What is it like to defeat cybercrime? A peek into
how computer forensics professionals help bring cybercriminals to justice.
Many people ask me about what it was like working
for law enforcement. More often than not, however, they are actually enquiring
about how computer crime is truly investigated. Whether it’s questions about
how accurately it is portrayed on TV, the constraints felt by the police, the
associated myths, or about how to find closely guarded tactics and secrets,
people seem to have a morbid fascination with the dark world of digital
forensics.
Before joining ESET, for nearly a decade I was a
computer forensics examiner for the UK police. My job was to perform deep
forensic analysis of computers, hard drives, phones and other devices that had
been instrumental in crimes, including murder, child abuse and fraud. With some
of the best forensic tools at my disposal, I delved not only into these devices
but,
metaphorically, into the lives of the suspects who had been locked up or
released on bail. Performing such an analysis could take anything from a day to
a few months, depending on what was required, the state and security of the
storage medium, or more importantly, the magnitude of the case.
Once I was into the devices, I could locate a suspect’s Google search
history, their photo galleries, their online chats and even their deleted
items, so I was able to see a lot more than just the data on the drives.
Going through a person’s computer or phone is like going through their mind –
it is intense. And people would ask me things like, “Is it just like in the
movies?” or, “Can you really get something back that I have deleted?”
Well, “yes and no” is the real answer to both these
questions. It’s never as quick as in the movies, but most of what you see is
usually possible – just not for every case. Deleted files can be retrieved so
long as they haven’t been overwritten. When deleting any data, it is
effectively like ripping the contents page out of a book – the information is
still there, you just don’t know what page it’s on.
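To make the “contents page” analogy concrete, here is an added example that is not from the original article: a toy disk image in which block 0 holds a directory table (the contents page) and the remaining blocks hold file data. Deleting a file only removes its directory entry, and a file-carving scan for JPEG start/end markers still finds the photo until its block is handed out again and overwritten. The ToyImage class, the block layout, the naive allocator and the sample payload are all invented for illustration; only the JPEG markers (FF D8 FF and FF D9) are real.

```python
"""Toy disk image: why a deleted file survives until its blocks are overwritten.

Everything here is a constructed illustration, not a real filesystem format.
"""

BLOCK_SIZE = 512
TOTAL_BLOCKS = 8            # block 0 is the directory; blocks 1..7 hold file data

JPEG_SOI = b"\xff\xd8\xff"  # real JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"      # real JPEG end-of-image marker
# Constructed sample: JPEG-shaped payload (markers are real, the middle is filler).
SAMPLE_JPEG = JPEG_SOI + b"\xe0" + b"holiday-photo" * 15 + JPEG_EOI


class ToyImage:
    """A bytearray-backed image with a directory table in block 0."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * TOTAL_BLOCKS)
        self.free = list(range(1, TOTAL_BLOCKS))  # naive allocator: lowest free block first
        self.directory = {}                       # name -> (block, length)

    def _flush_directory(self):
        # The "contents page": one line per live file, serialised into block 0.
        table = "".join(f"{n}:{b}:{l}\n" for n, (b, l) in self.directory.items()).encode()
        self.raw[0:BLOCK_SIZE] = table.ljust(BLOCK_SIZE, b"\x00")

    def write_file(self, name, data):
        if len(data) > BLOCK_SIZE:
            raise ValueError("toy files must fit in a single block")
        block = self.free.pop(0)
        off = block * BLOCK_SIZE
        self.raw[off:off + BLOCK_SIZE] = data.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = (block, len(data))
        self._flush_directory()
        return block

    def delete_file(self, name):
        """Deletion removes the directory entry only; the data block is untouched."""
        block, _ = self.directory.pop(name)
        self.free.append(block)   # the block becomes eligible for reuse
        self.free.sort()
        self._flush_directory()

    def list_files(self):
        """What a normal file listing sees: only names present in the directory."""
        table = bytes(self.raw[0:BLOCK_SIZE]).rstrip(b"\x00").decode()
        return [line.split(":")[0] for line in table.splitlines() if line]


def carve_jpegs(raw):
    """Ignore the directory entirely and scan the raw bytes for JPEG markers."""
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            return found
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            return found
        found.append(bytes(raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)


def demo():
    """Returns (directory listing, carved JPEGs) at three points in time."""
    img = ToyImage()
    img.write_file("notes.txt", b"shopping list: milk, bread")
    img.write_file("photo.jpg", SAMPLE_JPEG)
    before = (img.list_files(), carve_jpegs(img.raw))
    img.delete_file("photo.jpg")
    # The directory no longer lists the photo, but carving still finds it intact.
    after_delete = (img.list_files(), carve_jpegs(img.raw))
    # A later write reuses the freed block; only now is the photo really gone.
    img.write_file("new.txt", b"x" * BLOCK_SIZE)
    after_overwrite = (img.list_files(), carve_jpegs(img.raw))
    return before, after_delete, after_overwrite


if __name__ == "__main__":
    for label, (names, carved) in zip(("before", "deleted", "overwritten"), demo()):
        print(f"{label:12s} directory={names} carved_jpegs={len(carved)}")
```

Real examiners work on a forensic image rather than the live disk precisely so that nothing on the original is reused while they carve; the toy allocator above shows how quickly an ordinary write can destroy what deletion alone left behind.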
Constraints
Alongside the growing headache that dark web activity was causing the police,
the real constraint in the lab was full-disk encryption. It is the biggest hurdle for computer examiners
and there are only a few measures to overcome it. First there is the National
Technical Assistance Centre (NTAC), part of the UK’s GCHQ, which would be on
hand to brute-force encrypted drives for the police. This could take any length
of time depending on the passcode. However, they had an incredible success rate
with the computer power behind them. It was always magical to be handed
back a hard drive whose previously encrypted contents were now fully accessible,
after a suspect had gone “no comment” or, better still, had insisted that we
wouldn’t find anything illegal.
Locked phones were usually not a problem,
though. Typically, they could be unlocked in-house with the best law
enforcement-supplied software, which the UK police still use. This was made
easier on phones that were not immediately updated to the latest operating
system.
The darker side of digital forensics
No job comes without its downsides, but being able
to see absolutely any sort of material on a device can have damaging effects
on anyone. Luckily, anyone working in police digital forensics is given
counseling every 6 months. This is essential for anyone who comes in contact
with suspect devices and certain life-affecting material. Some people can have
repulsive and horrific images or videos on their devices and this needs to be
addressed by anyone who witnesses it. Although in my job I could potentially
see anything, I was there to locate the evidence before a specialist team, the
Paedophile OnLine Investigation Team (POLIT), would grade any indecent material
into a subrange of categories. The worst material located would naturally give
harsher sentences, but it would be down to the courts to determine jail time.
This was a disturbing, yet vital, part of the process that, in turn, would put
damaged individuals away from further offending.
I was once called to help investigate a murder
where the Major Crime Team already had a wealth of evidence but like in most
murders or suspicious deaths, there was digital evidence that required forensic
examination. After receiving a blood-stained laptop, I made a digital copy
(image) of the hard drive and delved into what was going on in the log files
near the time when the alleged offense occurred. I did not expect to find anything,
let alone that the suspect had Googled “how do I get rid of a dead body” just
after the offense occurred. Of course, anyone could have Googled that, right?
I was regularly called to court to discuss the
digital evidence I had uncovered in a whole range of cases. In 2014 I was
summoned to court for a case of possession of indecent images. The defendant
had gone “no comment” to all prior questions during interrogation and then
entered a not guilty plea. However, once I turned up as a professional
witness with my digital forensic experience, he pleaded guilty based on the
evidence I presented to the judge, jury and defense team. The defense would
wait to see what evidence the prosecution could produce, attack it where they
could, and plead guilty only once they knew a digital forensic examiner had
solid, unquestionable evidence that would satisfy the jury beyond reasonable
doubt. In this particular case, I had his complete Google search history dating
back many years, not to mention his vast collection of indecent images in an
encrypted folder that I was able to extract and show the judge.
Sentencing
Many convicted criminals were given no prison time
or only short sentences for some offenses which, in the public’s eye, didn’t
match up with the crime being tried. Law enforcement’s job is to deliver
the best evidence available and help show that a defendant is guilty. The Crown
Prosecution Service, CPS, is the governing body that delivers the sentence. But
what would get a suspect off? This is the job of the defense and they were very
good at it.
Typically, the defense lawyer would wait to see all
the evidence that the prosecution has to offer and then try to attack it where
possible. Such attacks could be on witness statements or better still, via an
independent computer forensic examiner working for the defense in order to try
to muddy the evidence.
A typical response to a charge was the “Trojan
defense”, where the suspect would claim he or she had no idea what was on the
device and that it must have been the work of malware. It would sometimes take
a lot of work to disprove this particular counterargument. In some cases, this would even halt
the court process altogether until I would have time to work back on the
forensic image and prove otherwise.
Whilst preparing for court, I was given intense
court training by an incredible lawyer who works for both prosecution and
defense. He taught me the strengths and weaknesses a trial faces day in, day
out and the tactics used to try to win or dismiss a court case. I was shown the
tricks a lawyer could use as well as learning where to admit defeat. Such
tricks to gain an acquittal are still used in English court rooms today.
In the UK, the judge will usually want a unanimous
vote (12-0) or a majority vote (11-1 or 10-2) beyond reasonable doubt to
convict the defendant. This means the defense lawyer need only win over 3
jurors to gain a hung jury, which may or may not in turn lead to a retrial. This
can be accomplished through psychology, manipulation and skill, using tactics
designed to get the jurors on the defense’s side so that they then agree with
the defense.
Why do it?
So why do digital forensic examiners do what they
do? Because their work helps put criminals away, and without such forensic
evidence most cases would struggle on classic CSI evidence alone, such as
fingerprints. Forensic CSI examiners do
a fabulous job, but evaluation of digital evidence is growing in police forces
across the globe and is stretching police funding more than ever. There are
more digital devices coming in than the police can deal with and backlogs are
increasing daily – some jobs can take well over 12 months to be examined.
Am I glad to be out of it? This is another question
I get asked a lot, and to be honest, I miss the community within the
police, which is like a family. What I don’t miss is the “not guilty” outcomes
on cases where I was sure they should have been different. Nor do I miss the
growing constraints around encryption and dark web usage; I now get job
satisfaction from helping people and businesses protect themselves against
cyberattacks.
Additional reading
While the following is not strictly related to the
work of computer forensics experts, law enforcement worldwide has, over the
years, requested the assistance of ESET security researchers in helping crack
down on several large-scale cybercriminal operations. The researchers’
technical analyses have been instrumental in disrupting a number of such
criminal rings, including the 3ve
online ad fraud operation and the Gamarue
botnet.