You've been arrested for computer crime: Here's what happens next

The knock on the door you REALLY don't want to hear

Forensic toolkit to sniff out the evidence

One of the best-known forensic toolkits is EnCase, but the software used depends on the police force concerned.

To help manage the search for data and information in a systematic way, forensic toolkits are used. The best known is EnCase, but a single copy of this will run to thousands of dollars. Other, less expensive alternatives to EnCase include WinHex and X-Ways. Both of these alternatives are developed by a company called X-Ways Software Technology, based in Cologne, Germany. Their customers include not only US law enforcement types but KPMG Forensics (remember the naughty accountant example from earlier?), Toshiba and HP. There are several components that make up the suite of tools, all “modestly” priced. You can, however, download demo versions if you would like to take them for a spin.

What is really clever is that the tools will then take a hash of each image and store it in a database, so that other investigators are not subjected to the same images repeatedly; this makes the investigation more streamlined. The more advanced tools also export the entire disk to a searchable database system, where multiple users can search for strings across the disks under investigation. This has obvious advantages over the one disk/one investigator methodology.
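To show the two ideas in that paragraph in working code, here is an added example (not from the article or any of the toolkits it names): a hash database of already-catalogued images used to skip files other investigators have reviewed, and a `strings`-style index that lets several people search every disk at once. The disk contents and the known-hash entries are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for files carved from a disk image: path -> raw bytes.
SAMPLE_DISK = {
    "/home/user/Pictures/holiday.jpg": b"\xff\xd8\xff\xe0JFIF holiday beach",
    "/home/user/Pictures/cache/thumb.jpg": b"\xff\xd8\xff\xe0JFIF known-bad-sample",
    "/home/user/Documents/notes.txt": b"meeting with accountant re: invoices",
    "/var/tmp/x.bin": b"\x00\x01\x02random bytes accountant\x00",
}

# Constructed shared "known image" database: SHA-256 -> reference label.
# In practice this is built from previously reviewed material, not from the disk under review.
KNOWN_IMAGES = {
    hashlib.sha256(b"\xff\xd8\xff\xe0JFIF known-bad-sample").hexdigest(): "CASE-0001/item-7",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(disk: dict, known: dict) -> dict:
    """Split files into those already catalogued (matched by hash) and those still needing review."""
    result = {"known": [], "review": []}
    for path, content in sorted(disk.items()):
        digest = sha256_hex(content)
        if digest in known:
            result["known"].append((path, known[digest]))   # reviewer need not open it again
        else:
            result["review"].append((path, digest))         # new content; record its hash
    return result


def build_string_index(disk: dict, min_len: int = 4) -> dict:
    """Index printable ASCII runs (as the `strings` tool would find them) by lower-cased word."""
    index = defaultdict(set)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for path, content in disk.items():
        for run in re.findall(pattern, content):
            for word in run.decode("ascii").lower().split():
                index[word].add(path)
    return index


def search(index: dict, term: str) -> list:
    """Case-insensitive lookup across every indexed disk; returns sorted file paths."""
    return sorted(index.get(term.lower(), set()))
```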

When the forensics team work with disks, they don't work on physical disks but on virtual disks created by the forensic toolkit. Other cool parts of it include built-in intelligence that will allow the EnCase computer to detect that the disks are part of a RAID set, mimic the controller and allow the RAID set to be reviewed as a whole. This technique has also been used for data recovery in non-investigative situations.

Forensic toolkits are intelligent enough to also understand when a write blocker is used and will actually record its presence as part of the evidence acquisition log.

The decision to prosecute, or not

Once the investigation is complete, a report will be created, along with supporting evidence. This will then be passed to the Crown Prosecution Service, who will review it and decide if there is a case to answer. The decision to prosecute is based on a number of factors including physical evidence, such as evidence of who was using the computer in a multi-user environment, i.e. fingerprints on the keyboard. The ability to identify the user in a multi-user environment is critical. Whilst further investigation takes place, the suspect can be bailed to reappear pending a decision.

Suspects are just too stupid

On the thorny topic of file encryption, the following facts may interest you:

Most suspects do not use encryption. Those that do often give up the key when asked. Not doing so is against the law. Also, some people are just too stupid. A forensic IT tech regaled us with the story of one suspect who used BitLocker. Great. The only issue was that the suspect had the recovery USB stick sellotaped to the side of the PC, labelled "BitLocker Recovery". Suffice to say he quickly decided cooperation was the best policy.

Usually if the suspect does not give up the encryption key, the police will have enough circumstantial evidence to build a case around the crime and let the CPS decide if there is a case to answer and if there is enough evidence for a prosecution to proceed. This is usually in the form of other media found or other non-computer-related circumstantial evidence.

The failure to give up encryption keys is in itself a hot potato. At the first pass of the Regulation of Investigatory Powers Act, which gave the police the power to demand passwords, it made sense for people who committed serious computer crime to not give up their encryption keys because they would get a maximum jail term of three years if no evidence could be collected. For possessing and distributing illegal pornography the sentence can easily be double that.

This led to Conservative MP Sir Paul Beresford calling for the maximum sentence for failure to provide encryption keys to be increased to ten years.

Interestingly, according to the Open Rights Group there were 19 refusals to decrypt data to date, in the 2012/2013 period. Of those 19, three were successfully prosecuted.

Depending on the crime the suspect is accused of, the police can and do make decisions to use system exploits to obtain access to the system. Although such a technique would probably not be used on a low level suspect, any hint of terrorism or similar levels of indirect danger would enable these exploits to be used.

For super high-value targets there are even more ingenious devices that allow a PC that is in a usable state to be secured by attaching a high-capacity battery to the PC before removing it from the wall socket, using techniques to prevent power being lost. A dongle can even be attached to create mouse movement to prevent the screen from locking or going to sleep, whilst still preserving the integrity of the machine. If you get this treatment, you must be a super high-value target.

But what if you know you’re innocent?

Unfortunately, this doesn't just happen to the bad guys. Knowing the process as detailed above can help you understand what will happen. The question of encryption keys is a minefield in itself and best left to the professionals. The best course of action for anyone really is to heed the warning when arrested and speak with your solicitor first before saying anything to the police. Your solicitor's advice will be worth its weight in gold.

Bootnote: I wish to say a thank you to Les and Tony at Fiasa Forensic Services for their assistance and guidance in writing this article.