THE INDEPENDENT MAGAZINE FOR LEGAL PROFESSIONALS
Electronic Forensics in an International Environment

International computer crime has an enormous technical dimension that cuts across many leading-edge technologies and platforms. This dimension raises an inordinate burden of proof that falls heavily upon computer forensic scientists.

The development of computers, coupled with the ease and manner in which they can be interconnected and integrated with communications apparatus and networks, has created a new infrastructure for the interchange of telemetry and multimedia data. This infrastructure is complex and forms a vast ether (hence Ethernet) that now transports data from country to country and around the world. Transmissions are made by equipment such as personal computers, mobile phones, video and broadcast equipment via cables and terrestrial and satellite radio links that cross political and legislative boundaries with ease. Transmissions are traded on a commercial basis and are re-filed between service providers across time zones and countries in order to utilize the asset's capacity to the full.

This infrastructure is now so vast and diverse that it has become a vital global asset, equivalent to oil, without which modern economies would be paralyzed. It is therefore an asset whose day-to-day management cannot be entrusted to humans alone, and it cannot be turned off at will without severe political and business impact. It needs “blink of the eye” decision making to ensure its operation is efficient, and requires the use of artificial intelligence to keep it smooth running and resilient to component failure. It is an asset upon which education, innovation and commerce thrive and develop through computer-based programs, and programs that communicate with other programs, to ensure it is utilized efficiently. It is an environment that has common building blocks and interconnect protocols deployed without technical constraints, and it is always available to anyone who wants to use it. Utilization is now truly international and reflects the whole of society, and the influences for good and bad placed upon it are of equally biblical proportions. The worst in society has naturally seized the opportunity to make use of this asset, and computer crime now has a new and obviously disturbing international dimension. The majority of crimes and misdemeanors against the person, however, remain much as they have for centuries; only the introduction of computers at the scene of the crime has changed, while offences against the systems themselves are a new feature. It is nevertheless a situation that brings new legal and technological challenges.

In recognizing the growing threat and magnitude of international computer crime, governments have not been idle, and there have been a number of initiatives in recent years to try to ensure that legal protection is harmonized amongst the international community. Great strides have been made through international organizations to achieve a common approach to legislating against such crime and thereby mitigate against the existence of computer crime havens. One such step was taken by the Council of Europe select committee in the late eighties, which reported a minimum list of offences (eight) necessary for a Uniform Criminal Policy and urged member governments to account for this list in future legislation. In recent times the Council of Europe has turned its attention to prosecution and the problems faced by enforcement agencies. In 1995 it adopted recommendations on search and seizure, the admissibility of evidence and international mutual assistance (Recommendation No-R 95 concerning problems of procedural law connected with information technology). Member state governments have subsequently agreed that efforts should be made to reach common understandings and definitions for criminal offences and appropriate sanctions for particular areas of crime, including computer crime. In the UK, the Regulation of Investigatory Powers Act defines the obligations on service providers to retain and manage information, which bodies and representatives are allowed access to this information, and under what circumstances; this is reflected in similar acts throughout Europe. The International Cooperation Bill concerning crime identifies what steps can be taken to ensure that criminals who operate internationally are brought to justice, and also discusses matters of witness and evidence with implications for computer crime.

International computer crime also has an enormous technical dimension that cuts across many leading-edge technologies and platforms. This dimension raises an inordinate burden of proof that falls heavily upon computer forensic scientists. In their task they must use scientifically derived and proven methods for the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of evidence collected from complex computer equipment sources, and must also be able to demonstrate and facilitate the reconstruction of events found to be criminal or illegal. Within this basic remit there are also challenges of research, abstraction, quantity, translation and presentation, since it is not always possible to seize equipment from live environments that are in effect vast crime scenes. The complexity of the technology and the transient nature of the data in networked environments render the process of investigating and recording evidence time consuming and costly, and, if not expressed in a plausible manner, rightly vulnerable to claims of errors and malfunction.

As an example of the cross-platform and international nature of computer crime, the Dataclinic Italian office reported that an Italian man was responsible for running a “dialer” fraud operation. The operation tricked users into running a virus called “Marq-A”. Marq-A arrived in the form of an email with the subject line "The moment is cathartic", which directed users to download a supposed screen-saver called zelig.scr. Flavio Oreglio, one of the stars of the Italian TV show "Zelig", is the author of a book called "The moment is cathartic", and this will have encouraged some recipients to download the malicious program. When the screen-saver was run, the local phone number for accessing the Internet was changed to a premium-rate number based in Aruba, in the Dutch Antilles. When the telecommunications service provider's call logs were examined, it was found that more than 57,000 minutes had been logged on the premium-rate number at an estimated call cost of €104,000, a percentage of which will have found its way to the perpetrators' bank account. If the virus had been allowed to continue, it is estimated that over €1m could have been collected. Funds were first sent to a New York bank account, then transferred via Venezuela before ending up in an account belonging to a ghost company in Aruba.

There is explosive growth in the number of actual computer crime incidents, such as the one described above, being reported. In 2003 the US Internet Crime Complaint Center (IC3) reported 120,000 online fraud complaints through its website, an increase of 60% over the 75,000 complaints received in 2002. Launched in May 2000, the IC3 is run by the FBI and the National White Collar Crime Center, a federally-funded, non-profit organization. The center's website provides cyber crime victims with a convenient route for reporting fraud. IC3 handles a broad range of complaints, including international money laundering, on-line extortion, intellectual property theft and computer intrusion, in addition to identity theft and the usual array of online scams. IC3 has a growing partnership with the private sector and with foreign and domestic law enforcement, and has built a solid foundation to address modern patterns of computer crime. The center is based in West Virginia and employs 70 staff who analyze each complaint, register it in a database and send it on to the appropriate FBI office or local law enforcement agency for further investigation. The objective of centers such as these is to react to crime and put a quick stop to activities which threaten public confidence in what should be the most beneficial technology to mankind.

Alongside the initiatives that help the reporting and investigation of international computer crime, there are complementary initiatives to ensure that those who are involved in criminal or civil proceedings can place matters before the courts with confidence and clarity. The European Commission has recently sought to address these issues by supporting the development of a framework of best practices for practitioners of forensic computing in an internet environment, i.e. Cyber Tools On-line Search for Evidence (CTOSE). The purpose of the framework is to demonstrate that evidence collected from networked computer systems for a particular case is reliable and admissible within the relevant legal systems. This structured approach permits parties to judge more readily how to corroborate matters. The EC project involved all of the larger states of the European Union and also several of the smaller ones, and involved representatives from outside the European Union. The aim was to develop agreed procedures for use by computer experts, leading to the highest possible likelihood that the acquired evidence would corroborate a particular argument and also be convincing and acceptable to outside agencies, such as a civil or criminal court. Attention was paid to respective legal boundaries and to the privacy and security of the persons involved as well as of those investigating. A pan-European viewpoint guided the development, with particular attention paid to legislation in France, England, Italy and Belgium.

The methods employed by data controllers when collecting data about a specific subject, and the rules of evidence, were clearly defined. Methods and procedures of search without polluting a database, and of permitted access for law enforcement services and dispute resolution, were also defined. These issues are of such importance in computer networks because inadmissible evidence is not only of no use at trial but can pollute the subsequent proceedings based on it, thus rendering the proceedings null and void. The CTOSE framework is therefore consistent with the imperative that the collection of evidence must always adhere to the criteria of admissibility, authenticity, accuracy and completeness. The CTOSE framework offers integrated functionality across the whole spectrum of groups which have a stake in the process of evidence handling, be it on the part of organizations, IT, law enforcement or the legal establishment. The framework is based on technical specifications which are license-free, platform-independent, easy to use and flexible enough to adapt to different technological environments and tasks of varying complexity. The CTOSE framework is thus the only framework to be comprehensive across the entire chain of evidence handling, flexible across different types of organisations and portable across countries. It is therefore essential that it quickly gains recognition and acceptance.

2. Practical Issues.

Harmonisation of the CTOSE framework with a common toolset which is easy to learn and accessible to experienced and less experienced users, such as the legal profession, will improve communication within a computer forensic project. The existing toolsets are robust and reliable, but even in experienced hands, without a framework of project support, the findings they produce can be vulnerable. “Dataclinic staff have seen this first hand when handed a police computer forensic examiner's statement to review.” The forensic software had performed correctly and uncovered a file that was considered crucial. The examiner was accredited to use the software, but having recovered the file leapt to conclusions about how the file came to be on the computer in question without carefully building a body of information that supported these assumptions. This small example exemplifies the problem of a lack of current international standards and of a framework for the training of forensic examiners. “Training in a particular software package, although essential, is no guarantee that the examiner has the necessary authority and grounding to prepare evidence for a court of law.” The full context of the evidence is essential, and this requires in many cases a team of experts from different disciplines working together to corroborate the facts.

The new field of forensic computing has developed to different degrees throughout the international community, and this militates against continuity, language being one of the major difficulties that delay and confuse investigations. “The computer forensic investigator is rapidly becoming a man in a suitcase with unreasonable time and budget constraints placed upon him, and I envisage this situation becoming more acute in the foreseeable future.”

Also hampering the international reliability of computer forensic evidence is the lack of acknowledgment by the bodies that oversee the development of practices and standards in the traditional forensic disciplines. None of the Forensic Science Service in the U.K., the National Forensic Science Technology Center in the U.S.A. or the National Institute of Forensic Science in Australia, for instance, covers the field of electronic or computer forensics. It may be that the emergence of this new field has happened so rapidly, and in such a fragmented way, that the existing forensic community has yet to come to grips with it.

However, on the positive side, a number of university Computer Science departments are offering postgraduate courses in computer forensics, which should fill the growing void. The National Institute of Standards and Technology (NIST) has resources that are helpful to anyone interested in the relative fitness for purpose of the forensic computer software and hardware that is available. The NIST computer forensic tool testing program applies a set of standard tests to forensic imaging software. The testing is specific to a particular version or release of a program, and any change to the software version or release requires retesting. The program's website gives clear, easy to understand reports on the forensic imaging software and reports any circumstances in which the software fails and the nature of the failure. When, for example, reading an expert statement or report, the NIST reference enables the legal practitioner to quickly check whether imaging software with any known problems was used and whether the report explains how these problems may have been mitigated. NIST is now also beginning to test, using the same thorough methods, software and hardware that is designed to prevent any changes to the computer disks being examined. At the time of writing this article only the write-block software written by the Royal Canadian Mounted Police had been tested, but no doubt others will follow soon.
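
The kind of check that the NIST imaging tests formalise can be illustrated in code. The following Python is an added example written for this article; it is not NIST's test suite and not a Dataclinic or vendor tool. It models a seized disk as a constructed in-memory device with 512-byte sectors (an assumption), acquires it sector by sector, zero-fills and logs any unreadable sector rather than silently dropping it, then re-reads the source to verify the image and records the image hash. A second, deliberately faulty acquisition routine skips unreadable sectors, which is the class of defect a tool-test report would flag: every sector after the bad one lands in the wrong place and the image hash no longer describes the evidence.

```python
import hashlib
from typing import Callable, Dict, List, Set, Tuple

SECTOR_SIZE = 512  # assumption: 512-byte sectors (constructed example)


def build_device(n_sectors: int, bad_sectors: Set[int]) -> Callable[[int], bytes]:
    """Constructed stand-in for a seized disk: deterministic sector contents,
    with the listed sectors raising a read error as failing media would."""
    sectors = [
        hashlib.sha256(f"sector-{i}".encode()).digest() * (SECTOR_SIZE // 32)
        for i in range(n_sectors)
    ]

    def read_sector(i: int) -> bytes:
        if i in bad_sectors:
            raise IOError(f"sector {i}: unrecoverable read error (constructed)")
        return sectors[i]

    return read_sector


def acquire(read_sector: Callable[[int], bytes], n_sectors: int) -> Tuple[bytes, List[int]]:
    """Sector-by-sector acquisition. An unreadable sector is replaced by zeros
    and its address logged, so the image keeps the source's layout."""
    image = bytearray()
    unreadable: List[int] = []
    for i in range(n_sectors):
        try:
            image += read_sector(i)
        except IOError:
            unreadable.append(i)
            image += b"\x00" * SECTOR_SIZE
    return bytes(image), unreadable


def acquire_skipping(read_sector: Callable[[int], bytes], n_sectors: int) -> Tuple[bytes, List[int]]:
    """Faulty variant: drops unreadable sectors instead of zero-filling them,
    shifting every later sector. Shown only to illustrate the failure mode."""
    image = bytearray()
    unreadable: List[int] = []
    for i in range(n_sectors):
        try:
            image += read_sector(i)
        except IOError:
            unreadable.append(i)  # logged, but nothing written in its place
    return bytes(image), unreadable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(image: bytes, read_sector: Callable[[int], bytes], n_sectors: int,
           unreadable: List[int]) -> List[int]:
    """Re-read the source and list every sector whose image copy differs.
    Sectors logged as unreadable are excluded from the comparison."""
    mismatched: List[int] = []
    skip = set(unreadable)
    for i in range(n_sectors):
        if i in skip:
            continue
        try:
            expected = read_sector(i)
        except IOError:
            mismatched.append(i)  # readable during acquisition, not now
            continue
        if image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] != expected:
            mismatched.append(i)
    return mismatched


def acquisition_record(read_sector: Callable[[int], bytes], n_sectors: int) -> Dict[str, object]:
    """Acquire, verify, and return what an examiner's report should carry."""
    image, unreadable = acquire(read_sector, n_sectors)
    mismatched = verify(image, read_sector, n_sectors, unreadable)
    return {
        "image_sha256": sha256_hex(image),
        "sectors_total": n_sectors,
        "unreadable_sectors": unreadable,
        "mismatched_sectors": mismatched,
        "verified": not mismatched,
    }


if __name__ == "__main__":
    disk = build_device(64, bad_sectors={5})
    record = acquisition_record(disk, 64)
    print("correct tool :", record)
    bad_image, logged = acquire_skipping(disk, 64)
    print("faulty tool  : sha256", sha256_hex(bad_image))
    print("faulty tool  : mismatched sectors", verify(bad_image, disk, 64, logged))
```

Run as a script, the correct acquisition verifies with sector 5 logged as unreadable, while the faulty one fails verification for every sector after it. A report that carries the image hash, the sector count and the list of unreadable sectors lets a reviewer tie the image back to the source and see how read errors were handled, which is what a practitioner reading an expert statement alongside the NIST results would look for.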

When selecting the right company to handle a forensic investigation it is essential to choose one with global expertise and extensive resources. The company must also have skilled technologists working alongside experienced investigators and project coordinators, preferably with a good working knowledge of the law. “Forensic Computing involves sensitive and delicate issues that must be handled discreetly and carefully with professional integrity of the highest order; this can never be understated.”

Darren Michael BSc.
Smart Card Security Consultant
Senior Electronic Forensic Examiner
Email: darren.michael@ieee.org
Phone: +44 (0) 870 742 4008

http://www.dataclinic.co.uk
---