You've been arrested for computer crime: Here's what happens next
The knock on the door you REALLY don't want to hear
Bedding down for the night
After all the items have been removed and the police have a better idea of the evidence available, a preliminary interview takes place with you, the suspect.
You'll be questioned – but you're entitled to meal breaks. It's not like Law and Order...
During the police interview a suspect is entitled to legal representation – normally a solicitor – who would advise them as to what they are charged with, offer them guidance on how to proceed, and sit in on the interview to monitor the police interviewers.
Unlike some of the films and TV dramas you see, there are rules covering the welfare of the suspect and maximum interview length. In brief, you're entitled to meal breaks, under Part 12 of the Police and Criminal Evidence Act Code C. This is enforced by the custody officer, independently of the investigation team.
When you are arrested, the clock starts ticking. Unless you are arrested for terror-related offences, the police usually have 24 hours to question you. At this point they will decide if they wish to arrest you or detain you. A senior police officer can authorise your detention for up to 36 hours. In serious cases, a judge can approve extending your detention for up to four days.
The custody experience isn't the Hilton. After a thorough search you will be placed in your whitewashed cell, replete with appropriate scrawled graffiti. The cell and what few contents it has are all designed to be free from ligature points to try and prevent people from hanging themselves. This is why you have to take your shoes and belt off. And your tie, if we’re talking suspected financial crime.
It is up to you to make your own entertainment whilst the police carry out their investigations. If you were thinking about sleeping, it will be an uncomfortable experience. Again, everything is bolted down so you can't really get comfortable. You will have a mattress and pillow, made from wipe-clean plastic.
Unlike in the TV series you see, there will be long periods of just waiting. Then an interview. Then a return to the cell. This may happen several times. You will also be monitored and checked by the custody officer through the observation hatch, and if you're really lucky there'll be all-encompassing CCTV in the roof as well. You really will get to know how a goldfish in a bowl feels.
On the positive side, you do have a few rights whilst in custody. You have the right to have someone informed of your arrest. You have the right to free legal advice and also to know what you are being charged with as well as the more mundane things such as toilet and food breaks. And as we said earlier, you have the right to remain silent, although a court can later hold that against you if they so wish.
Somewhat controversially however, the police have the right to take photographs, DNA samples and fingerprints. Without your consent. You can only get these erased from police databases six years after your arrest, whether or not you are convicted or even charged with anything.
Talking to the nice policemen
Ahead of the interview the officer conducting it will review the evidence to hand, building a case around it. Asking the suspect to give a reason as to why the items collected during the search are in their possession is the first line of enquiry. One of the main aims of the initial interview is to shut down any potential “Get out of jail card”, such as claiming that evidence was planted or “I let my neighbour use my PC as his was broken”. It is also used to identify evidence that could potentially be used to mount any defence.
Interestingly, according to our police source, at this point, quite a few suspects will actually confess to their crimes and try to offer some mitigation as to why they committed them.
At this point, unless the alleged offence is particularly serious, the suspect will be bailed whilst a more thorough investigation takes place. A forensic investigation of a single PC can take several weeks. Conditions can be placed on the suspect, such as not using or owning computers whilst the investigation occurs. It is more common to just place restrictions on the use of a system: for example it may only be used at the suspect’s place of work, during business hours.
A big issue with most e-crime units is the fact that they do not have enough resources to deal with all of the cases they are asked to investigate. The solution to this is to triage the content of the confiscated disks, also known as forensic preview. During the process of forensic preview a junior member of the team will do a basic investigation of what is contained on the disk, using a bit for bit copy of the original disk.
What is found is then put into a matrix to decide which cases should be given priority. The matrix takes into account the seriousness of the crime and the perceived intelligence gain. Each force has a different matrix with a different scoring according to localised priorities.
Before the preview is started the investigating forensics officers will look to the police officer in charge of the case for guidance as to what they are looking for.
When the forensic review is started, it is not just a random search for *.jpg or *.doc. It uses a suite of applications and processes that not only looks for images but also can be used to search for unique strings across the system, including slack space, temporary files, swap partitions and every inch of the hard drive. A customised dictionary is often used that can be tailored to the kind of investigation and crime the suspect is suspected of committing. For example, if someone were thought to be a drug dealer the investigator would use a dictionary that used the latest drug slang as well as more conventional drug terms.
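The string search described above can be sketched as follows. This is an added example, not a tool named in the article: it reads a raw image as bytes, ignoring the filesystem, which is why remnants in slack or unallocated space are found as well. The term list and the sample image are constructed for illustration.

```python
import io

TERMS = ["drop-point", "ledger"]  # constructed dictionary for this example

def build_patterns(terms):
    """Each term as lower-cased UTF-8 and UTF-16LE bytes (Windows stores much text as UTF-16)."""
    return {t.lower().encode(enc): (t, enc) for t in terms for enc in ("utf-8", "utf-16-le")}

def scan_image(stream, terms, chunk=64 * 1024):
    """Return sorted (byte_offset, term, encoding) hits from a raw image stream."""
    patterns = build_patterns(terms)
    # Carry the last (longest pattern - 1) bytes forward so a term split
    # across two reads is still matched.
    overlap = max((len(p) for p in patterns), default=1) - 1
    hits, tail, base = set(), b"", 0  # base = absolute offset of window[0]
    while True:
        block = stream.read(chunk)
        if not block:
            return sorted(hits)
        window = tail + block.lower()  # ASCII-only case folding
        for pat, (term, enc) in patterns.items():
            pos = window.find(pat)
            while pos != -1:
                hits.add((base + pos, term, enc))  # set removes overlap duplicates
                pos = window.find(pat, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)

def sample_image():
    """Constructed 2 KiB image: a short live file, then slack holding older remnants."""
    live = b"shopping list: milk, eggs"
    slack = b"...meet at the DROP-POINT tonight..."  # remnant of a deleted file
    utf16 = "ledger".encode("utf-16-le")              # remnant stored as UTF-16
    img = bytearray(2048)
    img[0:len(live)] = live
    img[600:600 + len(slack)] = slack
    img[1500:1500 + len(utf16)] = utf16
    return bytes(img)

if __name__ == "__main__":
    for offset, term, enc in scan_image(io.BytesIO(sample_image()), TERMS):
        print(f"offset {offset}: {term!r} ({enc})")
```

Reporting byte offsets rather than file names lets a hit be re-located on the same image by anyone repeating the search.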
If evidence is found, for example fragments of emails or text messages, the investigators can reach out to service providers to provide the required data. This is done by a police specialist called a SPOC (Single Point of Contact) who liaises with the service providers (mobile/internet/ISP etc) in question. A warrant is usually required to obtain this information and must be signed by a judge.
All this information is then passed to the case officer who reviews the evidence. All evidence needs to be collected in compliance with ACPO (Association of Chief Police Officers) guidelines for data collection.
The four principles of data collection
The framework within which e-crime investigators work is based around four major principles.
No action taken by the police should lead to a change in the source media. This is the main reason write blockers are used. Using the disk prior to a clone could lead to allegations of planting evidence.
Any action that is performed on the source media must be documented, along with potential issues that this may raise. For example, if the original media is destroyed and needs to be rebuilt in a specialised clean room.
An audit trail should exist and contain documentation of any and all procedures that the evidence undergoes. This is so that the process is repeatable and the outcome the same if the procedure is repeated.
Any actions taken must fully comply with the letter of the law. For obvious reasons if the law is not adhered to it could potentially open claims that could lead to the case being thrown out.
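The first three principles can be illustrated in software. This is an added example, not the ACPO procedure or any force's tooling: it hashes the source, works only on a clone, re-hashes the source afterwards, and records each step in a log. The hash-chained log format, file names and sample image are assumptions, and none of this replaces a hardware write blocker.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_file(path, bufsize=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):  # large images stay out of RAM
            h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:  # append-only; each entry commits to the hash of the one before it
    def __init__(self):
        self.entries = []

    def record(self, action, **details):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "action": action, "details": details, "prev": prev}
        self.entries.append({**body, "entry_hash": _digest(body)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or _digest(body) != e["entry_hash"]:
                return False  # an entry was edited, removed or reordered
            prev = e["entry_hash"]
        return True

def acquire_and_examine(source, workdir, log):
    # Clone the source, work only on the clone, then show the source is unchanged.
    before = sha256_file(source)
    log.record("hash_source", path=str(source), sha256=before)
    copy = Path(workdir) / "working_copy.img"
    shutil.copyfile(source, copy)
    log.record("clone", path=str(copy), sha256=sha256_file(copy))
    log.record("examine_copy", bytes_read=len(copy.read_bytes()))  # stand-in step
    after = sha256_file(source)
    log.record("rehash_source", sha256=after, unchanged=(before == after))
    return before == after

def demo():
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "seized.img"  # constructed sample image
        src.write_bytes(b"\x00" * 4096 + b"constructed evidence bytes")
        log = AuditLog()
        ok, intact = acquire_and_examine(src, d, log), log.verify()
        log.entries[1]["details"]["sha256"] = "f" * 64  # simulate an edited entry
        return ok, intact, log.verify()
```

`demo()` returns `(True, True, False)`: the source hash is unchanged, the log verifies, and verification fails once an entry is altered.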
The good news is that if no evidence is found the seized items are returned to the owners. The bad news is that this can take several months to happen. If illegal images (i.e. child pornography) are found on the disks, they will be shredded and destroyed without exception. The hardware will often be returned without hard drives.
Obviously looking at illegal porn is illegal, but the investigating officers aren't above the law. In order to get around this issue civilian investigative officers get special dispensation to view the images, but only in the confines of a work office context.
Any images that are found are categorised on a scale of 1 to 5. 1 is the lower end of illegal through to 5 at the extreme end of the scale.