Computer Crime Research Center

Footprints on the disk

Date: February 06, 2004
Source: Guardian Unlimited
By: Guardian Unlimited

Computer-derived evidence has become a feature of court proceedings. Ed Halliwell spoke to an expert whose job it is to interpret the findings for a jury

Provisions for computer-derived evidence have been part of English law since 1968, but it was not until last year that the potential impact of information technology on court proceedings became widely apparent.
The two most notorious judicial processess of 2003 - the Hutton inquiry and the Soham murder trial - both depended heavily on the intricate analysis of such material (email and mobile phone records respectively), and blow-by-blow coverage of each flagged to the public how effective computer forensics has become.

The mathematical precision of digital evidence is perfectly suited to the "who, where, when and what" requirements of judicial proof, and such is the proliferation of IT technology that it would now be unusual in a major investigation for no evidence of this kind to be submitted.
However, one of the problems facing courts is that the inner workings of computers are still a mystery to most people, including judges and juries. In most cases involving computerised records, the evidence has to be interpreted by an expert witness.

Neil Barrett is one such expert, a former computer science lecturer (he was appointed at the age of 22) who now works with the police to examine and recover "deleted" information from suspect computers, verify its accuracy and interpret it for the courts.

"The use of computer evidence is growing at an exponential rate," he says. "Mobile phone call locations and times, evidence related to emails that have been exchanged, or research carried out on the internet planning say, a jewellery shop robbery, all involve computerised records - and then there are out-and-out computer crimes, such as downloading paedophile material or hacking."

Barrett says that in his experience, judges and juries are unprepared for that type of evidence. For example, in the Harold Shipman case, the doctor had modified evidence on his computer but was caught out by the date time stamp on the records. "That obviously requires a jury to understand what a date time stamp is and how it can and cannot be modified. That requires someone who is an expert in computer technology to provide and interpret those contents for a jury."

Increasingly, computers seized from suspects act as a virtual crime scene. Many offenders remain unaware that internet usage leaves footprints that can be traced, and that files, emails and images can be recovered even after they have been "deleted". The diffiicult part of Barrett's job is not recovering the evidence, but wading through the material to find what is relevant. "We're looking at the whole contents of the hard disk - all the existing files and all the deleted files, and when you consider that one 1.4Meg floppy disk produces 500 sheets worth of A4 - a Jeffrey Archer, we call it in the business - you can imagine that a 20 or 30 gigabyte computer disk would produce several lifetimes of reading material. You've got to know how to express the search terms to find just what you want."

Barrett's evidence has helped convict murderers, armed robbers, hackers and paedophiles: his highest-profile job was investigating the contents of a laptop belonging to Paul Gadd (aka Gary Glitter). "The question we had to answer there was: 'Could the material found on his computer have been put there by someone else?'. To do that, we used what's called 'evidence of habituation'. That is, we showed that emails he sent that were not criminal, such as organising a concert, had exactly the same characteristic features as in the criminal material that was recovered."

The importance of computer forensics was recognised by the government in 2001, with the establishment of the National High Tech Crime Unit. The danger that computer crime, along with providing the means to catch the guilty, also provides the excuse to create a Big Brother infrastructure to monitor the innocent, is a widespread concern.

Barrett believes that this scenario is unlikely. "My response to people worried about government agencies snooping on their emails is to say, firstly, look at the volume of stuff that gets sent; and secondly, look at the levels of manpower available to cover it. There are about two dozen police officers in London responsible for computer crime of any kind, and it requires a minimum of two of them for each prosecution.

"It's true that most of what you do on the internet leaves some form of footprint, but for most of us it's going to be a very dull footprint. To analyse all the email that came out of your computer to suggest some criminal motive would take me several days of very, very close analysis - I'm not going to do that unless you've come into the sights of an investigator for a good reason."
· Traces Of Guilt, Neil Barrett's book detailing his investigations into computer crime, is published today by Bantam Press, £16.99.

Useful links
National Hi-Tech Crime Unit (UK)
Computer Security Institute
Computer Crime Research Centre
Cybercrimes - University of Denton School of Law
Original article

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2005-09-01 18:14:53 - Very nice Gergana
Total 1 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo