Forensics: Computer Forensics – Police or Civil?

Historically, computer forensics has always been led by law enforcement. The technology, the methods and the cases were all driven by criminal work.

Who in the 1990’s would be able to afford, or even find, a computer specialist to investigate an HR issue within a company? If the sales guy left and took the company contact list with him, computer forensics would never have been considered. In the police, things were different. In 1999 the now defunct National High Tech Crime Unit was created (since replaced by SOCA), police forces got funding for high tech crime units of their own, and laws (in the UK) were created and amended to help the prosecution of those looking at child pornography on a computer: not just those taking the pictures but those viewing the images.

These laws meant that thousands of new criminals were created and, combined with Operation Ore, more and more computer forensics work followed. The police were overwhelmed, so they got bigger budgets. More people reported incidents of crime involving computers. The police were overwhelmed again. The internet grew, and so did the offences, and so the police forensics units continued to grow.

In the UK, as the police forces grew, so did the industry of computer forensics dedicated to supporting the police. Many reputable companies make a huge proportion of their income from police work, which is outsourced. People may not be aware of this but, in the UK, the police regularly outsource computer forensics work, including the child abuse investigations.

In addition to this, for every criminal case there is a defense lawyer, and therefore a defense expert witness. This means that another industry of computer forensics specialists, defending people against prosecution, was created.

So from the police, to the companies conducting police work and those defending police work, there was an entire industry of forensics created, much of it from child abuse images.

The software industry responded in kind, as anybody attending an EnCase or FTK course would know. The courses were heavily focused on recovering images and police work, with the vast majority of those attending working in law enforcement; this was a sensible decision by Guidance and AccessData.

Over the years computer forensics companies have expanded and moved into the areas of electronic discovery, civil investigations and data theft investigations. But because their original technology, training and staff had a police basis, these companies are often entrenched in law enforcement methodology and technology.

Even today, as we are hurtling towards 2010, many employers actively seek “ex-law enforcement” for computer forensics employment. It’s seen as the gold standard to measure the industry by.

But is it?

There is no doubt that the police standards of evidence handling are as high as they need to be, because they work in a criminal environment rather than a civil one. But are they the most effective? Are governments known for efficiency or for bureaucracy?

What about technology? The police, as standard, use EnCase and FTK, and a few widgets. Civil companies can recover deleted files, keyword search, match hash values and all that good stuff. But while the civil sector has all of this, it also has a lot more.

  • Civil companies are able to cluster together similar documents, to help find the key files.
  • They can de-duplicate emails (which EnCase and FTK cannot), thereby reducing the data set massively.
  • Civil companies are able to have hundreds of people reviewing and marking documents, around the world, on the same case, securely, in a live environment.
  • Technology is now deployed, in civil companies, to keyword search audio files and tape recordings on the fly.
  • Near de-duplicates can be identified, by civil companies, to further reduce the size of data sets.
  • Concept searching is on the increase, and indexing is de rigueur.
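
The e-mail de-duplication credited to the civil side above, as an added Python example that is not from the original post: a whole-item hash, the kind of hash-set match the list refers to, treats two custodians' copies of one message as different because their transport headers differ, while a key built from normalized headers and body collapses them, and word-shingle Jaccard similarity then flags near-duplicates. The messages and the choice of key headers are constructed for this example.

```python
import hashlib
import re
from email import message_from_string
from itertools import combinations

def _msg(received, folder, subject, body, msgid):
    # Constructed RFC 822 text; Received/X-Folder differ between custodian copies
    return (f"Received: from {received}\nX-Folder: {folder}\n"
            f"From: Bob <bob@example.com>\nTo: Alice <alice@example.com>\n"
            f"Subject: {subject}\nDate: Mon, 01 Jun 2009 10:00:00 +0100\n"
            f"Message-ID: {msgid}\n\n{body}\n")

BODY = "Alice, here is the Q3 customer contact list. Please keep it strictly internal."
# Constructed collection: 0 and 1 are one message in two mailboxes, 2 a near-copy, 3 unrelated.
SAMPLE = [
    _msg("mx1.example.com", "alice/Inbox", "Q3 contact list", BODY, "<a1@example.com>"),
    _msg("mx2.example.com", "bob/Sent Items", "Q3 contact list", BODY, "<a1@example.com>"),
    _msg("mx1.example.com", "alice/Inbox", "Q3 contact list (updated)",
         BODY + " Updated figures for region north.", "<a2@example.com>"),
    _msg("mx1.example.com", "alice/Inbox", "Lunch?", "Free at 1pm?", "<a3@example.com>"),
]
KEY_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")  # assumed key set

def file_hash(raw):
    """Whole-item hash, i.e. a hash-set match: one differing header byte and nothing matches."""
    return hashlib.sha256(raw.encode()).hexdigest()

def dedup_key(raw):
    """E-discovery style key: normalized key headers plus body, transport headers ignored."""
    msg = message_from_string(raw)
    parts = [" ".join((msg.get(h) or "").split()).lower() for h in KEY_HEADERS]
    parts.append(" ".join(msg.get_payload().split()).lower())
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()

def exact_dedup(raws):
    """One representative per dedup key (the last copy seen is kept, in first-seen key order)."""
    return list({dedup_key(r): r for r in raws}.values())

def shingles(text, k=3):
    """Set of k-word shingles; an edit disturbs only the shingles overlapping it."""
    words = re.findall(r"\w+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def near_duplicates(raws, threshold=0.6):
    """Index pairs whose bodies score at or above the Jaccard threshold."""
    sets = [shingles(message_from_string(r).get_payload()) for r in raws]
    return [(i, j, jaccard(sets[i], sets[j])) for i, j in combinations(range(len(raws)), 2)
            if jaccard(sets[i], sets[j]) >= threshold]
```

Run on the four constructed items, the two mailbox copies hash differently as files but share one dedup key, so three items survive, and only the updated re-send scores as a near-duplicate (11 of 16 shingles shared).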

Most of these terms would never be used within law enforcement; so much so that the UK government states that it needs 90 days to look at a couple of computers, and changes the laws to detain people for that long. Law firms do that in a matter of days, and go to court on the results, because they are using far more advanced technology.

Civil companies are able to collect huge volumes of data. On the SANS Twitter feed today there was the following statement:

  • Chris discusses the largest seizure by police: 14 locations; 50 investigators; 33 computers; 44 mobile devices; 400 media #forensicsummit

That is not a lot of computers. The largest collection this author has been involved with had over 5,000 pieces of media; a couple of hundred, for one case, is certainly not unique, and others handle many, many more. Some firms have imaged over a petabyte of data for one case.

The big investigations, the really big ones (the Madrid bombing, the Madoff investigation, Enron, WorldCom, etc.), all have a major civil investigation technical component, if they are not entirely civil.

Change

The EnCase courses are changing and are more “civil” friendly, but the courses are still run, and dominated, by law enforcement demands. With technology being led by the civil side, and the economics dominated by the civil industry, is it not time to change our perspective on what the “gold standard” is?

Note: The author has worked on both sides of the argument.

PACE: Section 22

Section 22 of PACE gives the police powers to retain evidence that they have seized, under Section 19 or 20, for as long as they need.

Section 22 PACE

PACE: Section 20

Section 20 of PACE, the Police and Criminal Evidence Act, gives the police the power to seize computers that could contain information, if they come under Section 19.

The powers apply as in Section 19: if the items are on the premises, the police can seize them if they believe they contain evidence.

This is needed because data is not “property” or an “item”, so the law describes it specifically in Section 20.

Section 20 (MoJ)

PACE: Section 18

Section 18 allows a constable (in uniform or otherwise) to enter and search any premises occupied or controlled by a person who is under arrest for an indictable offence, if he has reasonable grounds for suspecting there is on the premises evidence, other than items subject to legal privilege, that relates to that offence or to some other arrestable offence connected with or similar to that offence.

A constable may conduct such a search before taking the person to a police station, and without the written authority of an officer of inspector rank or above, if the presence of that person at a place other than a police station is necessary for the effective investigation of that offence.

Section 18 (MoJ)

Case Law: Photography

On Thursday 21st May 2009, there was an interesting court case relating to photography, resulting in the police being required to delete photographs.

The emphasis should be on “required” rather than “forced”.

The case revolves around pictures taken of Andrew Wood, a member of a group which protests peacefully against the arms trade, Campaign Against Arms Trade (CAAT), without the violence associated with direct action groups.

Mr Wood was photographed by police photographers as he left a meeting; they came very close to him to take his picture, the impression given being that these were almost “paparazzi style” photographs. Mr Wood, who has never been charged, arrested or apparently linked to any violence, felt that the police should not retain this data. It is a case with clear echoes of S and Marper v UK.

Mr Wood then took a series of legal actions to get the photographs deleted, which the police initially refused to do. Unlike the Marper case, where the UK courts supported the police and the case had to go to the ECHR before the DNA was deleted, this case was decided in favor of Mr Wood by the appeal courts in the UK.

Two out of three judges agreed there had been a disproportionate interference by the police in the human right to privacy, and so the police were ordered to destroy the photographs. The right to privacy in the UK is guaranteed by Article 8 of the Human Rights Act.

The police don’t have to delete the data for a month, while they have the chance to consider an appeal to the House of Lords.

Mr Wood was photographed as he left the AGM of Reed Elsevier PLC, the parent company of Spearhead Exhibitions Ltd, which runs the arms fairs for the industry. As Andrew Wood held a share in the company he was allowed to attend the meeting, and so was not committing any crime by being there.

Lord Justice Dyson stated that “The retention by the police of photographs taken of persons who have not committed an offence, and who are not even suspected of having committed an offence, is always a serious matter... The only justification advanced by the police for retaining the photographs for more than a few days after the meeting was the possibility that the appellant might attend and commit an offence at the Defence Systems and Equipment International fair several months later... But in my judgment, even if due allowance is made for the margin of operational discretion, that justification does not bear scrutiny...”

Lord Collins of Mapesbury, the other agreeing judge, stated that “There was a very substantial police presence. When I first read the papers on this appeal, I was struck by the chilling effect on the exercise of lawful rights such a deployment would have... It is plain that the last word has yet to be said on the implications for civil liberties of the taking and retention of images in the modern surveillance society... This is not the case for the exploration of the wider, and very serious, human rights issues which arise when the State obtains and retains the images of persons who have committed no offence and are not suspected of having committed any offence.”

The Met’s response on the photography was: “Overt photography helps us build a picture of who is involved in planning and organising any potential disorder or crime. It may also provide us with evidence that would be beneficial to any legal proceedings.

“There is nothing secretive or covert about the way we do this, and this practice is very well known and understood in protester circles. The Metropolitan Police will continue to do everything necessary to maintain order on London’s streets.

“The findings of this judgment provide a valuable set of guidelines for us to continue to work within and we are pleased that the Court of Appeal has found our use of overt photography to be lawful.”

Whether the police will actually delete the data, even when ordered to by the court, is a different matter.
