
You've been arrested for computer crime: Here's what happens next

The knock on the door you REALLY don't want to hear

Forensic toolkit to sniff out the evidence

One of the best-known forensic toolkits is EnCase, but the software used depends on the police force concerned.

To help manage the search for data and information in a systematic way, forensic toolkits are used. The best known is EnCase, but a single copy will run to thousands of dollars. Less expensive alternatives to EnCase include WinHex and X-Ways, both developed by X-Ways Software Technology, based in Cologne, Germany. Its customers include not only US law enforcement types but KPMG Forensics (remember the naughty accountant example from earlier?), Toshiba and HP. Several components make up the suite of tools, all “modestly” priced. You can, however, download demo versions if you would like to take them for a spin.

What is really clever is that the tools take a hash of each image and store it in a database, so that other investigators are not subjected to the same images repeatedly, which makes the investigation more streamlined. The more advanced tools also export the entire disk to a searchable database system, where multiple users can search for strings across the disks under investigation. This has obvious advantages over the one-disk, one-investigator methodology.

When the forensics team work with disks, they don't work on the physical disks but on virtual disks created by the forensic toolkit. Other cool features include built-in intelligence that allows the EnCase computer to detect that the disks are part of a RAID set, mimic the controller and allow the RAID set to be reviewed as a whole. This technique has also been used for data recovery in non-investigative situations.

Forensic toolkits are also intelligent enough to recognise when a write blocker is in use and will record its presence as part of the evidence acquisition log.
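As an added illustration (not code from the article or from any forensic product), here is a small Python sketch of the two points above: a shared hash database that spares later investigators from re-reviewing material an earlier examiner has already categorised, and an acquisition record that stores the image hash alongside the write-blocker flag so a working copy can later be checked against it. The file contents, the hash database and the examiner names are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample files "carved" from a suspect's disk image (contents invented here).
SAMPLE_FILES = {
    "pictures/IMG_0001.jpg": b"\xff\xd8\xff\xe0JFIF-sample-one",
    "pictures/IMG_0002.jpg": b"\xff\xd8\xff\xe0JFIF-sample-two",
    "pictures/IMG_0003.jpg": b"\xff\xd8\xff\xe0JFIF-sample-one",  # byte-identical to IMG_0001
    "docs/notes.txt": b"plain text, not a picture",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Shared hash database: digests of material an earlier investigator already looked at,
# mapped to the recorded outcome (constructed; seeded from one previously reviewed file).
KNOWN_HASHES = {
    sha256_hex(b"\xff\xd8\xff\xe0JFIF-sample-one"): "reviewed by examiner-1, no further action",
}

def triage(files, known_hashes):
    """Return (already_categorised, needs_review): paths whose content hash is in the shared
    database reuse the earlier outcome; byte-identical new files are queued for a human once."""
    already_categorised, needs_review = {}, {}
    for path, content in files.items():
        digest = sha256_hex(content)
        if digest in known_hashes:
            already_categorised[path] = known_hashes[digest]
        elif digest not in needs_review:
            needs_review[digest] = path
    return already_categorised, list(needs_review.values())

def acquisition_record(image: bytes, write_blocker_present: bool, examiner: str) -> dict:
    """Log entry made when the image is taken: the hash ties every later finding back to
    this exact byte stream, and the write-blocker flag is recorded alongside it."""
    return {
        "image_sha256": sha256_hex(image),
        "write_blocker_present": write_blocker_present,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }

def image_unchanged(image: bytes, record: dict) -> bool:
    """Re-hash the working copy and compare it with the acquisition record."""
    return sha256_hex(image) == record["image_sha256"]

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, KNOWN_HASHES))
```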

The decision to prosecute, or not

Once the investigation is complete, a report will be created, along with supporting evidence. This will then be passed to the Crown Prosecution Service, who will review it and decide if there is a case to answer. The decision to prosecute is based on a number of factors including physical evidence, such as evidence of who was using the computer in a multi-user environment, e.g. fingerprints on the keyboard. The ability to identify the user in a multi-user environment is critical. Whilst further investigation takes place, the suspect can be bailed to reappear pending a decision.

Suspects are just too stupid

On the thorny topic of file encryption, the following facts may interest you:

Most suspects do not use encryption. Those that do often give up the key when asked. Not doing so is against the law. Also, some people are just too stupid. A forensic IT tech regaled us with the story of one suspect who used BitLocker. Great. The only issue was that the suspect had the recovery USB stick sellotaped to the side of the PC, labelled "Bitlocker Recovery". Suffice it to say he quickly decided cooperation was the best policy.

Usually if the suspect does not give up the encryption key, the police will have enough circumstantial evidence to build a case around the crime and let the CPS decide if there is a case to answer and if there is enough evidence for a prosecution to proceed. This is usually in the form of other media found or other non-computer-related circumstantial evidence.

The failure to give up encryption keys is in itself a hot potato. At the first pass of the Regulation of Investigatory Powers Act, which gave the police the power to demand passwords, it made sense for people who committed serious computer crime not to give up their encryption keys, because they would get a maximum jail term of three years if no evidence could be collected. For possessing and distributing illegal pornography the sentence can easily be double that.

This led to Conservative MP Sir Paul Beresford calling for the maximum sentence for failure to provide encryption keys to be increased to ten years.

Interestingly, according to the Open Rights Group there were 19 refusals to decrypt data in the period 2012/2013. Of those 19, three were successfully prosecuted.

Depending on the crime the suspect is accused of, the police can and do decide to use system exploits to obtain access to the system. Although such a technique would probably not be used on a low-level suspect, any hint of terrorism or a similar level of indirect danger would allow these exploits to be used.

For super high-value targets there are even more ingenious devices that allow a PC in a usable, powered-on state to be secured: a high-capacity battery is attached to the PC so that it can be removed from the wall socket without power being lost. A dongle can even be attached to generate mouse movement to prevent the screen from locking or going to sleep, whilst still preserving the integrity of the machine. If you get this treatment, you must be a super high-value target.

But what if you know you’re innocent?

Unfortunately, this doesn't just happen to the bad guys. Knowing the process as detailed above can help you understand what will happen. The question of encryption keys is a minefield in itself and best left to the professionals. The best course of action for anyone really is to heed the warning when arrested and speak with your solicitor first before saying anything to the police. Your solicitor's advice will be worth its weight in gold.

Bootnote: I wish to say a thank you to Les and Tony at Fiasa Forensic Services for their assistance and guidance in writing this article.

Biting the hand that feeds IT © 1998–2017