Wednesday 16 October 2013

Indecent images - The Dark side of the Web

‘Child pornography’ – perhaps the most emotive of criminal offences. ‘Association of Chief Police Officers’ (ACPO) statistics suggest that 84% of the overall case load for High Tech Crime Units across the UK involves indecent imagery and child abuse investigations. This area of crime is often seen as the ‘dark side of the web’ and as a result is perhaps the least discussed.
In cases of this nature the courts are concerned with the questions of intent, creation, possession, dissemination, and the social context of any wrongdoing. As most investigations of this nature involve computers, data storage devices, and Internet history records, the role of the technology expert witness is crucial.
Relevant acts in this field of crime are the Protection of Children Act 1999, Criminal Justice Act 2003, Sexual Offences Act 2003 and the newly released Coroners and Justice Act 2009. Specialist establishments also exist with the aims of preventing and managing the threat, including the Internet Watch Foundation (IWF) and the Child Exploitation and Online Protection Centre (CEOP).
The ‘Combating Paedophile Information Networks in Europe’ (COPINE) project originally created a ten point scale to grade the severity of images. In the case of R v OLIVER (2003), the Sentencing Advisory Panel (SAP) modified the COPINE typology and adopted a 1 – 5 grading system:
·  Grade 1: Images depicting nudity or erotic posing, with no sexual activity
·  Grade 2: Sexual activity between children, or solo masturbation by a child
·  Grade 3: Non-penetrative sexual activity between adult(s) and child(ren)
·  Grade 4: Penetrative sexual activity between child(ren) and adult(s).
·  Grade 5: Sadism or bestiality

Generally the custody threshold is reached when an individual is in possession of material graded above level two, although the courts will also consider other factors such as the quantity of images present, the quality of the material, the duration for which the material has been retained, whether there is evidence of distribution, and whether the individual has been responsible for actually creating the material. Sentencing can range from a fine or conditional discharge to nearing ten years imprisonment for the most cruel crimes.
Indecent imagery cases, like most crimes, may have common features (e.g. presence of illegal media on a computer) but the circumstances and context will always vary. As a result, the Judge and other authorities may need to adapt, modify or clarify the law in order to achieve a fair result. This interpretation of legislation leads to new lawful guidelines referred to as ‘Case Law’.
In the matter of R v BOWDEN (2000) it was accepted by the court that downloading or printing images from the Internet should be classed as ‘making’ a photograph due to the fact that a person is duplicating material through these actions. However, it must be taken into consideration whether a user meant to ‘make’ an indecent image or whether it may have been an accident. In certain instances, it may be the case that someone opened an Email attachment or clicked a link to download a file. Upon opening that item, the user could be presented with indecent or illegal content. The above happened during the case of R v SMITH in 2002, where the defendant was unlikely to have known that an Email attachment contained an indecent image. Because of this, he was not convicted of making or possessing indecent material.
In the 1997 case of R v FELLOWS & ARNOLD it was ruled that providing someone with a password to indecent material is essentially showing them that data. Sharing access to indecent images through authentication methods can also be classified as distribution of material. For this reason, both defendants were sent to prison based on evidence that they had both accessed the indecent images stored on their employers’ computer at Birmingham University.


The Increasing Importance Of Forensic Computing In Criminal Cases

In 1965 Gordon Moore wrote in Electronics Magazine his theory on the potential for computational evolution ‘increasing at a factored rate of double per year’.

Whilst his law has since been tempered based on actual industry development life-cycles, his prophetic statement still holds largely true, and today there is almost no walk of life or industry where computers and information networks have not become deeply integrated. Criminals have moved in step with technical advances, discovering ways in which to leverage IT to facilitate the commission of offences.

In many instances this is old, or conventional, crime perpetrated using new approaches that are reliant on technology. Postal fraud, for instance, has evolved to employ electronic communication channels, giving rise to waves of emails seeking to defraud recipients with promises of money and fictitious prizes (commonly known as ‘419 scams’, as many such notes tend to originate from the African continent and 419 is their penal code for wire fraud).

Studies into the cost of cyber-crime, commissioned independently by the Department of Trade and Industry (DTI) reveal alarming trends in the abuse and misuse of technology. The average cost per security incident has risen to over £160,000 and nearly one in four businesses in the UK have suffered a serious hacker attack or virus outbreak. The impact of an information security breach can be so devastating to business operations that one in ten never actually recover and the shutters close permanently. To counter this growing threat, security and law enforcement agencies have adopted fresh approaches for dealing with high technology crime.

Forensic Computing is a relatively young science when compared to contact forensics such as fingerprint recognition, which have roots that can be traced back to Edmond Locard, who in the early 1900s famously postulated the theory of evidence being left as ‘mutual exchanges of contact’. Whilst various descriptions exist in relation to this practice, the international survey undertaken by Hannen has been taken as the de-facto definition: ‘Processes or procedures involving monitoring, collection, analysis... as part of “a priori” or “postmortem” investigations of computer misuse’. It is important to appreciate that this definition takes a wider view than the conventional reactive description, where forensics was regarded purely as an incident response function. Hannen considers digital forensics as also taking a pro-active role in security, where it can be combined with intelligence and operational planning.

As a serious field of research, forensic computing studies only started to take real form in the early 1990s when, faced with ever increasing numbers of computers being seized at crime scenes and the potential for crucial evidence to be stored on a PC, various government agencies came together to host the International Conference on Computer Evidence (ICCE). Here many of the challenges facing law enforcement communities were aired and agreements forged to cooperate towards finding effective solutions.

Two years later, in 1995, the International Organisation for Computer Evidence (IOCE) was formed, and a further two years later the member states that comprise the G8 subscribed to the mission of IOCE, pledging support for the organisation. This was the catalyst required to stimulate research and development, and since then great advances have been made in all spheres of digital evidence management.

When working on a matter where the case will rise or fall on the strength of digital evidence, for example where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. This places the evidence into the wider context of the offence and enables barristers to make directions to the court based on a fuller appreciation of matter.

Assuming material has been seized by the authorities, the state will usually conduct their own forensic assessments (typically undertaken by the regional police hi-tech crime unit), the results of which will be provided to legal representatives. The mechanics of this process involve the ‘imaging’ of the ‘target media’: the process of making a forensically sound duplication of digital materials of interest (e.g. the computer hard drive). During this duplication process a ‘write-blocking’ device will be employed to ensure the target media is not affected or corrupted in any capacity whilst its content is read and mirrored. The actual forensic analysis is then made upon the duplicated material, with the original placed into secure storage and maintained in the state in which it was seized. The forensic analyst will then peruse the imaged copy to identify materials of potential evidential value, extracting copies as necessary to form the basis of the expert report.

Looking at this from a defence perspective, a number of questions should be posed in relation to the digital evidence (based on the Daubert threshold test that evaluates the competency of evidence in the United States):

• whether the theories and techniques employed by the scientific expert have been tested;
• whether they have been subjected to peer review and publication;
• whether the techniques employed by the expert have a known error rate;
• whether they are subject to standards governing their application; and
• whether the theories and techniques employed by the expert enjoy widespread acceptance.

Putting abuses of technology on a statutory footing, Britain has a suite of legislation that can be invoked, from the Computer Misuse Act 1990 to the Regulation of Investigatory Powers Act 2000.

Today digital forensics is an accepted science, and evidence duly secured in relation to best practices (in the UK these guidelines are outlined by the Association of Chief Police Officers) can be served in a court of law. Digital forensics are providing breakthroughs in all manner of high profile cases around the world, helping security and law enforcement agencies to catch offenders and secure convictions.

In the US, for example, the notorious BTK serial killer, who had a reign of terror lasting over twenty-five years in the Wichita area, was ultimately tracked down after he sent a disk to a local radio station gloating at the police’s inability to catch him. Unique digital footprints embedded within the files were extracted by forensic specialists, and, like a lone fingerprint, investigators now had a powerful lead – all they needed was to match the file to the computer that had created it (much like having a fingerprint but not a suspect’s hand to match it with). Wichita Police then conducted a house-to-house search, taking file samples from every computer encountered. Back in the laboratory, the file footprints were compared to the sample disk posted by the BTK killer, eventually finding a match. This tied the floppy disk to Dennis Rader’s PC, a virtual smoking gun as far as the prosecution were concerned. This digital evidence became a pivotal element of the State’s case and ultimately helped secure a conviction.

In the UK the 2002 murders of Holly Wells and Jessica Chapman in Soham, Cambridgeshire, also saw digital forensics play a crucial, but largely unknown, role in the investigation. Technical analysts examined one of the girls’ mobile phones to identify where it was located when it had been turned off. Information on the nearest network communication tower tends to be stored in a phone’s memory, and when the signal coverage of that tower is plotted it is possible to identify the rough area (typically a few square kilometres) in which the phone was located when it was switched off. Having extracted this information from the handset, authorities had a rough idea of where to base their search, which ultimately led to the recovery of the two girls’ bodies.

Speaking in an interview several years after his pioneering research on the Manhattan Project where atomic reaction theory was developed, scientific visionary Oppenheimer explained that ‘the scientist is free to ask any question, to doubt any assertion, to seek for any evidence’. This thinking holds especially true when applied to the discipline of forensic computing in a legal context. Here experts may be instructed by either the prosecution or the defence; however, in either instance, they have a higher duty to the court. They are instructed as experts, but experts for the truth. It is important therefore to ensure that the experts instructed are duly qualified, experienced and independent.

Commenting on the nature of digital evidence, John Brown, Partner at Hogan Brown Solicitors, explained how the fragile nature of digital evidence can pose serious challenges to the investigator: ‘digital material is extremely volatile – perhaps more delicate than its physical counterparts. It can be copied, amended, and transferred without almost any trace – only experienced and qualified specialists should be employed to work in a digital forensic environment if the subsequent findings are to withstand the scrutiny of a court of law’. When working on a matter where the case will rise or fall on the strength of the digital evidence, perhaps where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. It is also important that lawyers, when they try to find an expert witness, choose someone with the necessary skills who is not only able to prepare an objective, unbiased report but also to deliver oral testimony if required.
Forensic computing and the securing of digital evidence is a powerful tool in today’s fight against increasingly technically-savvy criminals. It is a discipline that continues to evolve and should remain high on the radar for both legal practitioners and law enforcement authorities.


Obscene Images & Media

The Essentials:

The Protection of Children Act of 1978 (as amended) defines what media is considered illegal by the British courts by establishing tests and definitions of ‘obscenity’. Due to the nature of these types of offences and the fact that charges often relate to the abuse of minors, there is considerable social stigma attached to this sphere of law, making it an area rarely discussed or debated.

The Act forbids the creation, showing, distribution, possession for showing or distribution, and advertisement of obscene media. Whilst the Act was originally developed to consider photographic images, it has subsequently been amended so as to include ‘pseudo-images’: artificial or computer generated images. Possession of such material constitutes an offence under the Criminal Justice Act 1988.

To distinguish between categories of child pornographic content, authorities rank material on a sliding scale of severity from one to five. This system is based upon the COPINE Typology and ranges from semi-nude/nude photographs (level one) through to penetrative sexual assault (level four) and sadism or bestiality (level five). Sentencing guidelines are based upon categorisation, with tariffs reflecting the quantity of images, the severity of such, how long they have been held, whether the materials have been catalogued and organised, how the images were acquired/created, and whether they are a “trophy of the offender’s own sexual abuse of a child”.

In the United Kingdom the concept of obscene media is synonymous with ‘Operation Ore’ – the British arm of an international Police investigation started in early 2002 to combat child pornography. Despite criticisms of tainted evidence and fundamental failings to corroborate ‘facts’, it remains an important case study for targeted police activity. To date Operation Ore has resulted in over three and a half thousand arrests, destroyed distribution networks and sent out a powerful message to those that might commit offences of this nature.

Digital Evidence:

Forensic analysis of the computer systems and removable media (e.g. floppy disks and CDs) can help answer important questions as to how images came to be created or stored upon the system and what was done with them. Careful forensic examination of the evidence exhibits can provide insights into the following areas:

• Names & addresses of websites visited;
• File-sharing application used to exchange media;
• Time & dates of last access to a specific file;
• Queries employed by the user on search engines such as Google;
• Attempts made to conceal or remove the media.

Forensic evaluations put the evidence into context and can reveal elements of the case that had previously been unconsidered – which in turn can create significant defence/prosecution case opportunities.
It is important to note that computer forensic consultants that provide expert witness services in respect of obscene images and media must be of the highest calibre and it is necessary for their facilities to be inspected and approved for the undertaking of such work by a Police authority.

Common Questions:

Q: If obscene images have been deleted from the computer can an individual still be charged with possession?

A: R v Ross Warwick Porter considered offences that related to the making of indecent photographs of a child under s1(1)(a) Protection of Children Act 1978 and of possessing indecent photographs of children contrary to s160(1) Criminal Justice Act 1988. However, the images in question had been deleted by the Defendant before his arrest and were retrieved by the authorities only with the support of specialist forensic technologies. As a result, the appeal was upheld, and it is now generally accepted that if an individual cannot retrieve or gain access to obscene content, then they cannot be regarded as having custody or control of it.

Q: Can a forensic expert identify when a particular file was created or whether it was ever accessed, opened or modified?

A: Operations upon files and folders are recorded in ‘timestamps’, which provide three classes of information: when the file/folder was created, when it was last accessed, and when the file/folder was last modified. Timestamp data is recorded automatically by the operating system, and specialist skills and technical understanding are required in order to change these time/date entries – and such tampering can normally be uncovered by astute investigators. In matters of obscene media, timestamps provide crucial evidence as to actions and put into context when they occurred. A compelling defence case can be constructed if it can be shown that obscene media identified upon a computer has never been accessed/viewed.
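The three timestamp classes described in this answer lend themselves to a simple consistency check of the kind an examiner runs before relying on any date. The following Python is an added example, not code from the original article or from any forensic product: it applies a few generic rules (a file cannot be modified or accessed before it was created, and nothing on a seized drive should be touched after acquisition) to constructed file records, and separately reports files that carry no access later than their creation, which is the ‘never accessed/viewed’ point the answer makes. The paths, times and seizure date are all invented.

```python
from datetime import datetime, timezone

# Constructed sample records (not from any real case): one entry per file with
# its created / last-modified / last-accessed timestamps in ISO 8601 form, as a
# forensic tool might export them.
SAMPLE_RECORDS = [
    {"path": "Pictures/IMG_0001.jpg",
     "created": "2013-03-02T10:15:00+00:00",
     "modified": "2013-03-02T10:15:00+00:00",
     "accessed": "2013-05-20T21:03:44+00:00"},
    {"path": "Downloads/attachment.zip",           # never opened after it arrived
     "created": "2013-06-01T08:00:00+00:00",
     "modified": "2013-06-01T08:00:00+00:00",
     "accessed": "2013-06-01T08:00:00+00:00"},
    {"path": "Documents/notes.txt",                 # modified before it existed
     "created": "2013-07-10T12:00:00+00:00",
     "modified": "2011-01-01T00:00:00+00:00",
     "accessed": "2013-07-10T12:00:00+00:00"},
    {"path": "Documents/report.doc",                # touched after the seizure
     "created": "2013-07-10T12:00:00+00:00",
     "modified": "2013-07-11T09:30:00+00:00",
     "accessed": "2014-02-01T00:00:00+00:00"},
]

# Constructed (hypothetical) date on which the drive was seized and imaged.
ACQUISITION_TIME = datetime(2013, 9, 15, 9, 0, tzinfo=timezone.utc)


def _mac(record):
    """Return (created, modified, accessed) as timezone-aware datetimes."""
    return tuple(datetime.fromisoformat(record[k])
                 for k in ("created", "modified", "accessed"))


def find_timestamp_anomalies(records, acquisition_time=ACQUISITION_TIME):
    """Flag records whose timestamps cannot have arisen from ordinary use.

    A file cannot be modified or accessed before it was created, and no
    timestamp on a drive held in evidence storage should postdate the
    acquisition. Either condition points to clock problems or deliberate
    tampering and merits closer examination.
    """
    findings = []
    for rec in records:
        created, modified, accessed = _mac(rec)
        if modified < created:
            findings.append((rec["path"], "modified before created"))
        if accessed < created:
            findings.append((rec["path"], "accessed before created"))
        for label, ts in (("created", created), ("modified", modified),
                          ("accessed", accessed)):
            if ts > acquisition_time:
                findings.append((rec["path"], f"{label} after acquisition"))
    return findings


def never_accessed_after_creation(record):
    """True when no recorded access or modification postdates creation.

    Caveat: some systems do not update last-access times at all (NTFS has had
    that update disabled by default since Windows Vista), so a missing access
    record is suggestive only and needs corroboration from other evidence.
    """
    created, modified, accessed = _mac(record)
    return accessed <= created and modified <= created


if __name__ == "__main__":
    for path, reason in find_timestamp_anomalies(SAMPLE_RECORDS):
        print(f"ANOMALY  {path}: {reason}")
    for rec in SAMPLE_RECORDS:
        if never_accessed_after_creation(rec):
            print(f"NO ACCESS AFTER CREATION  {rec['path']}")
```

Run against the constructed records, the anomaly check flags notes.txt (modified two years before it was created) and report.doc (accessed months after the hypothetical seizure), while attachment.zip is the only file with no recorded access after creation.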

Q: Can images, which are essentially binary computer code consisting of 1s and 0s, be considered obscene?

A: R v Fellows and R v Arnold (CACD Sep 1996) explored this legal argument and considered whether transformations upon the raw code, such as those that may be necessary to include the data in an e-mail, could affect the legal definition of obscene media. It was held that irrespective of format or transformations, if code can be reconstructed into material with characteristics that would liken it to an obscene photograph or movie, then for the purposes of the law that data would be regarded as obscene media.
Q: Does making a file available for download indicate exposure or distribution?

A: Electronic files can take many forms, from newsgroup postings through to web pages, images or multi-media content such as movies. Such files can be made available for access or duplication using a variety of means (e.g. the inclusion of the file on a website or within a file-sharing application such as ‘Kazaa’). Compounding the legal positioning is the fact that after the initial set-up, the file may be accessed or manipulated without the knowledge or consent of the individual that has made it available. R v Arnold married the technical and legal arguments, making it clear that the individual responsible for making a file available also distributes it. After this process there may be no more action or intervention by the Defendant; however, the initial positive steps taken are binding and go towards facilitating distribution. Should a ‘receiving computer’ create a copy of the media, then this only adds gravity to the finding.

Q: Is it possible that a website with obscene content ‘popped up’ on the screen unrequested by the user?

A: Many cases involving obscene images and media relate to the accessing of websites that have been confirmed to house illegal material. It has sometimes been suggested by Defendants that a specific website was not directly requested and simply appeared unrequested on the screen during the course of browsing the Internet. For instance, the user is surfing website A, when suddenly pages for websites Y and Z appear on the screen – which have not been requested and may contain content quite unlike site A. In such cases a comprehensive forensic evaluation of the evidence can reveal if a site was explicitly requested or if a user had been looking for something else but had been directed automatically towards the website in question. Furthermore, it is possible to identify if a given site has been accessed repeatedly (which would challenge any defence that it was an accidental one-off visit) and which areas or categories of the site had been viewed.

Q: Understanding the ˜Trojan Horse’ or ˜Third Party’ Defence

A: There have been a number of high profile cases involving computer abuse/misuse where the line of defence has been that the computing device had been under the control of an unknown third party. In many cases the assertion is that the computer has been infected by a virus or piece of malicious code that would allow the execution of programs or running of services without either the owner’s knowledge or consent. An extension of this theme is to suggest that the computer has been broken into by a Hacker, who used the device as a platform for perpetrating their crime(s). This has become known as the ‘Trojan defence’ and was applied successfully in the matter of R v Aaron Caffrey, who was charged with breaking into computer systems owned by the American port authority in Houston. It has been known for criminals to purposefully infect their computers with viruses and malicious code, laying the foundations for just such a defence should the need ever arise.

Q: The computer hard disk is second-hand – could the obscene media have originated with the former owner?

A: Hard disks, the main storage devices for data and files, are frequently changed between computers – especially when systems are being upgraded or current capacities have been reached and an additional (often cheap second-hand) drive is added to increase space for file storage. Few users appreciate the capabilities of data recovery experts and as such tend to simply delete or format their drives before disposal or exchange. Unless a drive has been wiped in accordance with standards such as US DOD 5220.22, data can usually be easily retrieved using forensic techniques, and sensitive materials may be left residing on a drive long after the owner thought them removed. Whilst the “it was on the drive when I got it” defence is sometimes considered by defendants, it is important to note that skilled forensic examiners will be able to identify times of creation for the images/media and patterns of access which would contradict their account.

Q: Obscene media is identified on a shared computer – can the material be attributed to an individual user?

A: The classic investigator mantra of ‘who’, ‘what’, ‘where’ and ‘when’ provides the essential starting points. ‘Who’ considers all the individuals with access and opportunity to the system at the time of the offence – are passwords employed to access the system and/or is the computer in a locked office? ‘What’ explores the nature of the material identified (e.g. Lolita-styled movies), which may itself suggest a particular individual. ‘Where’ asks in what areas of the computer the data was stored – were they public folders accessible to all or restricted portions of the drive available only to authorised users? ‘When’ relies on timestamps and environmental evidence (e.g. personal alibis and/or looking at specific files on the computer that were accessed in and around the time of the offence) to tie many of the complementary facts together in order to help attribute specific actions to an individual.

Q: Can Hash Codes, used to demonstrate integrity of evidence exhibits, be challenged?

A: Hash codes are the result of mathematical functions that allow the creation of unique serial numbers that are associated with specific files or file-systems. Should even the slightest modification of these files/file-systems be made, the serial number will change, highlighting the presence of revisions and that the integrity of the data may no longer be relied upon. Computer forensic investigators rely heavily on hash codes, particularly those created using the MD5 algorithm, to show data integrity and match copies of images from one source to another. However, recent research has identified sophisticated attacks that, whilst highly technical in nature, show that under certain circumstances it may be possible to modify data and not affect the resulting hash codes. From a legal standpoint this raises the possibility that digital evidence exhibits could be tampered with and the modifications go unnoticed.
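Both the imaging procedure described earlier (duplicating the target media through a write-blocker and analysing the copy) and the question of hash integrity answered here come down to the same two operations: copy the bytes exactly, and record digests of them so that any later change is detectable. The following Python is an added example, not code from the original article or from any forensic product. It images a constructed in-memory stand-in for the seized media, records both an MD5 and a SHA-256 digest while reading, verifies the copy against those digests, and shows that a single flipped bit fails verification. Recording two independent digests is the practical answer to the MD5 concern raised in the answer: a collision crafted against one algorithm does not also survive the other. A software read-only copy is not a substitute for a hardware write-blocker; the example demonstrates only the duplication and hashing logic.

```python
import hashlib
import io

CHUNK_SIZE = 64 * 1024          # read the source in fixed-size pieces
ALGORITHMS = ("md5", "sha256")  # two independent digests per exhibit

# Constructed stand-in for the seized media. A real acquisition reads a block
# device through a hardware write-blocker; here the "drive" is bytes in memory.
SOURCE_MEDIA = (b"EVIDENCE-DRIVE-SAMPLE " * 4096) + bytes(range(256)) * 64


def digest_bytes(data, algorithms=ALGORITHMS):
    """Hex digests of an in-memory exhibit under each named algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def acquire_image(source, algorithms=ALGORITHMS):
    """Copy a read-only source stream to an image, hashing the stream as it
    is read. Returns (image_bytes, digests). The digests describe the bytes
    actually read from the source, so a later digest of the image proves (or
    disproves) that the copy is faithful."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    image = io.BytesIO()
    while True:
        chunk = source.read(CHUNK_SIZE)
        if not chunk:
            break
        image.write(chunk)
        for h in hashes.values():
            h.update(chunk)
    return image.getvalue(), {name: h.hexdigest() for name, h in hashes.items()}


def acquire_image_from_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper: image an in-memory exhibit instead of a stream."""
    return acquire_image(io.BytesIO(data), algorithms)


def verify_image(image, recorded_digests):
    """True only if every recorded digest matches the image as it exists now.
    Requiring all digests to match means a collision against one algorithm
    (the MD5 attacks referred to above) is still caught by the other."""
    current = digest_bytes(image, tuple(recorded_digests))
    return all(current[name] == recorded_digests[name]
               for name in recorded_digests)


if __name__ == "__main__":
    image, digests = acquire_image_from_bytes(SOURCE_MEDIA)
    print("acquired", len(image), "bytes")
    for name, value in digests.items():
        print(f"  {name}: {value}")
    print("image verifies:", verify_image(image, digests))
    tampered = bytearray(image)
    tampered[1000] ^= 0x01       # flip a single bit in the copy
    print("tampered copy verifies:", verify_image(bytes(tampered), digests))
```

In practice the digests would be written into the exhibit log at acquisition time and recomputed whenever the image is handed over or presented, so that the chain of custody rests on values recorded before any analysis began.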

Q: I'm a lawyer with a client that's been charged with a serious offence that involved alleged downloading of obscene material. He maintains his innocence. Where can I get help?

A: It is essential that you find an expert witness with the necessary skill set who not only understands the legislative framework but who also has the technical ability to thoroughly examine the hardware, prepare a comprehensive report and follow it up with testimony, if required. Many expert witness directories are available - particularly online - and X-Pro often publishes experts' profiles that include recommendations from lawyers that have used them in the past.

Did you know?

In software piracy cases involving the creation of copyrighted material, careful analysis of the computer can reveal how many times a ‘ripping application’ (a program used to clone DVDs) has been run.

The Home Office is currently consulting on possible activation of provisions contained within Part III of the Regulation of Investigatory Powers Act 2000 that would empower authorities with the right to force the disclosure of encryption keys and passwords from a suspect that has taken steps to secure digital information and files.

The Importance Of SIM Cards:

There are more mobile telephones in the UK than there are people; this pervasive technology impacts on almost all areas of industry and life. Unsurprisingly, mobile communications have enabled old crime to be effected in new ways, and mobile telephones are increasingly forming a part of criminal prosecutions, where linkages between individuals or evidence of being at the scene of the crime are provided by an analysis of the digital evidence available within the mobile phones.

At the heart of every mobile telephone is the Subscriber Identity Module (SIM), a small, fingernail-sized chip responsible for service with a telecom network provider.

Digital Evidence From SIM Cards:

Despite limited memory capacity, the SIM contains a wealth of information that, when considered in context, can greatly aid lawyers in their case preparations:

• Stored telephone numbers/contacts.
• Listings of ‘Last Dialled Numbers’.
• Text messages received, sent, drafted or deleted.
• General location information from last use.
• References to overseas network providers that have been used.

Common Questions:

Q: Could the SIM card have been cloned?

A: SIM cards produced after June 2002 employ the COMPv2 algorithm which provides a number of technical and security safeguards to prevent unauthorised modification. Despite media reports, the cloning of modern SIM cards is an extremely rare practice.

Q: Can my PIN code be cracked?

A: SIM card information can be locked using a four digit ‘Personal Identification Number’. RIPA contains provisions to force disclosure of passwords; however, it is usually easier to request a ‘Phone Unlock Key’ (PUK), enabling PIN settings to be overridden, from the Data Protection Officer (DPO) at the relevant network provider.

Q: PAYG SIMs are untraceable!

A: With ‘Pay As You Go’ (PAYG) there is no formal contract with a network provider (e.g. Orange) to enable a customer look-up; however, ‘Call Data Records’ (CDRs) are still available from the network provider, providing information as to patterns of communication, calls to/from, times/dates etc. By mapping this information to known acquaintances of the defendant, considering the evidence in the context of other material (such as messages recovered from the telephone handset) and undertaking Cell Site Analyses (CSAs), it is possible to prove/disprove ownership of a handset.

Q: Does the SIM reveal who I’ve been in touch with?

A: Even without the disclosure of Call Data Records (CDRs) from the network provider, the SIM provides a plethora of useful information relating to contacts in the form of ‘Last Numbers Dialled’ (LND) and sections of the ‘Contacts Directory’. Numbers that haven’t been saved may still show up in the LND.

Q: Can a telephone handset be uniquely identified?

A: Mobile phone handsets are assigned unique 15-digit numbers, known as the International Mobile Equipment Identifier (IMEI), which is passed to the network provider before communication services can be utilised. This serial number allows specific handsets that have been stolen or blacklisted to be blocked from a network irrespective of what SIM card is inserted. Defences suggesting that a given handset has been ‘found’ and is not owned by the suspect are unlikely to hold water if Call Data Records (CDRs) show a pattern of usage that indicates the owner’s identity.

Q: What about sending anonymous texts?

A: They are not really that anonymous... If they are being sent via an internet service, there is typically a log retained by the site provider as to the computer IP address that sent the specific message; this can ultimately be tied back to an Internet Service Provider (ISP), and in turn a specific subscriber. If anonymous texts have been sent from a mobile telephone (typically a PAYG handset/SIM), the uniquely assigned International Mobile Subscriber Identifier (IMSI) code embedded in the SIM can be used in concert with CDRs to provide compelling evidence as to the sender’s identity.

Q: Can deleted text messages & numbers be recovered?

A: Data content (especially multimedia formats) is primarily stored on the handset or on a removable memory stick. The general rule of thumb is that any data that has been deleted can be recovered, however, if it has been over-written it does make the process more complex and the chances of success reduce with every over-write.

Q: Is possession of multiple SIM cards indicative of wrongdoing?

A: Not at all - many individuals are discovering that they can benefit greatly from the free text and talk allowances granted on mobile phone contracts by having two or more SIMs (typically with different network providers). Adapters are available to connect multiple SIMs to a handset simultaneously.

Q: Where can lawyers find an expert in this field?

A: There are plenty of expert witness directories out there - especially online. But if you are trying to find an expert witness make sure that he or she has the necessary skills not only to analyse the equipment and data and prepare an unbiased, objective report, but also has experience delivering oral testimony, should that be required. A recommendation from a fellow professional will help in making your choice.

Did you know?

The SIM card will often contain a reference to the last network base station that it communicated with before being disconnected from the telecoms network.

If the SIM card has been used overseas, it is possible to retrieve a reference code from the card that will indicate which national/regional network provider was used.

Language preferences can be stored on SIM cards: useful intelligence for investigators which can open up new avenues of enquiry.

Sunday 13 October 2013

Social media forensics & Madeleine McCann

The disappearance of Madeleine McCann remains unresolved. The 3-year-old went missing from a holiday apartment in Praia da Luz in 2007. Since 2011 thirty Metropolitan Police Officers, headed by Detective Chief Inspector Andy Heywood, have been trawling through thousands of witness statements and documents at the cost of £5 million, hoping to unearth a vital clue that will resolve the case.

Last week we learned that phone records could hold the key, but let’s consider the role of social media. First, some clarity… Social media refers to the means of interactions among people in which they create, share, and exchange information and ideas in virtual communities and networks. Since 2007 the role of social media in both personal and professional circles has grown from strength to strength. Let’s take a look at three popular services –

Facebook™ is a networking service launched in February 2004 and provides a social media platform for over one billion active users. It is used for both personal and professional networking, with an increasing number of organisations using it as an important part of their outreach strategy to interact with customers. Half a petabyte of new content – from messaging to media – is uploaded every single day - equivalent to about 110,000 DVDs worth of data, so one can imagine the difficulties faced in harvesting and processing such information.

Tumblr™ is a micro-blogging platform and social networking website owned by Yahoo! The service allows users to upload text posts, images, video, quotes, or links to form a short-form blog (web log). Tumblr™ hosts over 110 million blogs and 80 million new posts are created every day.

Twitter™ is another microblogging service but primarily geared towards short text based "tweets" which are limited to 140 characters. The service is used to provide swift/concise updates, and has been popularised through the adoption by celebrities. Tweets can now include links to images or multi-media content. Nearly 400 million new tweets are posted online every single day.

How can this help with the investigation into the disappearance of Madeleine McCann?

Firstly the authorities could consider a complex data mining operation to look at historical social media records and potentially identify either clues or witnesses.

So where to begin?

Text based searches would be the obvious approach, to seek out content based on keywords. The degree of coverage of this incident in the international media would suggest that the keyword parameters would have to be carefully constructed so as to limit results to that which may be potentially relevant (e.g. instances where ‘mccann’, ‘evidence’, and ‘police’ occurred in the same message or sequence of messages). The potential for a huge number of false positives is of course the concern, but these could be limited by applying date range filters or mining only across accounts registered to users in Portugal (at the risk of missing tourists).

Most social media posts – from the humble tweet to a photograph uploaded to Facebook – can include location information. This is commonly known as a geotag and may be applied to the content by the camera device or the social media service. Such tags take the form of latitude/longitude co-ordinates – in the case of Praia da Luz, this would be 37.0972° N, 8.7434° W. Combing through current or old social media records for such tags would help identify people who have been in the relevant area. Combine this with a filter for the date range of late April / early May 2007, and the results would suggest people in the right area at the right time to potentially assist with the investigation. It may be that these are parties who need to be excluded from the current investigation, or perhaps they witnessed something they considered innocuous but which could be vital in the wider context of the investigation.
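The two filters described above (keyword co-occurrence within a message or a user's sequence of messages, and a geotag/date-range filter around the Praia da Luz co-ordinates), as an added example that is not part of the original post. The posts, usernames and co-ordinates are constructed for the example; the search radius of 3 km is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

# Co-ordinates quoted in the post; a western longitude is negative in decimal form.
PRAIA_DA_LUZ = (37.0972, -8.7434)
# Date window from the post: late April / early May 2007.
WINDOW = (datetime(2007, 4, 25), datetime(2007, 5, 10))
# Keyword parameters from the post: all three must occur together.
KEYWORDS = ("mccann", "evidence", "police")


@dataclass
class Post:
    user: str
    text: str
    posted: datetime
    geotag: Optional[Tuple[float, float]] = None  # (latitude, longitude) or None


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def in_window(post, window=WINDOW):
    return window[0] <= post.posted <= window[1]


def keyword_hits(posts, keywords=KEYWORDS):
    """Posts in which every keyword occurs in the same message."""
    return [p for p in posts if all(k in p.text.lower() for k in keywords)]


def sequence_hits(posts, keywords=KEYWORDS, window=WINDOW):
    """Users whose messages inside the window together cover every keyword
    (the 'sequence of messages' case), even where no single message does."""
    seen = {}
    for p in posts:
        if in_window(p, window):
            seen.setdefault(p.user, set()).update(k for k in keywords if k in p.text.lower())
    return sorted(u for u, ks in seen.items() if ks == set(keywords))


def geo_hits(posts, centre=PRAIA_DA_LUZ, radius_km=3.0, window=WINDOW):
    """Geotagged posts within radius_km of the centre and inside the date window."""
    return [p for p in posts
            if p.geotag is not None and in_window(p, window)
            and haversine_km(p.geotag, centre) <= radius_km]


# Constructed sample posts (not real accounts or messages).
SAMPLE_POSTS = [
    # Lisbon: keyword hit in one message, but not in the area.
    Post("anna_lx", "Police say new evidence in the McCann case", datetime(2007, 5, 6, 9, 0), (38.7223, -9.1393)),
    # About 0.3 km from the centre on 3 May 2007: geo hit despite innocuous text.
    Post("tom_uk", "Beach day in Luz, kids loved it", datetime(2007, 5, 3, 18, 30), (37.0980, -8.7400)),
    # Lagos, roughly 6 km away: outside the 3 km radius.
    Post("rita_pt", "Dinner in Lagos tonight", datetime(2007, 5, 3, 20, 0), (37.1020, -8.6740)),
    # Right place, wrong year: excluded by the date window.
    Post("joe_ny", "Back in Luz for the summer", datetime(2013, 7, 1, 12, 0), (37.0975, -8.7430)),
    # Two messages from one user that only together cover all three keywords.
    Post("sam_ie", "police everywhere in the village tonight", datetime(2007, 5, 4, 22, 0)),
    Post("sam_ie", "heard the mccann family asking if anyone saw anything, any evidence at all", datetime(2007, 5, 5, 8, 0)),
]
```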


Note: Law enforcement labs and members of prosecuting authorities are welcome to request free licences to the following toolkits: www.facebookforensics.com, www.tumblrinvestigator.com and www.twitterinvestigator.com

Thursday 10 October 2013

Madeleine McCann - Phone Records, Forensics & big data

Madeleine McCann, aged 3, disappeared from a holiday villa in the Portuguese resort of Praia da Luz on the evening of 3 May 2007. Despite one of the largest publicity campaigns and worldwide searches in history, she remains missing. Her parents, Gerry and Kate, have led a campaign to find their daughter, refusing to give up hope.

In 2011, Prime Minister David Cameron ordered a fresh review of the original Portuguese police investigation and drafted in thirty Scotland Yard detectives to help sift through the vast volumes of information and witness statements. So far, just over half of the forty thousand pieces of information collected by the Portuguese authorities have been assessed, but progress is reported as positive.

Now there have been similar stories in the press over the years, but what makes this one so interesting is its renewed focus on digital forensics. Investigators believe telecommunication records could hold the key to solving the case and are focussing their search on thousands of mobile phones, thought to belong to people who were in Praia da Luz in the days leading up to, during, and after Madeleine's disappearance.

Detective Chief Inspector Andy Redwood, who's leading the inquiry, says officers are trawling through a 'substantial amount of data' and have so far identified 41 persons of interest. With around three thousand people living in the Algarve holiday resort, and thousands more visiting during the holiday season, this task is neither straightforward nor complete. This exemplifies ‘big data’ and the complexities of effectively data mining to find those crucial (digital) needles in the haystack.

In fact, DCI Redwood admits his team have been unable to attribute (link to a named individual) a 'large number' of mobile numbers, largely due to the fact that six years have now passed and a considerable number were bought on a 'pay-as-you-go' basis. This reflects an increasingly common practice for individuals travelling overseas to buy a cheap PAYG SIM from a local vending machine or shop, so as to avoid roaming charges and benefit from local call/data rates.

Call Data Records, sometimes referred to as ‘billing records’, will show the timing, volume and patterns of communications activity: the numbers dialled, the duration of voice calls, the numbers that have been sent text messages, and instances of access to voicemail. The content of the spoken conversations or the typed details of a specific text message will not be available, but the broader picture of activity can still be important.

Then there's the issue of tracking down the thousands of holidaymakers that were in the Algarve resort where Madeleine McCann was staying when she vanished. Scotland Yard have already made contact with thirty one police forces across the world to help them piece together the records and make contact with the owners of foreign mobiles.

A powerful investigative technique is being applied to mobiles of interest – Cell Site Analysis. The intention is to identify mobile devices that engaged telephone masts in and around the Algarve holiday resort on the days surrounding the incident. The users of these devices can then be tracked down and interviewed – one of the owners may prove to have seen/heard something that could take the investigation in a whole new direction.

Crimewatch will be airing a special on the Madeline McCann investigation this evening – with exclusive interviews, fresh evidence, and a scene reconstruction.

We would welcome the thoughts of other practitioners and experts in this field on the forensic evidence in this case and other avenues of investigation that could be explored.



** Note: Afentis Forensics have had an involvement in this investigation and whilst open debate and discussion is encouraged, please could comments keep in mind the sensitivity and emotive nature of the matter.

Friday 13 September 2013

Telephone Record Evidence

‘Telecommunication evidence’ is the broad term used to describe any data/information retained or otherwise available from the communication service provider (CSP, such as ‘T-Mobile’ and ‘Orange’), and which has probative value for investigative or legal purposes.
‘Call Data Records’ (CDRs), sometimes referred to as ‘Call Detail Records’ (CDRs), are statements that provide information relating to the usage of the telecommunication services provided by a given operator by a specific user.
The following information would be created and retained by the telecommunications operator during the normal course of business operations:
o    Called telephone number or numbers;
o    Name(s) and address(es) of the subscriber(s) or registered user(s);
o    Date and time of the start and end of the communication;
o    Telephone service used, e.g. voice, conference call, ‘Short Message Service’ (SMS), Enhanced Media Service or ‘Multi-Media Service’ (MMS);
o    ‘International Mobile Subscriber Identity’ (IMSI) of the calling and called party;
o    ‘International Mobile Equipment Identity’ (IMEI) of the calling and called party;
o    Location label (Cell ID) at the start and end of the communication;
o    Data mapping between Cell IDs and their geographical location at the start and end of the communication.
The information detailed above may be available for disclosure only following due authorisation by the relevant ‘POLICE & INTELLIGENCE LIAISON OFFICER’ at the telecommunication operator and/or in response to an Order of the Court.
The information detailed above will typically be retained for twelve (12) months following point of creation, to facilitate billing and comply with regulatory requirements.
The ‘EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE’ (ETSI) specification for GSM event and call data provides detailed definitions for a variety of records needed in the administration of subscriber related event and call data.
‘Call Data Records’ (CDRs) can be analyzed for a variety of purposes and can provide considerable assistance to investigators and defence specialists. For instance, a service provider may use them to understand the calling patterns of their subscribers and the performance of the network.
In the context of an investigation, assessment of CDRs can be used to identify contact and communication between given individuals, potentially proving relationships and/or involvement in a conspiracy. CDRs can also be used to assist in the first stage of ‘cell site analysis’; the identification of the specific cell station used to handle a communication session.
Such information can be translated into geographical locations for the cells involved in communication sessions, which in turn assists in appreciating the general locale from which calls were made/received.
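A worked illustration of the three uses described above (contact patterns between parties, identification of the cells that handled each session, and translation of Cell IDs into locations), together with the 'which devices engaged the masts near the resort in the relevant days' question from the earlier post. This is an added example, not code from the original posts: the CSV layout is a simplified subset of the fields listed above, and every Cell ID, IMSI, IMEI, number, co-ordinate and timestamp is constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed cell-site reference table: Cell ID -> (site, lat, lon, sector azimuth).
# Real operators supply this mapping separately from the CDRs themselves.
CELL_SITES = {
    "26806-1021": ("Praia da Luz", 37.0972, -8.7434, 120),
    "26806-1022": ("Praia da Luz", 37.0972, -8.7434, 240),
    "26806-2001": ("Lagos", 37.1020, -8.6740, 0),
    "26806-3001": ("Lisbon", 38.7223, -9.1393, 180),
}

# Constructed CDR extract. Row 3 starts on the Lagos cell and ends on a Praia da Luz
# cell (movement during the call); row 4 is outside the date window; row 5 is in Lisbon.
SAMPLE_CDRS = """\
type,a_party,b_party,a_imsi,a_imei,start,end,start_cell,end_cell
VOICE,+351910000001,+351910000002,268060000000001,350000000000011,2007-05-03T20:45:00,2007-05-03T20:52:30,26806-1021,26806-1021
SMS,+351910000002,+351910000001,268060000000002,350000000000022,2007-05-03T21:10:00,2007-05-03T21:10:00,26806-1022,26806-1022
VOICE,+447700900001,+351910000001,234150000000003,350000000000033,2007-05-02T09:15:00,2007-05-02T09:20:00,26806-2001,26806-1021
VOICE,+351910000001,+351910000002,268060000000001,350000000000011,2007-05-20T12:00:00,2007-05-20T12:03:00,26806-1021,26806-1021
SMS,+351910000004,+351910000005,268060000000004,350000000000044,2007-05-03T20:50:00,2007-05-03T20:50:00,26806-3001,26806-3001
"""

# Cells taken to be "in and around" the resort, and the days surrounding the incident.
RESORT_CELLS = {"26806-1021", "26806-1022", "26806-2001"}
WINDOW = (datetime(2007, 5, 1), datetime(2007, 5, 6))


def parse_cdrs(text):
    """Parse the CSV extract, converting timestamps and deriving the session duration."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["start"] = datetime.fromisoformat(r["start"])
        r["end"] = datetime.fromisoformat(r["end"])
        r["duration_s"] = int((r["end"] - r["start"]).total_seconds())
        rows.append(r)
    return rows


def contact_summary(records):
    """Unordered A/B pairs with event counts and total voice seconds: the
    'timing, volume and patterns' view used to evidence contact between parties."""
    summary = defaultdict(lambda: {"events": 0, "voice_seconds": 0})
    for r in records:
        pair = tuple(sorted((r["a_party"], r["b_party"])))
        summary[pair]["events"] += 1
        if r["type"] == "VOICE":
            summary[pair]["voice_seconds"] += r["duration_s"]
    return dict(summary)


def devices_at_cells(records, cell_ids, window):
    """IMEIs whose sessions started or ended on any of the given cells inside the
    window, with the numbers they were used with: the first stage of cell site analysis."""
    hits = {}
    for r in records:
        if window[0] <= r["start"] <= window[1] and {r["start_cell"], r["end_cell"]} & cell_ids:
            hits.setdefault(r["a_imei"], set()).add(r["a_party"])
    return hits


def locate(record):
    """Translate the start and end Cell IDs of one record into site names and co-ordinates."""
    unknown = ("unknown", None, None, None)
    return {"start": CELL_SITES.get(record["start_cell"], unknown),
            "end": CELL_SITES.get(record["end_cell"], unknown)}
```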


ACPO Guide Electronic evidence

The fragile nature of digital evidence, coupled with the complexity and skill required to conduct an assessment that will bear the scrutiny of a court of law, makes it important to independently validate and verify the findings of the forensic assessor.
One of the fundamental tenets of ‘Best Practice’ for the evaluation of electronic evidence – including telecommunication data – is that assessments are made on forensically sound and digitally perfect copies of the original media.
This ensures that the target media cannot be tainted or corrupted, and that the original material is retained as Best Evidence for record, independent verification, and presentation in Court.
The first European-based body dedicated to electronic evidence was the ‘FORENSIC COMPUTING GROUP’, formed in 1997 in the United Kingdom. This comprised various investigative agencies and forensic science units involved in digital evidence. It also had representation from the ‘ASSOCIATION OF CHIEF POLICE OFFICERS’ (ACPO) ‘COMPUTER CRIME WORKING GROUP’.
In 1999 the ACPO Computer Crime Working Group became the first international body to draft Good Practice “guidelines” for the search, seizure and examination of electronic evidence. In particular, these guidelines define the minimum levels of standard for the preservation and analysis of electronic evidence exhibits.
The guideline documents (ACPO Guide Electronic Evidence) have been refined and expanded upon since their original conception, up to the current version released in 2010; however, the same core set of principles has remained consistent throughout.
The UK authorities, in consultation with industry experts, have created a ‘GUIDE FOR COMPUTER BASED EVIDENCE’ which defines minimum levels of standard for the preservation and analysis of electronic evidence exhibits. The ACPO Guide Electronic Evidence is built upon four (4) main principles:
o    PRINCIPLE 1: No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court;

o    PRINCIPLE 2: In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions;

o    PRINCIPLE 3: An audit trail or other record of all processes applied to computer based evidence should be created and preserved. An independent third party should be able to examine those processes, assess an exhibit, and achieve the same result;

o    PRINCIPLE 4: The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of and access to, information contained in a computer.

Whilst the ACPO Guide Electronic Evidence was originally drafted for assisting in the investigation of computer based crime, it is widely acknowledged in the forensic community that the principles are to be adhered to for all assessments involving digital material, including all forms of electronic evidence, including telecommunication records/evidence.
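An added example (not part of the original post) of what Principles 1 and 3 look like in practice: the original is only read, work proceeds on a copy whose digests match the original, and an audit record is produced that an independent third party can re-run to reach the same result. The exhibit content, exhibit reference and tool name are constructed for the example; in real acquisitions the source bytes would come from a write-blocked device rather than a Python bytes object.

```python
import hashlib
import json
from datetime import datetime, timezone


def digest(data, algorithms=("md5", "sha256")):
    """Hash the exhibit with more than one algorithm so that verification does not
    rest on a single digest."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def acquire(source, exhibit_ref, examiner, tool):
    """Produce the working copy and the audit record Principle 3 calls for.
    The source is only read (Principle 1); all later analysis happens on the copy."""
    copy = bytes(source)
    record = {
        "exhibit": exhibit_ref,
        "examiner": examiner,
        "tool": tool,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(source),
        "source_hashes": digest(source),
        "copy_hashes": digest(copy),
    }
    # The copy is only fit for use if it is bit-for-bit identical to the original.
    record["verified"] = record["source_hashes"] == record["copy_hashes"]
    return copy, record


def independent_verify(copy, record):
    """What an independent third party runs to 'achieve the same result': recompute
    the digests over the copy with the same algorithms and compare with the record."""
    recomputed = digest(copy, tuple(record["source_hashes"]))
    return len(copy) == record["size_bytes"] and recomputed == record["source_hashes"]


def audit_line(record):
    """One JSON line for the audit trail; sorted keys keep the line reproducible."""
    return json.dumps(record, sort_keys=True)


# Constructed exhibit content standing in for a disk image.
SAMPLE_EXHIBIT = b"EXAMPLE-EXHIBIT-IMAGE\x00" * 64
```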


Regulation of Investigatory Powers Act 2000

An investigation into people trafficking across European borders, a requirement to tap and listen in on the conversations of a known drug baron, intercepting emails within a paedophile ring, attempting to crack a terrorist’s encrypted drive containing plans for attacks. What does each of these scenarios have in common?

They all require the support of a legislative tool known as the Regulation of Investigatory Powers Act (RIPA).

The RIP Act, commonly referred to as RIPA, was introduced in the year 2000 in order to establish much needed protocols concerning communications data. The act covers interception, acquisition and disclosure of communications, surveillance and human intelligence sources, as well as the investigation of electronic data protected by encryption. From a digital investigator’s point of view, the most relevant of these topics are information encryption and acquisition/disclosure issues.

Obtaining Communications Data

Under Section 22, with due authorisation and a warrant, any public authority can obtain communications data from a Communications Service Provider (CSP), such as T-Mobile or AOL. The definition of a public authority covers government bodies, the police, as well as local councils or enforcement departments such as Trading Standards.

Communications-related data may be requested by a public authority for several reasons or in different scenarios. The most immediate of these would be a threat to national security, public health, prevention of injury to a person’s mental or physical health and the prevention of a crime. However, the RIP Act also covers less serious circumstances where charges may need to be collected or assessed by government and for any issues relating to the general well-being of the United Kingdom economy. Authorisation will be valid for one month and no further data can be legally collected after this time period without further authorisation.

Collection and Investigation of Encrypted Data

Encrypted data can be a significant hurdle to digital forensics and can bring an investigation to a total standstill. In the event that encrypted documents, drives, e-mail, conversation logs or other forms of electronic media are discovered, procedures must be followed in accordance with RIPA.
Under section 49, a disclosure requirement must be imposed by an authorised person, and only where suitable grounds for doing so are met. In terms of encrypted information, a disclosure requirement must be used when there is reasonable belief or evidence to suggest that a person has the key to decrypt communications data. Again, threats to national security and crime can help provide further need for measures to decrypt protected information.

Disclosure requirements must describe the encrypted data for which the requirement has been created, on what grounds it has been issued, the time allowed to comply with the notice and information regarding the authorised person providing the notice. Total secrecy surrounding a disclosure notice must be adhered to under section 54 of the RIP Act. Any ‘tipping off’ can result in a person facing imprisonment or a fine.
If a person knowingly fails to comply with a disclosure requirement and does not provide the necessary authority with the key to encrypted data, that person may be subject to two years imprisonment or a fine under section 53 of RIPA. This is commonly a difficult area in digital evidence as encrypted communications may have the potential to imprison a suspect for more than the two years for not providing a key. Those who do not comply with the RIP Act when intercepting, obtaining or otherwise dealing with evidence will be liable to criminal or civil proceedings.

Facebook Evidence

Facebook™ is a social networking service that allows users to interact with other Internet users, sharing media and messages.

A user is able to contact other individuals by adding them to their ‘friends list’, which enables them to be able to write on other friends’ walls (i.e. a space for public commentary) and leave tags on photographs. Users are also able to communicate by sending instant messages which can sometimes be stored on the user’s machine and messages, similar to emails.

The owner of the account is able to adjust privacy settings so as to restrict what information is publicly accessible and what details may be viewed only by friends. Much like conventional email correspondence, sent and received messages are unable to be edited and are stored on the Facebook™ servers in their original format until deleted by the user of an account. This material is the basis for Facebook evidence.

Correspondence made via Facebook™, including media files uploaded to the website or shared, are stored permanently on the respective account.

It is necessary for the user to manually select items of correspondence or specific files for deletion in order to have them removed from the account. Alternatively, a user may close their entire account in order to have all correspondence or media files erased. Deleted data files or accounts are no longer available to members of the public, online friends or the original account owner; however, all of this content remains archived by Facebook™ for a period of ninety (90) days.

Facebook™ recommends that investigators contact their organization as soon as a requirement for account information is known. This way current accounts or erased content can be preserved for a further ninety (90) days, to allow adequate time for service of legal applications.

The Facebook™ unit responsible for managing requests for account information and related Facebook evidence is titled the ‘Security Department and Custodian of Records’:

FACEBOOK™ INC
SECURITY DEPARTMENT / CUSTODIAN OF RECORDS
1601 CALIFORNIA AVENUE
PALO ALTO, CA 94304

FAX: (650) 644 3229
EMAIL: SUBPOENA@FACEBOOK.COM

The following three types of requests can be made:

•             Preservation Requests
Following notification of a specific User ID, Username or e-mail address, existing account records and erased archive material will be preserved for ninety (90) days.

•             Formal Legal Requests
Records will be provided pursuant to formal compulsory legal process issued under US law.

•             Emergency Requests
Where there is a credible risk of bodily harm or death, immediate assistance will be provided to investigating authorities, even in the absence of legal process/orders. It should be noted that whilst the above references state that formal legal facebook evidence requests “issued under US law”, in the experience of the author the Facebook™ organization will readily assist any request for information from any lawful authority or country, as long as supported by their respective legal process.

Whilst internal procedures vary between Police forces, this position may be verified by contacting the relevant Hi-Tech Crime Unit (HTCU) and/or Single Point of contact (SPoC) for clarification on their approach to securing disclosure of facebook evidence, account information and related records. Subject to receiving a lawful request for information, Facebook™ can provide the following records:

•             Basic Subscriber Information
Previously referred to as ‘neoselect’, these records will include the User Identification Number, account email address, time/date of account creation, associated telephone number(s), and time/date of logins for the past 72 hours.

•             Expanded Subscriber Content
Previously referred to as ‘neoprint’, these records will include all profile contact information, status updates, files/photographs that have been shared, messages posted on other individuals’ walls, listings of friends and group memberships, and event reminders.

•             User Photographs
Previously referred to as ‘photoprint’, this will include all photographic media uploaded by the account holder as well as photographs from third parties which have been tagged as featuring the account holder.

•             Messaging Correspondence
Incoming (received), outgoing (sent), and draft email equivalent communications.

•             Internet Logs
Commonly referred to as ‘IP’ logs, this content will assist in demonstrating the time/date that a user account was accessed as well as provide enough information to trace the physical address of the computing device used to make the account access.


The above facebook evidence records will generally be served via email in the form of Adobe Portable Document Format (PDF), so that the content cannot be easily modified.

Wednesday 11 September 2013

An introduction to Cell Site Analysis

The Soham murders of Jessica Chapman and Holly Wells were one of the most high profile cases to be reported and documented in the last ten years. Cell site analysis played a critical part in the investigation throughout and ultimately helped to convict Ian Huntley of murder.
Cell site analysis aims to determine the geographical location of a mobile phone through analysis of data records, transmit and receive beacons (cell sites) and signal strength of a specific area. Although not an exact science, it is a technique that can be applied by expert witnesses to help defend or prosecute a suspect during a case relying on mobile phone evidence.
Statistics show that in December 2008, over 75 million mobile phones were active in the United Kingdom alone. This figure confirms that there are now more mobile phones than there are people (estimated at 62,041,708). It is therefore no wonder that Cell Site Analysis (CSA) is an increasingly important forensic and investigative technique used in the UK today.
During the investigation in Soham, Police questioned all males about their whereabouts at the time of Holly and Jessica’s disappearance and asked for a contact mobile number. Ian Huntley initially insisted that he had been out of Soham at the time that the alleged incident occurred. However, phone records and cell site analysis in the area suggested that Huntley’s phone had been used in the vicinity of his home and that one of the girls’ phones had been switched off in the same area around the time of the disappearance. The combination of this evidence, general policing and the investigation eventually led to the sentencing of Ian Huntley.
Cell sites, or ‘masts’, are often placed on tall buildings or on masts in order to achieve the best coverage possible. Whilst some masts have antennae that transmit in three directions (full 360 degrees), some may only transmit in one and produce limited directional coverage. The cell site analysis expert must therefore determine what type of mast has been used in order to collect the most reliable results possible during an investigation. Each antenna in use by a cell site will also have a unique reference that is recorded and included on mobile phone data records (with the exception of network O2, which references cell sites but not individual antennae). These unique references form the basis for cell site analysis and confirm what mast was in use by a suspect’s mobile phone and when.

Although cell sites have the ability to transmit over large distances, signal quality can be less effective or entirely blocked by tall buildings, dense objects and other obstructions. Users in these ‘black spots’ may experience a decrease in communications quality or a complete halt to mobile phone services. In these instances, a mobile phone could connect to another large cell site with better coverage or to smaller cell sites known as picocells, microcells and femtocells, if one were available. Picocells, microcells and femtocells are placed in black spots and other difficult areas (such as train stations) in order to provide a good service that a large cell site cannot achieve. Although each provides a slightly different type of service, they all allow for basic mobile phone communication such as short message service (SMS) and conversations.

Friday 16 August 2013

eDiscovery and Forensic Accounting

In a world where technology is constantly evolving and being utilised, computer forensic techniques and E-discovery play an increasingly important role in forensic accounting. Fraud, in particular, is a problematic area of crime that commonly requires both computer forensic and forensic accounting expertise.
E-discovery is the process of identifying, preserving and presenting electronically stored information that may be relevant to criminal or civil litigation. In fraud, E-discovery is rapidly being depended on by forensic accountants and the Court to recover evidence that may not have been found through analysis of non-electronic evidence such as paperwork.

E-Discovery of relevant evidence

Metadata is detailed information stored in relation to an electronic item when it is opened, saved or created by a user on a computer device. Some metadata cannot be viewed without the use of specialised analysis tools. Therefore, it must only be recovered by an experienced investigator using computer forensic techniques.

Metadata is crucial when analysing potentially relevant items on an electronic exhibit. It can reveal time and date attributes, the original and last author of an item, its save path, the program used to create or open the file and more. Dates of access are especially significant due to their ability to indicate the last time a file or item may have been opened by a computer user.
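An added example, not code from the original post, of pulling the attributes listed above (original and last author, created/modified times, the program used) out of an Office Open XML document, where they live in docProps/core.xml and docProps/app.xml inside the zip container. The sample document, its author names and timestamps are constructed in memory; the two review flags are this example's own suggestions of what an examiner might want highlighted.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime

# Namespaces used by OOXML core and extended (application) properties.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "app": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed core.xml: a clerk created the file, a director last saved it.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>A. Clerk</dc:creator>
  <cp:lastModifiedBy>B. Director</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2013-07-02T09:14:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2013-08-01T16:40:00Z</dcterms:modified>
  <cp:revision>7</cp:revision>
</cp:coreProperties>""".format(**NS)

# Constructed app.xml: the application that wrote the file and total editing minutes.
APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{app}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>14.0000</AppVersion>
  <TotalTime>35</TotalTime>
</Properties>""".format(**NS)


def build_sample_docx():
    """Assemble a minimal .docx-style zip in memory carrying the two property parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def _text(root, path):
    node = root.find(path, NS)
    return node.text if node is not None else None


def _when(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None


def review_flags(meta):
    """Points an examiner would want drawn to their attention (example's own choice)."""
    flags = []
    if meta["creator"] and meta["last_modified_by"] and meta["creator"] != meta["last_modified_by"]:
        flags.append("last editor differs from original author")
    if meta["created"] and meta["modified"] and meta["modified"] < meta["created"]:
        flags.append("modified before created (clock change or tampering)")
    return flags


def extract_ooxml_metadata(blob):
    """Read the property parts straight from the container without opening the file
    in the authoring application, so nothing in it is touched or re-saved."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    meta = {
        "creator": _text(core, "dc:creator"),
        "last_modified_by": _text(core, "cp:lastModifiedBy"),
        "created": _when(_text(core, "dcterms:created")),
        "modified": _when(_text(core, "dcterms:modified")),
        "revision": _text(core, "cp:revision"),
        "application": _text(app, "app:Application"),
        "app_version": _text(app, "app:AppVersion"),
        "editing_minutes": _text(app, "app:TotalTime"),
    }
    meta["flags"] = review_flags(meta)
    return meta
```

Timestamps in core.xml are whatever the authoring application wrote, so they corroborate filesystem dates rather than replace them.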

Documents located on an exhibit may contain invoice, trading or bank account details that can ultimately be linked with a suspect or confirm the innocence of a person. Spreadsheets are a popular and commonly used type of document for storing financial details that can provide a wealth of information regarding the activities of a suspect. Upon recovering potentially significant documents for a fraud case, findings can be sent to a forensic accountant for further analysis.

Internet history can also provide an investigator with evidence regarding online banking or other financial activities. When a user enters form data such as banking details to access their account online, this information is sometimes stored on the drive in different forms. It is then possible through use of forensic techniques to identify relevant information that could be useful to forensic accountants such as sort codes or account numbers. Internet history records can be attributed to individual users using a computer system.

Communication between a suspect and others potentially involved in a fraud case can be uncovered through analysis of instant messaging programs or Email messages. Instant messaging programs are increasingly popular and some social networking sites such as MySpace and Facebook incorporate their own ‘chat’ tools into their websites. In the instance that suspects were thought to have been communicating over social networking sites, it is sometimes possible to recover fragments of conversation or their online profiles. Such information could aid a forensic accountant if the conversation was money or fraud related.

Other instant messaging programs can be installed to a computer device rather than through an online application. In these instances, it is sometimes easier to recover conversation logs if they have been saved to an exhibit. Files can also be transferred between contacts over an instant messaging client that could potentially aid an investigation if the item is relevant to the case (invoices, bank statements etc).

Emails provide an examiner with the Email addresses that a suspect has been using as well as detailed correspondence. This correspondence may be able to confirm whether a person has been posing as someone else, attempting to draw potential victims into a fraudulent operation, or discussing details of illegal activities. Another aspect of Email is attachments, which may contain files relevant to a fraud case. In the event that potentially significant attachments are found, a record should be kept of the Email address that sent the Email containing the attachment, the recipient of the Email and what the attachment contained. This detailed summary and the attachments can then be sent to the forensic accountant, who determines whether they are relevant or not in terms of finance.

Emails and instant messaging can provide detailed information on those who may be involved in a fraudulent operation, especially in situations where invoices or bank account details reveal a different name or address from that of the original suspect. Although these details may be fake as part of the operation, such data can still help a forensic accountant piece together an entire chain of events.

After exhibit investigation

All recovered information is then sent to a forensic accountant for further analysis after it has been exported from the exhibit in a forensically sound manner. If the forensic accountant obtains new information from analysing the electronic items and they suspect that more related data may be located on the drive, the investigator can return to the exhibit and retrieve the information if possible.

Conclusion

Forensic accountancy commonly depends on the expertise of computer forensic investigators to retrieve potentially relevant information to a fraud case from an electronic exhibit. Investigators are able to recover hidden information from an exhibit in a forensically sound manner so that any material retains perfect integrity. An increasing use of technology would indicate that more people will use computer devices and related programs to commit fraud.