Athena Forensics Articles, written by our Forensics Experts
In a Changing World New Evidence Brings New Challenges

According to sources, pornography accounts for 68 million daily Internet searches (25% of all Internet searches), 12% of websites and 1.5 billion downloads a month. The sheer volume of people seeking such material is surprising. However, computers are a discreet, cheap and relatively effective method of accessing such material. The Internet allows users to freely share and download any type of pornography through a number of different sources including from commercial sites, where access is likely to cost money, or darker less well known areas of the Internet, where access is likely to be free.
Whilst we are not limited to such cases, the most common aspect of my work within criminal cases involves those where the Defendant has been charged with offences relating to pornography. For a number of years, a computer related pornographic offence normally involved the existence of indecent images of children, however, since its introduction as an offence on 26th January 2009, Athena Forensics have received instructions for a number of cases that include offences relating to extreme pornography.
Both types of material are freely available from a variety of Internet sources including websites and peer-to-peer software. The most common issues for a forensic investigator involved in cases of this type relate to the manner in which the files were created on an item of evidence. Clearly, the existence of them on an individual's computer can be as a result of them being deliberately stored and this accounts for the majority of cases when the evidence is not contested. However, the mere existence of such files does not necessarily mean that they had been stored deliberately or that the user had intentionally sought them, and exploring this possibility is the most important, and sometimes the most difficult, part of cases involving this type of evidence.
Over the past few years the use of peer-to-peer software has continued to increase, allowing users to gain a variety of material, whether it be music, movies or pornography, from a single source. Basically, peer-to-peer software allows a group of users to share files that are contained within designated ‘shared' folders on their computers with one another over the Internet. The content available is limited to the content of the folders that are ‘shared' by others. Whilst downloading can be varied in quality and speed, the increase in users makes it a more viable source of material and with an increase in use comes an increase in cases involving software of this type. There are a number of ways in which users can isolate and download material from these sources; however, there are also a number in which files can be downloaded without a user being aware of the specific content of a given file.
Recently, I was instructed in a case that involved the downloading of files via peer-to-peer software called eMule and a number of images that were located within deleted areas of the hard drive. The Police had identified a number of partially and fully downloaded indecent images of children and a number of ‘text fragments' relating to similar material.
The Defendant claimed, in relation to the eMule software, that whilst he had occasionally encountered files that displayed ‘File Names' with references to indecent images of children, this had been during the pursuit of adult pornography and he had not deliberately downloaded any unlawful material. He was not aware of the presence or origins of any of the relevant material within the deleted areas of the hard drive.
During the investigation of the case, an examination of the hard drive was conducted, which noted that, whilst a number of indecent images were within the deleted areas of the hard drive, they were within a close group of files within that region of the drive. It was then also possible to recover a web page that was found to have previously contained the images and to identify that the page had contained both indecent images of children and adult pornography.
In addition to this, along with the examination of the evidential hard drive, the types of files that were available for download via eMule were also examined. The relatively basic manner in which the software identifies search results from a search string (keyword) can cause users to be provided with results that may differ significantly in content from the material that was expected, and even when downloaded the description given to a file can vary greatly from its content. The operation of the software allows users to download specific files individually or as part of a group of files.
When a search for a generic adult pornographic related term was conducted (‘nudist') over 600 results were returned of files that were available at the time. The names of the files returned were reviewed and approximately 10% were noted to contain references that were indicative of potentially containing indecent images of children. As these files are only viewable once they have been downloaded (whether partially or fully), the content of them could not be confirmed. However, clearly, there is a possibility that a user would be able to conduct a search for adult related material and then download the results as a group. The majority of files downloaded are likely to have related to the material sought; however, a significant portion may have comprised unlawful material that was unrelated to the search.
A review of the evidence was conducted and this identified that the time/date stamps of files that were contained on the evidential hard drive also supported the assertion that the images had been created as a result of a download that predominantly comprised adult pornography. The partially downloaded files were noted as likely to have either been halted or to have become unavailable; in any event, they had not completed. The report that followed resulted in the Prosecution dropping the case pre-Trial.
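The timestamp review described above, as an added illustration written for this page (not Athena Forensics' own tooling): file-creation timestamps are grouped into download bursts and each burst is summarised to show whether contested files sit inside a large, mostly unrelated batch or were created on their own. The file names, timestamps, the 30-second gap and the flagging are constructed assumptions.

```python
"""Cluster file-creation timestamps into download bursts (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEntry:
    path: str          # path recovered from the file system or carved region
    created: datetime  # file-system creation timestamp
    flagged: bool      # True for the contested files identified by the examiner


def cluster_by_creation(entries, gap=timedelta(seconds=30)):
    """Sort by creation time and start a new burst whenever the gap to the
    previous file exceeds `gap`; each burst is a list of FileEntry."""
    ordered = sorted(entries, key=lambda e: e.created)
    bursts = []
    for entry in ordered:
        if bursts and entry.created - bursts[-1][-1].created <= gap:
            bursts[-1].append(entry)
        else:
            bursts.append([entry])
    return bursts


def summarise(burst):
    """Size, duration and contested-file share of one burst."""
    flagged = sum(1 for e in burst if e.flagged)
    return {
        "start": burst[0].created,
        "seconds": (burst[-1].created - burst[0].created).total_seconds(),
        "files": len(burst),
        "flagged": flagged,
        "flagged_share": flagged / len(burst),
    }


def assess(burst, min_size=5):
    """Plain-language reading for the report: a contested file sitting inside a
    large, predominantly unflagged burst is consistent with a batch download;
    one created in isolation calls for a separate explanation."""
    s = summarise(burst)
    if s["flagged"] == 0:
        return "no contested files"
    if s["files"] >= min_size and s["flagged_share"] < 0.5:
        return "contested files inside a mixed batch"
    return "contested files created in isolation"


# Constructed sample: a 12-file batch created over 88 seconds containing two
# contested files, then one contested file created on its own three hours later.
BASE = datetime(2009, 3, 14, 21, 5, 0)
SAMPLE = [
    FileEntry(f"Incoming/batch_{i:02d}.jpg", BASE + timedelta(seconds=8 * i), i in (4, 9))
    for i in range(12)
] + [FileEntry("Incoming/single.jpg", BASE + timedelta(hours=3), True)]

if __name__ == "__main__":
    for burst in cluster_by_creation(SAMPLE):
        s = summarise(burst)
        print(f"{s['start']:%Y-%m-%d %H:%M:%S} {s['files']:3d} files "
              f"{s['seconds']:5.0f}s flagged={s['flagged']} -> {assess(burst)}")
```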
This case is not an exception. This year, we have seen an increase in the number of cases which, when questioned and given a suitable level of examination and investigation, have been found to be based upon evidence that does not provide the level of proof necessary for the Court. The investigation carried out by Police is governed by budget and, therefore, limited time is spent on any given case even though the findings of these examinations sometimes form the basis of the proceedings.
Whilst it is not particularly difficult to identify evidential data such as that found in these types of cases, it is difficult to trace the steps that evidence had taken during creation and to identify whether that evidence had been deliberately or unintentionally created. This part of an investigation requires time and that time is being increasingly governed by budget.
Increasingly we see individuals or companies instructed purely based on price rather than experience or ability. It is possible for anyone to reduce costs by limiting work on a case, however, what would the result be as far as leaving key evidence to go undetected? Is the evidence simply being processed or is it actually being examined and investigated?
Whilst the case mentioned above is not one that we would classify as particularly technical, it is one in which, if the evidence is not given the correct level of investigation, key points would be missed. Particularly in cases of this type, when a suspect claims that evidence produced by Police is incorrect, a level of disbelief is often received whether those claims are valid or not. Without a correct level of investigation, any supportive evidence will go undetected and that would seem to be a regression of Justice.
Matthew Jackson,
Director, Senior Forensic Consultant and Expert Witness at Athena Forensics
The Dangers of the Online World
To most people, a computer could not be described as Dangerous. We use them on a daily basis to type letters, perhaps browse the Internet, play games or store holiday photos. However, for some, data contained on a computer or mobile phone can provide enough evidence to form the basis of legal proceedings against them.
As computer forensic specialists, Athena Forensics is currently involved in criminal and civil cases involving an array of different subjects, including corporate data theft and espionage, murder, drugs, fraud, theft, employee misbehaviour, child access applications and even probate. These are not just legal cases either; for example, we regularly receive instructions relating to marriage disputes that involve computers and digital media.
Increased media attention over the past ten years in cases such as those within Operation Ore (relating to 7,000 individuals who allegedly subscribed to websites displaying sexual images of children) and more recently, terrorism and ‘happy slapping' incidents, have provoked a greater public interest in proceedings where digital evidence has formed a crucial part of the case.
Not only is there now a greater general awareness of the capabilities of digital evidence and its potential within legal cases, additionally, reports of websites containing indecent images of children are also continually rising each year (The Internet Watch Foundation reports that the number of websites confirmed as containing unlawful material has increased by 62% over the last three years). It would, therefore, appear that the use of this type of evidence is set to continue to rise.
Increasing resources are now being spent on examining data of this type as part of legal cases where previously it was thought unnecessary. In the past it was commonplace for a Police investigator to restrict an investigation to simply identifying ‘evidence'. Upon inspection of this investigation by an independent party, as part of a more in-depth review, it was frequent for the evidence as a whole to have been misinterpreted and the case against the Defendant was not as it first appeared.
Over recent years, the majority of criminal cases for which we received instructions have attracted greater attention from the Police. We now frequently encounter cases involving supportive evidence (such as user and/or Internet history) as well as the basic evidence that is relied upon as part of the Prosecution case. However, it seems inevitable that an increase in the number of cases limits what can be achieved within a Police Force's Hi-Tech Crime Unit. Even today we identify the presence of new and previously unconsidered relevant material within approximately 80% of the cases in which we are involved.
For the majority of the time, this is the result of the initial question asked of a Police Hi-Tech Crime Unit investigator being "What's there?" The question "How did it get there?" is normally asked only when the Defence looks to respond to the initial allegations. Consequently, that question is normally not answered until well after the case has been initiated.
Identifying the basic origins of a file is normally relatively straightforward. For instance, the location of the file normally provides the biggest clue; the activity surrounding its creation is another indicator. However, clearly, the presence of a file and even the identification of its origins do not confirm that the accused deliberately caused its creation nor was aware of its presence. To examine that point normally requires far greater levels of investigation, including the piecing together of items of data in order to build a history of that given file and the activity associated with it.
When dealing with cases involving indecent images of children, for instance, there are various methods for an image to have been created on a computer hard drive, including, but not limited to, websites accessed whilst browsing the Internet, received e-mails and peer-to-peer software, such as KaZaA. Within each of these originating sources several possible mechanisms can cause the creation of a file without the deliberate and intentional actions of the user.
One such example is a case in which I was involved within the last 18 months. This related to a 19-year old male who, like most 19-year olds, lived at home with his parents. However, unusually, this young man faced allegations of making and possessing 9 static and 11 moving indecent images of children. The images had been stored in two folders within his ‘user' profile on the family's home computer. After two years of investigation by the Police, that included an examination of the family computer by the Force's Hi-Tech Crime Unit and an externally sourced expert computer consultant as well as a number of interviews and Court appearances, the accused still had not made any admissions of guilt and claimed that he was simply unaware of the presence of the images.
The Prosecution relied upon the fact that the unlawful images were contained within manually created folders of the Defendant's ‘user' profile and they also identified the presence of keyword searches for terms that were likely to result in the creation of unlawful material.
I examined the case and noted that the 9 static images had arrived via a small number of web pages containing legitimate adult pornography and had been created automatically by image downloading software. This software, I noted, had searched for and downloaded any images present on any web page that it encountered. A number of further observations were made as to the apparent lack of awareness of the user regarding the presence of the images following their creation.
The 11 moving images had appeared to have originated via the peer-to-peer software named Limewire. The software had been used to download a significant amount of pornography, including these unlawful moving images. Furthermore, a review of the operation of the software confirmed that dubious keyword searches had been conducted and these specific images had been downloaded to a folder that was located within the ‘user' profile of the accused.
It was only after a careful review of the system activity that was contained on the hard drive did it transpire that another user of the computer had been frequently accessing the folder containing the target images and had been viewing its contents, including the unlawful images. After 9 months of our involvement and nearly three years of investigation, the case was eventually dropped shortly before the set Trial date.
This case is not an exception. In approximately 20% of the cases in which we are involved we have been responsible for identifying crucial new evidence that has caused the case to be withdrawn. Due to the level of examination required to recognise such evidence, this figure is unlikely to diminish. For the Police, an examination of this detail is irrelevant for the majority of cases. Having previously worked within a regional Hi-Tech Crime Unit, I noted that while I was there, for approximately 85% of the cases in which evidence was identified, the Defendant would plead prior to Trial. Only a small percentage of cases involved a Trial and even fewer were party to a review by an independent examiner.
Cases involving files encountered and downloaded via websites are also frequent areas of misunderstanding. The presence of a web page or file on a hard drive can be the result of intentional user access, or alternatively, the operation of one of a number of different scripts and software. These scripts can cause the user's Internet browser to be automatically forwarded to web pages containing certain material or cause certain files to be added to the hard drive without the user's knowledge.
As even legitimate websites contain scripts, the majority of computer users will have experienced (and may have found annoyance in having to close them) ‘pop-up' windows. These are normally used to forward a user to an advert that often will comprise a service vaguely relating to the content of the page that was visited (e.g. the autotrader website regularly contains pop-up scripts to websites for car loans or car manufacturers). However, identifying the presence of these types of scripts and software is often difficult. Furthermore, once a suspect item has been found, making the determination as to its nature, ability and activity can be even more complicated.
As digital media increases in capacity it allows users to store more data but also increases the possibility of software or anomalous mechanisms causing the creation and movement of files. This brings with it a corresponding increase in the amount of resources and time required to examine the greater number of processes and, clearly, the amount of data to be examined in order to identify such mechanisms.
Additionally, the increased use in the court room, within both criminal and civil proceedings, of digital evidence brings with it a greater need for the presentation skills required to provide simple explanations of a subject that can not only be difficult to comprehend but also to convey accurately, clearly and without prejudice.
Clearly, the prevalence of digital technology will increase as it becomes even more accessible, usable and capable. This will undoubtedly result in a continuous increase in the number of cases involving and relying on digital evidence as well as increasing the pressure on Police Forces to examine and collate evidence from a larger number of items of digital media.
My concern is that, as nearly happened with the case of the 19-year old highlighted earlier, potentially, the critical facts of such cases will go unnoticed and items of evidence will be missed as a result of the restricted budgets and timescales placed upon a computer examiner. In this regard, the dangers of computers and the online world, for an increasing number of unsuspecting individuals, could be great.
Matthew Jackson,
Director, Senior Forensic Consultant and Expert Witness at Athena Forensics
Digital evidence and legal proceedings
When it comes to submitting digital evidence for use in a trial, the same levels of care need to be applied as with non-digital evidence, say Matthew Jackson, Director and Senior Forensic Consultant at Athena Forensics.
Crime is a part of human life and, for a crime to be resolved, investigators have to reconstruct the crime scene and analyse the actions of both the suspect and the victim so that any evidence can be identified and used to support any legal proceedings.
As technology has evolved, criminals are now able to use new methods to commit traditional crimes and develop new types of crimes. Crimes committed through the use of technology still require the same principles of investigation, though the scene can now be a virtual environment that must be secured and examined as digital evidence.
Digital evidence is information or data of an evidential value that is stored on or transmitted by a computer or digital device and can be defined as follows:
'Any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi' (Casey, E., Dunne, R. (2004) Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. St. Louis: Academic Press).
A wider array of devices are capable of holding larger amounts of data and digital evidence can be found on an increasing number of types of storage media, including, computer hard drives, mobile phones and removable media such as memory cards.
As an expert witness and Digital Forensic Consultant I am finding that digital evidence is becoming more prevalent within a wider range of both criminal and civil cases including murder, unlawful images, child care cases, commercial and employment disputes. These cases can require the examination of evidence to determine whether it had been used to commit or facilitate a crime as well as to identify supportive material for either side of a legal case.
In order for digital evidence to be admissible in court a number of criteria must be met, including ensuring that the evidence has not been altered and that an auditable trail has been kept relating to the storage and investigation of the evidential device or media. The key points of the handling and investigation of digital evidence are provided as follows:
- Actions taken to secure and collect digital evidence should not affect the integrity of that evidence;
- Persons conducting an examination of digital evidence should be trained for that purpose;
- Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
(U.S. Department of Justice (2004) Forensic Examination of Digital Evidence: A Guide for Law Enforcement, Washington).
The nature of digital devices therefore makes them particularly susceptible to damage or corruption. Due to the constant requirement for devices to be physically smaller in size yet bigger in capacity, the components become ever smaller and more delicate, therefore, even storing the devices in an unsuitable environment can cause the corruption and loss of some or all of the data present.
Therefore, to ensure its integrity, a ‘chain of custody’ relating to the evidence should be established. This usually amounts to a paper trail detailing the whereabouts of all evidential sources during custody, along with the details of individuals having access to it, when and any actions taken with it. This, along with a comparison and review of the digital media itself should allow for the acceptance by an independent examiner that a given item of media has not been corrupted or compromised following seizure.
As the level of understanding of the operation of computers and mobile phones has developed within legal cases, those investigating cases involving digital evidence have a better awareness of the methods of seizure and handling. Previously it was not uncommon to find cases where the digital evidence had been switched on and operated by a ‘curious’ investigating officer to ‘see what was there’.
Thankfully, far greater emphasis is now placed on audit trails and storing the evidence correctly and, today, such activity by untrained individuals is rare. Adherence to computer evidence guidelines is crucial to ensuring that the evidence considered is all that was available, and to avoiding basing an examination on flawed evidence that is only partially complete.
As a forensic investigator, I was recently involved in a case that highlights the importance of ensuring the completeness of digital evidence. The case involved an unemployed middle-aged man who lived on his own and kept himself to himself, though, used his computer to talk to other people within chat rooms.
He had been in contact with one of his online friends via a chat room for eight months before they asked him to do them a favour and cash a cheque that their elderly mother was unable to cash. His expenses were to be covered and he saw no problem with then transferring the money to the mother’s account. Unfortunately, he did not even think that the cheque could be fraudulent until he found himself in a police station being interviewed on suspicion of attempting to cash a fraudulent cheque.
He provided police with his version of events; fortunately, they had also seized his home computer. They examined the computer and found evidence to indicate that the defendant had been in contact with the individual, yet found no evidence to support the origins of the cheque or the story behind it. He was subsequently charged with fraud and was due to appear for trial at Crown Court.
Given the partial evidence identified by the police, the defendant’s solicitors understood the situation sufficiently to know that a second examination of the computer hard drive should be conducted to determine whether evidence of any chat logs could be found on the computer.
It was only after a careful review of the deleted areas of the hard drive, along with the use of data recovery software that chat log activity was identified that supported the defendant’s version of events. The log proved that the defendant and his friend had conversed on a number of occasions and it also confirmed the origins of the cheque. After months of investigation, after the identification of this evidence, the case was dropped on the morning of the trial.
Had the computer evidence not been sufficiently protected and secured following seizure and the data present altered in any way, whether it be by use of the hard drive or improper handling of the drive, the relatively small piece of crucial evidence may have been lost and the defendant’s version of events could not have been supported.
During the examination process of digital evidence it is standard procedure for the evidence to be connected to a suitable system using write protecting hardware so that no alteration or access to the original device is possible.
Due to the volatility of digital evidence it is best practice to take a forensic ‘image’ of the hard drive or storage device that consists of an exact byte-by-byte copy of all data and space, both live files and deleted information, which is present on the device. This forensic image then forms the basis of the investigation and analysis and the original exhibit can then be securely stored.
At the start of the forensic copying process, the device is assigned an acquisition hash value (most commonly an MD5 hash value). Once the evidence has been forensically acquired (imaged, similar to copied) the evidence is assigned a verification hash value.
Currently, it is believed that the hash value mechanism indicates that the acquired evidence is a complete and accurate copy of the data contained on the original device and that if the acquisition and verification hash values match then no alteration of the evidence can have taken place.
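The acquisition and verification hash process just described, as an added example written for this page (not the firm's own procedure or tooling): a constructed in-memory 'device' is imaged chunk by chunk and hashed as it is read, the image is re-read independently to produce the verification hashes, and the result is recorded in a minimal custody entry; a deliberately corrupted image shows the mismatch the comparison is meant to catch. SHA-256 is computed alongside MD5, and the exhibit and examiner names are placeholders.

```python
"""Byte-for-byte imaging with acquisition and verification hashes (constructed example)."""
import hashlib
import io

CHUNK = 4096  # read size; imaging tools read far larger blocks, value is illustrative


def _digests():
    # Two independent algorithms so a verification does not rest on one hash alone.
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def acquire(source, image):
    """Copy `source` to `image` chunk by chunk, hashing every byte as it is read.
    Returns the acquisition hashes and the number of bytes copied."""
    hashes = _digests()
    total = 0
    for chunk in iter(lambda: source.read(CHUNK), b""):
        for h in hashes.values():
            h.update(chunk)
        image.write(chunk)
        total += len(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}, total


def verify(image):
    """Re-read the completed image from the start and compute the verification hashes."""
    hashes = _digests()
    image.seek(0)
    for chunk in iter(lambda: image.read(CHUNK), b""):
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def custody_record(exhibit, examiner, size, acquisition, verification):
    """Minimal chain-of-custody entry; a real log would also be timestamped and signed."""
    return {
        "exhibit": exhibit,
        "examiner": examiner,
        "bytes": size,
        "acquisition": acquisition,
        "verification": verification,
        "verified": acquisition == verification,
    }


# Constructed 'device' of 10 KiB: a live file, zero-filled space, a deleted
# fragment and unallocated zeros, so the image must capture all regions alike.
_PARTS = b"LIVE:holiday.jpg" * 64 + b"\x00" * 2048 + b"deleted chat log fragment" * 40
DEVICE_BYTES = _PARTS + b"\x00" * (10240 - len(_PARTS))


def image_and_verify(device_bytes, tamper=False):
    """Image the device, optionally flip one bit in the image afterwards, then verify."""
    source, image = io.BytesIO(device_bytes), io.BytesIO()
    acquisition, size = acquire(source, image)
    if tamper:
        # Single-bit change inside the deleted-fragment region after acquisition.
        buf = bytearray(image.getvalue())
        buf[3100] ^= 0x01
        image = io.BytesIO(bytes(buf))
    verification = verify(image)
    return custody_record("EXHIBIT-001 (placeholder)", "examiner (placeholder)",
                          size, acquisition, verification)


if __name__ == "__main__":
    for tamper in (False, True):
        record = image_and_verify(DEVICE_BYTES, tamper=tamper)
        print(f"tampered={tamper} bytes={record['bytes']} verified={record['verified']}")
```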
Various types of hash value exist, including HAVAL, MD5 and SHA. The forensic arena has adopted the MD5 hash as a method of proving that one file is identical to another or that an item of digital evidence has not been altered since its original acquisition. The MD5 hash value was developed in 1991 by Professor Ronald L. Rivest.
As the MD5 algorithm is based on a 128-byte data block, it would appear that there is the possibility that the data on an item of digital media could be manipulated, yet the MD5 hash value not be altered. Given this, I am currently undertaking research to attempt to verify whether an item of digital evidence can be altered without changing its MD5 hash value.
This will enable the adoption of a technique to allow for the alteration of digital evidence without changes to the assigned hash value. The result of this research may be that it is possible to alter an item of digital evidence sufficiently to make the current hashing techniques unreliable in court.
Matthew Jackson,
Director, Senior Forensic Consultant and Expert Witness at Athena Forensics