Forensic Computer Science

Forensic science is not just about fingerprints and bodies. Many court cases now
depend on evidence exhumed from computer disks.
Last month, Britain's top computer
forensic specialists met privately for a seminar at the London School of Economics.
Defence and prosecution computer experts swapped notes on methods and cases they had
fought. With them were private investigators and police computer specialists from across
Britain who are already conducting hundreds of overt and covert computer raids every year.
In both overt and covert computer investigations (normally requested by a company that
suspects that staff may be engaged in fraud or computer misuse), the most common approach
is to arrive armed with a box the size of a small video recorder called Dibs - the Digital
Image Backup System. Dibs is connected to the computer's printer terminal where it
then siphons out the entire contents of the suspect computer, writing them to an optical
disk. Dibs was designed just five years ago to meet the growing needs of the Metropolitan
Police's then newly formed Computer Crime Unit. Most police forces now have their own
teams of civilian or uniformed computer specialists. Most have their own Dibs or hire one
when a computer raid is planned.
Systems like Dibs or its main competitors, Vogon Authentec and the US-made Sydex, copy
computer data before the actual machines are removed from the premises, or the data or
hardware is changed. However, they don't just copy the files that the user (or
operating system) sees. They copy every bit on the disk. Back at the laboratory,
investigative software can then recover whole or partial files that have been deleted or
hidden, perhaps months before.
"We have nice forensic tools to use," says the director of computer
investigators Network International. His 70-strong London-based team are called out
several times a month to assist police and Customs officers on raids, or with analysing
computers they have seized. Other calls come in from solicitors who have obtained a
little-known court order called Anton Piller, which allows them to conduct an
unannounced civil raid on their targets, often in cases of alleged fraud or piracy. In
such cases, computers are often the major target.
After the investigators have looked at normal files, they use their special software to
gather all the slack space on a hard disk into a giant new file. This method
sweeps up not just detritus in unused sections of the disk, but also parts of normal files
that contain data originally stored by an earlier occupant of the same space.
These tools provide his teams with "pieces for a jigsaw puzzle",
reconstructing what was stored in times past. Text search tools are used to spot
suspicious phrases or references. But this is when a prosecution case can go astray and
risk miscarriages of justice, says Sommer. "Lay people [in the computer sense, and
including judges, juries and magistrates] are full of wonder about what computer forensics
can do. They fail to understand the point at which experts are producing questionable
interpretations as opposed to unchallengeable fact."
Searches involving computers are done under the same police powers and code of practice
as ordinary searches. Yet the effects on a business or homeworker whose computers are
taken away for months-long investigations can be devastating. Some have faced ruin as a
result - even if they are acquitted or charges are later dropped. Some forces will seize
computers no matter what. Others usually try to leave a business's computers in
place, once they have copied all the evidence they want.
But, according to a leading defence computer expert and fellow of LSE's Computer
Security Research Centre, scientific standards have not kept pace with the rapid advance
in computer forensic skills. "From what I've seen, we are soon going to see cases
where computer forensic evidence is incorrectly used, with the result that people get
wrongly convicted of serious offences - just as happened to the Birmingham and Guildford
bombers. I fear that all the preconditions exist for forensically induced
injustice. Citizens are supposed to be protected against 'unreasonable search
and seizure'. If police examine the contents of a suspect's filing cabinet under
a search warrant, they should take only documents relevant to the alleged offence. Yet
when computers are involved, they automatically take everything."
New forensic methods need to be developed to provide proof that neither the police nor
defendants have tampered with computer evidence such as hard disks and storage media.
Defence specialists like Sommer worry that current practice is very variable, and usually
depends on proprietary gadgets and software whose inner workings are withheld from
courtroom scrutiny and independent scientific testing.
The most worrying kind of case, which has already occurred, is when a doctor or another
professional is accused of (say) financial fraud. The computer raid team will
automatically copy and take reams of confidential medical or privileged legal information.
At present, the law provides no special safeguards to stop such information being abused,
or to protect the third parties whose private information has been obtained.
Arguments can be as basic as to whether the copies made by the police are authentic.
One standard police forensic procedure is to make multiple copies and seal them, giving
one set to defence lawyers. Another is to cryptographically sign the CD-Rom copies. Police
claim that they prefer defence lawyers to attend when possible, thus limiting later court
claims that digital evidence has been adjusted and improved after seizure.
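The sealed-copies procedure described above, as an added illustration that is not any force's or vendor's actual tooling: each copy is fingerprinted at imaging time, the manifest of fingerprints is sealed, and any party holding a copy can later check whether it, or the manifest, has changed. The image bytes and key are constructed, and an HMAC stands in for the digital signature the article mentions.

```python
# Added illustration of the sealed-copies procedure, not any force's actual
# tooling. The HMAC key stands in for a signing key; image bytes are constructed.
import hashlib
import hmac
import json


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def make_manifest(copies: dict) -> dict:
    """Record one digest per copy at imaging time, before any copy leaves the scene."""
    return {name: digest(img) for name, img in copies.items()}


def seal(manifest: dict, key: bytes) -> str:
    """Tag over a canonical encoding so the manifest itself cannot be edited later."""
    canon = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify(copies: dict, manifest: dict, tag: str, key: bytes) -> list:
    """Return every discrepancy found; an empty list means nothing has changed."""
    problems = []
    if not hmac.compare_digest(seal(manifest, key), tag):
        problems.append("manifest seal invalid")
    for name, img in copies.items():
        if manifest.get(name) != digest(img):
            problems.append(f"{name}: digest mismatch")
    return problems


def demo():
    image = bytes(range(256)) * 4              # constructed stand-in for a disk image
    key = b"constructed-seal-key"
    copies = {"police": image, "defence": image, "sealed-archive": image}
    manifest = make_manifest(copies)
    tag = seal(manifest, key)
    tampered = dict(copies, police=image[:100] + b"\xff" + image[101:])  # one byte changed
    return verify(copies, manifest, tag, key), verify(tampered, manifest, tag, key)
```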
How To Cover Your Tracks
If you're under investigation by private detectives, the first thing they will do
is remove and sift through your rubbish bags. Private disk investigators are no different.
The first place they'll look is in the garbage left on disk. Deleted
files never normally leave; they just hang around until they are overwritten when another
file uses the space. If you're worried about security, here's what to do.
Paranoids start here: Windows 95 leaves a lavish trail of interlocking historical
records that can reveal what someone has been doing with their computer for months or even
years before. Microsoft does know this. Browse over to their Redmond HQ
(http://www.microsoft.com/windows/software/powertoy.htm) and you can have their
Paranoia package for free. A few quick clicks will delete all your cached
records and history files.
Use a washing machine: Some utilities, such as XTREE, will systematically go through
your disk and write 1s or 0s onto all unused space. Norton
Utilities' wipefile and wipedisk are similar. New versions of
the e-mail encryption program, PGP, also include a wipe utility. But few
disk-washing machines reach the unused space of disk clusters that another
file is only partially using.
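A toy model of the two points made above (the slack-space sweep the investigators perform, and the washing-machine gap just described), added here as an illustration and not code from the article or any product it names: deleting a file removes only its directory entry, and a wiper that scrubs unallocated clusters still leaves the tail of a live file's last cluster untouched. Cluster size, file names and contents are constructed.

```python
# Added illustration, not the article's tools: a toy cluster-addressed disk with constructed sizes/contents.
CLUSTER = 16        # bytes per cluster (real clusters are KiB-sized)
NUM_CLUSTERS = 8

def clusters_needed(length):
    return -(-length // CLUSTER)        # ceiling division

class ToyDisk:
    def __init__(self):
        self.raw = bytearray(CLUSTER * NUM_CLUSTERS)
        self.files = {}                 # the "directory": name -> (first_cluster, length)
    def used_clusters(self):
        return {c for first, ln in self.files.values()
                for c in range(first, first + clusters_needed(ln))}
    def write(self, name, data):
        need, used = clusters_needed(len(data)), self.used_clusters()
        for first in range(NUM_CLUSTERS - need + 1):    # first-fit, contiguous run
            if not used & set(range(first, first + need)):
                off = first * CLUSTER
                self.raw[off:off + len(data)] = data     # tail of the last cluster is left as-is
                self.files[name] = (first, len(data))
                return
        raise OSError("disk full")
    def delete(self, name):
        del self.files[name]            # only the directory entry goes; the bytes stay
    def unallocated(self):
        """What a carving tool sees: every cluster no live file claims."""
        free = sorted(set(range(NUM_CLUSTERS)) - self.used_clusters())
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in free)
    def slack(self):
        """Gather the unused tail of each live file's last cluster into one blob."""
        return b"".join(bytes(self.raw[first * CLUSTER + ln:
                                       (first + clusters_needed(ln)) * CLUSTER])
                        for first, ln in self.files.values())
    def wipe_unallocated(self):
        """A 'washing machine' that only scrubs clusters no file is using."""
        for c in set(range(NUM_CLUSTERS)) - self.used_clusters():
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

def demo():
    d = ToyDisk()
    d.write("ledger.txt", b"SECRET-TRANSFER-TO-OFFSHORE-ACCOUNT-1234")  # 40 B, clusters 0-2
    d.delete("ledger.txt")
    d.write("note.txt", b"Meeting at noon, ok?")    # 20 B, clusters 0-1, 12 B of slack
    before = (d.unallocated(), d.slack())
    d.wipe_unallocated()
    return before, (d.unallocated(), d.slack())
```

Before the wipe, the old ledger's tail is visible in unallocated space and its middle in note.txt's slack; after the wipe only the slack copy survives, which is exactly the gap the text describes.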
Use a file encryption program.