting electronic crime scene

Once reaching the suspect house around 19:15, the inspector had ringed the doorbell and here’s appear Mr James on the door. The inspector had clarify his identity and showing the search warrant that were legally assigned. In this case, Mr James has no any comment towards it and peacefully letting us for continuing the search and seizure procedure.
After going into the suspect rented house, we had asked him to stay on the living room. Wife of Mr James looked quite shock and keep quiet sitting at the living room. After asking the cooperation of Mr James, the inspector had begin the first responder procedure. 4.2.2.1 Environment of the crime scene

Figure 4a: Entrance of the room of Mr James

Figure 4b: View of the room (1)

Figure 4c: View of the room (2)

Figure 4d: View of the room (3)
Figure 4d: View of the room (3)

Figure 4e: View of the room (4)
Figure 4e: View of the room (4)

Figure 4f: View of the room (5)
Figure 4f: View of the room (5)

4.2.2.2 Sketches of the evidence found on the crime scene

Figure 4g: The overview of the entire room

Figure 4h: The 1st view of location of evidences

Figure 4i: The 2nd view of location of evidences

Figure 4i: The 2nd view of location of evidences

Figure 4j: The 3rd view of location of evidences

Figure 4j: The 3rd view of location of evidences

Figure 4k: The 4th view of location of evidences

Figure 4k: The 4th view of location of evidences

4.2.3 Collecting and preserving electronic evidence

After having an overview of the entire house of Mr James, the inspector had search around and find out all the possible evidences and took a photograph before seizing it. After taking a clearer look on the evidence, it will needed to be analyse by the senior analyser to understand the information of the evidence and how does it related with the case that been happened. This stage is very important and needed to be doing it carefully. This is because if there were some mistake happened, it can make the evidence lost and unable to be found back later on. As an example, the moment collecting the external hard drive had fall to the floor and information inside the hard drive are all corrupted. The figure below shows the evidence that been collected from the crime scene.

4.2.3.1 Evidence Collected

Figure 4.1: Evidence ID001 Mobile Phone

Figure 4.1 is a mobile phone that placed on the desktop computer table inside the suspect room.

Figure 4.2: Evidence ID002 CPU
Figure 4.2: Evidence ID002 CPU

Figure 4.2 shows the CPU that were located in the victim room.
Figure 4.3: Evidence ID003 Printer
Figure 4.3: Evidence ID003 Printer

Figure 4.3 shows the printer that were also found under the desktop computer table. The instructor had found out there were papers located inside the printer which shown in figure 4.4. The instructor had took the paper and keep it as evidence.

Figure 4.4: Evidence ID004 Paper found inside the printer
Figure 4.4: Evidence ID004 Paper found inside the printer

Figure 4.5: Evidence ID005 Laptop
Figure 4.5: Evidence ID005 Laptop

Figure 4.5 shows the laptop of Mr James. It was in a shutdown mode and there’s were no live acquisition needed as it does not have RAM that might shows information.

Figure 4.6: Evidence ID006 Laptop Bag
Figure 4.6: Evidence ID006 Laptop Bag

Figure 4.6 shows a laptop bag that placed on the bed of the suspect. Once the laptop bag being opened, the inspector had found out a charger of the laptop and 2 pen drive.

Figure 4.7: Evidence ID007 Laptop Charger
Figure 4.7: Evidence ID007 Laptop Charger

Figure 4.8: Evidence ID008 Pen drive 521MB
Figure 4.8: Evidence ID008 Pen drive 521MB

Figure 4.9: Evidence ID009 Pen drive 8GB
Figure 4.9: Evidence ID009 Pen drive 8GB

Figure 5.0: Evidence ID0010 Pen drive 1GB
Figure 5.0: Evidence ID0010 Pen drive 1GB

A pen drive were found in the small cupboard of the suspect. It was looking special and it is made in china.

4.2.3.2 Evidence Preservation

There were total 4 digital evidences that needed the inspector to create an image file to make sure the evidence were preserved properly. The evidence were the Desktop computer, the mobile phone, the 3 pen drives and also the laptop. All of the images created were using FTK imager 3.13.

Figure 4.2.3.2 (1): Converting Mr James Laptop into image

-

Figure 4.2.3.2 (2): Converting Mr James Mobile phone into image

Figure 4.2.3.2 (3): Converting Mr James Pendrive into image

4.2.4 Packaging electronic evidence As known, once evidence were all being identified, there will be needed to pack all of the evidences into the evidence bag. The evidence were collected by using antistatic bag and not a normal plastic bags. This is because a normal plastic bags will be having chances to produce static electricity that might cause some changes to the evidence gathered. Besides that all the evidences were labelled properly before it been transport back to the labs.
The evidences were categorised into 2 different category such known as digital evidences and non-digital evidences. The digital evidences that found are Mr James laptop, Pen drives, mobile phone device, printer and a desktop computer. For the non-digital evidence that found were a paper found inside the printer.
In this case, there were non-live acquisition been performed. This is because all of the digital evidence were shut off and this shows that there’s no availability of RAM or live memory to do a live data acquisition.
Meanwhile, for all of the digital evidence that gathered, the inspector had created dd images for 3 of the pen drives, SD card of the smart phone and the desktop personal computer. However, while the inspector were attempting to create dd image for the desktop, the action had been failed and the inspector had found old it is an 8 years old desktop computer which might already unable to be open. Even though, the CPU were still be packed up as evidences.
The pen drives and smart phone were all been put into a Stronghold bag and put into the evidence bag properly. At the same moment, the inspector will make sure that the all of the evidences were properly labelled and documented before leaving the house. In addition, there were chain of custody form prepared to ensure there were nothing left out and after that, the evidence bag will be moved into a cardboard box for transferring.
After that, the inspector had greet Mr James and his wife for the cooperation for letting them to perform the search. Before leaving, Mr James had said that he is innocent and does not involved in what is happening towards the company. After his first preliminary interview, he had knew that the company were suspicious on someone in the company might had misused the staff information to commit some crimes. His wife had also claimed that her husband were innocent and impossible involving in stealing company information.

