THE INDEPENDENT MAGAZINE FOR LEGAL PROFESSIONALS


 

 


It Is Far Harder To Stay Clean In A Dirty World Than It Is To Get Dirty In A Clean One.

But how confident are we that the Police are getting it right? That those selected to live for a year or longer under the constant finger of suspicion while awaiting trial are something more than just innocent e-bystanders?

As a computer forensic investigator, I’m not so sure. It is not the myriad of malicious marketing scripts that we are exposed to on the Internet that I am concerned about, nor even the way some programmes seize control of our web browsers and force them to illicit websites. I am not even concerned about the way certain scripts, unbeknown to us, are designed to add unlawful files to our hard drives. No, there is something else I am concerned about. I am concerned about the recent policy adopted by Police Forces across the country to only permit defence experts limited access to forensic evidence files or ‘clone’ copies of the seized data. I am concerned about the way this policy affects defence investigations, and the way it hinders analysts in doing their job.

Last year, over three quarters of the cases I was instructed on were defeated when errors in Prosecution arguments were exposed. These included the case of a thirty-eight-year-old father of two who had been charged on 14 counts of ‘making’ indecent photographs of children. He seemed like a reasonably pleasant man (they often do) who maintained his innocence despite what appeared to be some overwhelming evidence to the contrary. A Police examination of his computer had revealed the presence of a substantial library of indecent static and moving images of children that were sorted and archived in numerous purpose-built folders appropriately named for the task. He accepted that he was the only user of the machine and was in some difficulty when asked to explain the origin or presence of the material in question. In interview, he even accepted that he must have been the recipient of three particular images emailed to him just prior to the seizure of the machine. A forensic expert acting for the Police later observed that the file attributes suggested the images were both received and viewed by the same user within minutes of each other. A copy of the forensic evidence files - digital reproductions of the original media acquired by Police analysts - was immediately requested in order to verify the strength of the evidence.

The request was initially denied. Such refusals to cooperate are now common in cases involving child pornography, with Police Forces across the country routinely refusing to supply copies of the evidence files acquired during the investigation. Responses to such requests are often accompanied by an offer to “nip around to the High Tech Crime Unit when you get a spare hour to look at what we’ve found”. It is not always easy, or politic, to explain that defence experts have no interest in what has been ‘found’ (save for the occasions when we are asked to advise on issues relating to ‘age’ or ‘indecency’). Our interests lie elsewhere, in the locations of data files, the construction of the system registry, the distribution of data fragments, and anything else that may provide some clue as to the history of an otherwise meaningless collection of zeros and ones. All of which, in the case of my client facing 14 counts of making indecent images, leads me to my ultimate goal - that of determining the process or processes responsible for the presence of any given file on the target computer.

I reviewed my new case. The request for the evidence files was resubmitted, but again, no luck. The situation presented a huge problem. Modern hard drives contain massive quantities of data that represent entire crime scenes in themselves. To understand just how much data is involved one should bear in mind that approximately 800 pages of text would occupy less than 1 Mb of storage space. An 80 Gb drive (not uncommon these days) could contain the equivalent of 66 million pages of data. This would translate to a pile of paper over 22,000 feet (about 4 miles) high. And of course, there’s one further problem: data on a hard drive cannot be ‘erased’. It is ‘written’ to magnetic disks called ‘platters’ by ‘read/write’ heads that do not enjoy the capacity to ‘erase’. The only way data can be removed from the platter is by overwriting it with new data.

For a police forensic analyst looking for evidence in a suspected child pornography case, this can be a bonus. A simple programming script can be left to search automatically for known graphic file signatures with the ensuing results examined at leisure. But for an independent forensic practitioner like myself, the job goes much further. It involves examining the overall integrity and continuity of the digital evidence, locating data fragments capable of proving or disproving the defence case, as well as assessing the merits of the interpretations and opinions drawn from both sides of the argument. In practical terms this involves systematically searching through the contents of the hard drive using successive automated programming scripts. Though these searches are often quick to initiate (10 minutes), they can take hours to complete. And since the criteria for any given search often rely on the results of a previous search, the process of tracing a specific data fragment can take hundreds of hours to complete. Of course, this doesn’t mean that an investigation need incur excessive costs. The forensic examiner working from his own facilities can initiate the search quite quickly, leaving him free to work on other assignments.

But just imagine for a moment what happens when this option is denied. Let’s say the investigator lives a modest 60 minutes’ drive from the High Tech Crime Unit (HTCU), and is told that he can carry out his investigation under Police supervision. Is it really reasonable to expect him to travel for an hour, wait for the evidence files to load and verify (1-3 hours), initiate a 10 minute search, then drive back again while the computer takes 8-10 hours to do its job? Then repeat the whole process another 200 times! And more importantly, who pays the bill?

In the case of my thirty-eight-year-old father of two, there was a sudden breakthrough. The email containing the three indecent images of children appeared to arrive on the target computer three days after the defendant’s arrest. Eventually, the evidence files were released.

