You've been arrested for computer crime: Here's what happens next
The knock on the door you REALLY don't want to hear
It isn't just paedophiles. It is the accountant who thinks he is worth more than the company decides to pay him, and decides to create and pay fictitious invoices. It is the card-cloning gangs buying and selling mag stripes and card dumps. It is the drug dealers who think they are smarter than the police.
Or it is just the plain unlucky techie, who has been been swept up into a cybercrime investigation through no real fault of their own.
What follows is a blow-by-blow account of what will happen if you, or someone you know, gets arrested for a computer-related crime. It is written with the guidance and help of an expert in IT forensics as well as a detective with over 20 years experience of dealing with the darker side of IT.
You're under arrest
Everyone hopes it never happens to them. Mud sticks, especially where computer crimes are concerned. Contrary to popular belief, the 5am door knock is rarely used for e-crime suspects as they are usually in custody by the time the evidence collection happens.
The information that leads to your arrest is not dreamed up by some bored copper. Rather, it will likely come from one of two distinct avenues. It can be allegations made by individuals, or alternatively, it can be what the police call “intelligence-led” - where potential information comes from other police operations.
An example of intelligence-led investigations are where people who use their credit cards to purchase illegal porn are revealed. Sometimes evidence even comes from rape or murder cases. When such cases occur, computers are taken as they can contain a whole treasure trove of information, such as a suspect using Google to research “How poisons work” in preparation for carrying out a murder.
A computer crime suspect would be treated in the same manner as any other. They would be arrested, their homes searched, and they would be questioned about any evidence found during the search. This would be done under caution, with the famous rubric: "You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence."
The type of police officer who seizes the offending items depends on the perceived complexity of the case and mitigating factors such as the expected level of knowledge of the user.
If the suspect is an average home user then a specially trained PC would pay a visit the home and seize any and all computer equipment and associated media on the premises. These officers, although not forensic experts, are trained in preserving and logging evidence into custody. The shocked residents sharing the house with the suspect would be treated to a hard door knock, a signed warrant and a house full of burly coppers collecting all the evidence they could find, ripping the place apart looking for anything incriminating. Not an ideal way to start the day, for sure.
Seized items are bagged with tamper proof ID and tags, clicking shut like the same cable ties we use to keep our own systems in order. The tag holds details such as item description and photographs of the evidence as it was seized. Inside the clear bags would be all the IT gear belonging to the suspect. Other attributes include the time and place of seizure, as well as case references and exhibit ID. Evidence is not just computers and disks, but can also be passwords on Post-It notes or scraps of paper, printouts or even financial statements. The potential mountain of IT paraphernalia will then be put in the back of a police van and driven away - just as we’ve seen on countless news and cop shows.
In situations where a business computer is involved the collection method can be very different. In cases such as these you can't take all the computers or the business would just fold.
Sometimes the police will be invited in by the business after financial irregularities or incriminating logs have been found and the individual has had their access keys and VPN access cancelled before being summarily marched off the premises, or if they are lucky, put on gardening leave. In such instances the suspect’s computer may be seized as evidence.
Other computers in the office would be cloned using a specialist software forensic tool such as EnCase in conjunction with a write blocker to preserve the integrity of the source disk. A write blocker is a hardware device that prevents any writes to the source disk. Any source disk that is written to is considered tainted evidence.
If police even suspect there might be illegal images on the computer in question, the computer will be removed for inspection. If a financial crime is suspected the police will still seize the equipment. Rarely is anything left behind.
You will then be taken to the police station.
Sponsored: RAID: End of an era?