4.2.5 Transporting electronic evidence

Once the evidence were all moved into the transport, the investigator had make sure that all the evidences were located properly such as putting the desktop computer horizontally to prevent falling down and make sure the evidences were staying away from the speakers that were built in the car. This is to ensure all of the digital evidence were staying away from all of the possible magnetic sources to prevent some circuit failure. The temperature inside the transport were also been controlled to make sure all of the digital evidences will not overheated which gives damages to the electronic evidences.

4.3 Chain of Custody

5.0 Critical Analysis According to the evidence that collected by the inspector Thor, there were total 10 numbers of digital evidence that needed to be analysed. All of the evidence were gathered from the suspect room and there were no live acquisition to bring forward for the further investigation.
The first evidence is the mobile phone with the evidence ID001. The senior analyser had found there were a SD memory card inside the mobile phone. The SD card will bring forward for the forensic investigation.

Figure 5.1: Evidence ID001 Mobile Phone

Figure 5.2: Evidence ID002 CPU
Figure 5.2: Evidence ID002 CPU

Figure 5.2 shows the second digital evidence that been collected. The computer was believed spoiled as there is device failure while the analyser trying to abstract the image file of the desktop computer. There is possibilities that the computer was too old and spoil or there were something made towards the computer to prevent analyser to gain data from it.

Figure 5.3: Evidence ID003 Printer
Figure 5.3: Evidence ID003 Printer

Figure 5.3 shows there were printer been collected to find out extra information. However, there were no logs stored inside the printer. It is known as old model of printer. The instructor had mentioned there were paper found out there were papers located inside the printer. It is possible that there were information the suspect were trying to scan into the computer.

Figure 5.4: Evidence ID004 Paper found inside the printer
Figure 5.4: Evidence ID004 Paper found inside the printer

Figure 5.4 shows the content of the paper that were found inside the printer. It is showing information of gambling betting. It contains the amount of the betting game, name, account number and also the team. The analyser believe that it is possible to be a underground betting was launching by the suspect. It might possibly related with the game that held last month, FIFA 2014.

Figure 5.5: Evidence ID005 Laptop
Figure 5.5: Evidence ID005 Laptop

For evidence ID005, it will bring forward to perform analysis by using forensic procedure. The workstation might contains lots of information.

Figure 5.6: Evidence ID006 Laptop Bag
Figure 5.6: Evidence ID006 Laptop Bag

Once the laptop bag being opened, the inspector had found out a charger of the laptop and 2 pen drive.

Figure 5.7: Evidence ID007 Laptop Charger
Figure 5.7: Evidence ID007 Laptop Charger

The analyser had figured out that the laptop charger is matched with the laptop found on the desk in the suspect room. It is the battery charger for Asus model.

Figure 5.8: Evidence ID008 Pen drive 521MB
Figure 5.8: Evidence ID008 Pen drive 521MB

The analyser believed that there might be important information stored inside the pen drive. This shows that there will be forensic investigation procedure to apply on the pen drive.

Figure 5.9: Evidence ID009 Pen drive 8GB
Figure 5.9: Evidence ID009 Pen drive 8GB

The analyser believed that there might be important information stored inside the pen drive. This shows that there will be forensic investigation procedure to apply on the pen drive.

Figure 6.0: Evidence ID0010 Pen drive 1GB
Figure 6.0: Evidence ID0010 Pen drive 1GB

The analyser believed that there might be important information stored inside the pen drive. This shows that there will be forensic investigation procedure to apply on the pen drive.

5.1 Forensic Analysis
In this part, the forensic examiner, Hon Hao Kong will examine and analyzed all the digital evidence seized in previous stage. Evidence 001, 005, 008, 009, and 0010 will be the digital evidences to be examined and analyzed. Case Number:1 | Evidence Number:005 | Name of Investigator:Hon Hao Kong | Signature of Investigator:Kong | Date Obtained:2nd June 2014 | Obtained From (title, name, location, phone number):Mr. James HomeMelbourne, Australia310-808 2323 | Description of Item:Item: Asus LaptopManufacturer: AsusModel: 20217Serial no: YB01354465Dimensions: 42cm * 19cm * 45cmWeight: 7.5kg | Quantity of Item:1 | CHAIN OF CUSTODY | Date | Released by | Released to | 5th June 2014 | Inspector Thor | Hon Hao Kong | - | - | - | - | - | - |
Table 1 Chain of Custody for Evidence 005

Firstly, the examiner created dd image for evidence 005 from the original copy and retain two copies of it using Access Data FTK Imager as shown in Figure 1 below.

Figure 1 Create dd image for evidence 005
Md5 and SHA1 hashes were then identified on every copy to ensure all the hashes are same as the original copy as shown in Figure 1 above. This is to preserve the evidence so that no changes were made to the original evidence.

After that, evidence 005 is analyzed using Autopsy 3.0.10, a digital forensic tools based on The Sleuth Kit™. There are an deleted excel file and a deleted .jpg file bring found and extracted using that tools as shown in Figure 2.

Figure 2 Deleted found file for evidence 005
However, the excel files is being protected. However, the content of the excel file had been revealed using Autopsy 3.0.10. Figure 3 below shows the content of the database and its metadata. It seems like a database which consists of all the staff’s bank account information. From this, we know that James had unauthorized accessed to the staff’s database in his computer.

Figure 3 Database Consist of Staff Information
Although the excel files is deleted, but its metadata remain and being retrieved using Autopsy 3.0.10. It shows that Mr. James is the creator and the modifier of the excel files. With this, we believe that Mr. James had unauthorized access the company database and save the information for his personal use.
Besides that, from the deleted JPG images, we found some online transaction statements, showing that James had performed online transaction by deposit and withdraw money against his company staff’s account. Figure 4 below shows a sample of the transaction statement from Bankwest- a bank in Australia. With this we have strong reason to believe that Mr. James had unauthorized performed some transaction against his staff’s account.

Figure 4 Bankwest’s transaction statement

Figure 5 Deleted Browser History for evidence 005
Besides that, the examiner found some deleted browser history using Autopsy 3.0.10 as shown in Figure 5 above. From the browser history, we found out that James had accessed to an online gambling website- “bet365.com”, banking website- “bankwest.com”. He had also performed some google search on generating fake email techniques as well as some generating cipher techniques. From this, we know that James performed some online transaction using “bankwest.com” and performed illegal online gambling.

Figure 6 Deleted Emails Found for evidence 005
Besides that, there is an option in Autopsy where we can locate all the emails even if it is deleted. Figure 6 above shows all deleted email message. After clicking “View Source File in Directory”, the directory where all deleted emails is being retrieved as:
“/Users/James/AppData/Roaming/Thunderbird/Profiles/jjzurk7b.default/ImapMail/ima.googlemail.com/[Gmail].sbd”
From the recovered email message, it shows that James had chat with his wife Mary Lih Yin with the conversation regarding cipher. It also shows a user named “Hao Kong” had send enquiries to Mr. James regarding the gaining money through advertisement postings. Thus, we have strong reason to believe that Mr. James had sent some spam advertisement emails to some users.

Case Number:1 | Evidence Number:001 | Name of Investigator:Hon Hao Kong | Signature of Investigator:Kong | Date Obtained:2nd June 2014 | Obtained From (title, name, location, phone number):Mr. James HomeMelbourne, Australia310-808 2323 | Description of Item:Item: Mobile PhoneManufacturer: Sony EricsonModel: Z520Serial no: SE01354465Dimensions: 12cm * 19cm * 5cmWeight: 600g | Quantity of Item:1 | CHAIN OF CUSTODY | Date | Released by | Released to | 5th June 2014 | Inspector Thor | Hon Hao Kong | - | - | - | - | - | - |

Table 2 Chain of Custody for Evidence

Figure 7 hash of evidence 001
Figure 7 above shows the md5 hash and sha1 hash for evidence 001. Same as evidence 005, this dd image is created in two copies, while all the copies having same hash. This is to prove that no changes were made to the original copy.

Figure 8 deleted image in sd Card for evidence 001
After that, the dd image of the phone’s sd card was processed and analysed using Autopsy 3.0.10. It shows that there are some .jpeg images being deleted. Two of the image raised the suspicion of the examiner. As shown in Figure 9 below, it shows a database’s content being captured using the phone camera.

Figure 9 deleted database image A
However, the content of the database is same as the excel file in previous section. From this, we have strong reason to believe that Mr. James performed unauthorized access to the company database and capture a picture of it and saved in the sd card. However, even though it is deleted, but it had been successfully recovered.

Figure 10 deleted image B
As show in Figure 10, Mr James had captured and saved his transaction list in his phone’s sd card. From the transaction list, we know that Mr. James had performed transaction by deposit and withdraw against staffs account.

Case Number:1 | Evidence Number:008, 009 and 0010 | Name of Investigator:Hon Hao Kong | Signature of Investigator:Kong | Date Obtained:2nd June 2014 | Obtained From (title, name, location, phone number):Mr. James HomeMelbourne, Australia310-808 2323 | Description of Item:Item: Removable DriveManufacturer: Sandisk, KingstonModel: -Serial no: -Dimensions: 3cm * 5cm * 4cmWeight: 60g | Quantity of Item:1 | CHAIN OF CUSTODY | Date | Released by | Released to | 5th June 2014 | Inspector Thor | Hon Hao Kong | - | - | - | - | - | - |

Figure 11 Create DD image of James's Removable drive
For evidence 008, 009 and 0010 which is Mr. James’ removable drives, the examiner also create the dd image and preserve these evidences by creating two copies of it and verify its MD5 and SHA1 hash as show in Figure 11. However, after analyzing, the examiner found out that all the data inside is not related to the case, it’s all Mr. James song, movies and photo.

6.0 Case Reconstruction
Not all evidences collected will be used for identification and analysis purpose. We must identify the function, locations and the duration for the evidences. Therefore, in this stage, the examiner will construct all the evidences to find out which is related to the case. This stage broken down into three sections: functional, timeline and relational analysis. Functional analysis is to find out how the evidence works and is that possible or impossible to work. Timeline analysis is to find out the sequences of analyzing the evidence in time. Last but not least, relational analysis is to find out who is involved in the case, where it is happens and what is the case.
6.1 Functional Analysis
There are some evidences found using forensic tools in previous section. The first evidence is found is the seizure computer. After the investigation on it, we found out that Mr. James running Windows 7 in his laptop’s virtual machines. Some files are being recovered using forensic tools- Autopsy 3.0.10. We found out that Mr. James created a excel file and put all the staff’s information inside it and this excel file is being deleted. Besides that, Mr. James performed some search on email spoofing and cipher creation techniques on his chrome browser. He also frequently accessed banking website- “bankwest.com.au” and online gambling website- “bet365.com”. Besides that, he used Mozilla Thunderbird as his email manager and chat client. Analysis in previous section shows that Mr. James has a conversation channel with his wife in Mozilla Thunderbird and he also sends spam advertisement emails using this. Table 1 below shows the Mr. James action and the software used in this case.

