Independent :: 01 June 2005
Forget leaving fingerprints at the scene of the crime. Today’s police know that the hard evidence they find on your hard drive can put you behind bars, says Jimmy Lee Shreeve
http://news.independent.co.uk/world/science_technology/story.jsp?story=643152
Computer forensic analysts – the detectives of the digital world – are in big demand. Electronic evidence is proving critical in solving crimes, with the proliferation of computers, PDAs, mobile phones and even iPods.
An internet bookmark or deleted e-mail can be vital to securing a conviction. In South Dakota, a woman was found drowned in her bath with high levels of temazepam in her blood. It looked like suicide – until investigators looked at her husband’s computer and found he’d been researching painless killing methods online. With this evidence, prosecutors were able to convict him.
Law-enforcement agencies have realised that electronic evidence can help catch all kinds of criminals, not just hackers, and are scrambling to hire skilled people. In Britain, the Metropolitan Police is advertising for recruits. “Successful candidates will be involved in the analysis of computer-based media, advising officers on their findings and giving evidence in court,” the advert says.
In the US, the FBI manages a growing number of computer forensics labs. In 1984, the bureau’s magnetic media programme dealt with three cases; last year, its labs handled more than 1,500.
“The whole market is growing exponentially,” says Andy Frowen (pictured above), a director of CCL-Forensics (www.ccl-forensics.com), a Warwickshire company supplying computer forensic services to 10 UK constabularies. “More people own PCs and are connected to the internet, and the police are increasingly aware that these devices can be used to commit or facilitate crime.”
In the past, equipment was usually seized in connection with suspected paedophile or hacking offences. But today, says Frowen, “they seize computers in murder, rape and fraud cases. Almost every crime at some point touches a computer.”
It’s crucial that the evidence stays intact, so digital forensic examiners never work directly on suspects’ computers. “Every time you look at a file, it changes – the date stamp, for instance, would register the day and time you opened the file, contaminating the evidence,” says Neil Barrett, a professor of criminology at Cranfield University and the author of Traces of Guilt (Corgi, 2005).
“We preserve digital evidence using a method known as ‘imaging’ or ‘freezing’. A suspect’s hard drive is removed and put in a computer that is ‘write blocked’ and can’t write to the disk. A forensic image is then taken of that hard drive – an exact clone that can be examined.”
The most widely used software for this is EnCase (www.guidancesoftware.com), a proprietary Windows-based program. The mantra is: delete doesn’t mean gone. Deleting a file, emptying the bin or even reformatting a hard drive will not necessarily get rid of evidence. This is because computers retain data even after it has been deleted.
Not surprisingly, software is available that deletes and overwrites data. One such program is the Privacy Suite from CyberScrub (www.cyberscrub.com), which claims to “remove all evidence of online activity, erase previously ‘deleted’ files, and securely destroy e-mail”. Such programs have legitimate uses – bank details or health records would be at risk if you sold your computer or others gained access to it.
Criminals can use this to cover their tracks, but it is time-consuming. “It can take four or five hours, which makes it less attractive to criminals because they are put out of action for that time,” says Chris Vaughan, the senior forensic analyst at the Manchester computer forensics firm Cy4or (www.cy4or.co.uk). “And to remove everything, the file-wiping software has to know exactly where to wipe. If it doesn’t get this right, traces will be left.”
So are criminals staying one step ahead of the law? “It’s bizarre,” says Barrett. “The criminals should be one step ahead of us, because all they need do is encrypt their files. Yet those we catch rarely do this. Maybe we’re only catching the idiots.”
Computer forensics is most commonly used in cases of child pornography, which means forensic analysts have to see upsetting images. Emma Webb-Hobson of Cy4or says she copes by cutting her mind off from the subject. “The comforting thing is that you’re helping to stop this kind of crime,” she says.
Many in the legal process now need some technical knowledge. In the Harold Shipman case, the doctor had modified evidence on his computer and was caught out by the date stamp on the records. “That obviously requires a jury to understand what a date stamp is and how it can and can’t be modified,” Barrett says. “That requires someone to provide an interpretation in plain English.”
Jeff Fischbach, a US computer forensic analyst, says one downside in digital evidence-gathering is that people are being falsely charged. A client was charged with possessing child porn on his computer, but Fischbach showed that the images came from spam and pop-ups.
What can an innocent person do if their computer is seized by police? Vaughan says: “Law enforcement agencies ask us to look for signs of intent – did somebody run multiple searches for ‘child pornography’, or open and view an illegal image hundreds of times?”
“So the advice to anybody who accidentally gets a pop-up is to close it instantly and, if possible, delete the internet cache. The same goes for spam that gets through filters – delete it. This will show that you didn’t want the material and didn’t look at it for longer than you needed to.”
The field of computer forensics is constantly evolving to keep pace with new devices. Any device that can store data can be used to harbour indecent images, illegal software or fraudulent documents.
But criminals should heed the words of the computer forensics expert John Mallery: “The only secure computer [or digital device] is the one you never turn on, bury in the ground and cover with dirt.”
*********
Further to this lot, I’ve been keeping pages about the authorities progress with surveillance techniques, as they pertain to protest, direct action on social struggles and environmental matters. Here are the direct links ::
Big Brother Awards: http://tash.gn.apc.org/big_brother.htm
surv – start: http://tash.gn.apc.org/surv_10.htm
surv – watched: http://tash.gn.apc.org/watched1.htm
surv – face recog: http://tash.gn.apc.org/face_rec.htm
surv – Nomad: http://tash.gn.apc.org/nomad_10.htm
surv – mayday 2000&1: http://tash.gn.apc.org/surv_mday1.htm
Digital / evidence: http://tash.gn.apc.org/digital_man.htm