In many instances old, or conventional crime is perpetrated using new approaches that are reliant on technology. Postal fraud, for instance, has evolved to employ electronic communication channels, giving rise to waves of emails seeking to defraud recipients with promises of money and fictitious prizes (commonly known as ‘419 scams’ as many of such notes tend to originate from the African continent and 419 is their penal code for wire fraud).
Studies into the cost of cyber-crime, commissioned independently by the Department of Trade and Industry (DTI) reveal alarming trends in the abuse and misuse of technology. The average cost per security incident has risen to over £160,000 and nearly one in four businesses in the UK have suffered a serious hacker attack or virus outbreak. The impact of an information security breach can be so devastating to business operations that one in ten never actually recover and the shutters close permanently. To counter this growing threat, security and law enforcement agencies have adopted fresh approaches for dealing with high technology crime.
Forensic Computing is a relatively young science when compared to contact forensics such as fingerprint recognition which have roots that can be traced back to Edmond Locard, who in the early 1900s famously postulated the theory of evidence being left as ‘mutual exchanges of contact’. Whilst various descriptions exist in relation to this practice, the international survey undertaken by Hannen has been taken as the de-facto definition: ‘Processes or procedures involving monitoring, collection, analysis… as part of ‘a priori’ or ‘postmortem’ investigations of computer misuse’. It is important to appreciate that this definition takes a wider view than the conventional reactive description, where forensics was regarded purely as an incident response function. Hannen considers digital forensics as also taking a pro-active role in security, where it can be combined with intelligence and operational planning.
As a serious field of research, forensic computing studies only started to take real form in the early 1990s when, faced with ever increasing numbers of computers being seized at crime scenes and the potential for crucial evidence to be stored on a PC, various government agencies came together to host the International Conference on Computer Evidence (ICCE). Here many of the challenges facing law enforcement communities were aired and agreements forged to cooperate towards finding effective solutions.
Two years later, in 1995, the International Organisation for Computer Evidence (IOCE) was formed, and a further two years later the member states that comprise the G8 subscribed to the mission of IOCE, pledging support for the organisation. This was the catalyst required to stimulate research and development, and since then great advances have been made in all spheres of digital evidence management. When working on a matter where the case will rise or fall on the strength of digital evidence, for example where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. This places the evidence into the wider context of the offence and enables barristers to make directions to the court based on a fuller appreciation of matter.
Assuming material has been seized by the authorities, the state will usually conduct their own forensic assessments (typically undertaken by the regional police hi-tech crime unit), the results of which will be provided to legal representations. The mechanics of this process involve the ‘imaging’ of the ‘target media’ – the process of making a forensically sound duplication of digital materials of interest (e.g. the computer hard drive). During this duplication process a ‘write-blocking’ device will be employed to ensure the target media is not affected or corrupted in any capacity whilst its content is read and mirrored. The actual forensic analysis is then made upon the duplicated material, with the original placed into secure storage and maintained in the state in which it was seized. The forensic analyst will then peruse the imaged copy to identify materials of potential evidence value, extracting copies as necessary to form the basis of the expert report.
Looking at this from a defence perspective, a number of questions should be posed in relation to the digital evidence (based on the Daubert threshold test that evaluates the competency of evidence in the United States):
• whether the theories and techniques employed by the scientific expert have been tested;
• whether they have been subjected to peer review and publication; • whether the techniques employed by the expert have a known error rate;
• whether they are subject to standards governing their application; and
• whether the theories and techniques employed by the expert enjoy widespread acceptance.
Putting abuses of technology on a statutory footing, Britain has a suite of legislation that can be invoked, from the Computer Misuse Act 1990 to the Regulation of Investigatory Powers Act 2000.
Today digital forensics is an accepted science, and evidence duly secured in relation to best practices (in the UK these guidelines are outlined by the Association of Chief Police Officers) can be served in a court of law. Digital forensics are providing breakthroughs in all manner of high profile cases around the world, helping security and law enforcement agencies to catch offenders and secure convictions.
In the US, for example, the notorious BTK serial killer that had a reign of terror lasting over twenty five years in the Wichita areas, was ultimately tracked down after he sent a disk to a local radio station gloating at the police’s inability to catch him. Unique digital footprints embedded within the files were extracted by forensic specialists, and like a lone fingerprint, investigators now had a powerful lead – all they needed was to match the file to the computer that had created it (much like having a fingerprint but not a suspect’s hand to match it with). Wichita Police then conducted a house to house search, taking file samples from every computer encountered. Back in the laboratory, the file footprints were compared to the sample disk posted by the BTK killer, eventually finding a match. This tied the floppy disk to Dennis Radar’s PC, a virtual smoking gun as far the prosecution were concerned. This digital evidence became a pivotal element of the State’s case and ultimately helped secure a conviction.
In the UK the 2002 murders of Holly Wells and Jessica Chapman in Soham, Cambridgeshire, also saw digital forensics play a crucial, but largely unknown, role in the investigation. Technical analysts examined one of the girl’s mobile phone to identify where it was located when it had been turned off. Information on the nearest network communication tower tends to be stored in a phone’s memory and when the signal coverage of that tower is plotted, it is possible to identify the rough area (typically a few square kilometres) in which the phone was located when it was switched off. Having extracted this information from the handset, authorities had a rough idea of where to base their search; which ultimately led to the recovery of the two girl’s bodies.
Speaking in an interview several years after his pioneering research on the Manhattan Project where atomic reaction theory was developed, scientific visionary Oppenheimer explained that ‘the scientist is free to ask any question, to doubt any assertion, to seek for any evidence’. This thinking holds especially true when applied to the discipline of forensic computing in a legal context. Here experts may be instructed by either the prosecution or the defence, however, in either instance, they have a higher duty to the court. They are instructed as experts, but experts for the truth. It is important therefore to ensure that the experts instructed are duly qualified, experienced and independent.
Commenting on the nature of digital evidence, John Brown, Partner at Hogan Brown Solicitors, explained how the fragile nature of digital evidence can pose serious challenges to the investigator: ‘digital material is extremely volatile – perhaps more delicate than its physical counterparts. It can be copied, amended, and transferred without almost any trace – only experienced and qualified specialists should be employed to work in a digital forensic environment if the subsequent findings are to withstand the scrutiny of a court of law’. When working on a matter where the case will rise or fall on the strength of the digital evidence, perhaps where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. It is also important that lawyers, when they try to find an expert witness choose someone with the necessary skills who is not only able to prepare an objective, unbiased report but also deliver oral testimony if required.
Forensic computing and the securing of digital evidence is a powerful tool in today’s fight against increasingly technically-savvy criminals. It is a discipline that continues to evolve and should remain high on the radar for both legal practitioners and law enforcement authorities.
Find More Expert Witness Articles