Action | Software | Description | - Create excel files | - Microsoft Excel | - Created database related to staff information and deleted it | - Create fake email- Chat with Mary | - Mozilla Thunderbird | - Created and send spams advertisement email- Chat with his wife, Mary regarding cipher and email spoofing | - Accessed online gambling website, banking website- Search on cipher and faking email | - Google Chrome | - Performed online gambling and online banking - Learn cipher and email spoofing techiques |
Table 3 Mr. James Functional Analysis

6.2 Timeline Analysis
On 25th May 2014, our team had applied for the search warrant in the suspect’s- Mr. James room. On 1st June 2014, the search warrant had been obtained. On 2nd June, we performed and search and seizure at the suspect room. The suspect room was taken photograph from all directions. All the seize evidence had been identified and preserved. MD5 and SHA1 hash was identified for all the evidence collected. This is done to preserve the integrity of the data in the evidence.
The analysis was then started on 5th June, where the dd image of James laptop is being added and analyzed in Autopsy 3.0.10- a forensic tool based on The Sleuth Kit. The analysis shows that Mr. James had browse through the online gambling website and banking website on 18th May to 21st May- which is 1 week before Susan Rice, Manager of MATM received the complaint. Besides that, it shows that Mr. James had an email conversation in Mozilla Thunderbird with his wife, Mary on 20th May regarding cipher and email spoofing topics. Besides that, Mr. James had created and deleted a database with all the staff information on 21st May.
After analyzed Mr. James laptop, we quickly analyzed the sd card of Mr. James phone on 20th June 2014. It shows that there are 2 photos being deleted from his sd card regarding the database and bank transaction history on 22nd May. Whereby, the database photo having the same content as the excel database in his desktop.
With all this information and the timestamps, we have strong reason to believe that the suspect Mr. James had performed the crime as stated in the case study.
10th June 4pm- Reconstruct all the evidences
10th June 4pm- Reconstruct all the evidences
8th June 10a.m- Analyse Evidence 008, 009, and 0010- Mr James removable drive
8th June 10a.m- Analyse Evidence 008, 009, and 0010- Mr James removable drive
7th June 4pm- Analyse Evidence 005- Mr James Laptop
7th June 4pm- Analyse Evidence 005- Mr James Laptop
6th June 10a.m- Analyse Evidence 001- Mr James Phone
6th June 10a.m- Analyse Evidence 001- Mr James Phone
5th June 3pm- Create dd image for all seize evidences
5th June 3pm- Create dd image for all seize evidences
25th May 3.00pm- Apply Search Warrant
25th May 3.00pm- Apply Search Warrant
2nd June 7.00pm – Perform Search and Seizure in James Home
2nd June 7.00pm – Perform Search and Seizure in James Home

6.3 Relational Analysis

Figure 12 Relational Analysis
Based on Figure 12 above, we basically understand the whole story. James, a Manager’s Secretary of MATM plans to perform money laundering using staffs account. He asked his wife, Mary to perform the transaction in the staff account as his wife holds an importance position in Bankwest by providing the database of the staff account to his wife. Besides that, Susan Rice the manager of MATM received complaint from her staffs regarding money added and subtracted from their bank account and their friends received unwanted advertisement emails.

7.0 Apply and Result of Subpoena

Once the subpoena been applied towards the BankWest shown in appendix B, the forensic investigator had found out that the transaction shown were matched as what been assume earlier on. Although there were unknown had transfer the money into bank account of the staffs, on the next day, the same amount of money are all been transferred to the family account of Mr James.

The family were all being questioned and they had clarified that they did not knew there were money being transferred into their account. They claimed that all of their accounts were handle by Mary, the wife most of the time.

After the investigation and result gained from the subpoena, it were able to prove that Mr James and his wife were performing money laundering.

8.0 Legal Discussion and Implication
This section of the report covers the legal discussions of the acts committed by Mr. James and his wife using the accounts of MATM’s staff. These unethical and unlawful acts would be judged based on a few Australian laws and to name a few would be the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, Interactive Gambling Act 2001, Privacy Act 1988, and the Income Tax Assessment Act 1997. Since the crimes committed were done in Bankwest in Perth, Australia the penalties that will be sentenced on the perpetrator will be based on the Australian Laws. 1. Anti-Money Laundering and Counter-Terrorism Financing Act 2006
This law was established after close consultation with stakeholders from various industries from 2004 to 2005 and the Australian government decided to implement this AML/CTF Act in two divisions. The first was to regulate the financial and gambling sectors and the second was to extend the jurisdiction to include business and professions such as lawyers, accountants, and real estate agents (Commonwealth of Australian, 2013). The act was meant to help detect and prevent money laundering from happening as it also provides financial intelligence for major agencies in Australia. Mr. James and his wife as an accomplice had violated this act by laundering money using the MATM’s staff accounts. 2. Interactive Gambling Act 2001
This act was devised to regulate interactive gambling services such as betting, online poker, and internet gambling. These services are regulated by prohibiting customers in Australia to indulge in interactive gambling services and also to prohibit any Australian-based interactive gambling services to customers in any countries. One of the important things outlined in the act is that any form of advertising for of interactive gambling service is prohibited (ComLaw, 2011). In the Department of Broadband, Communications and the Digital Economy’s (DBCDE) Final Report it was stated that all types of micro betting should be banned and the state authorities and sporting bodies have greater power in approving bet types for betting companies (J. Nettleton, 2013). In this case, Mr. James had violated this law by advertising his betting services in emails and also by illegally conducting online wagering services. 3. Privacy Act 1988
The Privacy Act of 1988 was developed with the objective of protecting the privacy and protecting the data for individuals including promoting the transparent handling of personal information by business entities responsibly. Stated in the object of the act is also on ensuring privacy of individuals is respected when facilitating a credit reporting system (ComLaw, 2014). Mr. James and his wife both did not get the consent all the staff that had money added and subtracted from their account therefore, they will be put to trial with this act being one of their convictions. 4. Income Tax Assessment Act 1997
This Act is designed to help an individual to accurately identify the provisions that are relevant to their purpose in reading the income tax law. The act focuses on other obligations of individuals other than just being taxpayers of Australia which are to keep records of income and provide information on it and to lodge income tax returns based on annual earnings (Australian Taxation Office, 2013). Every registered business and source of income of an individual must have its tax paid for. Due to Mr. James being an illegal bookie, the income from this financial fraud crime did not have its tax paid which also mainly due to his money laundering activities. 5. Cybercrime Act 2001
This act was enacted to help deter crimes happening online and on computers. It was a quick decision to come up with this acts due to the well-publicized online attacks. The Australian government has a reputation of implementing excessive online laws which is also capable of criminalizing innocent activities such as possession of security software (Electronic Frontiers, 2001). In this case, Mr. James is guilty of accessing a computer with authorization and using it for other illegal activities.

