Downloads
From Summer 2008, we will regularly update this new page with articles on the subject of digital forensics and forensic data collection.
This page also contains links to the featured articles included in our innovative F-Comic which we send out to legal professionals on a regular basis.
If there is a topic you would like to see covered, please email Andy Holmes at aholmes@ccl-forensics.com
Latest Article: July 2008 - Forensics Manager Mark Larson looks at how digital forensics can help tackle harassment in the workplace. Click the link above to read more.
Please click on the links below to read the latest comment written by the CCL-Forensics team.
Windows Vista »
What does it mean for Digital Forensics?
The added security features on Windows Vista mean that law enforcement officers need to be even more thorough when seizing PCs. Speaking at the E-Crime Congress in London on March 28th, Eric T Ashdown (Director, Microsoft Trustworthy Computing) described the additional security features put in place by Microsoft to provide added protection for both companies and private individuals who store sensitive data on their computers.
Included in the ‘Enterprise’ and ‘Ultimate’ versions of the software, BitLocker Drive Encryption aims to address the threat of data theft from lost or stolen machines. It works by requiring either a cryptographic hardware chip or a USB device in order to access the contents of the machine. According to Microsoft "BitLocker prevents a thief who boots another OS or runs a software hacking tool from breaking Windows Vista file or performing offline viewing of the files stored on the protected drive".
This means that when a Police Officer or Digital Forensics expert arrives at the scene to seize a PC running Vista, they must be sure to search the premises fully for any external devices as they may be needed to access the PC.
Microsoft deal with around 5,000 attacks on their system every day and filter over 3.8bn spam emails across their MSN network and Hotmail on a daily basis. Security is one of their prime concerns and this new technology is a testimony to their commitment to helping fight e-crime.
Find out more about Microsoft Vista.
Digital Forensics Outsourcing »
In an effort to find out more about our current and potential customers, CCL-Forensics have been surveying them on the subject of outsourcing and what qualities are most important in an outsourcing partner. The survey involved representatives from Police, Lawyers and Corporate Organisations and was aimed at giving us a clear view of the process undertaken by procurement by asking people to select all factors which they felt would factor in the decision making process.
Unsurprisingly, the most important factor was found to be Quality of Analysts with over 75% of respondents choosing this as their most desirable quality. Reputation came a close second with over two thirds of people taking this into consideration when outsourcing their digital forensic work.
Almost half of those we asked believed Pricing to be relevant, followed by Commitment to New Technologies with 35% ticking this option. Company Stability was selected by a third of people, but Location was disregarded by most, only being chosen by six per cent of people we spoke to.
It is clear from these statistics and from the many conversations which we had throughout March that the reputation of a Digital Forensics company is its greatest asset. That is why CCL-Forensics is committed to the training of all of their analysts, having been awarded Investors in People in January this year. They are also ISO 9001 Certified with a dedicated Quality Manager and experienced analysts who are vetted by a number of Expert Witness directories.
What is Intellectual Property? »
Theft of Intellectual Property, also known as IP Theft, has been in existence for hundreds of years but has proliferated with the widespread use of the internet. Intellectual Property includes Copyright, Designs, Patents and Trade Marks for creations including literature, music, art and recordings.
When an idea is published, it is automatically protected by copyright, making it illegal for anyone to attempt to steal the idea or make a forgery of the product.
The National IP Crime Strategy has been put in place to try and establish an accurate measurement of IP Crime levels in the UK. It aims to identify areas of specific threat and harm and raise awareness amongst consumers.
A number of high profile organisations are collaborating on the project, including SOCA, Trading Standards and HM Customs.
Each year, the business software industry alone loses over £1 billion to IP Theft and many anti-piracy industry groups are now using the services of digital forensic analysts to help fight the battle against these criminals.
The people who are involved in IP Crime are often found to be dealing in other crimes such as drugs and people trafficking, and forensic analysis can help provide vital clues which point to these activities. Unfortunately, criminals are fast becoming aware of the ability of investigators to uncover their tracks and are using tactics including hosting their sites in other countries and running websites for a short amount of time before closing them down and operating with a new address.
Earlier this month, the government announced a new section in the Copyright, Designs and Patents Act which gives trading standards the authority to enter firms suspected of infringing copyright. Tougher penalties and potential prison sentences have also been introduced to reinforce the serious nature of these crimes.
A combination of these factors should hopefully lead to a reduction in these online crimes, which cause particular concern to organisations such as DVD manufacturers and record labels. In the meantime, digital forensics is one of the best ways of confirming that a suspect has been involved in illegal activity.
Ethical Hacking »
Companies ranging from SMEs to Multinationals are worried about hackers and are keen to beat them to it when it comes to finding ways to penetrate their system.
The process of Ethical Hacking is a lengthy and time consuming procedure which requires the ‘hacker' to be meticulous throughout each stage of the investigation. This can involve a number of different stages, depending on the needs of the organisation in question.
One option is to carry out a full audit of the organisation's IT practice. The investigator will look at how secure the system is and will chat to staff about the way in which they are able to access sensitive material and how they protect their access details. They may even pose as a potential hacker and attempt to convince members of staff to allow them access. The investigation process may also involve testing the system from a remote perspective by attempting to hack in over the internet.
The process attempts to unearth weaknesses and vulnerabilities by viewing the system through the eyes of the hacker. The next step would be to assess appropriate targets, gather information about the network, test systems and services for known vulnerabilities and provide analysis and reporting.
It is also important that a penetration tester checks if they can erase or cover the marks that have been created in earlier stages of the test, so that they know what measures could be taken by a genuine hacker.
One of CCL-Forensics' Senior Analysts is a Certified Hacking Forensic Investigator and has completed a number of ethical hacking cases. Please contact us for further information.
Organised E-Crime »
According to SOCA, the most damaging sectors of organised crime are drugs trafficking, organised immigration crime and fraud. E-crime is seen as a ‘tool' for a number of areas of the criminal world and is increasingly being used to progress a variety of criminal acts, including the distribution of illegal images and goods across the UK and Europe.
One type of online crime which often requires the manpower of an organised gang is fraud. In April 2006, the Government suffered the first annual fall in VAT revenue since the tax was introduced, largely due to MTIC (missing trader intra-community) fraud. This type of fraud falls into two main categories.
‘Carousel Fraud’ is where goods have been sold on in the UK, and then get sold through a series of transactions to another country. The same goods then re-enter the UK, but the fraudster will go missing without paying any VAT to Customs. ‘Acquisition Fraud’ involves the fraudster obtaining a VAT registration number for the purpose of purchasing goods VAT free from another country. The goods are then sold in the UK at a VAT inclusive price, but the tax is never paid to Customs and the fraudster disappears.
There is also the question of what could be described as more serious crimes, where criminals use the online world to launder money to fund other activities or to communicate with one another. According to Bill Hughes, the director of SOCA, "people need to recognise that IT is not just used by specialised offenders to commit crime, but also by organised criminals engaged in conventional offences, such as drugs or people trafficking".
SOCA's aim is to try and combat these organised criminals, but they are facing a mammoth task in first identifying and then seeking out these elusive creatures.
A further complicating issue is the lack of evidence for e-crime, due to police reporting procedures, meaning that it is a challenge for any realistic statistics to be produced to document this phenomenon.
Despite these setbacks, the net is hopefully closing in on these gangs with a review of e-crime reporting pointing towards the emphasis being taken away from local police and being put in the hands of highly trained centralised units. This proposed web portal will mirror the current system in the US, where victims of online crimes find it much easier to report problems.
The Key to your Next Defence? »
Digital forensics is used by the Police to support prosecutions in all areas of crime, not just those traditionally thought of as involving e-crime, therefore it is imperative that solicitors are aware of the technical capabilities of forensic experts. Mobile phone and computer evidence is now used in a range of cases ranging from drug smuggling to murder, with increasing regularity. The types of evidence which can be useful tend to relate to the actions and movements of the suspects. This can be in the form of emails, internet history, call records or text messages.
For example, the Managing Director of a large organisation was accused of sexually assaulting one of his staff and the prosecution employed an expert to examine both his computer and that of his alleged victim. The prosecution claimed that a series of emails proved that the member of staff was being sexually harassed by the MD in the months leading up to his arrest. The MD vehemently denied the charges against him; therefore his defence team employed their own independent digital forensic expert to investigate the two computers. A thorough examination found that there were further emails which had been deleted; these were able to prove that the member of staff had been having a consensual sexual relationship with the MD for some time. The accused was therefore found to be innocent and the charges against him were dropped.
Another important factor is that the presence of certain files is not enough to bring a charge against a computer user. For example, in a case involving the downloading of indecent images, it needs to be established if the pictures were sought out by the user or if they had knowledge of their existence. This can be investigated by looking at a number of different areas such as internet history, which logs almost every click that is made, as well as any traces of files which have been downloaded or modified. It is even possible to examine the words and phrases that have been typed into search engines such as Google.
There is a popular defence that is used to counter charges involving computer crime, which is commonly known as the Trojan Defence. This can be used when there is a charge such as hacking or the downloading of indecent images, and is based around the fact that it can be claimed that the crime was the work of a ‘Trojan' or ‘pop-up'. These devices are usually planted through a computer virus which resides unknown to the computer user and which can carry out actions such as initialising downloads. The issue with this defence, whilst it can be an accurate and reliable source of evidence, is that it is difficult to prove beyond reasonable doubt where responsibility lies - with the computer user or the Trojan. The mere presence of a Trojan does not mean that the accused is innocent and the prosecution will attempt to get a conviction by calling upon further forensic evidence. This includes recording details of when certain files were opened and viewed, saved to a particular folder or even emailed to another person.
Back in 2001 a young British hacker was charged with carrying out a denial of service attack on the computers of the port of Houston, Texas. The port's webserver was frozen, and ISP logs traced the source of the attack to the suspect's computer. A forensic examination of the computer showed no trace of a Trojan. However, at his trial, it was simply argued that a Trojan could have been responsible, and that the prosecution could not prove its case beyond a reasonable doubt. The accused walked free.
Mobile phone evidence is used slightly differently in court and its main function is usually as supporting evidence. From a defence point of view, the forensic report is commonly used to disprove or cast doubt onto an eyewitness testimony. Michael C. Dorf, Professor of Law at Columbia University, has conducted research into eye witness testimony and concluded that "numerous psychological studies have shown that human beings are not very good at identifying people they have seen once....studies revealed error rates of as high as fifty per cent." On the other hand, he found that "circumstantial evidence is often extremely reliable", this includes digital forensic evidence.
In one recent case a young woman was involved in a serious road accident, which caused significant harm to the driver of the other vehicle. Eye witnesses claimed that the young woman was using her mobile phone in the moments leading up to the crash and she was charged with causing GBH by dangerous driving. The woman insisted that this was not the case and the defence submitted her mobile phone to be analysed. The phone was examined and call records and text messages were recovered. These indicated that the woman was not using her phone at the time of the incident and the case was subsequently ruled to be an accident.
Civil cases are also becoming more reliant on digital evidence and similarly the focus for the defence must be on ensuring that any facts presented are the result of a full and independent examination. Theft of Intellectual Property is one area of the law where computers are examined as a matter of course. The following case study showcases how forensics could be used to counter any allegations of IP theft by an employer.
An ex-employee of a large manufacturing company was accused by his former bosses of Theft of Intellectual Property. They claimed that he had copied their customer database prior to leaving the company in order to help him set up his own business in competition. The ex-employee denied that this was the case and his lawyers put forward that both his work and home PCs be submitted for forensic analysis by an independent organisation. The analyst found no evidence of the database on his personal computer and there was no sign of an external device being used on his work machine around the time of his departure. Subsequently, the case against him was dropped.
It is vital to remember that, just like traditional forensics evidence, digital evidence is extremely fragile and can be easily lost if the appropriate precautions are not followed. When a device is seized it must be handled with extreme care and in line with certain procedures which must be documented throughout the course of the investigation. Although there are currently no strict laws governing digital forensic practices, digital forensics laboratories tend to operate within the Association of Chief Police Officers guidelines.
It would also be advisable to closely examine the procedures that were followed by the prosecution as well as the credentials of their forensic expert witness. The most thorough way of doing this is to commission an independent expert of your own to come up with an alternative interpretation. When doing this, in order to assist the investigation as much as possible, it is useful to be able to give a detailed brief of what you are looking for to the analyst working on your case. A good digital forensic analyst will then offer guidance to make sure you get the most out of your investigation and will help ensure that the electronic evidence they find will become a key part of your case.
The Power of Deleted Data »
Mobile Phone Forensics is increasingly becoming an integral part of many criminal and civil cases and perpetrators are becoming wise to the fact that their phone will be automatically seized by Police on arrest.
Some may even be taking extra care to delete any incriminating text messages upon receipt and to regularly erase their call records.
Unfortunately for them, developments in mobile phone forensic software mean that this deleted information can be retrieved as part of the forensic analysis process in most circumstances.
It is already possible to retrieve data from a SIM card and from several of the more popular and older handset makes. There have been a number of recent cases where the recovery of deleted text messages and other data has proved to be the vital clue in a criminal case.
This is because many people do not realise that digital forensics companies are now able to recover this type of information and believe that they have destroyed all incriminating evidence by deleting data such as call lists, text messages, contacts and photos from their mobile phone.
One recent case involved a man who had plotted with his mistress to murder his wife. They sent details of their plan to one another by text messages, with the defendant ironically simultaneously messaging his wife in an attempt to create himself an alibi. The suspect believed that he had deleted all traces of his actions from his mobile phone; however, sophisticated forensic techniques were able to recover this damning evidence.
The problem with recovering information from mobile phones lies with the sheer volume of mobile phone manufacturers and the frequency with which the latest models are released. This provides forensics laboratories with the continual challenge of trying to ‘keep up' with technological developments.
The latest version of computer forensics' most popular software, EnCase, is set to include a package focused on mobile phone analysis for the first time and it will be eagerly received by the forensics community and law enforcement agencies.
There are countless incidents of mobile phones being used as evidence in cases ranging from minor drug dealing and petty theft to rape and murder. They provide vital data, from where they have been to who they have been speaking to and everything in between.
The analysis of a suspect's mobile phone can often lead to new clues to a case being discovered and the recovery of deleted data will strengthen the evidence available even further.
Corporate Identity Theft »
If a fraudster can secure sufficient information about a business and the individuals within it, they may be able to successfully apply for company credit cards and accounts, by convincing the organisations involved that they are a genuine member of staff.
Corporate identities can also be stolen, according to recent government research conducted by Business Link. They warn that it may be possible to submit forms to Companies House that will change the registered address of a business or even appoint new company directors.
This means that they could open a business bank account, take out loans and order goods to be delivered; potentially ruining the credit rating of the business.
One way in which criminals can get their hands on company information is by trawling through discarded or recycled hard drives. Some organisations renew their systems as often as every other year and old PCs are not always disposed of securely.
Obtaining one of these hard drives is an experienced fraudster's dream, as they will be able to find a variety of useable information for their ‘latest scam’, even if the previous owner believed they had wiped the contents.
The only way to be sure of avoiding this is to forensically wipe the data from the hard drive. This has the major benefit that it allows the hard drive to be reused. If it is resold, then some of the cost of ownership can be recovered and, in addition, the recycling of the product will have obvious benefits to the environment.
A data wiping service will use sophisticated forensic techniques to completely overwrite all information on the hard drive. It is recommended by the government to wipe clean the hard drive before it is discarded, sold, or donated as a security measure.
This would need to be carried out by a professional organisation as, contrary to popular belief, simply formatting hard drives does not erase any of the information stored on the machine. Similarly, the process of manually ‘deleting’ files only removes information about how to locate the file on your drive. The contents remain hidden and safely stored until they are overwritten and, even then, traces of the data often still remain.
The solution for unrecoverable erasure and, consequently, protection from fraud is to ‘wipe’ the file or drive. It is a repetitive process of overwriting all 1's, then all 0's over the file contents. This process must be conducted using forensically approved techniques, which are set by the Department of Defence and are recommended for all recycled machines that have been used by businesses or where important financial and personal information has been stored.
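The overwrite passes described above, sketched as an added example (not CCL-Forensics' own tooling and not a Department of Defence procedure): each pass writes all 1s (0xFF), then all 0s (0x00), over a file in place and reads it back to confirm the pattern landed. The function names, the 1 MiB block size and the sample records are assumptions constructed for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024          # assumed block size: overwrite in 1 MiB pieces
PASSES = (0xFF, 0x00)        # all 1s, then all 0s, as the article describes


def overwrite_pass(path, byte_value):
    """Overwrite every byte of `path` in place with `byte_value`; return bytes written."""
    size = os.path.getsize(path)
    block = bytes([byte_value]) * CHUNK
    with open(path, "r+b") as fh:          # r+b: write over existing data, no truncation
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(block[:n])
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())              # push the pass out of the OS cache to the device
    return size


def verify_pass(path, byte_value):
    """Read the file back; return the offset of the first wrong byte, or None if clean."""
    offset = 0
    pattern = bytes([byte_value])
    with open(path, "rb") as fh:
        while True:
            data = fh.read(CHUNK)
            if not data:
                return None
            rest = data.lstrip(pattern)    # whatever follows the leading run of pattern bytes
            if rest:
                return offset + len(data) - len(rest)
            offset += len(data)


def wipe_file(path, passes=PASSES):
    """Run and verify each pass; return a per-pass log suitable for an audit record."""
    log = []
    for value in passes:
        size = overwrite_pass(path, value)
        bad = verify_pass(path, value)
        if bad is not None:
            raise IOError(f"pass 0x{value:02X} failed verification at offset {bad}")
        log.append({"pattern": f"0x{value:02X}", "bytes": size, "verified": True})
    return log


def demo():
    """Constructed sample: write fake customer records, wipe them, report what is left."""
    record = b"CONSTRUCTED-SAMPLE customer=Example Ltd account=00000000\n"
    fd, path = tempfile.mkstemp(suffix=".db")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(record * 5000)
        size = os.path.getsize(path)
        log = wipe_file(path)
        with open(path, "rb") as fh:
            leftover = fh.read()
        return {"size": size, "log": log,
                "marker_found": b"CONSTRUCTED-SAMPLE" in leftover,
                "all_zero": leftover == b"\x00" * size}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

An in-place overwrite like this only reaches the blocks the filesystem currently maps to the file. On SSDs, flash media and journaling or copy-on-write filesystems, earlier copies can survive elsewhere, which is why whole-drive wiping is carried out at the device level.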
Mobile Phones - The New Fingerprints? »
The investigation of almost every crime now involves the analysis of mobile telephone information. The importance of this type of evidence in criminal cases was highlighted by the Holly Wells and Jessica Chapman case where evidence from Cell Site Analysis (CSA) was essential to the conviction of Ian Huntley.
Put very simply, CSA allows the phone's location to be pinpointed on a map. This is due to the fact that when a phone is used it sends a signal to a phone mast (a cell) and this allows a location to be significantly narrowed down. In the Soham case the Prosecution were able to prove that Jessica's phone effectively "said goodbye" to the network via a particular mast, which served a very small area in Soham but included Ian Huntley's house!
Actual offences involving text messages on mobile phones are also on the increase and can include the sending of threatening and distasteful messages, sexual or racial harassment. With an astonishing 100 million text messages sent a day (MDA, 2006) the potential for wrong doing is huge.
The increased capability of phones and PDAs with regard to downloading and browsing the internet (40.7 million users were recorded as using this function on their phones in the 3rd quarter of 2006 (MDA, 2006)) means that the phone has now become an invaluable addition to a paedophile's ‘tools of trade’.
Added to this is the fact that the second most popular sites accessed via mobile phones are ‘Chat Logs’, raising concerns regarding offences such as grooming or distribution of indecent images.
Recent terrorism investigations have placed a strain on the resources of prosecution bodies to analyse all of the mobile telephones in conjunction with the billings data available from the network providers. (Billings Analysis takes all the call record data provided by the network provider and then, by using specialist software, patterns of behaviour and relationships can be determined.)
Companies like CCL-Forensics Ltd provide these highly specialised Mobile Phone Forensics investigative services to Police Forces, Public Sector organisations and, as totally independent expert witnesses, to Defence Solicitors.
Whilst most Police Forces have some internal capacity for this work they are often overloaded and constantly have their priorities changed to focus on the most recent serious crimes. A reliable and experienced third party can often be the best solution either on a regular or ad hoc basis, particularly when a fast turnaround is required.
The unavoidable link between phone usage and vital clues about users' actions, preferences and associates creates an ever increasing need for mobile phone forensics experts, able to recover and interpret the new fingerprints.