The knock on the door you REALLY don't want to hear
It isn't just paedophiles. It is the accountant who thinks he is worth more than the company decides to pay him, and decides to create and pay fictitious invoices. It is the card-cloning gangs buying and selling mag stripes and card dumps. It is the drug dealers who think they are smarter than the police.
Or it is just the plain unlucky techie who has been swept up into a cybercrime investigation through no real fault of their own.
You're under arrest.
Everyone hopes it never happens to them. Mud sticks, especially where computer crimes are concerned. Contrary to popular belief, the 5am door knock is rarely used for e-crime suspects as they are usually in custody by the time the evidence collection happens.
The information that leads to your arrest is not dreamed up by some bored copper. Rather, it will likely come from one of two distinct avenues. It can be allegations made by individuals, or alternatively, it can be what the police call “intelligence-led” - where potential information comes from other police operations.
An example of an intelligence-led investigation is one where people who have used their credit cards to buy illegal porn are identified. Sometimes evidence even comes from rape or murder cases. When such cases occur, computers are taken because they can contain a treasure trove of information, such as a suspect having used Google to research "how poisons work" in preparation for carrying out a murder.
A computer crime suspect would be treated in the same manner as any other. They would be arrested, their homes searched, and they would be questioned about any evidence found during the search. This would be done under caution, with the famous rubric: "You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence."
The type of police officer who seizes the offending items depends on the perceived complexity of the case and factors such as the expected level of technical knowledge of the user.
If the suspect is an average home user, a specially trained PC (police constable) will pay a visit to the home and seize any and all computer equipment and associated media on the premises. These officers, although not forensic experts, are trained in preserving evidence and logging it into custody. The shocked residents sharing the house with the suspect would be treated to a hard door knock, a signed warrant and a house full of burly coppers collecting all the evidence they could find, ripping the place apart looking for anything incriminating. Not an ideal way to start the day, for sure.
Seized items are bagged with tamper-proof tags and ID labels, clicking shut like the same cable ties we use to keep our own systems in order. The tag holds details such as the item description and photographs of the evidence as it was seized, plus the time and place of seizure, case references and an exhibit ID. Inside the clear bags would be all the IT gear belonging to the suspect. Evidence is not just computers and disks, but can also be passwords on Post-It notes or scraps of paper, printouts or even financial statements. The potential mountain of IT paraphernalia is then put in the back of a police van and driven away, just as we've seen on countless news and cop shows.
In situations where a business computer is involved, the collection method can be very different: you can't take all the computers or the business would simply fold.
Sometimes the police will be invited in by the business after financial irregularities or incriminating logs have been found and the individual has had their access keys and VPN access cancelled before being summarily marched off the premises, or if they are lucky, put on gardening leave. In such instances the suspect’s computer may be seized as evidence.
Other computers in the office would be imaged using a specialist forensic tool such as EnCase, in conjunction with a write blocker to preserve the integrity of the source disk. A write blocker is a hardware device that sits between the source disk and the examiner's machine and prevents any writes to the disk. Any source disk that has been written to is considered tainted evidence.
If police even suspect there might be illegal images on the computer in question, the computer will be removed for inspection. If a financial crime is suspected the police will still seize the equipment. Rarely is anything left behind.
You will then be taken to the police station.
Bedding down for the night
After all the items have been removed and the police have a better idea of the evidence available, a preliminary interview takes place with you, the suspect.
You'll be questioned – but you're entitled to meal breaks. It's not like Law and Order...
Unlike some of the films and TV dramas you see, there are rules covering the welfare of the suspect and the maximum length of an interview. In brief, you're entitled to meal breaks under section 12 of the Police and Criminal Evidence Act Code C. This is enforced by the custody officer, independently of the investigation team.
When you are arrested the clock starts ticking. Unless you are arrested for terror-related offences, the police normally have 24 hours to hold you without charge. At that point they must decide whether to charge you, release you, or seek more time. A senior police officer (a superintendent) can authorise your detention for up to 36 hours, and in serious cases a magistrates' court can extend it to a maximum of 96 hours, four days in all.
The custody experience isn't the Hilton. After a thorough search you will be placed in your whitewashed cell, replete with appropriate scrawled graffiti. The cells and what few contents they have are all designed to be free from ligature points to try to prevent people from hanging themselves. This is why you have to take your shoes and belt off. And your tie, if we're talking suspected financial crime.
It is up to you to make your own entertainment whilst the police carry out their investigations. If you were thinking about sleeping, it will be an uncomfortable experience. Again, everything is bolted down so you can't really get comfortable. You will have a mattress and pillow, made from wipe-clean plastic.
Unlike in the TV series you see, there will be long periods of just waiting. Then an interview. Then a return to the cell. This may happen several times. You will also be monitored and checked by the custody officer through the observation hatch, and if you're really lucky there'll be all-encompassing CCTV in the roof as well. You really will get to know how a goldfish in a bowl feels.
On the positive side, you do have a few rights whilst in custody. You have the right to have someone informed of your arrest. You have the right to free legal advice and to be told what you have been arrested for, as well as the more mundane things such as toilet and food breaks. And as we said earlier, you have the right to remain silent, although a court can later hold that against you if it so wishes.
Somewhat controversially however, the police have the right to take photographs, DNA samples and fingerprints. Without your consent. You can only get these erased from police databases six years after your arrest, whether or not you are convicted or even charged with anything.
Talking to the nice policemen
Ahead of the interview, the officer conducting it will review the evidence to hand and build a case around it. The first line of enquiry is to ask the suspect to explain why the items collected during the search are in their possession. One of the main aims of the initial interview is to shut down any potential "get out of jail free" card, such as claiming that evidence was planted or "I let my neighbour use my PC as his was broken". It is also used to identify evidence that could potentially be used to mount a defence.
Interestingly, according to our police source, at this point, quite a few suspects will actually confess to their crimes and try to offer some mitigation as to why they committed them.
At this point, unless the alleged offence is particularly serious, the suspect will be bailed whilst a more thorough investigation takes place. A forensic investigation of a single PC can take several weeks. Conditions can be placed on the suspect, such as not using or owning computers whilst the investigation occurs. It is more common to just place restrictions on the use of a system: for example it may only be used at the suspect’s place of work, during business hours.
Digital forensics
A big issue with most e-crime units is that they do not have enough resources to deal with all the cases they are asked to investigate. The solution is to triage the content of the seized disks, a process also known as forensic preview. During a forensic preview a junior member of the team does a basic investigation of what is on the disk, working from a bit-for-bit copy of the original rather than the original itself.
What is found is then put into a matrix to decide which cases should be given priority. The matrix takes into account the seriousness of the crime and the perceived intelligence gain. Each force has a different matrix with a different scoring according to localised priorities.
Before the preview is started the investigating forensics officers will look to the police officer in charge of the case for guidance as to what they are looking for.
When the forensic review starts, it is not just a random search for *.jpg or *.doc. It uses a suite of applications and processes that not only looks for images but can also search for unique strings across the whole system, including slack space, temporary files, swap partitions and every other inch of the hard drive. A customised dictionary is often used, tailored to the kind of crime the suspect is suspected of: if someone is thought to be a drug dealer, for example, the investigator uses a dictionary containing the latest drug slang as well as more conventional drug terms.
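As an added illustration of that kind of whole-disk sweep (this is not code from the article nor from EnCase or any other product named here), the Python below constructs a tiny 4 KB "disk image" in memory with an allocated file, the slack left behind a short file, unallocated sectors that still hold a deleted note, and a pagefile fragment written the way Windows stores text internally (UTF-16LE). It then searches every byte of the image for a small drug-slang dictionary, case-insensitively and in both encodings, and reports where each hit sits. The sector layout, file names, dictionary words and the text in the image are all made up for the example.

```python
import re
from dataclasses import dataclass

SECTOR = 512

# Constructed dictionary, standing in for the investigator's tailored word list.
DRUG_TERMS = ["ounce", "dealer", "gear", "drop"]


@dataclass
class Hit:
    offset: int      # byte offset into the raw image
    term: str
    encoding: str    # "ascii" or "utf-16-le"
    region: str      # what the allocation map says lives at that offset


def build_sample_image():
    """Construct an 8-sector image plus an allocation map.

    Nothing here came from a real disk. It is laid out so that matches fall in
    every place a sweep must cover: a live file, the slack after a short file,
    unallocated sectors that still hold a deleted note, and a pagefile
    fragment written as UTF-16LE.
    """
    shopping = b"shopping: milk, eggs, bread, drop off dry cleaning\n"
    notes = b"notes\n"
    old_slack = b"meet behind the lockup, bring the gear\n"
    deleted = b"deleted txt: dealer holds half an ounce for friday\n"
    pagefile = "Chat: Dealer says half an OUNCE, usual drop".encode("utf-16-le")
    filler = bytes(range(256)) * 4          # deterministic, contains no terms

    image = (
        shopping.ljust(2 * SECTOR, b"\x00")                      # sectors 0-1
        + notes + old_slack.ljust(SECTOR - len(notes), b"\x00")  # sector 2
        + deleted.ljust(2 * SECTOR, b"\x00")                     # sectors 3-4
        + pagefile.ljust(SECTOR, b"\x00")                        # sector 5
        + filler                                                 # sectors 6-7
    )
    alloc_map = [
        (0, 2 * SECTOR, "allocated:shopping.txt"),
        (2 * SECTOR, 2 * SECTOR + len(notes), "allocated:notes.txt"),
        (2 * SECTOR + len(notes), 3 * SECTOR, "slack:notes.txt"),
        (3 * SECTOR, 5 * SECTOR, "unallocated"),
        (5 * SECTOR, 6 * SECTOR, "pagefile"),
        (6 * SECTOR, 8 * SECTOR, "unallocated"),
    ]
    return image, alloc_map


def region_for(offset, alloc_map):
    for start, end, label in alloc_map:
        if start <= offset < end:
            return label
    return "unknown"


def sweep(image, terms, alloc_map):
    """Search every byte of the image, not just the live files.

    Each term is compiled once per encoding. re.IGNORECASE on a bytes pattern
    folds only ASCII letters, which is exactly what is wanted here: in UTF-16LE
    the Latin letters are still single ASCII bytes, each followed by a NUL that
    the case-folding leaves alone.
    """
    hits = []
    for term in terms:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(term.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                hits.append(Hit(m.start(), term, enc, region_for(m.start(), alloc_map)))
    hits.sort(key=lambda h: h.offset)
    return hits


def sample_hits():
    """Run the sweep over the constructed image; returns plain tuples."""
    image, alloc_map = build_sample_image()
    return [(h.offset, h.term, h.encoding, h.region)
            for h in sweep(image, DRUG_TERMS, alloc_map)]


if __name__ == "__main__":
    for offset, term, enc, region in sample_hits():
        print(f"0x{offset:06x}  {term:<8} {enc:<9} {region}")
```

Two things the output makes obvious that the paragraph does not: the only hit inside a live file ("drop" in a shopping list) is noise, while every hit that matters sits in slack, unallocated space or the pagefile, and two of those would have been missed entirely without the UTF-16LE pass. That is why the region label travels with each hit: the investigator has to explain to a court where a fragment came from and why it could be there.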
If evidence is found, for example fragments of emails or text messages, the investigators can reach out to service providers to provide the required data. This is done by a police specialist called a SPOC (Single Point of Contact) who liaises with the service providers (mobile/internet/ISP etc) in question. A warrant is usually required to obtain this information and must be signed by a judge.
All this information is then passed to the case officer who reviews the evidence. All evidence needs to be collected in compliance with ACPO (Association of Chief Police Officers) guidelines for data collection.
The four principles of data collection
The framework within which e-crime investigators work is based around four major principles.
No action taken by the police should change the source media. This is the main reason write blockers are used: working on the original disk rather than a clone would open the door to allegations of planted evidence.
Any action that has to be performed on the source media must be documented, along with any issues it may raise, for example when damaged original media has to be rebuilt in a specialised clean room before it can be imaged.
An audit trail must exist and document every procedure the evidence undergoes, so that an independent party can repeat the process and obtain the same outcome.
Any actions taken must fully comply with the letter of the law. For obvious reasons, if the law is not adhered to it could open the door to claims that lead to the case being thrown out.
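The first three principles come together in the acquisition step, and the Python below is an added example of what that looks like in practice (it is not the article's or any named product's code; real examiners use hardware write blockers with tools such as EnCase, and this stands in for them). It builds a constructed 3 MiB "source disk" in a temporary directory, hashes it, copies it bit for bit to an image file, then hashes both the image and the source again, recording every step as a timestamped JSON line in an audit log. A second, deliberately corrupted working copy shows the check failing. The examiner name, exhibit number and file names are hypothetical, and opening the source read-only is only a software approximation of a write blocker.

```python
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024   # stream in chunks: a real image is far larger than RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, log, examiner, exhibit):
    """Bit-for-bit copy of `source` to `image`, hashed before and after.

    Principle 1: the source is opened read-only and never written; hashing it
    again after the copy documents that it is unchanged.
    Principles 2 and 3: every parameter and result is appended to `log` as a
    timestamped JSON line, so a second examiner repeating the copy from the
    same source must arrive at the same image hash.
    """
    record = {
        "exhibit": exhibit,
        "examiner": examiner,
        "started": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "chunk_bytes": CHUNK,
        "source_bytes": os.path.getsize(source),
        "source_hash_before": sha256_file(source),
    }
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:   # "rb": read-only
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            copied += len(chunk)
    record["bytes_copied"] = copied
    record["image_hash"] = sha256_file(image)
    record["source_hash_after"] = sha256_file(source)
    record["finished"] = datetime.now(timezone.utc).isoformat()
    record["verified"] = (
        record["source_hash_before"] == record["source_hash_after"] == record["image_hash"]
        and copied == record["source_bytes"]
    )
    with open(log, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def verify_image(image, expected_hash):
    """Re-hash a working copy before using it; a mismatch means it is tainted."""
    return sha256_file(image) == expected_hash


def run_demo():
    """Constructed source disk: 3 MiB of deterministic bytes in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "sda.raw")                  # hypothetical exhibit
        image = os.path.join(d, "EXH-001.dd")
        log = os.path.join(d, "acquisition.log")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))
        os.chmod(source, stat.S_IRUSR)   # belt and braces: drop the write bit too

        record = acquire(source, image, log,
                         examiner="A. Examiner (hypothetical)",
                         exhibit="EXH-001 (hypothetical)")
        clean_ok = verify_image(image, record["image_hash"])

        # One flipped byte in a working copy is enough to fail verification.
        tampered = os.path.join(d, "EXH-001-working.dd")
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[len(data) // 2] ^= 0xFF
        with open(tampered, "wb") as f:
            f.write(data)
        tampered_ok = verify_image(tampered, record["image_hash"])

        with open(log) as f:
            entries = f.read().splitlines()
        return {
            "verified": record["verified"],
            "clean_copy_verifies": clean_ok,
            "tampered_copy_verifies": tampered_ok,
            "image_hash": record["image_hash"],
            "bytes_copied": record["bytes_copied"],
            "log_entries": len(entries),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The design point is that the hash, not the copy, is the evidence: the log line carries the source hash before, the source hash after and the image hash, and all three must agree. Anyone who later works from a copy re-hashes it first, which is also how the "tainted evidence" claim in the section above is actually tested rather than asserted.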
The good news is that if no evidence is found the seized items are returned to the owners. The bad news is that can take several months to happen. If illegal images (i.e. child pornography) are found on the disks, they will be shredded and destroyed without exception. The hardware will often be returned without hard drives.
Obviously, looking at illegal images is itself illegal, and the investigating officers aren't above the law. To get around this, civilian investigative officers are given special dispensation to view the images, but only within the confines of a work office context.
Any images that are found are categorised on a scale of 1 to 5. 1 is the lower end of illegal through to 5 at the extreme end of the scale.
Forensic toolkit to sniff out the evidence
One of the best-known forensic toolkits is EnCase, but the software used depends on the police force concerned.
To help manage the search for data and information in a systematic way, forensic toolkits are used. The best known is EnCase, but a single licence runs to thousands of dollars. Less expensive alternatives include WinHex and X-Ways Forensics, both developed by X-Ways Software Technology AG, based in Cologne, Germany. Their customers include not only US law enforcement but KPMG Forensic (remember the naughty accountant from earlier?), Toshiba and HP. Several components make up the suite of tools, all "modestly" priced. You can, however, download demo versions if you would like to take them for a spin.
What is really clever is that the tools will then take a hash of each image and store it in a database, so that other investigators are not subjected to the same images repeatedly, which also streamlines the investigation. The more advanced tools also export the entire disk into a searchable database where multiple users can run string searches against the disks under investigation, an obvious advantage over the one-disk, one-investigator approach.
When the forensics team work with disks, they don't work on the physical disks but on virtual disks created by the forensic toolkit. Other clever features include logic that lets the forensic workstation detect that a set of disks came from a RAID array, mimic the original controller and present the array as a single volume for review. The same technique is also used for data recovery outside investigations.
Forensic toolkits are intelligent enough to also understand when a write blocker is used and will actually record its presence as part of the evidence acquisition log.
The decision to prosecute, or not
Once the investigation is complete, a report is created along with the supporting evidence and passed to the Crown Prosecution Service, which reviews it and decides whether there is a case to answer. The decision to prosecute is based on a number of factors, including physical evidence of who was actually using the computer in a multi-user environment, fingerprints on the keyboard, for instance. Being able to tie the activity to a specific user is critical. Whilst further investigation takes place the suspect can be bailed to reappear pending a decision.
Suspects are just too stupid
On the thorny topic of file encryption, the following facts may interest you:
Most suspects do not use encryption. Those that do often give up the key when asked; refusing to comply with a notice demanding it, served under Part III of the Regulation of Investigatory Powers Act, is itself an offence. And some people are just too stupid. A forensic IT tech regaled us with the story of one suspect who used BitLocker. Great. The only issue was that the suspect had the recovery USB stick sellotaped to the side of the PC, labelled "BitLocker Recovery". Suffice to say he quickly decided cooperation was the best policy.
Usually if the suspect does not give up the encryption key, the police will have enough circumstantial evidence to build a case around the crime and let the CPS decide if there is a case to answer and if there is enough evidence for a prosecution to proceed. This is usually in the form of other media found or other non-computer-related circumstantial evidence.
The failure to give up encryption keys is itself a hot potato. When the Regulation of Investigatory Powers Act first gave the police the power to demand keys and passwords, it made sense for people who had committed serious computer crime not to hand them over: the maximum sentence for refusing was two years (since raised to five for national security and child indecency cases), whereas possessing and distributing illegal pornography can easily attract double that.
This led Conservative MP Sir Paul Beresford to call for the maximum sentence for failing to provide encryption keys to be raised to ten years.
Interestingly, according to the Open Rights Group, there were 19 recorded refusals to decrypt data in the 2012/13 period. Of those 19, three were successfully prosecuted.
Depending on the crime the suspect is accused of, the police can and do decide to use system exploits to gain access to a machine. Such a technique would probably not be used on a low-level suspect, but any hint of terrorism or a comparable level of danger would justify it.
For the highest-value targets there are even more ingenious devices. A PC that is found running can be kept running by splicing a high-capacity battery into its power lead, so that the plug can be pulled from the wall socket without power being lost, and a dongle can be attached to feed the machine fake mouse movements so the screen never locks or goes to sleep, all while preserving the integrity of the machine. If you get this treatment, you must be a very high-value target.
But what if you know you’re innocent?
Unfortunately, this doesn't just happen to the bad guys. Knowing the process as detailed above can help you understand what will happen. The question of encryption keys is a minefield in itself and best left to the professionals. The best course of action for anyone really is to heed the warning when arrested and speak with your solicitor first before saying anything to the police.
Your solicitor's advice will be worth its weight in gold.
Bootnote: I wish to say a thank you to Les and Tony at Fiasa Forensic Services for their assistance and guidance in writing this article