THE INDEPENDENT MAGAZINE FOR LEGAL PROFESSIONALS


 

 


THE LAYERS OF THE ONION
Computer science is a strange subject, being a hybrid of straightforward physical sciences

 

A computer is portrayed as a combination of electronics and electro-mechanical equipment, such as the central processing unit, which is supported by various electronics and transitory memory, plus various devices such as a keyboard, CD reader, and disk drive. At the heart of a PC is its ability to load an operating system from a disk and wake up the peripheral devices of the system.

WHAT HAS ALL THIS TECHNO-NONSENSE GOT TO DO WITH THE LAW?

The answer is that if you are able to acquire the right level of comprehension of the layers of software, firmware and hardware which control and ultimately store computer information, then your ability as a lawyer or barrister in any civil litigation, and indeed many criminal cases, will be increased significantly in value.

The heart of a commonplace desktop or laptop PC is generally a variant of Microsoft’s operating systems. An operating system manages the resources of the computer, providing central control over the various aspects of a system, such as more than one program being able to generate screen output simultaneously.

Looking at any aspect of data storage, such as a disk drive, we encounter many levels of abstraction. There are the relatively trivial aspects provided to a user, so that you may simply ‘Save’ a document to your system, or ‘Save and Send’ an email. Alternatively you may ‘destroy’ some information no longer required, using software promising ‘secure erasure’. Maybe your client has used software promising the elimination of incriminating information?

Perhaps your organisation uses a ‘secure erasure’ service. Maybe nothing appears to be on a disk drive other than some client correspondence, or a game. However, there may be something more sinister – who knows? I am certain that most people are unaware of what may be present on their system and have absolutely no idea what can be recovered from data storage devices.

In the defence of a client, perhaps the opponent’s evidence looks overwhelming, and the odds are against you and entering into negotiation on the outcome would appear to be prudent. I would suggest that you should often think again. This is every bit as true in a civil case as it is in a criminal case.

Initially, based upon a computer expert’s report, it may appear a client is a child pornographer. However, the ‘expert’ reporting on the computer evidence may have completely misunderstood digital information from the investigation software used, and the alleged evidence has turned into digital debris.

 

PEELING OFF THE OUTER SKIN

When a user powers up a PC and the Windows operating system loads, a large number of files are changed, temporary files are created, and space initialised. On the surface the changes may appear to be minor, but they are in actual fact swift, dramatic and permanent. The last access dates and times of a whole raft of files will be changed to ‘now’. Turning on a PC is such a major process that it is virtually impossible to disguise. It would be crazy for anyone to attempt to do so, although we still on occasion see this happen. This is usually the result of an accidental power-on, followed by a denial of the event. Even worse, accidentally turning on a computer system will inadvertently load programs and may even invoke a virus, trojan or other malicious code.
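The check an examiner can run for the power-on described above, as an added example that is not part of the original article: list the files whose last-access time is later than the seizure and group them into bursts, since a boot touches many system files within moments of each other. The seizure time, file listing and thresholds are constructed for illustration, and the check assumes an operating system that records last-access times (later Windows versions on NTFS do not update them by default).

```python
from datetime import datetime, timedelta

# Constructed sample: (path, last-access time) rows as exported from a
# read-only image of a seized disk. Not data from any real case.
SEIZED_AT = datetime(2003, 5, 12, 9, 30)   # hypothetical time of seizure
LISTING = [
    (r"C:\Docs\letter1.doc",               datetime(2003, 5, 9, 16, 2, 11)),
    (r"C:\Docs\accounts.xls",              datetime(2003, 5, 11, 18, 40, 5)),
    (r"C:\WINDOWS\system32\config\system", datetime(2003, 5, 14, 11, 7, 41)),
    (r"C:\WINDOWS\system32\kernel32.dll",  datetime(2003, 5, 14, 11, 7, 43)),
    (r"C:\WINDOWS\explorer.exe",           datetime(2003, 5, 14, 11, 8, 2)),
    (r"C:\WINDOWS\Temp\~DF3A1.tmp",        datetime(2003, 5, 14, 11, 8, 9)),
    (r"C:\Docs\notes.txt",                 datetime(2003, 5, 15, 14, 0, 0)),
]

def post_seizure_bursts(listing, seized_at, gap=timedelta(minutes=5), min_files=3):
    """Group last-access times later than the seizure into bursts.

    A burst is a run of files whose access times are each within `gap` of
    the previous one. Bursts of at least `min_files` files are returned as
    (start, end, paths); smaller groups are returned separately as strays.
    """
    late = sorted((t, p) for p, t in listing if t > seized_at)
    groups = []
    for t, p in late:
        if groups and t - groups[-1][-1][0] <= gap:
            groups[-1].append((t, p))      # continues the current burst
        else:
            groups.append([(t, p)])        # starts a new group
    bursts, strays = [], []
    for g in groups:
        if len(g) >= min_files:
            bursts.append((g[0][0], g[-1][0], [p for _, p in g]))
        else:
            strays.extend(p for _, p in g)
    return bursts, strays

if __name__ == "__main__":
    bursts, strays = post_seizure_bursts(LISTING, SEIZED_AT)
    for start, end, paths in bursts:
        print(f"{len(paths)} files accessed {start} to {end} (after seizure):")
        for p in paths:
            print("   ", p)
    print("isolated post-seizure accesses:", strays)
```

A burst dominated by operating system files points to a power-on, while an isolated late access to a single document points to someone opening that file on a running system.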

 

AVOID CRYING – COVER YOUR EYES

In a somewhat similar way to rose coloured specs, the superficial investigation of data uti misguided. This situation occurs frequently in our work and we often see conclusions that are, frankly, ridiculous.

 

IT’S ENOUGH TO MAKE YOUR EYES WATER

Attempts to destroy electronic information are frequently amateurish, as are some instances we see, where electronic information is used as supporting or rebuttal evidence.

  • We have recovered electronic evidence after a not-so-technical ‘Technical Director’ attempted to erase his employer’s servers and then systematically went through his company’s backup tapes, re-initialising each in turn.
  • A disgruntled former employee who stole his company laptop was brought to justice, after having forgotten that when he originally installed Microsoft Office, he used the company name. This name was embedded in all of the documents produced after he left the company.
  • A group of criminals believed that if they could not recover destroyed information then no one else could. This misconception proved their undoing when we recovered the evidence they thought they had erased.

We have also seen evidence of more energetic cover-ups, from throwing a laptop from a ninth floor window and burning down a building in an attempt to cover up a fraud, through to attempting to rip up diskettes as police raided the premises.

All involved were literally stunned at quite how durable computer storage actually is – paradoxically it has that strange mix of being both easily changed and damaged, as well as being extremely persistent.

IGNORANCE OR BLIND FAITH?

Serious full-time computer professionals assume that they understand certain specialist areas. Indeed, people who develop what are quite often the most trivial of skills with some aspects of computer systems are given titles like ‘Unix Guru’. Undoubtedly at some level of knowledge, the person has a degree of understanding considerably greater than many others. If he changes to a different circle of experiences, he may retain his ‘Guru’ tag, but all too often may be no better than the man on the Clapham Omnibus.

I have never considered myself to be a ‘Guru’ in anything, but know of a great number of UNIX ‘Gurus’ who all became very quiet when they discovered that I have written a large number of disk and tape device drivers for many operating systems, including Unix implementations. Although a quite complex programming area, it certainly did not make me a Unix Guru.
I was aware that I was creating a level of abstraction between the operating system and the hardware. I knew then that it was one of many software abstractions. I now know that there are many levels of hardware abstraction that are, in general terms, of no interest unless you consider yourself competent in computer forensics, or work in areas such as true data recovery; at this point they become vitally important.

The forensic systems in use in the UK, including Vogon’s, have all been developed for relatively unskilled users, who have little or no understanding of computer technologies. These systems function at a similar level to a breathalyser: they tell you if the process has probably worked and protect the primary source of evidence from any alteration or contamination. They require little skill to use. If you elect to give a blood sample, then a qualified doctor will be called upon to take this and the sample will be sent to an approved chemical laboratory, which will apply blind procedures on calibrated equipment, following very strict rules to determine the breakdown of any chemicals which are present.

With computer-based evidence, the data secured as an ‘evidential’ copy is sadly all too often analysed in a very limited manner, by people who have, at best, some superficial skills used in conjunction with a simple investigations package. The results can be alarming in both defence and prosecution work and it is common to observe a complete lack of impartiality and understanding, hidden behind ill-founded conclusions.

 

THE INNER LAYERS

Sorry chaps, but we seem to keep hitting against another area for interesting debate. For example, there are aspects of the law in which, through the use of computer evidence, we find holes which need to be plugged. Our normal bugbears are problems associated with civil search and seizure orders, either self-inflicted by a ‘Guru’ lawyer, or by his client, or perhaps a team effort assisted by the bench. One day we may publish a book of search & seizure conditions...

 

Our experiences with English and Scottish legal systems have been interesting, to say the least, and now generally with most larger law firms we need no longer be concerned if we go into court and encounter computer-literate magistrates and judges in the UK.
If you want to commit a crime and make use of technology, keeping away from the more technically advanced countries is advisable. Venture into some other parts of the world, however, and awareness of electronic evidence is very poor.

THE FINAL LAYER
The change in the legal profession in relation to electronic evidence has been impressive over the past decade. Those who were pupils 10 years ago, doing background work for their silks, used computers in university. The majority have retained their computer knowledge for use in administrative work. This shows in the more assured manner in which they handle electronic-based information, whether evidence or disclosed materials.
Some lawyers we have known for a long time, almost 15 years with our company’s legal firm in Wokingham, now have personal email addresses and cannot comprehend operating without a word processor and email system. I even know a contract lawyer who knows how to use Excel!

 

   