Digital forensics leads the fight against cyber-crime

Andrew Sheldon discusses how there is considerable danger in allowing digital forensic triage to be carried out in haste or in ignorance

Contributed by Andrew Sheldon MSc, chief technical officer, Evidence Talks

In 2015 the Office for National Statistics figures included data on cyber-crime for the first time, with the crime rate for England and Wales soaring to more than 11.6 million offences as a result. An estimated 5.1 million online fraud incidents and 2.5 million cyber-crime offences were contained in the figures, and these were in stark contrast to a fall in the underlying crime rate, which was down by eight percent in the previous year.

“The rise and rise of cyber-crime” is, even in a climate of political upheaval and social realignment, still a headline-grabber on a regular basis. For example, in the kind of personal scam barely known five years ago, dating fraud increased by 10 percent from 2014 to 2015 and now accounts for around £33 million a year in the UK alone. In one astonishing case, a newly divorced mother signed over £1.6 million in a matter of weeks. Victim support organisations such as Scam Survivors estimate that 90 percent of members on some dating sites are scammed and there have been extreme cases where the victims have taken their own lives.

A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, entitled ‘The cost of Cyber-Crime’ and published in 2011, put the cost to the UK economy at £27 billion and growing.

In September 2015, the then Home Secretary Theresa May said, “We want… to free up officers' time to focus on the jobs only they can carry out. At the same time, we want to encourage those with skills in particular demand, such as those with specialist IT or accounting skills, to work alongside police officers to investigate cyber or financial crime and help officers and staff fight crime more easily.”

What might be a more realistic approach would be to recruit from the substantial ranks of recently retired police officers, many of whom have first-hand experience of the value and use of digital forensics, all of whom are well-versed in the business of fighting crime.

A further source of relevant talent is the well-trained and knowledgeable IT support technicians working in major corporates who, through their organisations' Social Responsibility Policy, could be seconded for regular, short periods or on demand (using an Uber-type model) to support officers in meeting key operational needs.

There are innumerable case studies from around the globe where providers work with specialist crime teams who know their requirements, understand the criminal fraternity they are dealing with and can provide informed feedback on the speed and efficiency of the systems they're using. The answer is to empower front-line investigators themselves so that neither time-poor specialist officers nor well-meaning amateurs need to get involved.

There is considerable danger in allowing digital forensic triage to be carried out in haste or in ignorance. While most organisations in both the public and the private sectors have disaster recovery plans in place, many of these are not entirely fit for purpose, resulting in actions being taken on digital systems that undermine the objectives and success of the response. Typically, the kind of events that will require forensic examination include:

  • E-Discovery and E-Disclosure
  • Investigations into inappropriate systems use resulting in policy breaches
  • Support of civil litigation or employment law activities
  • Data loss or compromise of statutory information security obligations
  • Investigations into criminal activity such as fraud, theft, hacking and malware.

And of course the landscape is not a static one. Most organisations are affected by a series of market dynamics, and continuing advances in technology require monitoring and reaction. Like all systems, incident response procedures need to constantly evolve; in dealing with the criminal fraternity this includes responding to the changing tactics and methods of law-breaking.

Ideally, regular reviews need to take place covering all the following:

  • Current human resourcing
  • Current digital security, disaster recovery and contingencies
  • Policies and procedures
  • Analysis and review of historical incident responses and outcomes

Reassuringly, the highly specialised proprietary software and hardware that is available offers the capability, with a modicum of training, to mix information from parts of the net and interrogate the full range of digital devices used by criminals. This gives crime-fighters all the weapons needed to advance quickly to producing evidence-quality data.

These techniques extend from abuse of corporate systems and misuse of intellectual property to the most serious cases of people trafficking and child abuse.

The Office for National Statistics head of crime, John Flatley, has said, “It has been argued that crime has not actually fallen but changed, moving to newer forms of crime…”

It is against this backdrop that the case is made for ever closer co-operation between those who develop forensic triage technology and those charged with protecting the public and the corporate community from the effects of cyber-crime.

Empowering investigators to carry out what has previously been the preserve of specialists spreads the power of forensic triage more widely, significantly increases the chance of successful prosecutions and helps improve the pace of investigation through to securing evidence-quality data.