8.1 Legal Discussion Perspectives
From the analysis results of the evidence obtained, it is clear that Mr. James had committed numerous crimes and will be put on trial for his offences. The following table shows the parties involved in this case and also how they are involved. Parties | Description | Mr. James | The main perpetrator of this case. Among the charges that will be filed against him are counts of money laundering, tax evasion, illegal sports betting, and also unauthorized access to personal database and distribution personal data of MATM staff. | Mary | Wife of Mr. James and Secretary Manager in Bankwest. She is an accomplice to the crimes of Mr. James which includes laundering money using accounts of registered bank customers. She also had access to personal data of MATM staff in the form of an Excel file. | MATM | Mr. James was the head of accounting department in this company. This is the company where he stole the staff database and shared it with his wife, Mary. The company is able to sue Mr. James for disclosing personal data of staff and for using their staff as a medium to launder money. | Victims (MATM Staff) | The staffs noticed transactions happening in their bank account where small amounts of money is added and then subtracted from their account. One staff claimed his personal email address was used to send advertising emails about the FIFA World Cup and this is due to Mr. James performing email spoofing. This staffs are the victims of having their personal data misused. | AUSTRAC | They are the financial intelligence unit and anti-money laundering regulators in Australia. They serve to protect the integrity of their country’s financial system. They will be the main party trying to get Mr. James a long time in prison. |

Mr. James can be convicted under many acts as stated above. Written below are some of the many implications that he might face. 1. MATM vs Mr. James
Statement:
Mr. James misused his powers by accessing personnel database without authorization and took pictures of the databases using his phone and later gave it to his wife in an Excel file format. The MATM employees noticed their fellow colleague have been spamming them with advertising emails regarding the FIFA World Cup in their inboxes.
Verdict:
Based on the statement above, it is concluded that Mr. James had unauthorized access to the database of MATM which is a direct violation to the Cybercrime Act 2001 Part 10.7 Division 477.1 (5) which is titled ‘Unauthorized access, modification or impairment with intent to commit a serious offence’. This part of the act states that a person is guilty of an offence if the person “causes any unauthorized access to data held in a computer, and the person knows the access, modification or impairment is unauthorized”. The fact that Mr. James had use this information for other illegal purposes like money laundering and illegal betting, his case will also be classified as a serious computer offence where “the person intends to commit, or facilitate the commission of, a serious offence against a law of the Commonwealth by the access, modification or impairment”. The penalty that he might receive for this breach of trust is only 2 years, but for his case it might reach up to the amount of jail time for the serious offence that he has committed from accessing the database, which is money laundering. 2. Data theft victims (MATM Staff) vs Mr. James
Statement:
Mr. James and his wife had used the personal data for the MATM staff for their personal gain. It can be said that Mr. James had used the information of the staff without consent and his wife, Mary had been an accomplice to James in abetting his crime.
Verdict:
Privacy Act 1988 Part IIIA Division 3 Subdivision E 20Q (2) (a) states that “all credit reporting body has to enter into agreements with credit providers that require the providers to protect credit reporting information that is disclosed to them from unauthorized access, modification or disclosure” which is what Mr. James had violated while being in a position of power. As such, he is deemed to have caused an offence in Privacy Act 1988 Part IIIA Division 6 No.24 which states “an entity commits an offence if the entity obtains credit reporting information and the entity is not an entity to which the body is permitted to disclose the information under Division 2 of this Part”. The penalty to this offence is 200 penalty units and currently one penalty unit is $144.36 (Victoria Legal Aid, 2014). This may lead Mr. James and his wife to be fined up to $28,872 individually.

3. AUSTRAC vs Mr. James
Statement:
Mr. James had been laundering money with the help of his wife, Mary with the earnings from his FIFA World Cup betting services that he provides. Due to earning funds from illicit activities, the money earned will not be taxed therefore Mr. James will also be charged with tax evasion.
Verdict:
It is stated in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 Part 12 (142) (1) that “the first person is, or causes another person to become, a party to 2 or more non‑reportable transactions and it would be reasonable to conclude that the first person conducted, or caused the transactions to be conducted, in that manner or form for the sole or dominant purpose of ensuring, or attempting to ensure, that the money or property involved in the transactions was transferred in a manner and form that would not give rise to a threshold transaction that would have been required to have been reported under section 43”. Mr. James had made his wife become an accomplice by having her to launder his dirty money and it will be impossible for both of them to claim they did their actions unknowingly. The penalty for this crime might be up to 5 years and 300 penalty units.
Sports betting are considered as excluded wagering service and are legal in Australia if it complies with specific rules. Based on the Interactive Gambling Act 2001 Part 2A (15) “a person is guilty of an offence if the person intentionally provides an interactive gambling service and is a service relating to betting on the outcome of a game of chance or of mixed chance and skill.” Mr. James has also been acting as a bookie for the FIFA World Cup and has not registered his business therefore making it illegal. He also committed another offense which was to advertise his betting service on emails and this offence may lead to a penalty of 2000 penalty units.
Mr. James had also violated the Income Tax Assessment Act 1997 by soliciting himself with illicit money gained from being a FIFA World Cup bookie. This will be one of the charges AUSTRAC will be charging Mr. James with in accordance to the money laundering charges.

9.0 Conclusion and recommendations

9.1 Conclusion

Mr. James is the supervisor of the accounting department in MATM and has committed several crimes during his period of working with MATM. He was also a bookie for the FIFA World Cup 2014 and opened an online betting service. He used email spoofing to use an email of his staff to advertise his betting service. In order to gain access to the staff information, Mr. James used the company workstation and had unauthorized access to its database which he took pictures of and provided it to his wife to launder money for him. Staff of MATM began complaining to their manager Susan Rice that money was being added and then subtracted from their account. Susan Rice decided to have an investigation as Mr. James turned out to be the main suspect. Numerous steps as documented above are done before seizing the evidence and during the seizing of evidence. The evidences seized were Mr. James mobile phone, printer, laptop, and pen drives. Legal implications were discussed as well whereby it was shown that Mr. James would be charged under 5 different acts which are the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, Interactive Gambling Act 2001, Privacy Act 1988, and the Income Tax Assessment Act 1997.
9.2 Recommendations

1. Having a superior to always keep an eye on the activities done by the managers and head of departments. 2. Having the database files to require two authorization or 2 accounts to be logged in to be accessed as this would prevent unauthorized access like what Mr. James did. 3. Implementing CCTV to monitor employee behavior during working hours. Employees network activity should also be monitored to gain knowledge of what they are doing in the office. 4. The company must implement Access Level Privileges (ACL) to all staffs, so that every staffs will have limited access to company information. 5. Be aware of more new forensics software to bring into investigation.

10.0 References
Ag.gov.au, (2013). Australia’s anti-money laundering and counter-terrorism financing regime | Attorney-General's Department. [online] Available at: http://www.ag.gov.au/CrimeAndCorruption/AntiLaunderingCounterTerrorismFinancing/Pages/regime.aspx [Accessed 12 Jun. 2014].
Austlii.edu.au, (2014). ANTI-MONEY LAUNDERING AND COUNTER-TERRORISM FINANCING ACT 2006. [online] Available at: http://www.austlii.edu.au/au/legis/cth/consol_act/alacfa2006522/ [Accessed 11 Jun. 2014].
Austlii.edu.au, (2014). INTERACTIVE GAMBLING ACT 2001. [online] Available at: http://www.austlii.edu.au/au/legis/cth/consol_act/iga2001193/ [Accessed 12 Jun. 2014].
Comlaw.gov.au, (2011). Interactive Gambling Act 2001. [online] Available at: http://www.comlaw.gov.au/Details/C2012C00299 [Accessed 12 Jun. 2014].
Comlaw.gov.au, (2014). Cybercrime Act 2001. [online] Available at: http://www.comlaw.gov.au/Details/C2004A00937 [Accessed 12 Jun. 2014].
Comlaw.gov.au, (2014). Income Tax Assessment Act 1997. [online] Available at: http://www.comlaw.gov.au/Details/C2013C00082 [Accessed 11 Jun. 2014].
Comlaw.gov.au, (2014). Privacy Act 1988. [online] Available at: http://www.comlaw.gov.au/Details/C2014C00076/Html/Text#_Toc382302891 [Accessed 13 Jun. 2014].
Efa.org.au, (2001). Cybercrime / Computer Crime Legislation. [online] Available at: https://www.efa.org.au/Issues/Privacy/cybercrimeact.html [Accessed 15 Jun. 2014].
Law.ato.gov.au, (2013). TPAL 2013/1 - Lodgment of returns for the year of income ended 30 June 2013 in accordance with the Income Tax Assessment Act 1936 , the Income Tax Assessment Act 1997 , the Taxation Administration Act 1953 , the Superannuation Industry (Supervision) Act 1993 and the Income Tax (Transitional Provisions) Act 1997. [online] Available at: http://law.ato.gov.au/atolaw/view.htm?docid=%22OPS%2FTPAL20131%2F00001%22 [Accessed 13 Jun. 2014].
Legalaid.vic.gov.au, (2014). Penalty units | Victoria Legal Aid. [online] Available at: http://www.legalaid.vic.gov.au/find-legal-answers/fines-and-infringements/penalty-units [Accessed 15 Jun. 2014].
Nettleton, J. (2013). Review of the Interactive Gambling Act 2001 - release of the final report of DBCDE - implications for online gambling in Australia - Media, Telecoms, IT, Entertainment - Australia. [online] Mondaq.com. Available at: http://www.mondaq.com/australia/x/257770/Gaming/Review+of+the+Interactive+Gambling+Act+2001+release+of+the+final+report+of+DBCDE+implications+for+online+gambling+in+Australia [Accessed 13 Jun. 2014].

Appendix A– Affadavit

AFFIDAVOT FOR SEARCH WARRANT Search Warrant Number:1314567
AFFIDAVIT AND APPLICATION FOR A SEARCH WARRANT

The undersigned Affiant, being a Police Officer under the laws of Australia and being duly sworn, on oath makes the following statements and accusations: 1) There is in Melbourne, Australia, a suspected place and premises described as and located as follows Unit 2, 27 Morang Rd, Hawthorn, VIC 3122 2) There is at said suspected place and premises the following item(s) which are implements or instruments used in the commission of a crime and, or items constituting evidence of a criminal offense or constituting evidence tending to show that a particular person committed a criminal offense: a. Computers, including personal computers, smartphone, computer systems, central processing units, and computer peripheral devices, any electronic, magnetic, optical, electrochemical, or other high speed data processing and storage devices performing logical, arithmetic, or storage functions; data storage facilities (internal and/or peripheral) or media storage devices such as magnetic tape, hard disk drives, floppy disks, thumb drive, CD-ROM or scanner; b. Data stored within computers or other processing and storage devices, to include computer applications, images, text, programs, encryption routines and algorithms, or other data that may be decoded, reconstituted, or otherwise manipulated to produce, utilize, transmit, receive, encrypt, encode, or display such images, text, programs, encryption routines, and algorithms. c. Computer manuals, documents, logs and system documentation or instructional material including passwords, passphrases or other material whether handwritten, printed, or in book form, relating to such devices and printers. a. Electronic communications stored within computers or other processing and storage devices as e-mail. Such information and/or communications that may be in the form of electronic communications (such as e-mail) residing on any media (e.g., magnetic, optical or digital media). That information may include electronic communications held or maintained in electronic storage by an electronic communication service or remote computing service. These communications are referred to herein as “stored communications”. These communications related to this case stored in the suspect’s computer or other electronic devices as e-mail. a. Printed copy(s) of electronic communications between suspect and conspirators, known or unknown. **OR** a. Printed copy(s) of electronic communications between suspect and other persons, known or unknown apparently interested in suspect. 3) Said suspected place and premises are in charge of and controlled by each of the following persons: James Michael. DOB: 2 September 1969. 4) It is the belief of the Affiant, and he hereby charges and accuses, that: James Michael. DOB: 2 September 1978, committed the offense(s) of Personal Data Protection Act 2009 Section 130 Computer Crime Act 1997 Section 3 5) Affiant has probable cause for said belief by reason of the following facts: a. Affiant is Thor Lih Yin, Senior Inspector

