Computer forensics: Digital detectives

Feature by David Howells

Computer forensics are key to modern policing, but sophisticated security devices are testing their skills ever further, says David Howells.


If nothing else, this summer's alleged plot to bomb transatlantic aircraft has put into perspective the task that faces today's computer forensic specialists.

The resulting investigation has now seized a reported 400 computers, 200 mobile phones and 8,000 data storage devices, which contain an estimated 6,000 gigabytes of data. All this has to be examined. A daunting task, but an increasingly common one in the fight against cyber crime and terrorism.

As a police activity, computer forensics has existed for more than two decades. The first computer forensics unit was established in 1983, with the first major fraud investigation involving computer systems in 1987.

For many in the industry, a few key events put computer forensics at the heart of modern policing: the arrival of the Criminal Justice Act in 1994, the Data Protection Act of 1998 and Operation Ore in 2004, which convicted more than 600 sex offenders in the UK and sparked a raft of investigations into internet pornography.

Over the past few years, computer forensic evidence has become a key component of criminal cases. David P Stenhouse, director of Navigant Consulting, outlines the advantages of using digital evidence:

"The one aspect of digital evidence, when compared to other types of evidence, is that it can be replicated down to the smallest particle: the byte. As opposed to a murder weapon, such as a firearm, digital evidence is replicated first and then the analysis is performed on the copy. The copy is the 'best evidence' in the analysis. An examiner can make an exact copy of a computer's hard drive, whereas a ballistics expert cannot make a duplicate firearm."

The courts treat digital evidence in the same way as any other that is presented to them. However, as A Bryan Sartin, managing principal of Cybertrust, points out, we are still a long way from a universal set of practices that can be applied internationally. "There are two things missing: a single commonly accepted standard and a uniform code for working together with law enforcement. More standards are being developed for this trade than it really needs. The problem is that there is no single accepted set of operating parameters that form a universal benchmark," he complains. "Quality of service across computer forensic providers varies dramatically as a result. On the other front, law enforcement takes a very different approach to working with the private sector from one country to another."

There is also a trend to employ more specialised officers who understand the systems they are interrogating and appreciate the wider considerations of evidence gathering. Stenhouse outlines the skills of a good forensic specialist.

"They should have no ego whatsoever," he says. "They need writing skills, patience and a willingness to learn constantly about new software and user habits. But I would consider the most important skill to be the ability to explain complex information in simple terms.

"Because examiners are required to produce evidence, they need to know how to explain what they are producing. The industry is filled with extremely intelligent experts with strong computer backgrounds, but the ones who stand out are those who can take all that knowledge and explain it to people who do not have even the slightest knowledge of computers, and help them understand things," he adds.

As attacks rise, businesses need to understand the importance of computer forensics. But it is likely to remain a very delicate and specialised skill, which only the largest organisations will be able to support with internal teams. For the rest, we must hope that law enforcement keeps up with technology and can deliver the evidence needed to convict criminals.


Nigel Jones, head of high-tech crime training, National Centre for Policing Excellence

Q: How did you get into computer forensics?

A: I spent 30 years in the Kent Police before setting up the High-Tech Crime Training Centre. Back in the mid-1980s we began to see fraudsters use computers, which also contained the evidence of the crime. At that time there was little information about how the police should deal with this. There were no rules or good practice, which meant it was left to individuals.

I first came across this kind of crime in a major fraud investigation that took place in 1987. We found most of the evidence was on computers. We were called in by the liquidators, who presented us with printed spreadsheets they said proved a crime had been committed.

My first reaction was to ask how they could prove that the information on the paper was on the computers they had. This was what really got me started in computer forensics. At this time there was no training for officers to improve their skills. It wasn't until 1989 that I recommended we have a computer forensics unit, which we finally got in 1993.

Q: Where did the law itself stand in relation to computer based evidence at this time?

A: Back then, computer-based evidence was treated just like any other evidence that was gathered. The Police and Criminal Evidence Act arrived in 1986 and recognised the potential for computer evidence, but typically in the hands of the victim. So, for example, a bank couldn't be expected to find every person who had created every record on a computer.

Q: Is it always on the shoulders of the police to prove that the evidence that has been collected from a computer is correct?

A: What we have to do is apply the normal rules of evidence. What you find is that there isn't an awful lot of difference between analogue or digital evidence. It's just that people don't understand it.

Q: What tools were available when you began to collect digital evidence?

A: In the early days, Norton Disk Edit was the favourite tool. As time went on, other products did come through. One of the early developments was a system called DIBS (Disk Image Backup System), which was created by a person who worked very closely with the Metropolitan Police. Don't forget that the Met had had a computer crime unit since 1983, so they were very early in the game. What the DIBS system tried to do was provide a black box approach and make the system policeman-proof. For a time this was fine, but then technology began to change rapidly. Hard disks became much larger, and the systems we had could only image 2GB of data.

We now have two or three systems on the market that have become leaders in their field. These tools have often been developed by law enforcement organisations asking companies with the expertise to develop a tool for a specific need.

This has worked well, as the police knew what evidential standard they needed while the security software development companies understood the technical system. So together we have been able to develop useful systems. We now have specific tools to gather specific types of evidence, such as internet history or peer-to-peer. Systems from Guidance Software and Access Data are good examples.

Q: What are the main problems facing computer forensics today?

A: Even in the early days we found that some of the seized computers were running the same forensic software the police were using. So the suspects were running it to see what data could be found if the police scanned their computers. People were also using systems such as Evidence Eliminator to wipe their hard drives of evidence. With upwards of 400GB of data stored on a single hard disk nowadays, the volume of data is a huge problem.

Q: How are computer forensic crime units staffed these days? Do officers have the technical skills they need, or are specialists used?

A: There has always been a debate about this. The question is whether it is better to make a technician into an investigator or to give an investigator the technical skills. My view is that you need both sets of skills within a team. The courses we run have a mixture of officers and civilian staff on them.

Q: More data is now moving off the desktop and on to the internet. How has this affected computer forensics?

A: We have certainly had to embrace these changes. Our courses cover this. For instance, when online storage needs to be interrogated, we are confronted by encryption, or someone might have an open PGP volume on their desktop computer when you search their house. If you pull the plug, you've lost that data. This move has complicated matters, but it doesn't mean it's the end of an investigation.

Q: What is the future of computer forensics?

A: I think that clearly the types and levels of security that are being developed - and not just by Microsoft - will make things more complex for the investigator. It is vital that you have robust training that allows the police to keep pace with these developments. We are finding that running a computer forensics unit isn't cheap, and that's where you come into conflict with the budget holders. If the police don't invest sufficiently in understanding and getting the best technology-based evidence, they will fall further behind.


Computer forensics hit the headlines when the technical detail of Microsoft's BitLocker/TPM encryption system was first outlined, inducing a shockwave that moved rapidly through law enforcement agencies.

At first, it seemed that Microsoft was enabling the criminal to make it virtually impossible for computer forensic specialists to decode data they believed was incriminating. Once the dust settled, however, a more measured view surfaced.

This was encapsulated by Chris Watts, computer forensics manager at data recovery specialist firm Vogon International: "If BitLocker were to be widely used, it could be bad news for law enforcement. It has to be pointed out, though, that the same was thought to be true when PGP (Pretty Good Privacy) came onto the market."

One way around this would be to build a backdoor into Vista that would enable the police to access data on suspects' computers. But this raises privacy issues and has been slammed by Microsoft itself. "The official line from high up is that we do not create backdoors," says Niels Ferguson, a noted cryptographer now working for Microsoft. "Some have suggested that we are working with governments to create a backdoor so that they can always access BitLocker-encrypted data."

Keith Cottenden, a senior forensic investigator at UK-based computer forensics firm CY4OR, also opposes a backdoor. "As computer forensic specialists, we are constantly developing our techniques to ensure that we are equipped to tackle changing technologies, including encryption.

"Microsoft claims that Windows Vista is designed to be the most secure version of Windows yet; the proposed BitLocker encryption feature is fundamental to this strategy. If Microsoft allows any engineering backdoors, then this operating system will be vulnerable; even an unpublished backdoor will be quickly identified."

But there is another side to encryption. Linking the encryption system to a chip on the motherboard, for example, will provide added security in cases where intellectual property material is concerned. However, it will only be a matter of time until someone figures out a way to circumvent it.

With Microsoft promoting BitLocker, and with powerful hardware companies such as Sony, AMD, Intel, IBM, Sun Microsystems and HP, which are behind TPM, on board, the next PC you buy could well contain the TPM chip. Of course, whether you want to use this is another matter entirely.

Also, this level of encryption and security does bring with it a responsibility. You might not want to run the risk of losing the encryption keys to mission-critical systems. BitLocker and TPM could simply be too complex and risky to use. As for the police, the jury is still out on what effect it will have on their ability to interrogate suspect computers.

The question remains: even if BitLocker were to make it onto the millions of desktops across the world as Microsoft is hoping, would anyone actually use it?


1: Don't panic!

It is easy to destroy evidence that could eventually lead to a conviction in the heat of the moment. Don't shut down your computers or change them in any way. It's essential that you preserve them in their original state.

2: Secure the area

If you can, try to remove the affected systems from your network and treat them and their surrounding area like a crime scene.

3: Take an audit

The security professionals will need detailed information about the system that has been attacked. Gather as much information as you can. Take a photo of the computer's screen. This will show the forensic team the exact state the system was in when you noticed the attack.

4: Call the professionals

Call in a computer forensics team. Ensure no one has had access to the systems before they arrive.

5: Collect your data

If you need to recover data from the machine, ensure that this is done by the computer forensics team. Their specialised tools will image the hard drive while preserving its integrity, which is essential if the image is to be used as evidence.

6: Reinstall your systems

Once your hard drive has been imaged, you can install a new drive or reinstall your operating system and applications on to the existing drive.
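Step 5 above, and Stenhouse's point earlier that the copy rather than the original is the 'best evidence', both rest on being able to show that the image is bit-for-bit identical to the seized media. The script below is an added example written for this page, not code from the article, from any of the firms quoted, or from a forensic tool vendor. It acquires an image in fixed-size chunks, hashes the source stream as it is read, re-hashes both the image and the source afterwards, and returns a record of all three results. The "device" is a constructed byte string written to a temporary file; the function names `acquire`, `verify` and `demo`, the file names `sdb.raw` and `sdb.dd`, and the choice of MD5 plus SHA-256 are assumptions made for the example. In real acquisition the source would be a block device read through a hardware write blocker.

```python
"""Forensic-style disk imaging with integrity verification (added example).

Constructed demo: a small byte string stands in for a seized drive. In practice
`source` would be a raw block device opened read-only behind a write blocker.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-hundred-GB drives

# Constructed stand-in for a seized disk: a fake boot sector, a deleted-file
# remnant and some slack space. Not real disk content.
SAMPLE_DEVICE = (
    b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500 + b"\x55\xaa"
    + b"Invoice_2006_Q2.xls deleted but recoverable" + b"\x00" * 1000
)


def hash_stream(path: str) -> tuple:
    """Return (md5, sha256, byte_count) for a file or device, read sequentially."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return md5.hexdigest(), sha.hexdigest(), size


def acquire(source: str, image: str) -> dict:
    """Copy `source` to `image` bit for bit, hashing the source as it is read.

    The hashes taken here form the acquisition record; they are compared later
    with an independent hash of the written image and of the original media.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
            copied += len(block)
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "bytes_copied": copied,
        "md5_source": md5.hexdigest(),
        "sha256_source": sha.hexdigest(),
    }


def verify(record: dict) -> dict:
    """Re-hash both the image and the original; record whether all three agree."""
    img_md5, img_sha, img_size = hash_stream(record["image"])
    src_md5, src_sha, src_size = hash_stream(record["source"])
    record["md5_image"] = img_md5
    record["sha256_image"] = img_sha
    record["verified"] = (
        img_sha == record["sha256_source"] == src_sha
        and img_md5 == record["md5_source"] == src_md5
        and img_size == src_size == record["bytes_copied"]
    )
    return record


def demo(tamper: bool = False) -> dict:
    """Run the whole acquisition against the constructed sample.

    With tamper=True one byte of the image is altered after acquisition, which
    is exactly the kind of change the hash comparison must detect.
    """
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sdb.raw")   # assumed device name
        img = os.path.join(d, "sdb.dd")    # assumed image name
        with open(src, "wb") as f:
            f.write(SAMPLE_DEVICE)
        rec = acquire(src, img)
        if tamper:
            with open(img, "r+b") as f:
                f.seek(512)
                original = f.read(1)
                f.seek(512)
                f.write(bytes([original[0] ^ 0xFF]))
        return verify(rec)


if __name__ == "__main__":
    r = demo()
    print(f"{r['bytes_copied']} bytes, sha256 {r['sha256_source']}, verified={r['verified']}")
```

Hashing the original a second time at the end is deliberate: it lets the examiner show not only that the image matches, but that the acquisition itself did not alter the seized media. The `tamper` flag flips a single byte of the image after acquisition; the re-hash then fails, which is the check a forensic team relies on when the image is later produced in court.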


Stephen Lamb, technical security advisor, Microsoft UK

Q: How did BitLocker and TPM originate?

A: It's been coming for some time. We have been talking about technologies such as these over the past three years, and probably longer than that within the development team. What we wanted to deal with was the risk there is if someone else has physical access to your computer.

Q: Computer users are notoriously lax when it comes to their security. Did you intend to offer a system that was one size fits all?

A: The technology we are talking about is really part of a defence in depth strategy. You can do a lot to secure a system, be it extra software or hardware. Systems such as TPM give some extra options. Giving people more choice doesn't necessarily make a system more secure, as they need time to get used to things. But you can do many of these things with Windows XP now.

Q: If BitLocker and TPM did become widespread on desktop PCs, would law enforcement agencies be prevented from interrogating one?

A: That's a very broad question. I know there has been a lot of discussion on the web about a malicious user who is trying to hide secrets, but we are only planning to put the BitLocker support in the Enterprise version of Windows Vista. That would enable the administrator to recover the secrets centrally. So if your machine was domain-joined, then the domain administrator would be able to recover all the information on the machine. In this scenario, there is very little difference between the BitLocker technology and what you can do today to encrypt files.

