Tuesday, August 23, 2011

The Dangers of the Online World


To most people, a computer could not be described as dangerous. We use them on a daily basis to type letters, perhaps browse the Internet, play games or store holiday photos. However, for some, data contained on a computer or mobile phone can provide enough evidence to form the basis of legal proceedings against them.

As a computer forensic specialist I am currently involved in criminal and civil cases involving an array of different subjects, including corporate data theft and espionage, murder, drugs, fraud, theft, employee misbehaviour, child access applications and even probate. These are not just legal cases either; for example, I regularly receive instructions relating to marriage disputes that involve computers and digital media.

Increased media attention over the past ten years in cases such as those within Operation Ore (relating to 7,000 individuals who allegedly subscribed to websites displaying sexual images of children) and, more recently, terrorism and 'happy slapping' incidents, has provoked a greater public interest in proceedings where digital evidence has formed a crucial part of the case.

Not only is there now a greater general awareness of the capabilities of digital evidence and its potential within legal cases, but reports of websites containing indecent images of children are also continually rising each year (the Internet Watch Foundation reports that the number of websites confirmed as containing unlawful material has increased by 62% over the last three years). It would, therefore, appear that the use of this type of evidence is set to continue to rise.

Increasing resources are now being spent on examining data of this type as part of legal cases where previously it was thought unnecessary. In the past it was commonplace for a Police investigator to restrict an investigation to simply identifying 'evidence'. When an independent party inspected such an investigation as part of a more in-depth review, it frequently emerged that the evidence as a whole had been misinterpreted and that the case against the Defendant was not as it first appeared.

Over recent years, the majority of criminal cases for which we received instructions have attracted greater attention from the Police. We now frequently encounter cases involving supportive evidence (such as user and/or Internet history) as well as the basic evidence that is relied upon as part of the Prosecution case. However, it seems inevitable that an increase in the number of cases limits what can be achieved within a Police Force's Hi-Tech Crime Unit. Even today we identify the presence of new and previously unconsidered relevant material within approximately 80% of the cases in which we are involved.

For the majority of the time, this is because the initial question asked of a Police Hi-Tech Crime Unit investigator is "What's there?" The question "How did it get there?" is normally asked only when the Defence looks to respond to the initial allegations. Consequently, that question is normally not answered until well after the case has been initiated.

Identifying the basic origins of a file is normally relatively straightforward. For instance, the location of the file normally provides the biggest clue; the activity surrounding its creation is another indicator. However, clearly, the presence of a file and even the identification of its origins do not confirm that the accused deliberately caused its creation nor was aware of its presence. To examine that point normally requires far greater levels of investigation, including the piecing together of items of data in order to build a history of that given file and the activity associated with it.

When dealing with cases involving indecent images of children, for instance, there are various methods for an image to have been created on a computer hard drive, including, but not limited to, websites accessed whilst browsing the Internet, received e-mails and peer-to-peer software, such as KaZaA. Within each of these originating sources several possible mechanisms can cause the creation of a file without the deliberate and intentional actions of the user.

One such example is a case in which I was involved within the last 18 months. This related to a 19-year-old male who, like most 19-year-olds, lived at home with his parents. However, unusually, this young man faced allegations of making and possessing 9 static and 11 moving indecent images of children. The images had been stored in two folders within his 'user' profile on the family's home computer. After two years of investigation by the Police, which included an examination of the family computer by the Force's Hi-Tech Crime Unit and an externally sourced expert computer consultant as well as a number of interviews and Court appearances, the accused still had not made any admissions of guilt and claimed that he was simply unaware of the presence of the images.

The Prosecution relied upon the fact that the unlawful images were contained within manually created folders of the Defendant's 'user' profile and they also identified the presence of keyword searches for terms that were likely to result in the creation of unlawful material.

I examined the case and noted that the 9 static images had arrived via a small number of web pages containing legitimate adult pornography and had been created automatically by image downloading software. This software, I noted, had searched for and downloaded any images present on any web page that it encountered. A number of further observations were made as to the apparent lack of awareness of the user regarding the presence of the images following their creation.

The 11 moving images had appeared to have originated via the peer-to-peer software named Limewire. The software had been used to download a significant amount of pornography, including these unlawful moving images. Furthermore, a review of the operation of the software confirmed that dubious keyword searches had been conducted and these specific images had been downloaded to a folder that was located within the 'user' profile of the accused.

It was only after a careful review of the system activity contained on the hard drive that it transpired that another user of the computer had been frequently accessing the folder containing the target images and had been viewing its contents, including the unlawful images. After 9 months of our involvement and nearly three years of investigation, the case was eventually dropped shortly before the set Trial date.

This case is not an exception. In approximately 20% of the cases in which we are involved we have been responsible for identifying crucial new evidence that has caused the case to be withdrawn. Due to the level of examination required to recognise such evidence, this figure is unlikely to diminish. For the Police, an examination of this detail is irrelevant for the majority of cases. Having previously worked within a regional Hi-Tech Crime Unit, I noted that while I was there, for approximately 85% of the cases in which evidence was identified, the Defendant would plead prior to Trial. Only a small percentage of cases involved a Trial and even fewer were party to a review by an independent examiner.

Cases involving files encountered and downloaded via websites are also frequent areas of misunderstanding. The presence of a web page or file on a hard drive can be the result of intentional user access, or alternatively, the operation of one of a number of different scripts and software. These scripts can cause the user's Internet browser to be automatically forwarded to web pages containing certain material or cause certain files to be added to the hard drive without the user's knowledge.

As even legitimate websites contain scripts, the majority of computer users will have experienced 'pop-up' windows (and may have been annoyed at having to close them). These are normally used to forward a user to an advert that will often consist of a service vaguely relating to the content of the page that was visited (e.g. the autotrader website regularly contains pop-up scripts to websites for car loans or car manufacturers). However, identifying the presence of these types of scripts and software is often difficult. Furthermore, once a suspect item has been found, making the determination as to its nature, ability and activity can be even more complicated.

As digital media increases in capacity it allows users to store more data but also increases the possibility of software or anomalous mechanisms causing the creation and movement of files. This brings with it a corresponding increase in the amount of resources and time required to examine the greater number of processes and, clearly, the amount of data to be examined in order to identify such mechanisms.

Additionally, the increased use in the court room, within both criminal and civil proceedings, of digital evidence brings with it a greater need for the presentation skills required to provide simple explanations of a subject that can not only be difficult to comprehend but also to convey accurately, clearly and without prejudice.

Clearly, the prevalence of digital technology will increase as it becomes even more accessible, usable and capable. This will undoubtedly result in a continuous increase in the number of cases involving and relying on digital evidence as well as increasing the pressure on Police Forces to examine and collate evidence from a larger number of items of digital media.

My concern is that, as nearly happened with the case of the 19-year-old highlighted earlier, potentially, the critical facts of such cases will go unnoticed and items of evidence will be missed as a result of the restricted budgets and timescales placed upon a computer examiner. In this regard, the dangers of computers and the online world, for an increasing number of unsuspecting individuals, could be great.
