Computer forensic analysts - the consulting detectives of the digital world - are in big demand as computer-related evidence proves increasingly critical in solving crimes.
In the days of Raymond Chandler’s wise-cracking sleuth Philip Marlowe, the proverbial “smoking gun” was a trail of physical evidence. Now, due to the proliferation of computers, mobile phones, PDAs and lately iPods, that trail often includes a good deal of digital evidence. Sometimes a deleted e-mail or Internet bookmark, retrieved by experts from the hard drive, is the key to getting a conviction.
In South Dakota in 1999, for example, a woman was found drowned in her bath. An autopsy showed a high level of the sleeping pill Temazepan in her bloodstream. It looked like a typical suicide - until investigators took a close look at her husband’s computer. It turned out he had been researching painless killing methods on the Internet and taking notes on sleeping pills and household cleaners. Armed with that evidence prosecutors were eventually able to put him behind bars.
Law enforcement agencies across the world are realizing that computer-related evidence can prove crucial in catching all kinds of criminals, not just hackers. That’s why they are scrambling to hire officers skilled in computer forensics, the discipline of collecting electronic evidence. Here in Britain, the Metropolitan Police is currently advertising for new recruits in the field.
“Successful candidates will be involved in the analysis of computer-based media, advising officers on their findings, and giving evidence in court,” the recruitment team says. The qualifications required for entry level are degrees in computer science and/or information security. In America, the FBI manages and funds a growing number of computer forensic labs and is also looking to recruit more personnel. In 1984 the bureau’s “Magnetic Media Program” handled a total of three cases; last year, its labs handled more than 1,500 cases and trained more than 2,000 personnel.
Growing marketplace
There is also a good deal of scope for both skilled and budding computer analysts (here and in the U.S.) outside of police forces and government agencies, as now a large percentage of computer forensics work is outsourced due to increasing demand.
“The whole marketplace is growing exponentially,” says Andy Frowen, forensics director at CCL-Forensics, a Warwickshire-based firm supplying computer forensics services to ten police agencies across the UK. “There are two reasons for this growth - one, more and more people own PCs and are connected to the Internet, and two, the police are becoming increasingly aware that these devices can be used either to commit or facilitate crime.”
In the past, police would typically seize computer systems in connection with suspected pedophile or hacking offences - crimes committed on a computer. “Today,” says Frowen, “they seize computer systems in murder, rape and fraud cases where you wouldn’t normally equate the computer with the crime. Since computers are now such a part of everyday life, almost every crime at some point touches a computer.”
Imaging
Regardless of the nature of a crime, it is crucial to ensure the evidence stays intact - just like at a physical crime scene. This is why digital forensic examiners never work directly on suspects’ computers.
“Every time you look at a file on a computer, it changes - the date stamp, for instance, would register the day and time you opened the file, thus contaminating the evidence,” explains Neil Barrett, professor of criminology at the Royal Military College of Science, Cranfield University, and author of “Traces of Guild” (Corgi 2005). “We preserve digital evidence with a method known as imaging or freezing. A suspect’s hard drive is removed and put in a computer that is ‘write blocked’ and can’t write to the disk. A forensic image is then taken of that hard drive - an exact clone which can be examined to see whether it contains any incriminating evidence.”
The most widely used forensic software for viewing the contents of a cloned hard drive is EnCase, a proprietary Windows program that has been described as “the most court-validated software on earth.”
The key mantra for those in the computer forensics field is: delete doesn’t mean gone. Deleting a file, emptying the recycle bin (“trash can” on Macs), or even re-formatting your hard drive, will not necessarily get rid of information - or evidence. This is because computers continue to retain data even after it has been emptied from the recycle bin. This data, stored as hidden files, will only leave the system when the space it occupies gets overwritten by a new file - considering the average hard drive is now at least 40 gigabytes or more, overwriting a file could take years.
Not surprisingly, software is available commercially that both deletes and overwrites data in one swoop. One such program is the Privacy Suite from CyberScrub, which claims to “remove all evidence of our online activity, erase previously ‘deleted’ files, and securely destroy e-mail.” Programs like this do have legitimate uses. Sensitive data, such as passwords, bank details, tax and health records, even if deleted, would be at risk if you sold your computer or if others gained access to it. In one highly publicised example, the hard disk of a computer discarded from a high street bank was found to have the banking details of Sir Paul McCartney, including account number, sort code and balance.
Fragments left
Criminals can use this type of software to cover their tracks too. The only problem is it is time consuming.
“Erasing all tracks and traces using file wiping software can take around four or five hours, which makes it less attractive to criminals because they are put out of action for that time,” says Chris Vaughan, senior forensic analyst at Manchester-based computer forensics firm CY4OR. “And to remove everything the file wiping software has to know exactly where to wipe. If it doesn’t get this right, traces and fragments will be left, which can be pieced together like a jigsaw to provide an idea of the whole picture.”
