VSJ – November 2002 – Work in Progress

Last month, Jim Bates, the IAP President, described the facts behind a court case in which he was engaged as a computer forensic expert by the defence. You may recall that the case was about the downloading of Internet paedophiliac pornography and that it hinged on the inability of the prosecution to prove who had downloaded what to where. Here, he draws some conclusions about how things might have been done better and what issues need to be addressed at the design stage to ensure there is a clear audit trail.

Some points of interest that arose during my analysis of the material concerned the excellent report prepared by the MoD Computer Investigation Unit. No observations had been made concerning possible contamination of the material and no comment was made about the origin of image files other than that they were downloaded from the Internet. I spoke to the senior investigator and she pointed out that her remit was simply that the officers in the case were ‘looking for pornography’. She had booked the hardware in on a Tuesday and the indicated seizure date (no time was recorded) was given as the previous day. Although she was aware that the computer was a networked machine, she was given no information about the network configuration. So her conclusions and comments were not incorrect but they were incomplete when considered in the wider scheme of things. In fact it must be said that she and her team appeared to be the only ones in this whole sorry saga who had done a proper job.

Looking on the positive side, several hard-won lessons can be learned from this case, and it raises some vital questions. Firstly, when a network is conceived and configured, consideration must be given to possible illegal or unacceptable activity once the network is operating. A number of questions need to be answered at this time. Amongst them (not necessarily in order of priority) are:

  1. Is there room within the configuration for some form of monitoring, which may detect and report any illegal activity?
  2. Is the configuration such that an individual can be held responsible for the contents or activity of a specific machine?
  3. Can personnel introduce unknown software? Suckers, defraggers, file shredders, unmonitored passwords and similar devices may confuse or destroy a forensic analysis and make reconstruction difficult if not impossible.
  4. Have clearly laid out backup procedures been set up and is there a system for regular testing and monitoring of backups?
  5. Are personnel properly informed about their rights and responsibilities concerning computer-based material?
  6. Will it be possible to uniquely identify machines responsible for illegal activity?
  7. In the Roper case, the illegal activity was passive in that there was no attempt to corrupt machine operation. This is not always so and it is vital that network architects put in place an effective system of disaster recovery procedures in the event of an active, destructive attack on their systems.
  8. Are all relevant personnel kept up to date with current security procedures?

Should illegal or unacceptable activity be detected, a course of action will need to be determined and adhered to.

  1. Before starting any investigation of computers, consider where the worst-case scenario might lead. If it is to criminal action then secure forensic procedures must be implemented right from the start by isolating and securing the data before examination and accurately noting the time and circumstances surrounding it. Even possible civil or disciplinary proceedings would certainly benefit from this approach to avoid needless suspicion or actions for unfair dismissal.
  2. Once there is any suggestion of illegal activity, act swiftly. Computer evidence can be extremely volatile and what was there today may have melted away by morning.
  3. Once any in-situ investigation begins it is vital that accurate notes are taken about who does what and when. Copies of these notes should be passed to the forensic investigator(s).
  4. Accurate dates and times of equipment seizure are vital to the forensic investigator who needs to consider the possibility of contamination or compromise on the material under examination. Similarly, accurate peripheral information concerning use and access (particularly on networks) is essential if a correct picture of events is to be expected.
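Steps 1, 3 and 4 above amount to one requirement: the evidence must be fingerprinted before anyone examines it, and every action on it must be recorded with who, what and when, in a form that cannot be quietly rewritten later (the Roper case turned on exactly such an unrecorded seizure time). The following is an added illustration, not code from the article or from any named investigation unit, of a hash-chained chain-of-custody log: each entry carries the SHA-256 fingerprint of the evidence image and the digest of the previous entry, so that editing or removing an earlier entry breaks the chain. The evidence bytes, names and timestamps are constructed for the example.

```python
"""Hash-chained chain-of-custody log for seized evidence (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # link value for the first entry (no predecessor)


def sha256_hex(data: bytes) -> str:
    """Fingerprint the evidence image so any later change is detectable."""
    return hashlib.sha256(data).hexdigest()


def _entry_digest(body: dict) -> str:
    # Canonical JSON so the digest does not depend on dictionary key order.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def record_action(log: List[dict], action: str, who: str, evidence_sha256: str,
                  when: Optional[datetime] = None, notes: str = "") -> dict:
    """Append one custody entry (who did what, when) linked to the previous one."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("custody timestamps must be timezone-aware (record in UTC)")
    body = {
        "seq": len(log),
        "when": when.isoformat(),
        "who": who,
        "action": action,
        "evidence_sha256": evidence_sha256,
        "notes": notes,
        "prev": log[-1]["digest"] if log else GENESIS,
    }
    entry = dict(body, digest=_entry_digest(body))
    log.append(entry)
    return entry


def verify_log(log: List[dict], evidence_sha256: str) -> List[str]:
    """Return the problems found; an empty list means the chain is intact and the
    evidence fingerprint never changed between entries."""
    problems: List[str] = []
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence number {entry['seq']} out of order")
        if entry["prev"] != prev:
            problems.append(f"entry {i}: previous-digest link broken")
        if _entry_digest(body) != entry["digest"]:
            problems.append(f"entry {i}: contents altered after recording")
        if entry["evidence_sha256"] != evidence_sha256:
            problems.append(f"entry {i}: evidence fingerprint differs from current image")
        prev = entry["digest"]
    return problems


def demo_custody() -> Tuple[List[str], List[str]]:
    """Constructed walk-through: a clean log, then the same log after the recorded
    seizure time has been moved a day later and that entry's digest recomputed."""
    image = b"CONSTRUCTED sample bytes standing in for a seized disk image"
    fingerprint = sha256_hex(image)
    log: List[dict] = []
    record_action(log, "seized from office", "Officer A", fingerprint,
                  when=datetime(2002, 10, 7, 11, 5, tzinfo=timezone.utc),
                  notes="networked workstation; network configuration not supplied")
    record_action(log, "booked into lab", "Investigator B", fingerprint,
                  when=datetime(2002, 10, 8, 9, 30, tzinfo=timezone.utc))
    record_action(log, "write-blocked image taken", "Investigator B", fingerprint,
                  when=datetime(2002, 10, 8, 10, 45, tzinfo=timezone.utc))
    clean = verify_log(log, fingerprint)

    # Tampering attempt: alter the seizure time and re-sign only that entry.
    first = log[0]
    first["when"] = datetime(2002, 10, 8, 11, 5, tzinfo=timezone.utc).isoformat()
    first["digest"] = _entry_digest({k: v for k, v in first.items() if k != "digest"})
    tampered = verify_log(log, fingerprint)  # the link from entry 1 no longer matches
    return clean, tampered


if __name__ == "__main__":
    before, after = demo_custody()
    print("clean log problems:", before)
    print("after editing entry 0:", after)
```

Recomputing the edited entry's own digest is not enough: entry 1 still stores the original digest of entry 0 in its `prev` field, so the verifier reports the broken link. In practice the log would be kept by the investigating team and a copy handed to the forensic investigator, exactly as step 3 above requires, so that the two copies can be checked against each other.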

One final point, not directly arising from the Roper case, is too often ignored. Consider these questions:

  1. No matter how technically adept your investigators (at all levels) may be, are they aware of the laws of evidence?
  2. Having brilliantly recovered and analysed gigabytes of data, can they then produce firm and valid conclusions and observations? More important still, can they present their evidence in a simple, clear and concise report – and are they prepared to face cross-examination in court?

[Interesting project or development? Let us know at eo@iap.org.uk!]
