Mark Stokes, head of digital and electronics forensics services at the Met Police, keynote speaker at the (ISC)² EMEA Congress in London on Tuesday, detailed the techniques and technologies used to forensically investigate criminals who, he says, are increasingly reliant on smartphones, cloud services, hard disk drives (HDDs) and solid-state drives (SSDs) to hide their activities or crimes.
This deluge of data is becoming hard to investigate, says Stokes, who cited the growing number of devices in use (terrorists are said to carry up to six mobile phones each on average), in a digital economy that already has 1TB USB thumb drives and new US data centres hosting exabytes or yottabytes of data.
“Recovering data becomes harder and harder,” he admitted at the conference.
“Data is obviously not just on the physical device…I don't really think anyone knows how much [data] is on the cloud or on the device,” he said with his presentation slides also noting data being held at ISPs – something that was recently in the news when Vodafone accidentally sent the records of 1,700 journalists to the Met under the RIPA act.
“Data will be distributed across the internet and that will bring a real complexity to policing. The evidence relating to a suspect might be in the UK or another country, or vice versa, so how do you pull that together in the digital forensics world? These are all things we will have to unpick over the next ten years.”
As with most other law enforcement agencies, including Europol and most of its 28 associated member states, the Met Police uses EnCase to forensically examine devices, viewing and browsing potential evidence files, folder structures and file metadata.
Yet in other areas the Met Police stands apart. Stokes detailed the use of an encryption-breaking system (one he declined to name), which draws some 17kW of electricity, to recover passwords and crack MD5 and SHA1 hashes.
Social engineering and web crawling are also used, which Stokes says gives the team a “75 percent success rate at cracking passwords encrypted onto a hard drive.” One graphics card does the work of numerous web servers from ten years ago, offering four times the power, according to Stokes.
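The following is an added example, not the Met Police system Stokes declined to name, showing why unsalted MD5 and SHA1 hashes fall so cheaply to a wordlist built from seed words (the kind social engineering or a web crawl of a suspect's footprint supplies) plus mangling rules, and how a salted, iterated KDF changes the arithmetic for the same attack. The seed words, passwords, salts and target hashes are constructed for illustration; the mangling rules and the 20,000-iteration PBKDF2 count are assumptions, not anything the talk specified. It also illustrates Stokes's later point that police hope for weak passwords while defenders want strong ones: the strong passphrase in the target set is never recovered.

```python
"""Wordlist-and-rules cracking of unsalted MD5/SHA1 hashes, contrasted with a
salted, iterated KDF. Added example; not the Met Police system described in the
talk. All seed words, passwords, salts and hashes below are constructed."""
import hashlib

# Constructed "OSINT" seed words of the kind social engineering or a web crawl
# of a suspect's footprint would yield (pet, borough, football club).
SEED_WORDS = ["rover", "hackney", "arsenal"]
# Typical human suffixes: empty, punctuation, counters, years (assumed rules).
SUFFIXES = ["", "!", "1", "123", "1984", "2014"]
LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """Yield human-style variants of one seed word, in a fixed order."""
    forms = []
    for w in (word, word.capitalize(), word.upper(),
              word.translate(LEET), word.translate(LEET).capitalize()):
        if w not in forms:          # dedupe while keeping order
            forms.append(w)
    for w in forms:
        for suffix in SUFFIXES:
            yield w + suffix


def candidates(seeds):
    """Full candidate list for a set of seed words (84 for SEED_WORDS)."""
    for word in seeds:
        yield from mangle(word)


def crack(targets, seeds):
    """targets: {hex_digest: 'md5' | 'sha1'}, unsalted.

    Because the hashes are unsalted, one digest per candidate per algorithm
    is compared against every target at once; this is the property that
    makes a GPU rig so effective against MD5/SHA1. Returns the recovered
    passwords by digest and the number of hash computations performed."""
    pending = {}
    for digest, algo in targets.items():
        pending.setdefault(algo, set()).add(digest)
    found, hashes_computed = {}, 0
    for cand in candidates(seeds):
        for algo, digests in pending.items():
            if not digests:
                continue
            hashes_computed += 1
            d = hashlib.new(algo, cand.encode()).hexdigest()
            if d in digests:
                found[d] = cand
                digests.discard(d)
        if not any(pending.values()):
            break
    return found, hashes_computed


def crack_pbkdf2(records, seeds, iterations=20_000):
    """records: [(salt_bytes, hex_digest)] of PBKDF2-HMAC-SHA256.

    A per-record salt forces one full KDF run per candidate per record, and
    each run costs `iterations` HMAC evaluations, so the same wordlist attack
    needs orders of magnitude more work. Returns recovered passwords by digest
    and the number of KDF runs."""
    found, kdf_runs = {}, 0
    for cand in candidates(seeds):
        for salt, digest in records:
            if digest in found:
                continue
            kdf_runs += 1
            d = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations).hex()
            if d == digest:
                found[d] = cand
        if len(found) == len(records):
            break
    return found, kdf_runs


def _h(algo, text):
    return hashlib.new(algo, text.encode()).hexdigest()


# Constructed targets: two weak passwords and one strong passphrase.
TARGETS = {
    _h("md5", "Rover2014"): "md5",
    _h("sha1", "h4ckn3y!"): "sha1",
    _h("sha1", "correct horse battery staple"): "sha1",
}
# The same weak password stored twice with different (constructed) salts.
PBKDF2_RECORDS = [
    (salt, hashlib.pbkdf2_hmac("sha256", b"Rover2014", salt, 20_000).hex())
    for salt in (b"\x01" * 16, b"\x02" * 16)
]

if __name__ == "__main__":
    found, ops = crack(TARGETS, SEED_WORDS)
    print(f"unsalted: {len(found)}/{len(TARGETS)} cracked in {ops} hashes")
    found, runs = crack_pbkdf2(PBKDF2_RECORDS, SEED_WORDS)
    print(f"pbkdf2: {len(found)}/{len(PBKDF2_RECORDS)} cracked in {runs} KDF runs "
          f"(~{runs * 20_000:,} HMAC evaluations)")
```

The two weak passwords fall within 96 hash computations, and the second copy of the same password under PBKDF2 gets no discount from the first because its salt differs; the strong passphrase is never reached by any rule. The 17kW rig Stokes describes changes only how many candidates per second the loop in `crack` tries, not whether a salted, iterated KDF or a long passphrase is within reach.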
But despite these advancing capabilities, the Met Police faces severe disruptions. UK law stipulates that suspects must be charged or released within 24 to 36 hours, and the controversial RIPA law ‘may have to be adapted’ to obtain data residing in the cloud.
Currently, Part III of RIPA lets a section 49 notice require a suspect to hand over an encryption key or to decrypt protected data; failing to comply (section 53) carries a sentence of up to two years, rising to five years if the case is deemed to involve national security.
Encryption is a major issue, and the Met Police is not alone in voicing concerns in this area. At a conference earlier this year in Washington, FBI director James Comey said that technology companies need to “take a step back, to pause to consider, I hope, a change of course. We also need a legislative and regulatory fix.” (The EFF has an interesting timeline on FBI and encryption).
Sometime later, the EC3 head Troels Oerting presented an assessment of encryption from a law enforcement perspective.
“The problem right now is that there seems to be a confusion between anonymity and privacy. We all want and need privacy, but this doesn't mean anonymity,” he said in comments first reported by The Register.
He added: “Irreversible encryption will make it very difficult - maybe even impossible - for law enforcement to obtain evidence and I am not sure this reality is clear to all.”
“In any democratic society we need to provide law enforcement with a right to obtain information authorised by a judge, based on a clear suspicion, in cases involving serious crime or terrorism. This applies to the offline world and should also apply to the online world.
“Full encryption of communication and storage online will make life very easy for the criminals and terrorists and very difficult for law enforcement and law abiding citizens. We have to find the right balance between security and freedom - and this balance has to be set by citizens in a political and ethical discussion on the trade-offs.”
Nonetheless, encryption is increasingly finding its way onto new smartphones. Apple's iOS 8 encrypts data on the device under keys derived from the user's passcode, so that Apple itself cannot unlock a seized handset, while Google says a growing share of Gmail messages are encrypted in transit. Windows 8.1 started encrypting the hard drive by default on supporting hardware, and there are bound to be advances with Windows 10. Elsewhere, tech-savvy individuals are increasingly using the likes of PGP, TrueCrypt, Microsoft's BitLocker and Tor to protect their communications and stored data.
Stokes said that encrypting passwords “will start to reduce our operational capabilities” but also admitted that “it's a balance between the public right to privacy and the need for law enforcement to police and proportionally recover data from those devices.”
He continued that the Police, and the senior IT security folks in the room, probably have different agendas when it comes to encryption: “Hopefully they use a very weak password, when we look at it. Hopefully, [for you] they use a very strong password. It's a conundrum.”
Stokes added that while SSL is ‘probably not that secure’, other methods of encryption will follow, not least in a consumer electronics market with new devices such as wearables and established products such as tablets that now run full-fat operating systems.
During his presentation, Stokes said that approximately 30 percent of cases are child abuse cases (2009 to 2010 figures) and that 25 percent of offenders are non-UK nationals (otherwise known as Foreign National Offenders). Speaking afterwards to SCMagazineUK.com, he added that there were 36,000 forensic examinations in 2012/2013, but that only 20 percent of cases are ‘complex’, involving deleted data that needs inspection. Most cases are a combination of cyber-enabled and cyber-dependent crimes.
“The point here is that we are streamlining over the next 18 months and are aiming for 80 percent of logical data to be recovered by a combination of police officers conducting controlled/limited examinations themselves and eight hubs around London staffed by technicians,” he said via email.
But Stokes added that, despite concerns over RIPA and Snowden's revelations, the Met Police is “very surgical” and “proportional” as there's “too much to look at everyone's data”.
“It might sound like I am saying police gather lots of data, see what everyone's doing, but believe me - policing is not like that…What security services do, that's probably a discussion for another day.”
The group is on a hiring splurge for digital forensics team members though.
“What we're currently doing at the Met Police, and I think we're the only part of the public sector to do this, is expanding into digital forensics with 61 engineers and technicians at eight hubs in London assisting the front line in recovering data.”
“There's lots of passwords and encryption so we need to keep up.”