b. During the course of this investigation and preparation of this warrant, Affiant has consulted with an Investigator for Australia. The Investigator is responsible for the investigation of cases involving computers utilized in criminal activities. c. Based on your Affiant’s knowledge, training, and experience along with the experience of other law enforcement personnel with whom Affiant has consulted on this issue, your Affiant knows that data “erased” or unsaved can remain on a computer for some time after it is deleted and or viewed in slack or unallocated space. It will remain on the computer until such data is overwritten by another file, which frequently does not occur for months. d. Based upon your Affiant’s knowledge, training, and experience along with the experience of other law enforcement personnel with whom Affiant has consulted on this issue, your Affiant knows that effective searches and seizures of evidence from computers commonly require law enforcement officers to seize most or all computer items (hardware, software, and documentation) and then process these items later in a controlled laboratory environment which may be in a County other than that in which the material was seized. This is true because of the following:

i. Computer storage devices (hard disks, diskettes, tape, and removable drives) can store the equivalent of thousands or millions of pages of information. When users desire to conceal criminal evidence, they often store the information in random order with deceptive file names. Directories and subdirectories that contain these files can also be electronically hidden from normal view. Special forensic software is required to detect these hidden directories. This requires searching authorities examine all the stored data to determine whether it is included in the search warrant. This sorting process can take weeks or months, depending on the volume of data stored. This would make it impractical to attempt this kind of forensic analysis on site at the time of search warrant execution. ii. Searching computer systems for criminal evidence is a highly technical process requiring expert skills in a properly controlled environment. The vast array of computer hardware and software available requires even computer experts to specialize in some systems and applications. It is difficult to predict before a search which expert should analyze the system and its data or which facility would be best suited to that analysis. iii. The search of a computer is an exacting scientific procedure which is designed to protect the integrity of the evidence and to recover even hidden, erased, compressed, password protected, and/or encrypted files. Since computer evidence is extremely vulnerable to tampering or destruction from both external sources or from destructive codes imbedded in the system in the form of a “booby trap,” the controlled environment of a forensic laboratory is essential to its complete and accurate analysis and retrieval. iv. In order to fully retrieve data from a computer system, the forensic analyst needs all magnetic storage devices, as well as the central processing unit (CPU). In cases like this one, where the evidence consists partly of graphic files, the monitor and printer are also essential to show the nature and quality of graphic images that the system could produce. v. In addition, the forensic analyst needs all the system manuals, directions, notes, passwords, software, encryption, encoding, archiving, unarchiving and security software (operating system, applications, and hardware drivers) which may have been used to retrieve, store, create, transmit, encrypt or encode the data. The Affiant seeks the above noted items to facilitate and affect search with minimal intrusion and to lessen the likelihood of damage to non-pertinent files or equipment. vi. In addition, there is probable cause to believe that the computer and its storage devices, monitor, keyboard, modem, printer, as well as all internal and external storage devices are all instruments used in the commission of this crime and should be seized as such. WHEREFORE, based on the facts, circumstances, the training of Affiant and the information noted in this document, Affiant asks for issuance of a warrant that will authorize him to search said suspected place and premises for said personal property and seize the same.

AFFIANT

Subscribed and sworn to before me by said Affiant on
25 day of May 2014

District Judge, High Court of Australia

Appendix B- Subpoena

Federal circuit court of australiaREGISTRY: ........................................................ | File number: P)YUG006/2014 | | COURT USE ONLY | | The last date for service of this subpoena is (refer to Notes 2, 3 &4 on page 4)27/09/2013 | | Documents must be produced to registry by: 14/10/2012 | | | | | Yuvaraj
Applicant
BANK WEST
Respondent
SUBPOENA

To (name) Bank West Organisation of (address) 75 Old Street
Oldtown State: NSW Postcode: 2002
YOU ARE ORDERED TO: (select one box only) Attend court to give evidence (see Part A for details of order) Attend court to give evidence and produce documents (see Part B for details of order) Produce documents to the Court (see Part C for details of order).

TAKE NOTICE: if you fail to obey this subpoena * a warrant may issue for your arrest * you may be liable to pay any costs occasioned by your failure to comply, and * if the matter relates to proceedings under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 * Date: 22 June 20134 Registrar: yuvaraj Registrar The last date for service of this subpoena is 27/06/2014 (See Notes 2, 3 & 4) Filed on behalf of | Yuvaraj, the applicant | Prepared by | Yuvaraj | Lawyer’s code | 33445 | Name of law firm | TheYuva | Address for service in Australia | Unit 12, 5 zz Street | Redfern | State | NSW | Postcode | 2106 | Email | yuva@gmail.com | DX | | Tel | 0492 111 111 | Fax | 04292920211 | Attention | |
Please read Notes 1 to 16 at the end of this subpoena

-------------------------------------------------
Part A. Details of order to attend court to give evidence
-------------------------------------------------
Date you must attend court: ............/............/...........
Time you must attend court: ...................... AM PM
Place you must attend court: .................................................................................................................
-------------------------------------------------
You must continue to attend from day to day unless excused by the Court or a registrar or until the hearing of this matter is completed.
-------------------------------------------------

-------------------------------------------------
Part B. Details of order to attend court to give evidence and produce documents
-------------------------------------------------
Date you must attend court: 30 June 2014
Time you must attend court: 9.30 AM PM
Place you must attend court: Court 6B, John Maddison Tower, 88 Goulburn Street, Sydney
-------------------------------------------------
You must continue to attend from day to day unless excused by the Court or a registrar or until the hearing of this matter is completed.
-------------------------------------------------

-------------------------------------------------
When you attend court, you must produce the books, documents and things described in the Schedule on page 3.

