Death of an expert IT witness

Computer forensics infighting


The Home Secretary's plans to recruit top-flight computer forensic experts to work on complex cases as part of reforms of the police service may suffer a hitch.

An acrimonious dispute has erupted between the UK's leading computer crime experts. On his web site, Jim Bates, MD of Computer Forensics and a long-time police expert, attacks the professional competence of Peter Sommer and Nicholas Webber, two highly-experienced expert witnesses in the field of forensic computing.

Though UK libel laws stop us from reporting his comments, the spat raises an interesting issue. There is no formal way of deciding who is a forensic computer expert. Among the small pool of people who consider themselves leaders in this field, and are called on by the police to assist with cases, there is an argument about who is competent to perform this work.

Home Secretary David Blunkett wants civilian investigators, especially those in IT, to work as part of elite investigation squads. The government White Paper outlining the police reforms states: "Too few officers currently have the necessary skills to deal with the most complex IT-based crime."

But if they don't have the IT skills, how do they know which expert to trust to help their investigation and build a prosecution case - especially when there's infighting amongst established and experienced experts? And if there's no formal mechanism to find a computer expert, how does the defence get someone who's good and who they can trust?

Qualifications

Dr Neil Barrett, technical director of Information Risk Management and a former senior consultant with Bull, has worked with the police for more than 10 years. He's unhappy with the way computer experts are drafted into police inquiries and believes the Home Office reforms will formalise the process.

Barrett became involved with police investigations after he was asked to train officers at the Bramshill police training college. This got him known in the right circles, he says. "Right now the way it works is accidental. A trusted senior officer might know the right person to lean on in a particular area."

But "there are a whole load of people known to be incompetent. I know I'm competent but how do I prove it to other people? What we need is a way of being able to say 'what qualifies me to give this expert opinion'."

Barrett was the forensic computer expert in the prosecution of Raphael Gray, aka Curador, who claimed he hacked into sites and gained access to customer databases in order to expose lax security.

The 19-year-old published a roll of shame of ecommerce firms he had broken into on the Internet and also posted what purported to be credit card details for Bill Gates (although the latter claim was subsequently debunked). And his Web sites also offered free credit card details. Gray was sentenced to a psychiatric and community service rehabilitation order of three years.

Barrett declines to name experts he doesn't rate. But Jim Bates, MD of Computer Forensics, has no such qualms. Computer Forensics sells forensic software and services - a landmark product was DIBS (Disk Image Backup System) forensic imaging software which takes a copy of a PC's hard drive and RAM, without altering the original. It was "designed to be plod-proof," said Bates. Development came out of a liaison with the Computer Crime Unit at New Scotland Yard and the first product went on sale in 1991.

Forensic

Bates has assisted police investigations and says 50 per cent of Computer Forensics work is with the police. He has set up a web site for DIBS users and to highlight his dissatisfaction with rival forensic computer experts.

On one page, he writes about what he considers flaws: within "the English legal system there is no specific mechanism for challenging the competence of the expert witness.

"In such a new field as computer forensics" virtually anyone with a little knowledge of computers finds it easy to convince lawyers, barristers and judges that they are an "expert" and their opinions are valid and reliable.

He criticises the work of two leading forensic computer experts - Peter Sommer and Nicholas Webber, and details his opinions of cases that he and they have been involved with.

Sommer is a visiting research fellow at the London School of Economics and under the pseudonym Hugo Cornwall he wrote the Hacker's Handbook in 1985. Sommer's CV says his legal expert witness activity "has included computer forensics and contract analysis of a failed nationally-based central station alarm system, a wrongful dismissal claim where the client had been accused of planting a logic bomb in his employer's computer system, allegations of software piracy via BBSs, the Internet on CD-ROMs, and charges of international computer intrusions into US military sites."

He was also involved in the Wonderland Club investigation - a large-scale conspiracy to distribute paedophile images, and was the defence expert for Raphael Gray, aka Curador.

Webber was also involved in the Wonderland case. He was used in the BBC Panorama programme, which looked at the techniques used to trace the paedophiles. He was described only as a computer consultant and described how "we worked out a technique where we could actually watch them live on the Internet", and then trace them back first to their ISPs and then to their homes.

But Bates is not impressed with them. "The stuff on the website - I didn't put it there lightly. I don't like the idea of going out rubbishing people, but it is an important issue."

The UK forensic computer expert scene is small and the people in it know each other personally or by reputation. Bates says he's only come across eight or ten he'd be happy to come up against in court, on a competence basis.

Postgraduate

Sommer and Webber are unhappy with Bates' site which is not hosted by a UK ISP so it wouldn't be easy to shut down, if they wanted to do it. "It's not worth suing him (Bates)," said Sommer, confident of his reputation and track record.

He says "the police are perfectly capable of deciding whether an expert is competent." He acknowledges the police system for recruiting experts isn't perfect but thinks it's as good as it'll get. "They [the police] try you out on something small first, they know how to identify good people." If the expert isn't competent "it'll get shown up in court".

Barrett, Webber, Sommer and Bates disagree on how to accredit someone as a forensic computer expert. Webber thinks it will take the formation of an ethical standards body, like the BMA for doctors, with no commercial interest in the matter, which would then vouch for its members.

Barrett has high hopes for a postgraduate qualification in forensic computing from the Royal Military College of Science. The course starts in January and Barrett, who will lecture, thinks the qualification could be a base level for all forensic computer experts.

Sommer, who will be an external assessor to the course, does not think this will work. Although he welcomes the course, he feels the speed of change in computer technology makes it difficult for the qualification to vouch for someone's competence in the future.

"The thing which makes computer forensics unique is that everything changes so fast. An academic course takes a long time to get accredited."

So for Sommer the system ain't broke. "Like a lot of things in life, certain things are extremely difficult to do. We have to recognise it's the nature of the beast we're not going to get a perfect system."

Bates is working on a proposal which will combine an industry vouching for its members who will have passed a form of competence test. He doesn't have any particular authority to get his ideas accepted but, "nobody does, that's the problem", he said. He believes that as an expert witness 99 per cent of your testimony is fact and one per cent is professional opinion.

But the police may be coming up with their own solution. The National High Tech Crime Unit, formed specifically to tackle tech crimes, has been going for six months and hasn't used a civilian yet. "We have 40 officers who are all extremely IT literate. It's not been a requirement at this stage," said a spokeswoman. Dr Neil Barrett is listed as one of the few expert advisors to the unit on his company's web site. ®