What then followed was a classic case of denial until faced by overwhelming evidence. The Police three times categorically refused to accept that the target machine had been accessed before being handed over to experts at the High Tech Crime Unit. My subsequent investigation lasted three months and involved over 300 separate searches, by which time it was conclusively proven that the defendant’s computer had been used on 18 occasions post-seizure. Evidence indicated it had been connected to the Internet, used to visit child pornographic websites, used to send and receive emails, and used to download ZIP archive files which were later ‘unzipped’, spilling their illicit contents onto the defendant’s hard drive. It later emerged that the machine had been accidentally used as part of a Police operation to catch Internet paedophiles - before being handed over to forensic officers for analysis!



The defendant had been lucky - the release of the evidence files relating to his case allowed a thorough investigation to be conducted in which his innocence was eventually established. This would not have been possible under the present Association of Chief Police Officers (ACPO) guidelines. These state that forensic evidence files relating to cases brought under the Protection of Children Act should not be supplied to defence experts. Furthermore, it is most unlikely that the additional costs incurred by an ‘off-site’ investigation (approximately £200K) would have been met by the Legal Services Commission. So why were the Association of Chief Police Officers (ACPO) guidelines introduced, and why are the Police now refusing to supply copies of these files? The reason, we are told, is the wording of the legislation itself.

The Protection of Children Act came about in response to a perceived flood of child pornography sweeping the country in the late seventies. The Act provided for the prosecution of those possessing, distributing, advertising or making indecent photographs of children. At the time of processing, the drafters of the bill clearly anticipated that situations could arise in which individuals would have a legitimate reason for ‘possessing’ or ‘distributing’ such material. Consequently, statutory defences were included to protect those engaged in academic research or those operating within the criminal justice system. What the Act did not anticipate, however, was the arrival of the Internet, and the way it would be applied to new technologies. Thus, no statutory defence exists for the act of ‘making’ an indecent image of a child - an event that occurs each time an indecent image is created on the monitor of a computer.

In many respects, the Protection of Children Act pre-empted some of the social problems the Internet would later bring. Today, a majority of prosecutions arising from it are linked to a variety of computer related activities. It’s not easy to argue against the need for such legislation. No medium has the potential to ‘normalise’ otherwise abhorrent behaviour more than the Internet, while the need to protect society’s most vulnerable must remain an ongoing social priority. But my own experience, and the shared experiences of many computer forensic practitioners, is that deficiencies in the Act enable the Police to refuse to hand over ‘cloned’ copies of the evidence on the grounds that they could themselves then be accused of breaching the Act itself.

Quite simply, this argument is absurd. Each time the Police pursue an investigation into child pornography they start by taking a forensic image (or clone copy) of the target media. This act effectively ‘makes’ another version of each indecent image present on the media. Similarly, when they ‘back up’ the forensic files to optical disk (as each Police Force has to do) they effectively ‘make’ yet another version of each indecent image present. Later, when the images are viewed at the High Tech Crime Unit, the Police forensic investigator ‘makes’ another version for each indecent image he causes to be created on the computer monitor. Again, when the Police print out the images for the CPS, the same ‘making’ act occurs. And so on. Put simply, the Protection of Children Act is worded in such a way as to render unlawful many of the activities necessary to build or defend a case involving child pornography. And as we all know, there is no statutory defence to the act of ‘making’ an indecent image of a child.

Yet despite all this, the Police continue to refuse to hand over these files because, they say, they could be accused of ‘supplying’. And in a final twist of irony, we note that should such an accusation ever occur, a statutory defence exists for their protection. The alternative - that of insisting that the defence examination (i.e. ‘making’ of further images) is carried out under Police supervision and direction - offers them no such protection.

Of course, not all of these refusals succeed: some Judges grant court orders, others decline to get involved, some Prosecutors ‘encourage’ the Police to comply, and sometimes the Legal Services Commission simply approves a massive expenditure, often in excess of £60K per case, just to move things forward. But more often than not, forensic analysts simply accept the limitations imposed on their investigations. In a climate of moral panic and near hysteria over child pornography, no one, least of all a male forensic practitioner, wants to be seen asking for material that includes copies of indecent images of children. Often, in the absence of support from the instructing solicitor, many analysts see their investigations reduced to little more than an observational confirmation of the presence of indecent material on the seized media. And if they ‘insist’ on full access, it is not unheard of for judges to ‘insist’ that the defence team find themselves someone else to ‘look’ at the evidence.

Yet none of this has dampened my enthusiasm for computers. I believe passionately in their ability to enrich people’s lives, to improve the education of the young, to increase confidence, and to keep the old active and interested. But if, like me, you use these machines, then be very careful. Odds are, some data exists on your computer that you either know nothing about, or cannot explain the presence of. Furthermore, it is incredibly easy for recovered data to be misread. Mix in the sometimes frenzied and often contradictory regulations now surrounding imagery of children, and we are all at potential risk. And if you are unlucky enough to be accused of possessing an unlawful string of binary code, do not imagine for a moment that you will be treated fairly. Just find yourself a good forensic analyst, one with a proven track record and an insatiable desire to get to the bottom of every case. Because while the Internet continues to provide us all with the opportunity to explore a myriad of new worlds, not all of these are ‘clean’. And we all know that it is far harder to stay clean in a dirty world than it is to get dirty in a clean one.

http://www.fieldsassociates.co.uk

 

 
 