-------------------------------------------------
Part C. Details of order to produce documents to the Court
-------------------------------------------------
You must produce the books, documents and things described in the Schedule on page 3:
-------------------------------------------------
Date and time for production: On or before ...................... PM on ............/............/...........
Place: You must produce the books, documents and things described in the Schedule to an officer of the Federal Circuit Court of Australia, .......................................................................... registry,
-------------------------------------------------
(address of court) ..............................................................................................................................
-------------------------------------------------
............................................................ State: ................. Postcode: ................
-------------------------------------------------
Instead of attending court you may post or deliver the books, documents and things described in the Schedule to the Registry at the ‘address of Court’ specified above at least 2 days before the date for production specified above.
-------------------------------------------------
See Notes 11 and 12 for automatic release of documents.
-------------------------------------------------

-------------------------------------------------
This subpoena was issued at the request of the issuing party named in the footer on page 1.
DO NOT send subpoenaed documents to this person.
-------------------------------------------------
Subpoenaed documents must be produced to the Court, notwithstanding any objection being made.
-------------------------------------------------
The registrar will issue a receipt to the person producing the documents or things.
-------------------------------------------------

SCHEDULE (if insufficient space attach list) Books, documents and things you must produce from your possession, custody or control 1. a copy of this subpoena 2. a copy of any and all correspondence, including but not limited to emails, letters, memos, written records of telephone conversations and text messages, between Mr James and Staffs in MATM from 22 June 2013 to 30 June 2013 inclusive. * a copy of any correspondence including but not limited to emails, letters, memos, written records of telephone conversations and text messages, to the applicant from an officer or employee of the respondent relating to starting times. Note: You may, with the consent of the issuing party, produce a copy, instead of the original of a document Federal Circuit Court Rules 2001 – Rule 15A.02
Subpoena_FCC_0313.V1
Subpoena_FCC_0313.V1

NOTES
Limit on number of subpoenas 1. Unless the Court directs otherwise, a party or independent children’s lawyer must not request the issue of more than 5 subpoenas in a proceeding.
Service of subpoena 2. Where this subpoena requires the person to attend court to give evidence, the issuing party must serve this subpoena personally on the person subpoenaed at least 7 days before the date for attending court 3. Where this subpoena requires the person to attend court to give evidence and to produce documents, the issuing party must serve this subpoena personally on the person subpoenaed at least 10 days before the date for attending court. 4. Where this subpoena requires the person to produce documents to the Court, the issuing party must serve this subpoena on the person subpoenaed at least 10 days before the date for producing documents.
Service of copy of subpoena 5. The issuing party must serve by ordinary service a copy of this subpoena on each other party, any interested person and any independent children’s lawyer in the proceeding within a reasonable time before attendance or production under the subpoena is required. 6. An ‘interested person’ means a person who might reasonably have an interest in the subject matter of the subpoena.
Cost of complying with subpoena 7. The person serving the subpoena must give the person subpoenaed conduct money sufficient for return travel between the place of residence or employment (as appropriate) of the person subpoenaed and the Court. The amount of conduct money must be at least $25. 8. If you are the person subpoenaed and you are not a party in the proceeding and you will incur substantial loss or expense in properly complying with the subpoena, you may apply to the Court for an order that the issuing party pay you an amount (in addition to conduct money) in respect of the loss or expense. If you wish to make such an application, you must, before complying with the subpoena, give notice to the issuing party that substantial loss or expense would be incurred in properly complying with the subpoena, including an estimate of the loss or expense.
Objection to production, inspection or copying of documents 9. The person required by this subpoena to produce documents or things may object to producing a document by completing filing and serving the attached Notice of Objection – Subpoena before the date specified in this subpoena for production. The documents or things identified in the subpoena must be provided to the registry before the date of production, even if the person required to comply with the subpoena lodges a Notice of Objection. 10. Any party or any interested person may object to inspection or copying of a document described in this subpoena by completing filing and serving the attached Notice of Objection – Subpoena before the date specified in this subpoena for production.

Automatic release of documents for inspection or copying (Part C) 11. Subject to any objection being upheld or an order of the Court and subject to the issuing party filing a notice of request to inspect in the approved form, each party and any independent children’s lawyer may, by appointment, inspect all documents produced in response to this subpoena and may take copies of all documents produced in response to this subpoena (other than a child welfare record, medical record, criminal record or police record). 12. A person who inspects or copies a document produced in response to this subpoena must: (a) use the document for the purpose of the proceeding only, and (b) not disclose the contents of the document or give a copy of it to any other person without the Court’s permission.

Child welfare, medical, criminal and police records 13. Child welfare records, medical records, criminal records and police records produced in response to this subpoena will be available for inspection by each party and any independent children’s lawyer, but these records will not be available for copying.
Child welfare records are records relating to child welfare held by a State or Territory agency mentioned in Schedule 9 to the Family Law Regulations 1984.
Note: For child welfare records, there may be restrictions on inspection imposed by protocols entered into between the Court and the relevant child welfare department
Criminal record means a record of offences for which the person has been found guilty.
Medical record means the histories, reports, diagnoses, prognoses, interpretations and other data or records, written or electronic, relating to the person’s medical condition, that are maintained by a physician, hospital or other provider of services or facilities for medical treatment.
Police record means records relating to the person kept by the police, including statements, police notes and records of interview.
Objection by person to inspection of medical records 14. If the documents to be produced under this subpoena include a person’s medical records, that person may, before the date stated for production, notify the Registrar in writing that he or she wants to inspect the records for the purpose of determining whether to object to the inspection or copying of the document by any other party. 15. If such notice is given: (c) that person may inspect the medical records and may, within 7 days after the date stated in the subpoena for production, object to inspection or copying of a document described in this subpoena by completing filing and serving the attached Notice of Objection – Subpoena, and (d) unless otherwise ordered, no other person may inspect the medical records until the later of 7 days after the date stated in the subpoena for production or the hearing and determination of the objection.

Time and date for hearing an objection 16. Any objection in relation to this subpoena will be heard before a Judge or Registrar. The Registrar will advise the parties and the objector of the time and date when they will be required to attend court for the hearing and determination of the objection.