The Reg visits London Met Police's digital and electronics forensics labs
Met lab tour throws up issues around storage, encryption and privacy versus security
More than 90 per cent of crime has "a digital element," we were told as The Reg was welcomed into London Metropolitan Police's Central Communications Command Centre, near Lambeth Bridge on the Thames.
Not only does that mean an exponential increase in the amount of data stored, with the increasing seizure of phones, it also raises questions over privacy and security, and the role of encryption.
Not surprisingly, the Metropolitan Police force deals with the highest volume of digital forensics (it is after all the largest force in the country, with more than 30,000 officers).
In a tour of its labs, Mark Stokes, head of digital & electronics forensics at the Met, reveals the changing nature of his department's work.
Among its work, he points out a pile of CCTV footage that police are still trying to recover from Grenfell Tower – the 27-storey block where at least 70 people died after the high-rise public housing in the wealthy London suburb of North Kensington caught fire in June 2017. Over 100 officers and civilian staffers are still working on the criminal investigation while the public inquiry rolls on – and the forensic examination of evidence collected is an important part of that.
Not the actual Cityman... for security reasons, we didn't take snaps at Lambeth...
Stokes also shows us a machine that restores damaged chips from smartphones as well as a display of now-obsolete mobiles from the last decades.
Some of those relics include a Nokia handset from 1995, an HP PDA, with a built-in mobile phone, the original iPhone and most ancient of all a Mobira Cityman 1320 from the 1980s - which looks worthy of Gordon Gekko.
Stokes said he sees them as a visual reminder of how fast technology has moved on in a relatively short space of time.
“It’s funny when you think about it; digital forensics didn’t really exist 25 years ago,” he says.
At one point he picks up the motherboard from an old BlackBerry handset. "We used to see a lot of these after the London Riots [in 2011], but now we seldom see them."
Not only has the field grown rapidly, but Stokes believes police are getting to a point where it is very difficult for a person to go through all the data on a computer. He recently explored the use of machine learning or quantum computing as possible fields that might help at the (ISC)2 Secure Summit in London. Although he admits that the technology required is not yet here.
Because the volume of work is so huge, there's an emphasis on self-serve, he says. Most of the data retrieved from mobile phones occurs at station level.
"If it's from a victim, they can hand the phone over, download it and hand it back. Around three years ago if you said to someone we need to take away your phone and hand it back in a month, they would not be happy about it. So we've enabled more reporting of crime, but flip side of that is we have opened up a lot more demand and there is a lot more data to manage."
One answer to the data explosion is, of course, the long-talked-about shift to cloud. Stokes says the force processes around one terabyte of data every hour. “The volume of data is going to end up in petabytes.”
"At the moment we are working on a case with 200 computers we need to ingest data from. We don’t do that every day... so the cloud would make sense. We could ingest the data, index, review and analyse it, and when we are finished scale back down."
Consequently, it is considering Google, AWS and Azure. "At the moment a number of those aren't secure platforms in terms of the level of security policing requires, but they have moved into that space, offering secure cloud segmented away," he says.
"Microsoft call it a secure government cloud, data centres separate to public offering, although they have to get enough customers across government [to make it worthwhile]. Microsoft are doing some work with the MoD doing that cloud provision for them."
But while cloud could be an answer to some of the problems, it is also posing some issues from a legislation perspective.
Currently the Met cannot access remotely stored data – for example, on the Dropbox service. In order to do so, it would have to go through a Regulation of Investigatory Powers Act (RIPA) – the controversial Act that regulates the powers of public bodies to carry out surveillance and investigation, and the interception of communications. This process can be lengthy, he says.
He believes legislation has not yet caught up with the technology, because it wasn't envisaged that people would be sharing a lot of data remotely. "It's about having a conversation with the public around the necessity and the proportionality of that. And if everyone agrees that should drive some sort of balanced legislative change that allows that to occur."
Under changes in select cases individuals could be forced to hand over their passwords or face jail. But Stokes stresses that the use of such powers would have to be proportionate.
Another contentious challenge is encryption. Although Stokes is sceptical that it can ever be completely cracked – leaving aside the question of whether doing so would be desirable.
“If they have used good encryption and good password, that is the end of the day. But the reality is... if you are clever enough and want to do the work you will know how to cover your tracks."
He adds: "A lot of criminals are chaotic. You have your serious and organised criminals [who] will plan various things... but then you have the rest that is probably not even thought through properly. Digital systems leave traces... It would be very difficult to go into a house and not leave some kind of trace behind, and a digital system is exactly the same."
But that is not to say detection doesn't remain a challenge.
"At the moment, the encryption thing: we are concerned about it going forward. Security is getting harder... it is becoming more difficult. That is absolutely the case. But there are bits of legislation that allow us to get passwords from people, and hand them over. Obviously victims and witnesses are more than happy for us to have access to the device. We just have to be careful about what we extract."
Biometric passwords could help in this regard. "It is very easy for someone to say 'I forgot my password', whereas they can't say 'I forgot my face'!"
When it comes to the national biometrics database, he believes we are in the "relatively right space" because it is about people who have been convicted of crime. "If they are not, then the data is not retained. I think that is a reasonable balance, and as we move forward does the legislation change to give us a good proportional balance that is open to inspection by the public?"
Cops' use of biometric images 'gone far beyond custody purposes'READ MORE
What about the more controversial retention of custody images - which now contains 20 million images of people, many of whom have not been convicted.
"I can't comment directly on that. But I think going forward it is biometric and it should be treated in the same way as fingerprints potentially... certainly DNA and fingerprints are only retained if there has been a criminal conviction."
He adds: "And that probably needs to be where we are heading with other sources of biometric data in the future."
Facial recognition technology is still in early days, he says, something he points out in when showing us some screen examples of facial recognition profiling. In fact, most of it is still done manually using software, rather than through automation.
The most notable example of this going wrong was its use at the Notting Hill Carnival last year, which led to a wrongful arrest.
"I think as you get higher and better resolutions it will improve, but if you take a lot of the products we get on CCTV.. you wouldn’t find anything because they are fuzzy blobs."
Stokes reiterates that it is all about striking the right balance. "We are not prying, we are just trying to get the best and proportional evidence. We should manage how we control access to data and devices, with proper governance in place," he says.
"There is a necessity to develop systems and processes [so that] we work on that data in an evidentially sound manner. Everything we do has to be examinable by the court, and probed by barristers once we get to that point.
"Although we are in policing, we see ourselves as independent forensic professionals. We are not here to prosecute or defend, we are here to recover data and explain what that data means." ®