Hacking the bad guys
Summary What happens when a computer is seized as part of a police investigation?

Author Simon Vandore

Publication Newswire


Editorial InformationArticle Location
Article Topic Consumer
Story Order
Story Group 010203
Post Date 31/01/2001 11:42 AM (entered by Laura Kane on 31/01/2001 10:42 AM)


ImagesLead Picture


Heading Image




Content
Introduction
You’ve seen it thousands of times on TV. At the crime scene, the detective carefully places the bloody knife or fragment of hair into a plastic bag for forensics. But what happens if the evidence is digital? Tracking digital fingerprints can be as important to modern police work as dusting for physical ones.

Body
Andrew Rosen is a forensic computer scientist and president of ASR Data Acquisition & Analysis, a US company that provides tools and training to legal, law enforcement and investigative organisations.
He regularly acts as an expert witness in US courts and recently visited Sydney to instruct Australian police officers in the latest techniques for gathering and preserving digital evidence.
"Unfortunately, virtually any type of crime that has existed in a traditional form has migrated to the Internet and the new electronic frontier," Rosen said. "Forensic computer science is analogous to using the yellow tape that says ‘crime scene, do not cross’, taking the photographs, making the measurements, collecting the bloody gloves and the fibre samples and all that sort of thing."
Timestamps on files, data recorded by operating systems, network server logfiles, and fragments of data that remain on a hard drive after deletion are all the electronic equivalent of ‘fingerprints’. Most people, including criminals, are unaware that clues like these even exist.
Police officers are gradually learning that the preservation of digital evidence can require even more care than physical evidence -- it’s not just a matter of cranking up a suspect’s PC and opening files. Special software tools are available which look at another hard drive and extract evidence without altering any data.
"The simple act of turning on a computer changes information on a hard drive," Rosen said. "If someone were arrested for, let’s say, sexual exploitation of a child, and they were thrown in jail and the police had a warrant and took a look at their computer, it’s very possible that by handling that computer improperly or even simply by turning it on to see what’s on it, they would produce data timestamp changes and other internal things such as the swapfile being changed. A court of law would require a lot of explanation as to why the computer has been interfered with while the suspect was in jail."
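The two ideas in the paragraphs above, that an examiner must be able to show the seized data was not altered, and that fragments of deleted files survive on a drive even when no directory entry points to them, can be shown in a few lines. The following Python script is an added example written for this page; it is not code from the article or from ASR Data. The "disk image", its sector layout, the file names and the text inside it are all constructed for the demonstration, and the swap-area write is a stand-in for what an operating system does when a suspect machine is simply switched on.

```python
import hashlib
import re
from typing import List

# Constructed stand-in for a seized drive: four 512-byte sectors built inline
# so the example runs offline. Nothing in it comes from a real case.
SECTOR = 512


def build_sample_image() -> bytes:
    """Assemble the sample image.

    Sector 0 holds a file that is still live, sector 2 holds the content of a
    file whose directory entry has been removed (the bytes were never
    overwritten), and sector 3 stands in for the swap area.
    """
    live_file = b"budget.txt: quarterly figures attached\n"
    deleted_fragment = b"draft letter: please destroy after reading\n"
    sectors = [
        live_file.ljust(SECTOR, b"\x00"),
        b"\x00" * SECTOR,
        deleted_fragment.ljust(SECTOR, b"\xff"),
        b"\x00" * SECTOR,
    ]
    return b"".join(sectors)


def acquisition_hash(image: bytes) -> str:
    """SHA-256 of the whole image, recorded at the moment of acquisition.

    This value is what an examiner writes into the evidence log so that any
    later copy can be compared against the original.
    """
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """True when the image still matches the hash taken at acquisition.

    A single changed byte (a timestamp update, a swap write) changes the
    digest, so a mismatch means the evidence can no longer be shown intact.
    """
    return acquisition_hash(image) == recorded_hash


def simulate_boot_write(image: bytes) -> bytes:
    """Model what powering on the suspect's machine does to the drive.

    The operating system writes to its swap area; here sector 3 plays that
    role. A new image is returned so the original bytes stay untouched.
    """
    modified = bytearray(image)
    modified[3 * SECTOR:3 * SECTOR + 8] = b"swapdata"
    return bytes(modified)


def carve_strings(image: bytes, min_len: int = 8) -> List[str]:
    """Return printable ASCII runs found anywhere in the image.

    The search ignores the file system entirely, so it recovers text from
    sectors that no directory entry points to, which is why the deleted
    draft letter below is found alongside the live file.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii").strip() for m in re.finditer(pattern, image)]


if __name__ == "__main__":
    img = build_sample_image()
    h = acquisition_hash(img)
    print("acquisition hash:", h)
    print("intact after read-only examination:", verify_image(img, h))
    print("intact after booting the machine:", verify_image(simulate_boot_write(img), h))
    for s in carve_strings(img):
        print("carved:", s)
```

Run as a script, it prints the acquisition hash, reports that a read-only examination leaves the image verifiable while the simulated boot does not, and lists both the live file's text and the deleted fragment recovered from sector 2. Real examinations work on a bit-for-bit copy taken through a hardware write blocker, with the hash of the original and of the copy both recorded; this script only shows why that discipline matters.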
Forensic computer science is rarely used as the primary means of investigation. There is usually no substitute for good, solid police work of the traditional kind, and computer data is more likely to be a source of corroborating evidence than the basis of a trial.
"As we’ve seen in other cases, just having the bloody glove isn’t proof positive from a legal standpoint," Rosen said. "I think you could draw a loose parallel with DNA technology, in that you’ve got physical evidence, you’ve got your suspect who has the scratches or the cuts or the bites or something of the sort, you’ve got the victim with some skin under their fingernails or some other potential connection to the suspect. How that skin came to be under the victim’s fingernails is a question that DNA technology cannot answer by itself. But in many cases it will prove that this is the DNA of a particular suspect."
During Bill Clinton’s impeachment trial, ASR was involved in examining Monica Lewinsky’s computer for evidence of email exchanges between it and the White House. Rosen has been called on to trace evidence against paedophile rings, and ASR is also involved in providing evidence in murder and fraud cases. The wide availability of high-end scanners and printers means tracing the origin of ‘questionable documents’, such as false immigration papers, counterfeit money and other forged material, is also a regular task for the company.
Keeping up with the Corleones
Rosen believes everyone associated with bringing charges against a suspect needs a good understanding of computer forensics to fully appreciate how the evidence supports the charges.
"It seems to me a lot of people are looking at the computer technology and saying ‘that should be the realm of the geeks’," he said. "But the reality is that law enforcement has repeatedly been given the task of adapting to new technologies. Things like the breathalyser tests or radar for traffic speeding -- these are all new technologies that are very complicated, but if law enforcement officers are the ones deploying this technology, I believe they should understand it intimately."
According to Rosen, computer crime squads should have a combination of computer specialists and officers from other backgrounds. Keeping up with the ‘bad guys’ takes some serious teamwork, because the ‘good guys’ rarely have access to the same standard of equipment.
"Criminals definitely have an advantage over law enforcement. They tend to be much better funded -- they have the proceeds of their crimes to buy the newest, fastest, fanciest equipment. And they do not have the constraints of having to operate within the law. What we seek to do with the training and the technology that we provide is level the playing field. If the bad guys have an advantage -- what they can do versus what the police can do -- then I think that law enforcement should at least have the tools and technology that enable them to counter that advantage."
Rosen warns that the worst is yet to come. "All the technology is in a constant state of evolution. Today’s cutting edge technology has not been fully exploited yet by either law enforcement or criminal enterprise."
Cracking the code
One of the biggest obstacles for those trying to extract evidence from computers is the widespread availability of modern encryption software.
"Encryption can really throw a monkey wrench into the process. If a criminal uses rigorous encryption on the contents of their computer, it’s far more secure than a physical strongbox, where you can just cut the lock off and have a look inside," Rosen said.
Despite the problems associated with strong encryption software, Rosen opposes government attempts to control it. "I believe that encryption should be available to the public and private sector, that we should fully exploit the capabilities of our technology," Rosen said. "The vast majority of the people who use encryption are in the corporate sector. We hear about people having their laptops stolen at airports. There is an important need for strong encryption so that the dangers presented by those scenarios can be greatly reduced.
"I also believe that private citizens should be able to communicate privately. If you create strong controls on encryption, that is a step towards an Orwellian society. If you regulate, it’s kind of like gun control in the States -- making guns illegal means that only criminals will have guns -- and the same kind of thing could happen with encryption. Encryption technology is available, the genie is out of the bottle. If it’s used for criminal purposes, you need to do something about the criminals, rather than trying to control the tools that they are using."
Few criminals are smart enough to cover up all their digital fingerprints, but Rosen is sure there are some who get away with it. "There’s an adage among law enforcement officers dealing with computer crime that says ‘we really only catch the dumb ones’. In other words, the smart, successful criminals are eluding detection and prosecution. But encryption technology is really not as big a bugaboo as it might seem. When law enforcement is aware of a criminal, often the information contained on their computer supports the police case.
"I’m not aware of any cases that have been completely dependent on evidence from the contents of somebody’s hard drive. Law enforcement has to have enough of a case to get a search warrant to take a look at the hard drive to begin with -- good, old-fashioned investigative techniques are always the precursor to actually looking at the contents of somebody’s drive."
Investigations into paedophile rings or child porn sites on the Internet often work this way, Rosen said. "Typically, when a server that contains client or subscriber information is taken down, the telephone records, the credit card charges and the content of the server are an abundant source of what is called ‘probable cause’ and give a legitimate reason to suspect that somebody has been accessing inappropriate materials over the Internet."
Although criminals can use encryption to hide evidence, Rosen pointed out that this can also damage a defendant’s case. "In many jurisdictions failure to comply with a lawful request for the password means judges will assume the worst. If I have a PGP disk, a 40M encrypted container, and I decline to provide the password to allow for the examination of its contents, then regardless of whatever constitutional rights I might enjoy, the assumption will be that I’m hiding something," he said.
"Although people enjoy the right not to incriminate themselves, the inferences that can be drawn from a suspect not cooperating tend to suggest we have the ‘probable cause’ we need to get a warrant. We know the suspect has paid for this service, that they accessed this service, that this is the type of material that was available from this service, so we don’t really need the suspect’s cooperation at that point. We’re going to make our case based on the evidence that we’ve already got without even looking at the computer."