Forensic Computer Science
Forensic science is not just about fingerprints and bodies. Many court cases now depend on evidence exhumed from computer disks.
Last month, Britain's top computer forensic specialists met privately for a seminar at the London School of Economics. Defence and prosecution computer experts swapped notes on methods and cases they had fought. With them were private investigators and police computer specialists from across Britain who are already conducting hundreds of overt and covert computer raids every year.
In both overt and covert computer investigations (normally requested by a company that suspects that staff may be engaged in fraud or computer misuse), the most common approach is to arrive armed with a box the size of a small video recorder called Dibs - the Digital Image Backup System. Dibs is connected to the computer's printer terminal, where it then siphons out the entire contents of the suspect computer, writing them to an optical disk. Dibs was designed just five years ago to meet the growing needs of the Metropolitan Police's then newly formed Computer Crime Unit. Most police forces now have their own teams of civilian or uniformed computer specialists. Most have their own Dibs or hire one when a computer raid is planned.
Systems like Dibs or its main competitors, Vogon Authentec and the US-made Sydex, copy computer data before the actual machines are removed from the premises, or the data or hardware is changed. However, they don't just copy the files that the user (or operating system) sees. They copy every bit on the disk. Back at the laboratory, investigative software can then recover whole or partial files that have been deleted or hidden, perhaps months before.
'We have nice forensic tools to use,' says the director of computer investigators Network International. His 70-strong London-based team are called out several times a month to assist police and Customs officers on raids, or with analysing computers they have seized. Other calls come in from solicitors who have obtained a little-known court order called 'Anton Piller', which allows them to conduct an unannounced civil raid on their targets, often in cases of alleged fraud or piracy. In such cases, computers are often the major target.
After the investigators have looked at normal files, they use their special software to gather all the 'slack space' on a hard disk into a giant new file. This method sweeps up not just detritus in unused sections of the disk, but also parts of normal files that contain data originally stored by an earlier occupant of the same space.
These tools provide his teams with pieces for a 'jigsaw puzzle', reconstructing what was stored in times past. Text search tools are used to spot suspicious phrases or references. But this is when a prosecution case can go astray and risk miscarriages of justice, says Sommer. 'Lay people [in the computer sense, and including judges, juries and magistrates] are full of wonder about what computer forensics can do. They fail to understand the point at which experts are producing questionable interpretations as opposed to unchallengeable fact.'
Searches involving computers are done under the same police powers and code of practice as ordinary searches. Yet the effects on a business or homeworker whose computers are taken away for months-long investigations can be devastating. Some have faced ruin as a result - even if they are acquitted or charges are later dropped. Some forces will seize computers no matter what. Others usually try to leave a business's computers in place, once they have copied all the evidence they want.
But, according to a leading defence computer expert and fellow of LSE's Computer Security Research Centre, scientific standards have not kept pace with the rapid advance in computer forensic skills.
'From what I've seen, we are soon going to see cases where computer forensic evidence is incorrectly used, with the result that people get wrongly convicted of serious offences - just as happened to the Birmingham and Guildford bombers. I fear that all the preconditions exist for forensically induced injustice.'
Citizens are supposed to be protected against 'unreasonable search and seizure'. If police examine the contents of a suspect's filing cabinet under a search warrant, they should take only documents relevant to the alleged offence. Yet when computers are involved, they automatically take everything.
New forensic methods need to be developed to provide proof that neither the police nor defendants have tampered with computer evidence such as hard disks and storage media. Defence specialists like Sommer worry that current practice is very variable, and usually depends on proprietary gadgets and software whose inner workings are withheld from courtroom scrutiny and independent scientific testing.
The most worrying kind of case, which has already occurred, is when a doctor or another professional is accused of (say) financial fraud. The computer raid team will automatically copy and take reams of confidential medical or privileged legal information.
At present, the law provides no special safeguards to stop such information being abused, or to protect the third parties whose private information has been obtained.
Arguments can be as basic as to whether the copies made by the police are authentic. One standard police forensic procedure is to make multiple copies and seal them, giving one set to defence lawyers. Another is to cryptographically sign the CD-Rom copies. Police claim that they prefer defence lawyers to attend when possible, thus limiting later court claims that digital evidence has been adjusted and 'improved' after seizure.
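The sealing-and-signing procedure described above comes down to a simple check that either side can repeat: record a digest of the image at seizure, protect that record, and later compare every copy against it. The example below is an added illustration, not code from the article or from any of the products it names. It uses SHA-256 for the digest and, as a stand-in for the signature the article mentions, an HMAC under a key held by the sealing party; a real scheme would use a public-key signature so the defence could verify without holding the key. The image bytes and key are constructed for the example.

```python
"""Toy chain-of-custody check: seal a forensic image at seizure, verify copies later."""
import hashlib
import hmac

# Constructed stand-in for the raw image a Dibs-style unit would siphon off a suspect disk.
ORIGINAL_IMAGE = (
    b"INVOICE 4471  Consultancy services  GBP 12,500\n"
    b"INVOICE 4472  Consultancy services  GBP 12,500\n"
    b"deleted-file-residue: ...payment to be split as agreed...\n"
)

# Constructed key held by the sealing party (assumption: in practice a signing key pair).
SEAL_KEY = b"example-seal-key-not-for-real-use"


def image_digest(data: bytes) -> str:
    """Digest of the whole image, every bit included, not just visible files."""
    return hashlib.sha256(data).hexdigest()


def seal_image(data: bytes, key: bytes) -> dict:
    """Produce the sealing record: the digest plus a keyed tag over that digest."""
    digest = image_digest(data)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def verify_copy(copy: bytes, seal: dict, key: bytes) -> tuple:
    """Return (ok, reason). Checks the seal record first, then the copy against it."""
    expected_tag = hmac.new(key, seal["sha256"].encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking which byte of the tag differed via timing.
    if not hmac.compare_digest(expected_tag, seal["tag"]):
        return False, "seal record has been altered"
    if image_digest(copy) != seal["sha256"]:
        return False, "copy does not match sealed digest"
    return True, "copy matches seal"


def check_copies(copies: dict, seal: dict, key: bytes) -> dict:
    """Verify several sealed copies (e.g. prosecution set, defence set) in one pass."""
    return {name: verify_copy(data, seal, key) for name, data in copies.items()}


if __name__ == "__main__":
    seal = seal_image(ORIGINAL_IMAGE, SEAL_KEY)
    copies = {
        "police_copy": ORIGINAL_IMAGE,
        "defence_copy": bytes(ORIGINAL_IMAGE),
        # Constructed tampered copy: one invoice number changed after seizure.
        "adjusted_copy": ORIGINAL_IMAGE.replace(b"4471", b"4417"),
    }
    for name, (ok, reason) in check_copies(copies, seal, SEAL_KEY).items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}")
```

The point the article makes about defence attendance follows directly: if the defence holds its own sealed copy and the digest recorded at the scene, any later 'improvement' of the prosecution's copy shows up as a digest mismatch rather than as one expert's word against another's.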
How To Cover Your Tracks
If you're under investigation by private detectives, the first thing they will do is remove and sift through your rubbish bags. Private disk investigators are no different. The first place they'll look is in the garbage left on disk.
'Deleted' files never normally leave; they just hang around until they are overwritten when another file uses the space. If you're worried about security, here's what to do.
Paranoids start here: Windows 95 leaves a lavish trail of interlocking historical records that can reveal what someone has been doing with their computer for months or even years before. Microsoft does know this. Browse over to their Richmond HQ (http://www.microsoft.com/windows/software/powertoy.htm) and you can have their 'Paranoia' package for free. A few quick clicks will delete all your cached records and history files.
Use a washing machine: Some utilities, such as XTREE, will systematically go through your disk and write 1s or 0s on to all unused spaces. Norton Utilities' 'wipefile' and 'wipedisk' are similar. New versions of the e-mail encryption program, PGP, also include a 'wipe' utility. But few disk-washing machines reach the unused spaces of disk 'clusters' which another file is only partially using.
Use a file encryption program.
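The two forensic points the article makes, that a 'deleted' file's bytes stay on disk until something overwrites them, and that gathering 'slack space' recovers fragments even after a free-space wipe, can both be shown on a toy disk. The model below is an added example written for this article, not code from any product it names. It assumes a simplified filesystem: fixed-size clusters, an allocation table mapping clusters to file names, and first-free allocation; the cluster size, file contents and search terms are constructed. Deleting a file only clears its allocation entries, a naive wiper zeroes whole unallocated clusters, and the investigator's sweep collects unallocated clusters plus the unused tail of each live file's last cluster and runs a keyword search over the result.

```python
"""Toy disk model: deleted data persists, and a free-cluster wipe misses slack in part-used clusters."""

CLUSTER = 64  # constructed: tiny cluster size so the image stays readable

# Constructed file contents for the scenario.
MEMO = b"Memo to self: TRANSFER 50000 TO OFFSHORE ACCOUNT 9981 before audit. Shred this."
NOTE = b"Lunch with the bank."


class ToyDisk:
    def __init__(self, clusters: int):
        self.image = bytearray(clusters * CLUSTER)   # the raw bits a Dibs-style copy captures
        self.alloc = [None] * clusters               # cluster -> owning file name, or None
        self.files = {}                              # name -> (cluster list, byte length)

    def write_file(self, name: str, data: bytes) -> None:
        """Store data in the first free clusters; bytes past the end in the last cluster are left as-is."""
        needed = -(-len(data) // CLUSTER)            # ceiling division
        free = [i for i, owner in enumerate(self.alloc) if owner is None][:needed]
        if len(free) < needed:
            raise ValueError("disk full")
        for n, cluster in enumerate(free):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            start = cluster * CLUSTER
            self.image[start:start + len(chunk)] = chunk
            self.alloc[cluster] = name
        self.files[name] = (free, len(data))

    def read_file(self, name: str) -> bytes:
        clusters, size = self.files[name]
        data = b"".join(bytes(self.image[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return data[:size]

    def delete_file(self, name: str) -> None:
        """Like a real delete: only the allocation entries go; every byte stays on the platter."""
        self.alloc = [None if owner == name else owner for owner in self.alloc]
        del self.files[name]

    def wipe_free_clusters(self) -> int:
        """A naive disk washer: zero whole unallocated clusters. Returns clusters wiped."""
        wiped = 0
        for cluster, owner in enumerate(self.alloc):
            if owner is None:
                self.image[cluster * CLUSTER:(cluster + 1) * CLUSTER] = bytes(CLUSTER)
                wiped += 1
        return wiped

    def gather_slack(self) -> bytes:
        """The investigator's sweep: unallocated clusters plus the unused tail of each file's last cluster."""
        out = bytearray()
        for cluster, owner in enumerate(self.alloc):
            if owner is None:
                out += self.image[cluster * CLUSTER:(cluster + 1) * CLUSTER]
        for clusters, size in self.files.values():
            last = clusters[-1]
            used_in_last = size - (len(clusters) - 1) * CLUSTER
            out += self.image[last * CLUSTER + used_in_last:(last + 1) * CLUSTER]
        return bytes(out)


def search_slack(disk: ToyDisk, keywords) -> dict:
    """Keyword hit counts over the gathered slack, the 'text search' step in the article."""
    slack = disk.gather_slack()
    return {kw: slack.count(kw) for kw in keywords}


def build_scenario() -> ToyDisk:
    """Write a memo spanning two clusters, delete it, then let a short note reuse the first cluster."""
    disk = ToyDisk(clusters=4)
    disk.write_file("memo.txt", MEMO)
    disk.delete_file("memo.txt")
    disk.write_file("note.txt", NOTE)   # 20 bytes: the other 44 bytes of cluster 0 are slack
    return disk


if __name__ == "__main__":
    disk = build_scenario()
    terms = [b"OFFSHORE", b"Shred"]
    print("before wipe:", search_slack(disk, terms))
    print("clusters wiped:", disk.wipe_free_clusters())
    print("after wipe: ", search_slack(disk, terms))
```

Before the wipe both terms turn up: 'OFFSHORE' sits in the slack of the cluster the note now shares, and 'Shred this.' sits in the freed second cluster. The wipe removes the second hit but not the first, because that cluster is allocated to the live note and a free-space washer never touches it. That is the gap the article warns about, and the reason an examiner gathers slack from live files as well as free space.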