6.2.20

How to catch a cybercriminal: tales from the digital forensics lab

What is it like to defeat cybercrime? A peek into how computer forensics professionals help bring cybercriminals to justice.
Many people ask me about what it was like working for law enforcement. More often than not, however, they are actually enquiring about how computer crime is truly investigated. Whether it’s questions about how accurately it is portrayed on TV, the constraints felt by the police, the associated myths, or about how to find closely guarded tactics and secrets, people seem to have a morbid fascination with the dark world of digital forensics.

Before joining ESET, for nearly a decade I was a computer forensics examiner for the UK police. My job was to perform deep forensic analysis of computers, hard drives, phones and other devices that had been instrumental in crimes, including murder, child abuse and fraud. With some of the best forensic tools at my disposal, I delved not only into these devices but, metaphorically, into the lives of the suspects who had been locked up or released on bail. Performing such an analysis could take anything from a day to a few months, depending on what was required, the state and security of the storage medium, or more importantly, the magnitude of the case.

From being able to locate a suspect’s Google search history, their photo galleries, their online chats, and even their deleted items, once I was into the devices, I was able to see a lot more than just the data on the drives. Going through a person’s computer or phone is like going through their mind – it is intense. And people would ask me things like, “is it just like in the movies?” or, “can you really get something back that I have deleted?”

Well, “yes and no” is the real answer to both these questions. It’s never as quick as in the movies, but most of what you see is usually possible – just not for every case. Deleted files can be retrieved so long as they haven’t been overwritten. When deleting any data, it is effectively like ripping the contents page out of a book – the information is still there, you just don’t know what page it’s on.
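The “contents page” analogy above can be shown in code. The following is an added example, not code from the article or from ESET: it builds a toy disk image with a constructed directory table (not any real filesystem layout), “deletes” a file by clearing only its directory entry, recovers it by scanning for the genuine PNG file signature (signature carving), and then shows recovery failing once a later write reuses the freed space.

```python
# Added example: toy image with a directory table and a data region. The
# layout is constructed for illustration; the PNG signature is the real one.
import struct

ENTRY = struct.Struct("<16sII")        # name, data offset, length
DIR_ENTRIES = 4
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IEND = b"IEND\xaeB\x60\x82"            # IEND chunk type plus its fixed CRC

def entries(img):
    """Yield (slot, name, offset, length) for every live directory entry."""
    for i in range(DIR_ENTRIES):
        name, off, ln = ENTRY.unpack_from(img, i * ENTRY.size)
        if ln:
            yield i, name.rstrip(b"\0").decode(), off, ln

def write_file(img, name, data):
    """First-fit allocation: reuse freed space, as real filesystems do."""
    off = ENTRY.size * DIR_ENTRIES      # data region starts after the table
    for start, end in sorted((o, o + n) for _, _, o, n in entries(img)):
        if off + len(data) <= start:
            break
        off = max(off, end)
    slot = next(i for i in range(DIR_ENTRIES) if not ENTRY.unpack_from(img, i * ENTRY.size)[2])
    ENTRY.pack_into(img, slot * ENTRY.size, name.encode(), off, len(data))
    img[off:off + len(data)] = data

def delete_file(img, name):
    """Deletion only zeroes the directory entry; the data bytes stay in place."""
    for slot, n, _, _ in entries(img):
        if n == name:
            img[slot * ENTRY.size:(slot + 1) * ENTRY.size] = bytes(ENTRY.size)

def carve_png(img):
    """Signature carving: recover PNG-like blobs without consulting the directory."""
    found, pos = [], img.find(PNG_MAGIC)
    while pos != -1:
        end = img.find(IEND, pos)
        if end != -1:
            found.append(bytes(img[pos:end + len(IEND)]))
        pos = img.find(PNG_MAGIC, pos + 1)
    return found

def demo():
    img = bytearray(512)
    write_file(img, "cat.png", PNG_MAGIC + b"<constructed chunk bytes, not a valid image>" + IEND)
    write_file(img, "notes.txt", b"plain text")
    delete_file(img, "cat.png")
    listing, carved = [n for _, n, _, _ in entries(img)], carve_png(img)
    write_file(img, "new.bin", b"\xff" * 20)   # first-fit lands in the freed gap, over the PNG header
    return listing, carved, carve_png(img)
```

`demo()` returns the directory listing after deletion (the PNG is gone from it), the carved PNG recovered from the raw bytes, and an empty carve result after the overwrite.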

Constraints
Increasing dark web activity was a headache for the police, but the real constraint in the lab was full-disk encryption. It is the biggest hurdle for computer examiners and there are only a few measures to overcome it. First there is the National Technical Assistance Centre (NTAC), part of the UK’s GCHQ, which would be on hand to brute-force encrypted drives for the police. This could take any length of time depending on the passcode. However, they had an incredible success rate with the computer power behind them. It would always be magical to be handed back a hard drive of previously encrypted contents, now with full access, after a suspect had gone “no comment” or, better still, had said that we wouldn’t find anything illegal.
Locked phones, though, were usually not a problem. Typically, they could be unlocked in-house with the best law enforcement-supplied software, which the UK police still use. This was made easier on phones that had not been immediately updated to the latest operating system.

The darker side of digital forensics
No job comes without its downsides, but being able to see absolutely any sort of material on a device can have damaging side effects on anyone. Luckily, anyone working in police digital forensics is given counseling every 6 months. This is essential for anyone who comes in contact with suspect devices and certain life-affecting material. Some people can have repulsive and horrific images or videos on their devices and this needs to be addressed by anyone who witnesses it. Although in my job I could potentially see anything, I was there to locate the evidence before a specialist team, the Paedophile OnLine Investigation Team (POLIT), would grade any indecent material into a subrange of categories. The worst material located would naturally give harsher sentences, but it would be down to the courts to determine jail time. This was a disturbing, yet vital, part of the process that, in turn, would keep damaged individuals from further offending.

I was once called to help investigate a murder where the Major Crime Team already had a wealth of evidence, but like in most murders or suspicious deaths, there was digital evidence that required forensic examination. After receiving a blood-stained laptop, I made a digital copy (image) of the hard drive and delved into what was going on in the log files near to when the alleged offense occurred. I did not expect to find anything, let alone that the suspect had Googled “how do I get rid of a dead body” just after the offense occurred. Of course, anyone could have Googled that, right?

I was regularly called to court to discuss the digital evidence I had uncovered in a whole range of cases. In 2014 I was summoned to court for a case of possession of indecent images. The defendant had gone “no comment” to all prior questions during interrogation and then entered a not guilty plea. However, once I turned up as a professional witness with my digital forensic experience, he pleaded guilty based on the evidence I presented to the judge, jury and defense team. The defense would wait to see what evidence the prosecution could produce. Indeed, they would only attempt to attack it, or plead guilty, once they knew whether a digital forensic examiner had solid, unquestionable evidence beyond reasonable doubt for the jury. In this particular case, I had his complete Google search history dating back many years, not to mention his vast collection of indecent images in an encrypted folder that I was able to extract and show the judge.

Sentencing
Many convicted criminals were given no prison time or only short sentences for some offenses which, in the public’s eye, didn’t match up with the crime being tried. Law enforcement’s job is to deliver the best evidence available and help show that a defendant is guilty. The Crown Prosecution Service, CPS, is the governing body that delivers the sentence. But what would get a suspect off? This is the job of the defense, and they were very good at it.

Typically, the defense lawyer would wait to see all the evidence that the prosecution has to offer and then try to attack it where possible. Such attacks could be on witness statements or better still, via an independent computer forensic examiner working for the defense in order to try to muddy the evidence.

A typical answer to an offense would be the “Trojan defense”, where the suspect would claim he or she had no idea what was on the device and it must have been the work of malware. It would sometimes take a lot of work to disprove this particular counterargument. In some cases, this would even halt the court process altogether until I had time to work back through the forensic image and prove otherwise.
Whilst preparing for court, I was given intense court training by an incredible lawyer who works for both prosecution and defense. He taught me the strengths and weaknesses a trial faces day in, day out and the tactics used to try to win or dismiss a court case. I was shown the tricks a lawyer could use, as well as learning where to admit defeat. Such tricks to gain an acquittal are still used in English courtrooms today.

In the UK, the judge will usually want a unanimous vote (12-0) or a majority vote (11-1 or 10-2) beyond reasonable doubt to convict the defendant. This means the defense lawyer need only win over 3 jurors to get his or her way and produce a hung jury, which may or may not in turn lead to a retrial. This can be accomplished with psychology, manipulation and skill, using tactics such as getting the jurors on the defense’s side so that they then agree with the defense.

Why do it?
So why do digital forensic examiners do what they do? Because their work helps put criminals away; without such forensic evidence, most cases would struggle on classic CSI evidence alone, such as fingerprints. Forensic CSI examiners do a fabulous job, but the evaluation of digital evidence is growing in police forces across the globe and is stretching police funding more than ever. There are more digital devices coming in than the police can deal with and backlogs are increasing daily – some jobs can take well over 12 months to be examined.

Am I glad to be out of it? This is another question I receive a lot and, to be honest, I miss the community within the police, which is like a family. What I don’t miss is the “not guilty” outcomes on cases where I was sure they should be different. Nor do I miss the growing constraints around encryption and dark web usage, and I now get job satisfaction from helping people and businesses protect themselves against cyberattacks.

Additional reading
While the following is not strictly related to the work of computer forensics experts, law enforcement worldwide has, over the years, requested the assistance of ESET security researchers in helping crack down on several large-scale cybercriminal operations. The researchers’ technical analyses have been instrumental in disrupting a number of such criminal rings, including the 3ve online ad fraud operation and the Gamarue botnet.