The UK's top e-cop believes the forensic backlog in seized IT kit poses a serious risk to ongoing criminal investigations. Deputy Assistant Commissioner Janet Williams, the national lead on e-crime for the Association of Chief Police Officers (ACPO), also sees the situation as unfair to those having to wait ages to get their …
no shit sherlock
about fucking time... had mine nicked a few years back - took them 9 months to figure out there was nothing on them and return them to me.
I know wheels turn slowly but christ.
I've been involved in and written commercial forensic software in the past. It has a lot in common with data recovery software (which funnily enough I also wrote).
A simple triage tool is going to be like a simple data recovery tool - we got a lot of recovery work off those things.
Some forensic software used to activate alarms just because a file extension was wrong. A classic was WordPerfect users. We actually won a couple of cases as the defense because we pointed out that there's nothing wrong in having a 'binary' file with an extension of .DOC. It just means that the software that the plods used didn't recognise the obsolete file format.
Forensics and DR /both/ need skill and intelligence to guide the software. Rely on some algorithm or - God forbid - heuristics and anything could happen.
Hope the copper knows not to touch the computer?
When I was burgled, the two attending fuckwits managed to touch both door handles on two doors multiple times even after it had been pointed out to them that everyone else in the house had managed to avoid doing so. As it took two days for someone who was qualified to spray said door handle with a can and then take a picture of it, it didn't really make much difference. It shouldn't be necessary to say that the burglar was never caught.
is probably all child porn cases. A triage tool will be simply looking through the filesystem hashing as it goes and checking the hashes against a database.
All fine and good as long as the hash databases are current, the files are not encrypted or in a format that the software doesn't understand; if not then stuff is going to get through.
"...Williams explains that there is a forensic backlog because more and more detectives and officers are seizing computers, and wanting to view what's on them in order to obtain evidence and intelligence. “Particularly in child abuse child pornography cases, there is most definitely that need,” she says..."
Yep, seizing PC's to look for CP is Top of the Pops round the Cop Shop. Look hard enough on 98% of average PC's and you can probably find something worth incriminating somebody with - and the cops know it. Funny how Ms Williams seems to put CP above all other forms of computer crime, though - one might imagine massive financial fraud, or perhaps even terrorism, might pique the interest of forensics just as much..? Apparently not.
I think we all understand now that if you are unlucky enough to get your PC/laptop/storage device confiscated by the rozzers you're almost certainly f*cked, whatever you may or may not have done online. Just the act of having a PC taken is enough to ruin you professionally and socially. Powerful stuff, this pre-crime policing.
Anyway, this is all just a PR softening up before the UK Forensics Service gets privatised - check out Private Eye, who've been anticipating just such a move for a while now.
The lady who
seems to do all the work speaks again; "but there might also be part of that which contains all your banking details, your diary etc." Which is what they are really after.
Lies, damn lies, and forensics.
Perhaps if IT-dyslexic plods weren't so keen on confiscating PCs at the drop of a hat in the first place, presumably in the hope of a cheap pinch, they wouldn't have such a backlog.
I'm sure that forensic examination of PCs is a necessary and sometimes vital part of the investigation of serious crime. I'm also convinced that this applies in a much smaller percentage of confiscations than the police would have us believe. Having had some small experience of forensic "experts" (many of whom I wouldn't trust to post a letter) I can't say I have much confidence in the results either.
Quick appoint a commissioner
"...new surveillance commissioner..."
I love that, there is a problem, people are complaining, and what happens is the minister involved will appoint a commissioner. That commissioner will 'represent' the complainants, he is the proxy the minister deals with instead of the complainants.
The commission deliberates, then produces a report saying "it's all good, no real problem", and the minister is off the hook.
The same trick is used when a right is conferred by an EU directive to remove that right from UK law. A proxy is used to take the right away from the person and give it to the Ministerially appointed toady commission.
Look, they seize computers where they wouldn't do a full search of the house. So it's an opportunistic crime, a fishing expedition. A computer is a collection of so much information in a neatly confiscatable package and so of course they will grab it. I don't think returning property ever enters into it, there's no requirement to return it in a time limit, so why would they bother!
The addition of Jacqui Smith's laws means that a) they can prosecute simply by finding a dirty picture of consenting sex if they can claim it's extreme, i.e. all men's computers. b) they can demand, or pretend to demand the decryption of anything without justification. So you can't protect your privacy right without committing a crime.... of protecting your privacy right!
It's a total power rush for them and it's completely legal!
It's not like that Hampstead Deposit Box Heist where they needed diamond tipped drills and had to go shopping around for a naive judge! It's not like they had to hand back almost all of their £51 million haul either.
They get to grab a neatly packaged box of data for every crime, no matter how petty or unrelated, they get to fish for a conviction, no matter how unrelated and it's just so much easier than tackling crime!
Also WTF were the police doing acting for BSkyB in this case?
That's a civil matter, it's for BSkyB to sue the pubs for showing a football match from an overseas satellite feed, not for police to seize their kit as a criminal matter.
They flag up renamed extensions? That used to be my favourite trick for hiding stuff ...back when I was 8yrs old =p
But good to know all the same.
There is no one size fits all tool that can help the police. I can certainly see the need to take away computers, and I can see having the PC with all your email/files taken away would be a hindrance for that person.
But what's the solution? Getting the person's PC back ASAP (intact) is surely only going to help the guilty commit more crime. Getting the PC back sans data is no better than not having the PC, surely?
But this magic tool, it simply won't work effectively. That won't stop some dishonest company saying it does and fleecing the IT illiterate people making this decision.
The scale of the problem is just too large. Can I rename my jpgs to mp3 and a simple filename scanner will miss it? Let's say the tool clones a PC's hard drive for evidence, so if I RAID up a few 2tb discs, what are they going to do with my 10tb volume? Factor in hiding data via encryption, or physically hiding a USB key somewhere ingenious, and it's obvious there is no quick fix and a proper investigation will take time/effort/intelligence.
I'm afraid the only way to deal with this fairly is to take away the suspect PCs and process them quickly, professionally, and in a manner that will hold up in court. They should not waste resources chasing the magic tool, and instead dedicate that cash to hiring more people, more space and going 24/7 if need be.
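The hash-lookup triage described earlier in the thread, and the limits commenters raise (renamed extensions, obsolete formats, encryption, an out-of-date database), as an added example that is not part of any comment or of any real forensic product. The signature table, file names and sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Leading "magic" bytes of a few formats, and the type each extension claims.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf", b"ID3": "mp3"}
EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf", "mp3": "mp3"}


def sniff(head):
    return next((k for m, k in SIGNATURES.items() if head.startswith(m)), None)


def triage(root, known_hashes):
    """Walk root; report (name, reason) for each file a human should look at."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            digest = hashlib.sha256()
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(16)
                digest.update(head)
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            actual, claimed = sniff(head), EXTENSIONS.get(ext)
            if digest.hexdigest() in known_hashes:
                findings.append((name, "hash-match"))  # content known, name irrelevant
            elif actual and claimed and actual != claimed:
                findings.append((name, "extension-mismatch"))
            elif actual is None:
                findings.append((name, "unrecognised-format"))  # not evidence by itself
    return findings


def demo():
    # Constructed sample data: a stand-in "known" file and the cases from the thread.
    known = b"\xff\xd8\xff" + b"constructed sample body"
    known_hashes = {hashlib.sha256(known).hexdigest()}
    samples = {
        "holiday.jpg": known,  # exact copy of a known file
        "song.mp3": known,  # same bytes, renamed
        "new.mp3": b"\xff\xd8\xff" + b"not in the database",  # unknown JPEG, renamed
        "letter.doc": b"\xffWPC" + b"old memo",  # WordPerfect header under .doc
        "locked.jpg": bytes(b ^ 0x5A for b in known),  # XOR stand-in for encryption
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return dict(triage(root, known_hashes))


if __name__ == "__main__":
    print(demo())
```

The WordPerfect file and the encrypted file land in the same "unrecognised-format" bucket, which is why that result can only queue a file for an examiner and cannot be treated as a finding.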
"And does every copper know not to touch a computer if they don't know what they're doing? “I would hope so"
Ummmm - no they don't. Seriously - they don't.
As a result, there are numerous PCs in the backlog that have not a snowball's chance in hell of being used as evidence in any court case. They just don't have the trained personnel they need, and they are unlikely to be able to get what they need as insufficient funds are being provided.
"But what's the solution? Getting the person's PC back ASAP (intact) is surely only going to help the guilty commit more crime. Getting the PC back sans data is no better than not having the PC, surely?"
Take a snapshot, return the original computer. If it wasn't worth investigating with urgency there is no urgent issue there that warrants holding the computer. If there is some urgency, then put it the top of the list to investigate it before returning it.
Of course that then leaves the problem of the snapshot, to which I say, if you don't get a prosecution, you don't have the right to retain it and the snapshot should be deleted.
How many of these PCs are simply taken away on a phishing exercise? You'd never get a search warrant on the basis of "let's have a butchers and see what we can fit them up for", on the other hand in the current police state we live in...
Anyway, can't they just clone the hard-drive and then hand the PC back?
Let them carry on with their lives?
"If we can extract what we require and at least let them carry on with their lives, surely we should be looking to do that.”
So Plod are thinking about maybe possibly graciously permitting people who have not been convicted of any offence (and may well be entirely innocent victims of a police fishing expedition) to carry on with their lives? As a special concession? How terribly generous of our almighty masters to do this for us humble peasants.
Actually, Rupert visited the EU Commission in 1997, just before they were about to review a report on monopolies in European media. Funnily enough, they then announced there was no problem with News Corp's various holdings around Europe and in the next breath they announced that piracy of satellite media would be a new criminal offence. That's democracy at work!
"Of course that then leaves the problem of the snapshot, to which I say, if you don't get a prosecution, you don't have the right to retain it and the snapshot should be deleted."
I assume the snapshot will be deleted at the same time as the person's DNA is removed from the PNC ??????
Sudden outbreak of common sense?
I don't agree that it was alright to just seize everything and sit on it indefinitely ten years ago if it isn't now. But then I'm biased. Just image all storage bit-for-bit and record what hardware is in use. That should do it, for I would indeed expect a forensics lab to be able to deal with most common hardware of the last ten years or so. The thing about computing is that copying data is essentially free, and the thing about forensics is that they're apparently at least two decades out of date in just understanding the technology. And with the latter, they are doing essentially everybody a disservice.
She is not a top e-cop, she is the representative of an extreme right wing pressure group / private company that abuse their position to rip off the taxpayer and influence weak, spineless ministers, whilst topping up their generous salaries as "public servants" with payments from ACPO.
Not that I'm anti-ACPO but it should either be disbanded or all the coppers that are shareholders / spokespersons dismissed from their respective forces due to conflict of interests, as the old saying goes, no man can serve 2 masters.
Bill to the rescue?
Microsoft might be the solution provider. Google for "Microsoft COFEE".
Snapshots and Triage
This is a match made in heaven for the chronically stupid.
So you take a snapshot and return the equipment. Probably not the right thing to do if I have bomb diagrams, but kiddie porn, seriously. Real deal here folks, the police said so, and my prices just went up!
So let's try Triage ... which deletes, instead of redacts meta data as it should. This leaves holes that beg some really first class detective work, connecting dots and so forth. It also leaves the Authority Problem. It is easy to fill in "blanks" from another source, provided your friendly DBA in charge of Triage has left you enough "blanks" when he should have told you they were nulls; or not. If any prosecutor can indict a ham sandwich, then any computer set up for Triage can produce peanut butter and jelly to take the rap.
A picture to engender confidence.
The Mugshot of Janet Williams hardly inspires confidence although she might scare off people she meets with.
I love all this security as it makes people alert to just how nosy civil servants, police and governments are. It also lets their intended victims, the innocent computer owners, check out the alternate methods of storing data, which are the best encryption programs, etc.
Get out of UK and US mailboxes and don't bookmark or autofill usernames/passwords, either. Use browsers such as NoTrax so there is nothing to trace.
Dual booting is good with Wincrap for the cops and a hidden access to the other partition for the working OS.
Police electronic forensics
Your story about "Police sitting on forensic backlog": Hampshire Constabulary have an in-house forensics facility at Netley in Hampshire. They have an enormous backlog of computers (mine included). This backlog has in my opinion been deliberately created, because Hampshire Constabulary choose to send all electronic forensics work there, to save money I guess, but they can and are allowed to contract out work to other facilities, but they choose not to. I have heard of a man who after 12 months had to hire a lawyer to have his mobile phone returned; this situation is a disgrace. Also, all of the people with computers at Netley are on police bail. PACE states that police bail is used while further enquiries are made. I feel that a computer sitting on a shelf for months on end is NOT making further enquiries. I believe that the police are abusing the bail system. Steven Say
Deliberately made backlog? Oh Yes!!!
Hampshire Constabulary have an in-house electronics facility at Netley; there they have a mountain of computers (including mine) awaiting inspection. They CAN outsource work but they won't, so the mountain gets bigger. They could reduce the backlog overnight if they wanted to, but to save money and piss everyone off they won't do it. P.C. politics gone mad. One person had to hire a lawyer to get his phone back 12 months after having it confiscated. ALSO most people with computers awaiting inspection are on police bail. PACE states that police bail is for them to conduct further enquiries. WHAT enquiries? Is that what a computer on a shelf means? Don't think so. I believe the police are abusing the bail system.
List of subversives
"Rely on some algorithm or - God forbid - heuristics and anything could happen."
Damn right. I'm no expert on this sort of thing, but the notion that my liberty might be in the hands of the same sort of script that supposedly 'protects' me from spam emails would be terrifying.
"but there might also be part of that which contains all your banking details, your diary etc." Which is what they are really after."
Of COURSE they are... Because out of sixty-odd million people, your life is just THAT important...
Don't get me wrong: I don't deny that Labour have come up with some fairly scary general surveillance powers. That's a problem, and one it's right to highlight. But Know Your Enemy. Respond to real threats, not imagined ones. Think about it: the public complain incessantly about how the lack of police resources means they can't respond with blue lights and sirens to every complaint of 'nuisance youths' (read: children and teenagers playing or hanging out in a public street); yet that same public is more than happy to take it as read that the police are obsessed with obtaining, analysing and storing every last detail of each of our lives. Presumably there are actually a lot more police than 'They' will admit, but they're all being hushed up and kept busy in secret bunkers trawling through all this data?
Do you honestly believe that the average street bobby cares that much about your niece's wedding photos or your Christmas card list?
@ Steven Say:
"Hampshire Constabulary ... CAN outsource work but they won't so the mountain gets bigger they could reduce the back log overnight if they wanted to but to save money and piss everyone off they won't do it"
'Outsource'? So privatisation of the criminal justice system's a *good* thing now?
Incidentally, there are a lot of references around here to 'child porn'. Call me fussy, but I personally go with the notion that there's no such thing as 'child porn'. 'Porn' is short for 'pornography', and it can be anything from cheap titillation to art. What's being referred to here is the violent sexual abuse of children, and it's nothing whatsoever to do with 'porn'.
Reply to Mithvert.
Nobody is saying that privatisation of the criminal justice system is a good thing, but the police have always been able to use private companies to examine computers and they do just that when they want to. What is important here is that innocent people are being deprived of their property and being kept on bail for long periods of time. Surely it makes sense for the police to take urgent action and do whatever it takes to clear the backlog, even if that does mean using private companies, or should we all sleepwalk into a police state where they can get away with treating the public any way they want to?
Life imitating art?
Good to see stereotypes being conformed to: http://happyasamonkey.wordpress.com/2009/11/11/computer-forensics-in-the-geek-press-a-taxonomy/
Happy as a monkey? Put your peanuts down and get on with removing the pile of outstanding forensic work waiting for you.