The Register® — Biting the hand that feeds IT


Plod punishes PC-reliant businesses

Innocent or not, you deserve to suffer


As police begin the tedious task of sifting through Tory frontbench spokesman Damian Green’s computer effects, politicians and professionals have expressed concern that computer investigations are becoming a source of serious injustice, in need of reform and regulation.

If you are suspected of an offence that involves the use of a PC, then at some point it is likely that the police will make a visit and remove the offending computer, or other gadget, for forensic examination.

The problem arises from the lack of standard procedures across the 43 police forces in England and Wales and an unwillingness to facilitate access to an individual’s data. Depending on resource levels, forces can take between three and 18 months to examine and return a PC. In some cases, where a trial is pending, they can take even longer.

Meanwhile, anyone whose work or business resides mainly on their PC – their address books, accounts, product information – must sit back and see their life put on hold. Individuals who are merely accused of a crime can suffer severe financial hardship or be bankrupted as the legal process grinds slowly on. Even where the police eventually decide there is “no case to answer”, lives can be ruined - yet the government appears uninterested in doing anything about the issue.

We contacted various bodies in an attempt to gauge the scale of the problem. While forensic experts agree that the number of PCs brought in for investigation is growing, year on year, neither the police nor the Home Office collect the figures. This leads, bizarrely, to some police forces cutting back on resources for investigating PCs at the very time when they need more.

In the absence of precise figures, industry experts estimated that between 80 per cent and 90 per cent of investigations involve the police looking for child porn. Other reasons include IP theft, fraud, terrorism or, rarely, breaches of the Official Secrets Act.

Equipment is then stored by the police, pending examination by both prosecution and defence experts. According to Simon Steggles, MD of DiskLabs, an organisation offering a commercial forensic service to either side in such cases, direct examination is carried out on clones of the hard drive, rather than the original hard drive, in order to preserve the evidentiary value of the data. He said: "We forensically 'image' data using various methods such as Encase or Forensic ToolKit software or Image MASSter SOLO 3 hardware copier, which is a faster option with a theoretical 3Gb per minute transfer rate, although we normally get around 800Mb per minute.

"We check the digital fingerprint – the MD5 Hash, or checksum – of every copy before removing it: if a single comma or full stop has changed, it will fail the 'fingerprint' test and we will start the process again."

In other words, standard procedure already allows for individuals to regain access to their data. However, several experts we have spoken to all confirm that this can be problematic, citing police attitudes and obstructiveness, as well as a failure by the courts and the legal system to understand the issues involved.

Chris Huhne MP, Home Affairs Spokesman for the Lib Dems, said: "In complex cases it is vital that the police have the technological capability to carry out thorough investigations and that suspects cannot tamper with the evidence. However, it seems unnecessarily punitive to stop people from accessing important personal or business information for as long as 18 months. A system needs to be created that serves the best interests of justice as well as individual needs." ®


Latest Comments

Re: TorMentor

Gee whizz, you give with one hand and take away with the other..............

You say:

"Presumably in the UK the alleged criminals are on bail until the examinations are complete so are at liberty to commit further crimes"

Shouldn't that be: "are at liberty to commit further (alleged) crimes"?

With friends like you....................etc

Why removing original material is bad

I have no sympathy whatsoever for the police suffering problems when storing seized equipment after having discovered examinations are carried out in situ in other countries - e.g. Western Australia's SIMPLE (Simple Image Preview Live Environment) see http://news.zdnet.com/2100-3513_22-190993.html . Presumably in the UK the alleged criminals are on bail until the examinations are complete so are at liberty to commit further crimes. Furthermore I would have thought removing a disk without leaving the owner a forensically uncontroversial record of its contents - e.g. MD5 hash of the drive image plus hashes of every single file - would leave police evidence vulnerable to challenge. After all (Anon Copper) how hard is it to alter the timestamps on a file with a hex editor if one wants to? Her arguments about keeping the original equipment for court hold no water either. If a copy is to be analysed and "pulled apart" then another copy can have been made. As many clones as are needed in fact: just as long as they all preserve the set of hashes then they can be considered identical. If copies of documents are acceptable evidence then surely copies of digital information should also be? This is just another example of legal understanding lagging decades behind the requirements of the current situation.

Whilst I don't feel the delays amount to extra-judicial punishment, they obviously create unnecessary hardship. The Liberty 'Your Rights' website includes, in its definitions of rights regarding retention of seized property, the following: "Lawfully seized articles may be retained so long as is necessary, for example, for production in court, but the articles cannot be kept for use as evidence in a trial or for forensic examination if a photograph or copy would suffice". I suspect there are other rights issues being contravened here too; for example the right to work.

False accusations and misinterpreted evidence, e.g. assuming guilt if the credit card or IP matches, abound in this backwater of technological ignorance too. It is high time the government looked at these issues & regularised it for the good of populace and policing.

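The hash checks described in the article (a digest of every clone) and in the comment above (a hash of the drive image plus one for every file), as an added example that is not from the article, the commenter or any forensic product. The toy "drive" is constructed sample data, the function names are hypothetical, and recording SHA-256 beside MD5 is this example's own assumption, made because MD5 alone no longer resists deliberate collisions.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def digests(path, chunk=1 << 20):
    """(md5, sha256) hex digests of one file, read in chunks so big images fit."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def build_manifest(image, root):
    """Hash the raw image and every file in the tree mounted from it."""
    files = {p.relative_to(root).as_posix(): digests(p)
             for p in Path(root).rglob("*") if p.is_file()}
    return {"image": digests(image), "files": files}

def verify(manifest, image, root):
    """List what differs from the manifest; an empty list means an exact clone."""
    now = build_manifest(image, root)
    diffs = [] if now["image"] == manifest["image"] else ["image"]
    for rel in sorted(set(manifest["files"]) | set(now["files"])):
        if manifest["files"].get(rel) != now["files"].get(rel):
            diffs.append(rel)
    return diffs

def demo():
    """Constructed sample data: clone a toy 'drive', then change one comma."""
    work = Path(tempfile.mkdtemp())
    try:
        orig, clone = work / "orig", work / "clone"
        (orig / "fs").mkdir(parents=True)
        samples = {"ledger.csv": b"2008-11-27,invoice,120.00\n",
                   "contacts.txt": b"A. Customer, 1 High Street\n"}
        for name, data in samples.items():
            (orig / "fs" / name).write_bytes(data)
        (orig / "disk.img").write_bytes(b"".join(samples.values()))  # stand-in image
        manifest = build_manifest(orig / "disk.img", orig / "fs")
        shutil.copytree(orig, clone)
        clean = verify(manifest, clone / "disk.img", clone / "fs")
        for p in (clone / "disk.img", clone / "fs" / "ledger.csv"):
            p.write_bytes(p.read_bytes().replace(b",invoice", b".invoice"))
        return clean, verify(manifest, clone / "disk.img", clone / "fs")
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    print(demo())
```

A manifest handed to the owner at seizure lets either side re-run `verify` on any later clone; the per-file entries show which file changed, not only that the image did.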
Anonymous Coward

@ John

By no means is it a "so what" issue, I never sought to imply that at all. It is fascinating, and an emerging part of the criminal law. But the issue of retention of original copies of data is a real one. You're correct, drives are cloned and the copy is pulled apart, subjected to data recovery, searched and everything else that can be thought of to uncover whatever information may be present and/or hidden.

But it's still the original that's presented to the court. In many respects that's WHY a copy is used for searching, so the original files, their location on the disk and time stamps are all retained because be assured, the defence brief WILL cast doubt on the validity of any evidence where the original file has been modified in any way, including the last accessed timestamp.

The PACE codes of practice grow at every edition and yet there is no specific section dealing with the collection, duplication and retention of digital information. If there were then I'm sure there is nothing the police would like better than to be able to clone the PC and all information on it in some sort of "certified" fashion and exhibit the copy as evidence. But it's not something the courts will accept, the defence will agree or the Judiciary will readily understand. They still want the murder weapon and not a facsimile.

I know for a fact that one force anyway has a code of practice regarding data evidence. ACPO too has pondered it long and hard, the EHCR aspect in particular causes many a headache. But at the end of the day the constraint is what the court will accept, not what's best for the police and ultimately the victim.

It's a safe bet to say that the instances of high-tech crime and evidence are on the increase, and I wouldn't envy the task of anyone actually trying to find figures on it but I would be equally confident saying the amount of cases, and therefore instances of seizures, are minuscule compared with "old fashioned" crimes like rape, assault, theft, burglary. And the resources for dealing with these crimes are equally minuscule compared with those other offences. I have personal experience of trying to find the right resources to progress investigations involving computers.

Perhaps we were both too glib with how much background information on the subject we have?
