Almost monthly the news includes a press release from CEOP or the National Crime Agency relating to unlawful images and the individuals attempting to find such material. The Government has also recently publicised a policy in which Service Providers automatically block the ability for the user to access pornographic websites under the proviso that, rightly or wrongly, this will prevent children from accessing such material and will prevent adults, if they were so inclined, from accessing unlawful material.
Clearly, increased attention and the development of new detection techniques by the authorities will allow for the identification of such material on the Internet which would, in turn, lead to investigations by those authorities, often resulting in the seizure of computers and/or mobile phones from a suspect’s home.
However, the mere presence of an unlawful image on a computer or mobile phone is commonly becoming the only evidence used to form criminal cases involving such material or to support other Charges. Significant issues, such as, how they had been created are being asked, if at all, far later in the Court process. The presence of an image does not necessarily mean that the user had deliberately created it.
Having been involved in the examination of computer evidence, predominantly within legal cases, for over 12 years and experiencing the expectations of working both within a Hi-Tech Crime Unit of a Police Force and as an independent computer forensic investigator and Expert for Athena Forensics, I have seen the increase in use of digital evidence within criminal cases and the changes of the quality of the evidence that is relied upon over that time and, as a result, there is a continual movement from an original ingrained process whereby an Examiner would manually review the material in front of them to automated software based processes where the Examiner simply has to wait for results to be produced for them.
Almost all of the cases involving unlawful images are based upon the initial findings of the examination of the computer evidence by Police. Clearly, these initial findings are critical to the decision as to whether charges are made against an individual as well as what Charges are brought. However, the level of detail to which evidence is initially examined by Police is frequently lacking.
As an example, due to budgetary constraints and to reduce the backlog faced by Hi-Tech Crime Units, it has become frequent for software named C4P to be used by Police forces. This software automatically scans all data on a hard drive and identifies images, thereby reducing the amount of manual work involved in completing the examination of a computer. Where such an examination may previously have involved the manual review of many thousands of images, this process removes that need by comparing images on a hard drive against a database of ‘known’ images (images previously identified by that Examiner) by the software and, in the event of a match, that image is highlighted as being relevant or unlawful.
However, whilst the use of this software enables the ability to identify potentially unlawful material more quickly, there is still a need to carry out some manual tasks, including:
- The review the material identified to confirm its relevance.
- The requirement for the C4P database to be accurate and correct.
- The images present on a hard drive will still require review or material that is not contained within the C4P database will not be identified.
It is apparent that consideration, other than the existence of the images, is not being fully conducted. Questions such as the location of the images on the hard drive, notably, whether they were located within system/hidden directories or whether they were located within user defined areas of the hard drive, the time/date of creation of them or the origins of them or any other number of possibilities are not asked.
Therefore, individuals can be faced with charges that have resulted from the mere presence of images identified by automated software with no consideration or investigation as to the significance of those images by an Examiner.
One such case was one that I was instructed in earlier this year. A significant number of images had been identified by the Prosecution within backup files on one computer of several that had been examined. The material had been identified through the use of C4P and the report findings and material based upon the results of the use of that software. No further action had been taken and no further investigation of the images or other files on the hard drive had been conducted. The images were used to support other allegations that had been made against the Defendant.
A review of the computer evidence confirmed the presence of the material that had been identified using the C4P software and, whilst the content of a number of those images were highlighted as being questionable (e.g. the ages of the individuals and the nature of the images themselves), the examination also revealed the presence of a significant number of lawful pornographic images that were also contained within the same backup files. Evidence was also identified to confirm that those images had been copied to the hard drive at the same time and had originated from the same source. The Charges relating to those images were later dropped by the Prosecution prior to Trial.
Normally, the identification of evidence requires that any evidence has been investigated in order to determine its significance. Even if the Defendant accepts responsibility for the creation of images any number of processes can result in the duplication of images. For example, different system processes on a computer can result in the files, including unlawful material, being duplicated which is then reflected within the Charges. The duplication of files on a computer is not necessarily a manual action and can take place without any user interaction and once properly investigated can result in them being removed from the Charges, greatly affecting the sentencing outcome to reflect the actual actions and offences committed by that individual.
The simple instruction of an Expert can cause the Prosecution to review their findings and on occasion within the last 6 months, after months of investigation by Police and Charges being brought, that reconsideration has resulted in the Prosecution case not proceeding even before the computer evidence has been disclosed to us.
Due to the increased pressure on Police Hi-Tech Crime Units, further measures are being undertaken to process evidence more quickly. For example, the initial examination of evidence is now commonly being conducted within local Police Stations by relatively untrained Officers whose line of work is not normally the examination of computers or mobile phones.
Currently, it is normally the case that if any evidence is identified on a computer then it is then referred to the more specialist department, however, clearly, there is a danger that potential cases will currently be missed and it would not require too much imagination to presume that further developments would result in the additional work being seen as unnecessary. This already occurs with the evidence retrieved from mobile phones whereby generic techniques are adopted which results, on occasion, with significant material not being found.
Unfortunately, whilst there is a focus on highlighting, removing and identifying unlawful material on the Internet by authorities, those who face the challenges of examining and presenting evidence within any cases that occur as a result and the lawyers themselves are being driven to reduce costs in the ensuing legal process. These budget reducing attempts are already resulting in procedures being accepted now that were not previously and this will impact the presentation and investigation of computer based evidence. Meaning that whilst some cases will be missed others will be brought about wrongly or incorrectly which, surely, simply moves the cost of rectification elsewhere within the legal system.
Written for the Barrister Magazine by our Expert Matthew Jackson,
Director, Senior Forensic Consultant and Expert Witness at Athena Forensics