You've been arrested for computer crime: Here's what happens next

The knock on the door you REALLY don't want to hear


Forensic toolkit to sniff out the evidence

One of the best-known forensic toolkits is EnCase, but the software used depends on the police force concerned.

To help manage the search for data and information in a systematic way, forensic toolkits are used. The best known is EnCase, but a single copy of it will run to thousands of dollars. Less expensive alternatives to EnCase include WinHex and X-Ways. Both are developed by a company called X-Ways Software Technology, based in Cologne, Germany. Its customers include not only US law enforcement types but also KPMG forensics (remember the naughty accountant example from earlier?), Toshiba and HP. Several components make up the suite of tools, all "modestly" priced. You can, however, download demo versions if you would like to take them for a spin.

What is really clever is that the tools take a hash of each image and store it in a database, so that other investigators are not subjected to the same images repeatedly, which makes the investigation more streamlined. The more advanced tools also export the entire disk to a searchable database system, where multiple users can search for strings across the disks under investigation. This has obvious advantages over the one disk, one investigator methodology.

When the forensics team work with disks, they don't work on the physical disks but on virtual disks created by the forensic toolkit. Other cool parts of it include built-in intelligence that allows the EnCase computer to detect that the disks are part of a RAID set, mimic the controller and allow the RAID set to be reviewed as a whole. This technique has also been used for data recovery in non-investigative situations.

Forensic toolkits are also intelligent enough to understand when a write blocker is in use, and will record its presence as part of the evidence acquisition log.
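As an added illustration of the two toolkit behaviours just described (not code from the article or from any of the products it names), the following Python sketch hashes recovered files against a shared known-hash database so duplicates are flagged rather than re-reviewed, searches several disks at once for a string, and writes an acquisition record that captures the image hash and write-blocker presence so the image can later be verified as unaltered. All file contents and disk names are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: file path -> content, standing in for files recovered
# from an acquired disk image (not a real image).
SAMPLE_IMAGE: Dict[str, bytes] = {
    "DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0picture-A",
    "DCIM/IMG_0002.jpg": b"\xff\xd8\xff\xe0picture-B",
    "backup/IMG_0001 (copy).jpg": b"\xff\xd8\xff\xe0picture-A",  # byte-identical copy
    "notes/todo.txt": b"call solicitor about bail date",
}

def sha256_hex(data: bytes) -> str:
    """One hash function serves both the known-file database and image integrity."""
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class AcquisitionRecord:
    """Acquisition-log entry: image hash taken at acquisition time and whether a
    hardware write blocker sat between the evidence disk and the workstation."""
    image_name: str
    write_blocker_present: bool
    image_sha256: str

def acquire(image_name: str, image_bytes: bytes, write_blocker: bool) -> AcquisitionRecord:
    return AcquisitionRecord(image_name, write_blocker, sha256_hex(image_bytes))

def verify_image(record: AcquisitionRecord, image_bytes: bytes) -> bool:
    """True if the image is byte-for-byte unchanged since acquisition."""
    return sha256_hex(image_bytes) == record.image_sha256

def triage(files: Dict[str, bytes], known: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split files into those needing review and those already in the shared
    hash database; new hashes are added so later investigators skip them."""
    to_review, already_seen = [], []
    for path, data in files.items():
        digest = sha256_hex(data)
        if digest in known:
            already_seen.append(path)
        else:
            known[digest] = path  # remember where this content was first seen
            to_review.append(path)
    return to_review, already_seen

def search_strings(disks: Dict[str, Dict[str, bytes]], needle: bytes) -> List[str]:
    """Search every disk in the shared store for a byte string at once."""
    return sorted(f"{disk}:{path}" for disk, files in disks.items()
                  for path, data in files.items() if needle in data)
```

Running `triage` on a second disk with the same `known` dictionary is what lets a different investigator skip material the first one already classified.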

The decision to prosecute, or not

Once the investigation is complete, a report will be created, along with supporting evidence. This will then be passed to the Crown Prosecution Service, which will review it and decide if there is a case to answer. The decision to prosecute is based on a number of factors, including physical evidence of who was using the computer in a multi-user environment, such as fingerprints on the keyboard. The ability to identify the user in a multi-user environment is critical. Whilst further investigation takes place, the suspect can be bailed to reappear pending a decision.

Suspects are just too stupid

On the thorny topic of file encryption, the following facts may interest you:

Most suspects do not use encryption. Those that do often give up the key when asked; not doing so is against the law. Also, some people are just too stupid. A forensic IT tech regaled us with the story of one suspect who used BitLocker. Great. The only issue was that the suspect had the recovery USB stick sellotaped to the side of the PC, labelled "BitLocker Recovery". Suffice to say he quickly decided cooperation was the best policy.

Usually, if the suspect does not give up the encryption key, the police will have enough circumstantial evidence to build a case around the crime and let the CPS decide if there is a case to answer and if there is enough evidence for a prosecution to proceed. This is usually in the form of other media found, or other non-computer-related circumstantial evidence.

The failure to give up encryption keys is in itself a hot potato. Under the first pass of the Regulation of Investigatory Powers Act, which gave the police the power to demand passwords, it made sense for people who had committed serious computer crime not to give up their encryption keys, because they would get a maximum jail term of three years if no evidence could be collected. For possessing and distributing illegal pornography the sentence can easily be double that.

This led to Conservative MP Sir Paul Beresford calling for the maximum sentence for failure to provide encryption keys to be increased to ten years.

Interestingly, according to the Open Rights Group, there were 19 refusals to decrypt data in the period 2012/2013. Of those 19, three were successfully prosecuted.

Depending on the crime the suspect is accused of, the police can and do decide to use system exploits to obtain access to the system. Although such a technique would probably not be used on a low-level suspect, any hint of terrorism or a similar level of indirect danger would allow these exploits to be used.

For super high-value targets there are even more ingenious devices that allow a PC that is in a usable state to be secured: a high-capacity battery is attached to the PC before it is removed from the wall socket, using techniques to prevent power being lost. A dongle can even be attached to generate mouse movement, preventing the screen from locking or going to sleep whilst still preserving the integrity of the machine. If you get this treatment, you must be a super high-value target.

But what if you know you’re innocent?

Unfortunately, this doesn't just happen to the bad guys. Knowing the process detailed above can help you understand what will happen. The question of encryption keys is a minefield in itself and best left to the professionals. The best course of action for anyone, really, is to heed the warning when arrested and speak with your solicitor first before saying anything to the police. Your solicitor's advice will be worth its weight in gold.

Bootnote: I wish to say thank you to Les and Tony at Fiasa Forensic Services for their assistance and guidance in writing this article.
