Everyone has felt the effects of the ‘Credit Crunch’ and the resulting recession, with ever-tightening budgets forcing people to rethink their working strategies and to ‘trim the fat’. Whilst the recession has had greater and lesser effects within different industries, heads of Hi-Tech Crime Units dealing with computer forensic investigations have been faced with holding smaller purses to address and combat constantly evolving digital crime, whilst trying to reduce backlogs, prioritise high-risk cases, keep staff adequately trained and software up-to-date, and maintain staff morale in what is already a difficult enough job.
In recent years, some Hi-Tech Crime Units have turned to ‘factory forensics’ to tackle the issue of far more work coming in than going out, which has seen investigators solely identifying indecent images of children in order to complete their computer forensic examinations. This has certainly resulted in a reduction of backlogs, however questions need to be raised regarding the quality of the investigation. This is by no means a slight on the skills of computer forensic investigators, who are under increasing pressure to produce results in far quicker times than before. Rather it is a question of whether or not all necessary avenues of investigation are being followed in order to secure an unbiased, honest result.
Is it enough to say that a computer contains indecent images of children?
The answer, unfortunately, is no. Hi-Tech Crime Units can no longer rely on simply stating indecent images of children are present on a computer or other medium, with the hope that that statement will secure a conviction. It is vital to at least attempt to identify the origins of these images and the reason for their presence, especially those found within locations not normally associated with manual user activity (i.e. My Picturesfolder, or user-created folders, etc).
This is where the dilemma of money versus time comes in; heads of Hi-Tech Crime Units need to strike a balance between a realistic amount of time that can be spent on a computer forensic investigation and the depth to which that investigation goes, in order to ensure the facts are identified and appropriate action can be taken.
More recently, some forces have taken to previewing exhibits (sometimes on-site) as a means of triage. In some forms this involves removing the hard drive from the suspect machine and connecting it via a write-blocker to a forensic workstation. The drive is then ‘previewed’ through computer forensics software (for example with C4P software) for the presence of relevant material, removing the forensic acquisition stage. In cases where no such material is found, the equipment is returned to the owner.
This has seen an even more dramatic decline in backlogs, however the steps taken during these previews to identify material of relevance to the investigations need to be considered carefully. Is evidence being overlooked, and if it is, is it enough to result in the wrong conclusion?
When entering into a situation where previewing is going to be utilised, it is vital that the computer forensic investigator goes prepared and informed (at least as much as possible); after all, the purpose of previewing is to quickly identify relevant evidence, thus giving the investigator a reason to seize the exhibit in order for a full and thorough computer forensic examination to be conducted. Going unprepared and with no idea of what to expect totally negates the purpose of previewing.
Chris Pogue’s blog contains links to his paper ‘Sniper Forensics’, presented at Defcon 18, where he discusses the importance of planning and preparing for an examination, and focussing examinations on key areas, rather than using ‘Shotgun Forensics’ and looking at everything.
As our real lives become more integrated with our digital presence, the requirement for computer forensic investigations increases, the evidence derived from which can often be vital in securing a conviction or proving innocence. Given the nature of the type of material in which this commonly involves and the impact on the lives of people in which an allegation alone can have, it is crucial to ensure that any such material has been investigated rather than simply identified.