So are criminals fighting a losing battle or are they getting one step ahead of the law?
“It’s rather bizarre,” says Neil Barrett, whose digital evidence gathering has led to numerous criminals being brought to book, including Paul Gadd (aka pop star Gary Glitter) who was convicted for child pornography activities. “The criminals should be one step ahead of us because all they need do is encrypt their files and we wouldn’t be able to get at them. Yet the people we catch rarely do this, even though encryption software is easily available. Maybe we’re only catching the idiots.”
Counseling
While computer forensics is used to gather evidence in a whole range of criminal activities, it is most commonly used in cases of child pornography. Which means forensic analysts have to look at images which could send even the most together person over the edge.
Emma Webb-Hobson, another forensic analyst on the team at CY4OR (and one of the few women computer forensic analysts), says she copes by cutting her mind off from the subject matter: “You put yourself in the zone, so you aren’t concentrating on it. You just get it done. The comforting factor is you are helping to stop this kind of crime.”
Unsurprisingly, seeing a counselor twice a year is mandatory at CY4OR. “Even if members of staff are feeling fine and dandy, they still have to go as part of our health and safety rules,” says Joel Tobias, managing director of CY4OR.
Because computer-related evidence is becoming a key part of evidence gathering, all those involved in the legal process need some level of technical knowledge. Neil Barrett, however, says that in his experience judges and juries are unprepared for digital evidence. In the Harold Shipman case, for example, the doctor had modified evidence on his computer, but was caught out by the date stamp on the records.
“That obviously requires a jury to understand what a date stamp is and how it can and can’t be modified. That requires someone who is an expert in computer technology to provide an interpretation in plain, non-technical English.”
Protect your innocence
And according to Jeff Fischbach, a Los Angeles-based computer forensic analyst who has worked closely with the LA computer crimes division of the FBI, a major downside in the current growth in digital evidence gathering is more people are being falsely charged than before. He points to one client who was charged with possessing child pornography on his computer. By analysing his hard drive, Fischbach was able to determine the images came from spam and pop-ups and not through any intentional effort on the part of the defendant.
“The shame of it all was that it never needed to happen. The man was in the last three years of his career and he spent his entire life savings defending himself, and nobody’s going to give it back to him. His wife and kids left him. But that’s what he had to pay to defend himself against a mistake.”
With the prevalence of spam and pop-ups, what can the innocent person do to protect themselves in the event that their computer is seized and analysed by police?
“Law enforcement agencies ask us to look for signs of intent - did somebody run multiple searches on Google for ‘child pornography’ or did they open and view an illegal image hundreds of times,” says CY4OR’s senior forensic analyst Chris Vaughan. “So the advice to anybody who accidentally gets a pop-up is to close it instantly and if possible delete the Internet cache. The same goes for spam that gets through spam filters - delete it. This will show that you didn’t want the material on your computer and that you didn’t look at it for longer than you needed to.”
The field of computer forensics is constantly evolving to keep pace with the new devices coming on to the market. Any device that can store data - be it a smartphone (mobile phone and PDA combined), iPod or even an Xbox - can be used to harbour indecent images, illegal software or fraudulent documents.
Criminals keen to take advantage of these new technologies, however, should take into account the words of US computer forensics expert John Mallery: “The only secure computer [or digital device] is one you never turn on, and you bury in the ground, six feet deep and cover with dirt.”
Jimmy Lee Shreeve
Box out possibilities
Bank robbery
At the site of a bank robbery in the US, investigators recovered demand notes that were written using a notepad application. Examining one suspect’s computer forensic analysts found that the thief had been careful to delete the files. Looking deep into the hard drive, however, they were able to find copies of the notes that were automatically made by the printer.
Computer forensics made a little too easy
Recovering digital data is not often a clean and simple task. But according to American computer forensics expert John Mallery, criminals do sometimes make it easy. “A methamphetamine dealer actually documented all of his sales on an Excel spreadsheet: name, customers, what they purchased, when they purchased it. Very good for law enforcement!”
Further information
Computer Crime Research Centre
Cybercrimes - University of Denton School of Law
About Jimmy Lee Shreeve
Jimmy Lee Shreeve is a writer and journalist living in Britain, but writing for newspapers and magazines around the world. He is author of a cult bestseller set around hoodoo, blues and rock and roll, published by St Martin’s Press. And is currently writing a true crime title called “Blood Rites,” which investigates the growing numbers of ritualistic murders, carried out by shamans and religious extremists, that have occurred in recent years in Africa, South America and even in England, Ireland and the U.S. Discover more at www.jimmyleeshreeve.com.