Case study: Deep inside the Serious Fraud Office's digital forensics unit

Feature by Richard Thurston

The SFO invited SC Magazine for a sneak preview of its recently revamped digital forensics unit, where scientists were hard at work dissecting and interrogating the latest mobile devices

Deep inside London's legal quarter, a camera is fastened tightly over the latest mobile device, scrutinising every move the Serious Fraud Office is taking in its digital forensics unit.

There is no room for error. If the unit's forensic scientists leave even the smallest electronic fingerprint on any one of the 100 mobile devices it receives each month, whole court cases can be dismissed through lack of reliable evidence.

With the growing internet savvy of the nation's criminals, the SFO is keen to wise up to the threat. Its digital forensics unit (DFU) completed a long-awaited revamp earlier in the summer under head of department Keith Foggon (pictured) and it's now ready to embrace the mobile age. It deals with the full remit of SFO cases from financial fraud to terrorism and murder.

The specialised nature of the work of the 21-strong DFU appears to baffle many of the SFO staff who work outside the unit, but its contribution in tackling a broad range of fraud cases is growing rapidly.

Typically, the DFU's multi-skilled scientists examine in detail PC hard drives and mobile devices to extract whatever information they can on the movements and actions of the criminal concerned. They use a range of specialist software to retrieve information which would otherwise be unobtainable. Some sort of information is retrievable from each device, even if the criminal has removed the SIM.

Watching every move

The point of the camera is to watch every move on the device to prove that the SFO made no changes and that it complies with every step of the recognised forensic guidance produced by the Association of Chief Police Officers (ACPO).

“Everything needs to be done according to the guidelines because if it goes to court, someone could question what we've done,” said Foggon.

But the absolutely essential need for applying ACPO's rigid procedures does not faze him. "We have to retain the integrity of the data so we need to be careful. But we don't have to think that, at every stage, are we legally compliant. Doing this is now second nature," said Foggon, who was brought on board a year ago to slash a mounting backlog of forensic analysis, a queue which had risen to “several years” but is now down to nearer two months.

Despite Foggon's apparently laid-back attitude, the unit's procedures appear to be among the most watertight in the country. Desk surfaces are entirely free from paper, with most evidence now recorded digitally. The DFU's internal networks are segregated entirely from the internet and in some cases even from the rest of the SFO's resources.

The forensics unit processes an incredible amount of data, and, when it is finished, it destroys all physical media with ferocity. Hard drives are wrecked with a degausser while USB sticks - of which thousands pass through the unit each year - are smashed before being thrown out.

Outsourcing deals, where private companies used to retrieve data from devices on behalf of the SFO, have now been brought in-house.

But one of the SFO's many policies has raised a few eyebrows. Foggon is all too aware of the severity of the latest Government data breaches, where top secret documents have been removed from Whitehall and left on public commuter trains. But despite the exposure of this information, Foggon is prepared to let staff carry out forensics work from home.
"It's possible using SSL VPN or something like that," Foggon revealed. "Workers are only viewing data - it's not transferred. And the end user has their drive encrypted. All data doesn't leave the site,” he said.

The data is stacking up

The Serious Fraud Office's biggest case at the moment is utilising the benefits of the internet in a big way. Operation Holbein, the codename for a massive price-rigging investigation in the pharmaceuticals sector is focusing on practices which are estimated to have cost the NHS as much as £2bn.

The SFO has been collecting evidence on Holbein for a period spanning several years: evidence that now stretches to 3.7million documents and an incredible 300TB of data, which sits on a towering rack of servers in SFO headquarters. Operation Holbein now has its own 20-strong PC suite totally segregated from the rest of the DFU's operations.

But it's back in the mobile phone suite where most of the interest is. It's the handsets themselves which are giving the unit a small headache. Whereas most PCs are based on a common architecture, mobile phones run on multiple operating systems, meaning the DFU's scientists need a diverse set of both skills and software to retrieve information.

"The problem with mobile devices is that they are different from PCs. The desktop PC now is pretty much the same as for the last five or six years," said Foggon. "The rate of change in mobile devices is massive. Consequently, we need to keep up to speed with all the ways these devices can communicate."

Unfortunately for the DFU, the situation is only going to get worse with the release of devices based on Google's Android mobile platform later this year, and the expanding proliferation of satnav devices, which the DFU is only just starting to get to grips with.

The other product giving the unit a headache at the moment is the popular iPhone, which, since Apple released a firmware upgrade, can't be examined in detail.

There's a growing list of devices criminals have been using: PSPs, PS3s, Wiis and XBoxs have all been seized for forensic analysis by the Serious Fraud Office in the last few months. But despite the honourable intentions of the DFU's staff, they receive little help from device manufacturers, who frequently turn the cold shoulder and offer little assistance towards forensic examination of their devices.

“The criminals that we deal with are usually very rich, very greedy people with a lot of skills, who want the latest and greatest to protect this,” Foggon said. “But they are always a little bit behind. We are always carrying out tests so when a device comes in, we have already seen it.”

With the rapid evolution of mobile devices, that's a bold claim. But with an increasingly knowledgeable forensic operation at the DFU, few in the criminal underworld can be totally confident their data cannot be retrieved.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events