Wednesday, 16 October 2013

Indecent images - The Dark side of the Web

‘Child pornography’ – perhaps the most emotive of criminal offences. ‘Association of Chief Police Officers’ (ACPO) statistics suggest that 84% of the overall case load for High Tech Crime Units across the UK involves indecent imagery and child abuse investigations. This area of crime is often seen as the ‘dark side of the web’ and as a result is perhaps the least discussed.
In cases of this nature the courts are concerned with the question of intent, creation, possession, dissemination, and the social context of any wrongdoing. As most investigations of this nature involve computers, data storage devices, and Internet history records, the role of the technology expert witness is crucial.
Relevant acts in this field of crime are the Protection of Children Act 1999, Criminal Justice Act 2003, Sexual Offences Act 2003 and the newly released Coroners and Justice Act 2009. Specialist establishments also exist with the aims of preventing and managing the threat, including the Internet Watch Foundation (IWF) and the Child Exploitation and Online Protection Centre (CEOP).
The ‘Combating Paedophile Information Networks in Europe’ (COPINE) project originally created a ten point scale to grade the severity of images. In the case of R v OLIVER (2003), the Sentencing Advisory Panel (SAP) modified the COPINE typology and adopted a 1 – 5 grading system:
·  Grade 1: Images depicting nudity or erotic posing, with no sexual activity
·  Grade 2: Sexual activity between children, or solo masturbation by a child
·  Grade 3: Non-penetrative sexual activity between adult(s) and child(ren)
·  Grade 4: Penetrative sexual activity between child(ren) and adult(s).
·  Grade 5: Sadism or bestiality

Generally the custody threshold is reached when an individual is in possession of material graded above level two, although the courts will also consider other factors such as the quantity of images present, the quality of the material, the duration for which the material has been retained, whether there is evidence of distribution, and whether the individual has been responsible for actually creating the material. Sentencing can range from a fine or conditional discharge to nearing ten years’ imprisonment for the most cruel crimes.
Indecent imagery cases, like most crimes, may have common features (e.g. presence of illegal media on a computer) but the circumstances and context will always vary. As a result, the Judge and other authorities may need to adapt, modify or clarify the law in order to achieve a fair result. This interpretation of legislation leads to new lawful guidelines referred to as ‘Case Law’.
In the matter of R v BOWDEN (2000) it was accepted by the court that downloading or printing images from the Internet should be classed as ‘making’ a photograph due to the fact that a person is duplicating material through these actions. However, it must be taken into consideration whether a user meant to ‘make’ an indecent image or whether it may have been an accident. In certain instances, it may be the case that someone opened an Email attachment or clicked a link to download a file. Upon opening that item, the user could be presented with indecent or illegal content. The above happened during the case of R v SMITH in 2002, where the defendant was unlikely to have known that an Email attachment contained an indecent image. Because of this, he was not convicted of making or possessing indecent material.
In the 1997 case of R v FELLOWS & ARNOLD it was ruled that providing someone with a password to indecent material is essentially showing them that data. Sharing access to indecent images through authentication methods can also be classified as distribution of material. For this reason, both defendants were sent to prison based on evidence that they had both accessed the indecent images stored on their employers’ computer at Birmingham University.

The Increasing Importance Of Forensic Computing In Criminal Cases

In 1965 Gordon Moore wrote in Electronics Magazine his theory on the potential for computational evolution ‘increasing at a factored rate of double per year’.

Whilst his law has since been tempered based on actual industry development life-cycles, his prophetic statement still holds largely true. Today there is almost no walk of life or industry where computers and information networks have not become deeply integrated, and criminals have moved in step with technical advances, discovering ways in which to leverage IT to facilitate the commissioning of offences.

In many instances this is old, or conventional crime, perpetrated using new approaches that are reliant on technology. Postal fraud, for instance, has evolved to employ electronic communication channels, giving rise to waves of emails seeking to defraud recipients with promises of money and fictitious prizes (commonly known as ‘419 scams’ as many of such notes tend to originate from the African continent and 419 is their penal code for wire fraud).

Studies into the cost of cyber-crime, commissioned independently by the Department of Trade and Industry (DTI) reveal alarming trends in the abuse and misuse of technology. The average cost per security incident has risen to over £160,000 and nearly one in four businesses in the UK have suffered a serious hacker attack or virus outbreak. The impact of an information security breach can be so devastating to business operations that one in ten never actually recover and the shutters close permanently. To counter this growing threat, security and law enforcement agencies have adopted fresh approaches for dealing with high technology crime.

Forensic Computing is a relatively young science when compared to contact forensics such as fingerprint recognition, which have roots that can be traced back to Edmond Locard, who in the early 1900s famously postulated the theory of evidence being left as ‘mutual exchanges of contact’. Whilst various descriptions exist in relation to this practice, the international survey undertaken by Hannen has been taken as the de-facto definition: ‘Processes or procedures involving monitoring, collection, analysis... as part of “a priori” or “postmortem” investigations of computer misuse’. It is important to appreciate that this definition takes a wider view than the conventional reactive description, where forensics was regarded purely as an incident response function. Hannen considers digital forensics as also taking a pro-active role in security, where it can be combined with intelligence and operational planning.

As a serious field of research, forensic computing studies only started to take real form in the early 1990s when, faced with ever increasing numbers of computers being seized at crime scenes and the potential for crucial evidence to be stored on a PC, various government agencies came together to host the International Conference on Computer Evidence (ICCE). Here many of the challenges facing law enforcement communities were aired and agreements forged to cooperate towards finding effective solutions.

Two years later, in 1995, the International Organisation for Computer Evidence (IOCE) was formed, and a further two years later the member states that comprise the G8 subscribed to the mission of IOCE, pledging support for the organisation. This was the catalyst required to stimulate research and development, and since then great advances have been made in all spheres of digital evidence management.

When working on a matter where the case will rise or fall on the strength of digital evidence, for example where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. This places the evidence into the wider context of the offence and enables barristers to make directions to the court based on a fuller appreciation of the matter.

Assuming material has been seized by the authorities, the state will usually conduct its own forensic assessments (typically undertaken by the regional police hi-tech crime unit), the results of which will be provided to legal representatives. The mechanics of this process involve the ‘imaging’ of the ‘target media’ – the process of making a forensically sound duplication of digital materials of interest (e.g. the computer hard drive). During this duplication process a ‘write-blocking’ device will be employed to ensure the target media is not affected or corrupted in any capacity whilst its content is read and mirrored. The actual forensic analysis is then made upon the duplicated material, with the original placed into secure storage and maintained in the state in which it was seized. The forensic analyst will then peruse the imaged copy to identify materials of potential evidence value, extracting copies as necessary to form the basis of the expert report.

Looking at this from a defence perspective, a number of questions should be posed in relation to the digital evidence (based on the Daubert threshold test that evaluates the competency of evidence in the United States):

·  whether the theories and techniques employed by the scientific expert have been tested;
·  whether they have been subjected to peer review and publication;
·  whether the techniques employed by the expert have a known error rate;
·  whether they are subject to standards governing their application;
·  whether the theories and techniques employed by the expert enjoy widespread acceptance.

Putting abuses of technology on a statutory footing, Britain has a suite of legislation that can be invoked, from the Computer Misuse Act 1990 to the Regulation of Investigatory Powers Act 2000.

Today digital forensics is an accepted science, and evidence duly secured in relation to best practices (in the UK these guidelines are outlined by the Association of Chief Police Officers) can be served in a court of law. Digital forensics are providing breakthroughs in all manner of high profile cases around the world, helping security and law enforcement agencies to catch offenders and secure convictions.

In the US, for example, the notorious BTK serial killer, who had a reign of terror lasting over twenty-five years in the Wichita area, was ultimately tracked down after he sent a disk to a local radio station gloating at the police’s inability to catch him. Unique digital footprints embedded within the files were extracted by forensic specialists, and like a lone fingerprint, investigators now had a powerful lead – all they needed was to match the file to the computer that had created it (much like having a fingerprint but not a suspect’s hand to match it with). Wichita Police then conducted a house to house search, taking file samples from every computer encountered. Back in the laboratory, the file footprints were compared to the sample disk posted by the BTK killer, eventually finding a match. This tied the floppy disk to Dennis Rader’s PC, a virtual smoking gun as far as the prosecution were concerned. This digital evidence became a pivotal element of the State’s case and ultimately helped secure a conviction.

In the UK the 2002 murders of Holly Wells and Jessica Chapman in Soham, Cambridgeshire, also saw digital forensics play a crucial, but largely unknown, role in the investigation. Technical analysts examined one of the girls’ mobile phones to identify where it was located when it had been turned off. Information on the nearest network communication tower tends to be stored in a phone’s memory and when the signal coverage of that tower is plotted, it is possible to identify the rough area (typically a few square kilometres) in which the phone was located when it was switched off. Having extracted this information from the handset, authorities had a rough idea of where to base their search, which ultimately led to the recovery of the two girls’ bodies.

Speaking in an interview several years after his pioneering research on the Manhattan Project where atomic reaction theory was developed, scientific visionary Oppenheimer explained that ‘the scientist is free to ask any question, to doubt any assertion, to seek for any evidence’. This thinking holds especially true when applied to the discipline of forensic computing in a legal context. Here experts may be instructed by either the prosecution or the defence, however, in either instance, they have a higher duty to the court. They are instructed as experts, but experts for the truth. It is important therefore to ensure that the experts instructed are duly qualified, experienced and independent.

Commenting on the nature of digital evidence, John Brown, Partner at Hogan Brown Solicitors, explained how the fragile nature of digital evidence can pose serious challenges to the investigator: ‘digital material is extremely volatile – perhaps more delicate than its physical counterparts. It can be copied, amended, and transferred without almost any trace – only experienced and qualified specialists should be employed to work in a digital forensic environment if the subsequent findings are to withstand the scrutiny of a court of law’. When working on a matter where the case will rise or fall on the strength of the digital evidence, perhaps where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. It is also important that lawyers, when they try to find an expert witness, choose someone with the necessary skills who is not only able to prepare an objective, unbiased report but also deliver oral testimony if required.
Forensic computing and the securing of digital evidence is a powerful tool in today’s fight against increasingly technically-savvy criminals. It is a discipline that continues to evolve and should remain high on the radar for both legal practitioners and law enforcement authorities.

Obscene Images & Media

The Essentials:

The Protection of Children Act of 1978 (as amended) defines what media is considered illegal by the British courts by establishing tests and definitions of ‘obscenity’. Due to the nature of these types of offences and the fact charges often relate to the abuse of minors, there is considerable social stigma attached to this sphere of law, making it an area rarely discussed or debated.

The Act forbids the creation, showing, distribution, possession for showing or distribution, and advertisement of obscene media. Whilst the Act was originally developed to consider photographic images, it has been subsequently amended so as to include ‘pseudo-images’, artificial or computer generated images. Possession of such material constitutes an offence under the Criminal Justice Act 1988.

To distinguish between child pornographic content, authorities rank material on a sliding scale of severity from one to five. This system is based upon the COPINE Typology and ranges from semi-nude/nude photographs (level one) through to penetrative sexual assault (level four) and sadism or bestiality (level five). Sentencing guidelines are based upon categorisation with tariffs reflecting the quantity of images, the severity of such, how long they have been held, whether the materials have been catalogued and organised, how the images were acquired/created, and whether they are a “trophy” of the offender’s own sexual abuse of a child.

In the United Kingdom the concept of obscene media is synonymous with ‘Operation Ore’ – the British arm of an international Police investigation started in early 2002 to combat child pornography. Despite criticisms of tainted evidence and fundamental failings to corroborate ‘facts’, it remains an important case study for targeted police activity. To date Operation Ore has resulted in over three and a half thousand arrests, destroyed distribution networks and sent out a powerful message to those that might commit offences of this nature.

Digital Evidence:

Forensic analysis of the computer systems and removable media (e.g. floppy disks and CDs) can help answer important questions as to how images came to be created or stored upon the system and what was done with them. Careful forensic examination of the evidence exhibits can provide insights into the following areas:

·  Names & addresses of websites visited;
·  File-Sharing application used to exchange media;
·  Time & dates of last access to a specific file;
·  Queries employed by the user on search engines such as Google;
·  Attempts made to conceal or remove the media.

Forensic evaluations put the evidence into context and can reveal elements of the case that had previously been unconsidered – which in turn can create significant defence/prosecution case opportunities.
It is important to note that computer forensic consultants that provide expert witness services in respect of obscene images and media must be of the highest calibre and it is necessary for their facilities to be inspected and approved for the undertaking of such work by a Police authority.

Common Questions:

Q: If obscene images have been deleted from the computer can an individual still be charged with possession?

A: R v Ross Warwick Porter considered offences that related to the making of indecent photographs of a child under s1(1)(a) Protection of Children Act 1978 and of possessing indecent photographs of children contrary to s160(1) Criminal Justice Act 1988. However, the images in question had been deleted by the Defendant before his arrest and were retrieved by the authorities only with the support of specialist forensic technologies. As a result, the appeal was held and it is now generally accepted that if an individual cannot retrieve or gain access to obscene content, then they cannot be regarded as having custody or control of it.

Q: Can a forensic expert identify when a particular file was created or whether it was ever accessed, opened or modified?

A: Operations upon files and folders are recorded in ‘timestamps’, which provide three classes of information: when the file/folder was created, when it was last accessed, and when the file/folder was last modified. Timestamp data is recorded automatically by the operating system and specialist skills and technical understanding are required in order to change these time/date entries – and such tampering can normally be uncovered by astute investigators. In matters of obscene media, timestamps provide crucial evidence as to actions and put into context when they occurred. A compelling defence case can be constructed if it can be shown that obscene media identified upon a computer has never been accessed/viewed.

Q: Can images, which are essentially binary computer code consisting of 1’s and 0’s, be considered obscene?

A: R v Fellows and R v Arnold (CACD Sep 1996) explored this legal argument and considered whether transformations upon the raw code, such as those that may be necessary to include the data in an e-mail, could affect the legal definition of obscene media. It was held that irrespective of format or transformations, if code can be reconstructed into material with characteristics that would liken it to an obscene photograph or movie, then for the purposes of the law that data would be regarded as obscene media.

Q: Does making a file available for download indicate exposure or distribution?

A: Electronic files can take many forms; from newsgroup postings through to web pages, images or multi-media content such as movies. Such files can be made available for access or duplication using a variety of means (e.g. the inclusion of the file on a website or within a file-sharing application such as ‘Kazaa’). Compounding the legal positioning is the fact that after the initial set-up, the file may be accessed or manipulated without the knowledge or consent of the individual that has made it available. R v Arnold married the technical and legal arguments, making it clear that the individual responsible for making a file available also distributes it. After this process there may be no more action or intervention by the Defendant, however, the initial positive steps taken are binding and go towards facilitating distribution. Should a ‘receiving computer’ create a copy of the media, then this only adds gravity to the finding.

Q: Is it possible that a website with obscene content ‘popped up’ on the screen un-requested by the user?

A: Many cases involving obscene images and media relate to the accessing of websites that have been confirmed to house illegal material. It has sometimes been suggested by Defendants that a specific website was not directly requested and simply appeared un-requested on the screen during the course of browsing the Internet. For instance, the user is surfing website A, when suddenly pages for websites Y and Z appear on the screen – which have not been requested and may contain content quite unlike site A. In such cases a comprehensive forensic evaluation of the evidence can reveal if a site was explicitly requested or if a user had been looking for something else but had been directed automatically towards the website in question. Furthermore, it is possible to identify if a given site has been accessed repeatedly (which would challenge any defence that it was an accidental one-off visit) and which areas or categories of the site had been viewed.

Q: Understanding the ‘Trojan Horse’ or ‘Third Party’ Defence

A: There have been a number of high profile cases involving computer abuse/misuse, where the line of defence has been that the computing device had been under the control of an unknown third party. In many cases the assertion is that the computer has been infected by a virus or piece of malicious code that would allow the execution of programs or running of services without either the owner’s knowledge or consent. An extension of this theme is to suggest that the computer has been broken into by a Hacker, who used the device as a platform for perpetrating their crime(s). This has become known as the ‘Trojan defence’ and was applied successfully in the matter of R v Aaron Caffrey, who was charged with breaking into computer systems owned by the American port authority in Houston. It has been known for criminals to purposefully infect their computers with viruses and malicious code, laying the foundations for just such a defence should the need ever arise.

Q: The computer hard disk is second-hand – could the obscene media have originated with the former owner?

A: Hard disks, the main storage devices for data and files, are frequently changed between computers – especially when systems are being upgraded or current capacities have been reached and an additional (often cheap second hand) drive is added to increase space for file storage. Few users appreciate the capabilities of data recovery experts and as such tend to simply delete or format their drives before disposal or exchange. Unless a drive has been wiped in accordance with standards such as US DOD 5220.22, data can usually be easily retrieved using forensic techniques and sensitive materials may be left residing on a drive long after it has been thought removed by the owner. Whilst the “it was on the drive when I got it” defence is sometimes considered by defendants, it is important to note that skilled forensic examiners will be able to identify times of creation for the images/media and patterns of access which would contradict their account.

Q: Obscene media is identified on a shared computer – can the material be attributed to an individual user?

A: The classic investigator mantra of ‘who’, ‘what’, ‘where’ and ‘when’ are essential starting points. ‘Who’ considers all the individuals with access and opportunity to the system at the time of the offence – are passwords employed to access the system and/or is the computer in a locked office? ‘What’ explores the nature of the material (e.g. Lolita styled movies) identified, which may itself suggest a particular individual. ‘Where’ asks in what areas of the computer was the data stored – were they public folders accessible to all or restricted portions of the drive available only to authorised users? ‘When’ relies on timestamps and environmental evidence (e.g. personal alibis and/or looking at specific files on the computer that were accessed in and around the time of the offence) to tie many of the complementary facts together in order to help attribute specific actions with an individual.
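The timestamp answer above and the ‘when’ question here both come down to reading created/modified/accessed records together. The following is an added example, not part of the original article: it builds a single timeline, lists events around a time of interest, and applies a few simplified consistency checks. The file names, times and flag names are constructed for illustration, and the checks are assumed heuristics that prompt questions rather than prove anything.

```python
from datetime import datetime, timedelta

# Constructed sample records, not taken from any real case.
# Each row: file name, created, modified, last accessed (ISO 8601, local time).
RECORDS = [
    ("report.doc",   "2013-03-01T10:00:00", "2013-03-04T09:30:00", "2013-03-05T18:12:00"),
    ("holiday.jpg",  "2013-03-02T14:20:00", "2012-08-15T11:05:00", "2013-03-02T14:20:00"),
    ("cache_01.tmp", "2013-03-05T18:05:00", "2013-03-05T18:05:00", "2013-03-05T18:05:00"),
    ("notes.txt",    "2013-03-06T12:00:00", "2013-03-06T12:10:00", "2013-03-01T07:00:00"),
    ("budget.xls",   "2013-03-07T09:00:00", "2014-01-01T00:00:00", "2014-01-01T00:00:00"),
]
SEIZED_AT = datetime(2013, 3, 10, 6, 0, 0)  # constructed time of seizure
KINDS = ("created", "modified", "accessed")


def parse(records):
    """Turn the text rows into dicts holding datetime objects."""
    return [
        {"name": name, **{k: datetime.fromisoformat(v) for k, v in zip(KINDS, stamps)}}
        for name, *stamps in records
    ]


def findings(rec, seized_at):
    """Return consistency flags for one record (simplified heuristics)."""
    c, m, a = rec["created"], rec["modified"], rec["accessed"]
    flags = []
    if max(c, m, a) > seized_at:
        # The exhibit was in storage by then: clock fault or altered entry.
        flags.append("AFTER_SEIZURE")
    if m < c:
        # Content older than its arrival here, e.g. copied in from elsewhere.
        flags.append("MODIFIED_BEFORE_CREATED")
    if a < c:
        # Out of order; needs an explanation such as a clock change.
        flags.append("ACCESSED_BEFORE_CREATED")
    if a == c:
        # No recorded open since the file first appeared on the system.
        flags.append("NO_ACCESS_AFTER_CREATION")
    return flags


def report(parsed, seized_at):
    """Map each file name to its list of flags."""
    return {rec["name"]: findings(rec, seized_at) for rec in parsed}


def timeline(parsed):
    """Flatten all records into one chronological list of (time, kind, name)."""
    return sorted((rec[k], k, rec["name"]) for rec in parsed for k in KINDS)


def events_near(parsed, moment, minutes):
    """Events within +/- minutes of a time of interest."""
    window = timedelta(minutes=minutes)
    return [e for e in timeline(parsed) if abs(e[0] - moment) <= window]


if __name__ == "__main__":
    parsed = parse(RECORDS)
    for name, flags in report(parsed, SEIZED_AT).items():
        print(f"{name:14} {', '.join(flags) or 'consistent'}")
    for when, kind, name in events_near(parsed, datetime(2013, 3, 5, 18, 10), 10):
        print(when.isoformat(), kind, name)
```
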

Q: Can Hash Codes, used to demonstrate integrity of evidence exhibits, be challenged?

A: Hash codes are the result of mathematical functions that allow the creation of unique serial numbers that are associated with specific files or file-systems. Should even the slightest modification of these files/file-systems be made, the serial number will change, highlighting the presence of revisions and that the integrity of the data may no longer be relied upon. Computer forensic investigators rely heavily on hash codes, particularly those created using the MD5 algorithm, to show data integrity and match copies of images from one source to another. However, recent research has identified sophisticated attacks that, whilst highly technical in nature, show that under certain circumstances it may be possible to modify data and not affect the resulting hash codes. From a legal standpoint this raises the possibility that digital evidence exhibits could be tampered with and the modifications go unnoticed.
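The integrity check described above, as an added example that is not part of the original article: it hashes a stand-in disk image at acquisition, verifies a working copy, then shows that a one-bit change is caught. The file names and image contents are constructed, and recording SHA-256 alongside MD5 is this example's own choice, made so that a change which preserved one digest would also have to preserve the other.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits wholly in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Read the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, recorded):
    """Compare current digests with those recorded at acquisition.

    Returns (ok, detail); ok is True only if every recorded algorithm matches.
    """
    current = hash_image(path, tuple(recorded))
    detail = {name: current[name] == value.lower() for name, value in recorded.items()}
    return all(detail.values()), detail


def write_constructed_image(path, size):
    """Create a stand-in 'disk image' with a fixed byte pattern (constructed data)."""
    pattern = bytes(range(256))
    with open(path, "wb") as fh:
        fh.write((pattern * (size // 256 + 1))[:size])


def flip_one_bit(path, offset):
    """Simulate the smallest possible alteration: invert one bit at offset."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        value = fh.read(1)[0]
        fh.seek(offset)
        fh.write(bytes([value ^ 0x01]))


def demo():
    """Acquire, copy, verify, alter, verify again; return the outcomes."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "exhibit.img")
        working = os.path.join(workdir, "working_copy.img")
        write_constructed_image(original, 3 * CHUNK + 17)
        recorded = hash_image(original)       # digests noted at acquisition
        shutil.copyfile(original, working)    # analysis is done on the copy
        copy_ok, _ = verify_image(working, recorded)
        flip_one_bit(working, 2 * CHUNK + 5)  # one bit changed in a 3 MiB image
        altered_ok, altered_detail = verify_image(working, recorded)
        return copy_ok, altered_ok, altered_detail
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```
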

Q: I'm a lawyer with a client that's been charged with a serious offence that involved alleged downloading of obscene material. He maintains his innocence. Where can I get help?

A: It is essential that you find an expert witness with the necessary skill set who not only understands the legislative framework but who also has the technical ability to thoroughly examine the hardware, prepare a comprehensive report and follow it up with testimony, if required. Many expert witness directories are available - particularly online - and X-Pro often publishes experts' profiles that include recommendations from lawyers that have used them in the past.

Did you know?

In software piracy cases involving the creation of copyrighted material, careful analysis of the computer can reveal how many times a ‘ripping application’ (program used to clone DVDs) has been run.

The Home Office is currently consulting on possible activation of provisions contained within Part III of the Regulation of Investigatory Powers Act 2000 that would empower authorities with the right to force the disclosure of encryption keys and passwords from a suspect that has taken steps to secure digital information and files.

The Importance Of SIM Cards:

There are more mobile telephones in the UK than there are people – this pervasive technology impacts on almost all areas of industry and life. Unsurprisingly, mobile communications have enabled old crime to be effected in new ways and mobile telephones are increasingly forming a part of criminal prosecutions, where linkages between individuals or evidence of being at the scene of the crime is provided by an analysis of the digital evidence available within the mobile phones.

At the heart of every mobile telephone is the Subscriber Identity Module (SIM), a small fingernail sized chip, responsible for service with a telecom network provider.

Digital Evidence From SIM Cards:

Despite limited memory capacity, the SIM contains a wealth of information that, when considered in context, can greatly aid lawyers in their case preparations:

·  Stored telephone numbers/contacts.
·  Listings of ‘Last Dialled Numbers’.
·  Text messages received, sent, drafted or deleted.
·  General location information from last use.
·  References to overseas network providers that have been used.

Common Questions:

Q: Could the SIM card have been cloned?

A: SIM cards produced after June 2002 employ the COMPv2 algorithm which provides a number of technical and security safeguards to prevent unauthorised modification. Despite media reports, the cloning of modern SIM cards is an extremely rare practice.

Q: Can my PIN code be cracked?

A: SIM card information can be locked using a four digit ‘Personal Identification Number’. RIPA contains provisions to force disclosure of passwords, however, it is usually easier to request a ‘Phone Unlock Key’ (PUK), enabling PIN settings to be overridden, from the Data Protection Officer (DPO) at the relevant network provider.

Q: PAYG SIMs are untraceable!

A: With ‘Pay As You Go’ (PAYG) there is no formal contract with a network provider (e.g. Orange) to enable a customer look-up, however, ‘Call Data Records’ (CDRs) are still available from the network provider, providing information as to patterns of communication, calls to/from, time/dates etc. By mapping this information to known acquaintances of the defendant, considering the evidence in the context of other material (such as messages recovered from the telephone handset) and undertaking Cell Site Analyses (CSAs), it is possible to prove/disprove ownership of a handset.

Q: Does the SIM reveal who I’ve been in touch with?

A: Even without the disclosure of Call Data Records (CDRs) from the network provider, the SIM provides a plethora of useful information relating to contacts in the form of ‘Last Numbers Dialled’ (LND) and sections of the ‘Contacts Directory’. Numbers that haven’t been saved may still show up in the LND.

Q: Can a telephone handset be uniquely identified?

A: Mobile phone handsets are assigned unique 15-digit numbers, known as the International Mobile Equipment Identifier (IMEI), which is passed to the network provider before communication services can be utilised. This serial number allows specific handsets that have been stolen or blacklisted to be blocked from a network irrespective of what SIM card is inserted. Defences suggesting that a given handset has been ‘found’ and is not owned by the suspect are unlikely to hold water if Call Data Records (CDRs) show a pattern of usage that indicates the owner’s identity.

Q: What about sending anonymous texts?

A: They are not really that anonymous... If they are being sent via an internet service, there is typically a log retained by the site provider as to the computer IP address that sent the specific message – this can ultimately be tied back to an Internet Service Provider (ISP), and in turn a specific subscriber. If anonymous texts have been sent from a mobile telephone – typically a PAYG handset/SIM – the uniquely assigned International Mobile Subscriber Identifier (IMSI) code embedded in the SIM can be used in concert with CDRs to provide compelling evidence as to the sender identity.

Q: Can deleted text messages & numbers be recovered?

A: Data content (especially multimedia formats) is primarily stored on the handset or on a removable memory stick. The general rule of thumb is that any data that has been deleted can be recovered, however, if it has been over-written it does make the process more complex and the chances of success reduce with every over-write.

Q: Is possession of multiple SIM cards indicative of wrongdoing?

A: Not at all - many individuals are discovering that they can benefit greatly from the free text and talk allowances granted on mobile phone contracts by having two or more SIMs (typically with different network providers). Adapters are available to connect multiple SIMs to a handset simultaneously.

Q: Where can lawyers find an expert in this field?

A: There are plenty of expert witness directories out there - especially online. But if you are trying to find an expert witness make sure that he or she has the necessary skills not only to analyse the equipment and data and prepare an unbiased, objective report, but also has experience delivering oral testimony, should that be required. A recommendation from a fellow professional will help in making your choice.

Did you know?

The SIM card will often contain a reference to the last network base station that it communicated with before being disconnected from the telecoms network.

If the SIM card has been used overseas, it is possible to retrieve a reference code from the card that will indicate which national/regional network provider was used.

Language preferences can be stored on SIM cards - useful intelligence for investigators, which can open up new avenues of enquiry.

Sunday, 13 October 2013

Social media forensics & Madeleine McCann

The disappearance of Madeleine McCann remains unresolved. The 3-year-old went missing from a holiday apartment in Praia da Luz in 2007. Since 2011 thirty Metropolitan Police Officers, headed by Detective Chief Inspector Andy Heywood, have been trawling through thousands of witness statements and documents at the cost of £5 million, hoping to unearth a vital clue that will resolve the case.

Last week we learned that phone records could hold the key, but let’s consider the role of social media. First, some clarity… Social media refers to the means of interactions among people in which they create, share, and exchange information and ideas in virtual communities and networks. Since 2007 the role of social media in both personal and professional circles has grown from strength to strength. Let’s take a look at three popular services –

Facebook™ is a networking service launched in February 2004 and provides a social media platform for over one billion active users. It is used for both personal and professional networking, with an increasing number of organisations using it as an important part of their outreach strategy to interact with customers. Half a petabyte of new content – from messaging to media – is uploaded every single day, equivalent to about 110,000 DVDs' worth of data, so one can imagine the difficulties faced in harvesting and processing such information.

Tumblr™ is a micro-blogging platform and social networking website owned by Yahoo! The service allows users to upload text posts, images, video, quotes, or links to form a short-form blog (web log). Tumblr™ hosts over 110 million blogs and 80 million new posts are created every day.

Twitter™ is another microblogging service but primarily geared towards short text based "tweets" which are limited to 140 characters. The service is used to provide swift/concise updates, and has been popularised through the adoption by celebrities. Tweets can now include links to images or multi-media content. Nearly 400 million new tweets are posted online every single day.

How can this help with the investigation into the disappearance of Madeleine McCann?

Firstly the authorities could consider a complex data mining operation to look at historical social media records and potentially identify either clues or witnesses.

So where to begin?

Text based searches would be the obvious approach, to seek out content based on keywords. The degree of coverage of this incident in the international media would suggest that the keyword parameters would have to be carefully constructed so as to limit results to that which may be potentially relevant (e.g. instances where ‘mccann’, ‘evidence’, and ‘police’ occurred in the same message or sequence of messages). The potential for a huge number of false positives is of course the concern, but these could be limited by applying date range filters or mining only across accounts registered to users in Portugal (at the risk of missing tourists).

Most social media posts – from the humble tweet to a photograph uploaded to Facebook – can include location information. This is commonly known as a geotag and may be applied to the content by the camera device or the social media service. Such tags take the form of latitude/longitude co-ordinates – in the case of Praia da Luz, this would be 37.0972° N, 8.7434° W. Combing through current or old social media records for such tags would help identify people who have been in the relevant area. Combine this with a filter for the date range of late April / early May 2007, and the results would suggest people in the right area at the right time to potentially assist with the investigation. It may be that these are parties who need to be excluded from the current investigation, or perhaps they witnessed something they considered innocuous but which could be vital in the wider context of the investigation.
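The keyword, date-range and geotag filters described in the two paragraphs above can be sketched as follows. This is an added example, not code from any of the toolkits or services mentioned; the record fields, the sample posts, the 5 km radius and the exact window bounds are assumptions made for illustration.

```python
import math
import re
from datetime import datetime, timezone

CENTRE = (37.0972, -8.7434)            # co-ordinates given in the post (W is negative)
WINDOW = (datetime(2007, 4, 25, tzinfo=timezone.utc),   # assumed bounds for
          datetime(2007, 5, 10, tzinfo=timezone.utc))   # "late April / early May 2007"
KEYWORDS = {"mccann", "evidence", "police"}             # must all co-occur in one message

# Constructed sample records; field names are hypothetical, not a real export format.
POSTS = [
    {"id": "p1", "ts": "2007-05-03T20:15:00+00:00", "lat": 37.0890, "lon": -8.7300, "text": "Dinner by the beach"},
    {"id": "p2", "ts": "2007-05-03T21:40:00+00:00", "lat": 38.7223, "lon": -9.1393, "text": "Night out in Lisbon"},
    {"id": "p3", "ts": "2009-08-12T10:00:00+00:00", "lat": 37.0972, "lon": -8.7434, "text": "Back on holiday"},
    {"id": "p4", "ts": "2007-05-04T09:05:00+00:00", "lat": None, "lon": None, "text": "Police everywhere this morning"},
    {"id": "p5", "ts": "2007-05-05T12:00:00+00:00", "lat": 37.1010, "lon": -8.6740, "text": "Police asked for evidence about the McCann case"},
]

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def triage(posts, radius_km=5.0):
    """Sort in-window posts into review queues; a post may land in more than one."""
    out = {"place_and_time": [], "keywords_in_window": [], "untagged_in_window": []}
    for p in posts:
        ts = datetime.fromisoformat(p["ts"])
        if not (WINDOW[0] <= ts < WINDOW[1]):
            continue                                   # date-range filter cuts false positives
        if p["lat"] is None or p["lon"] is None:
            out["untagged_in_window"].append(p["id"])  # no geotag: cannot be placed by this method
        elif haversine_km(CENTRE, (p["lat"], p["lon"])) <= radius_km:
            out["place_and_time"].append(p["id"])
        if KEYWORDS <= set(re.findall(r"[a-z]+", p["text"].lower())):
            out["keywords_in_window"].append(p["id"])
    return out

if __name__ == "__main__":
    print(triage(POSTS))
```

Untagged posts are kept in their own queue rather than discarded, since the absence of a geotag says nothing about where the author was.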

Note: Law enforcement labs and members of prosecuting authorities are welcome to request free licences to the following toolkits:, and

Thursday, 10 October 2013

Madeleine McCann - Phone Records, Forensics & big data

Madeleine McCann, aged 3, disappeared from a holiday villa in the Portuguese resort of Praia da Luz on the evening of 3rd May 2007. Despite one of the largest publicity campaigns and worldwide searches in history, she remains missing. Her parents, Gerry and Kate, have led a campaign to find their daughter, refusing to give up hope.

In 2011, Prime Minister David Cameron ordered a fresh review of the original Portuguese police investigation and drafted in thirty Scotland Yard detectives to help sift through the vast volumes of information and witness statements. So far, just over half of the forty thousand pieces of information collected by the Portuguese authorities have been assessed, and progress is reported to be positive.

Now there have been similar stories in the press over the years, but what makes this one so interesting is its renewed focus on digital forensics. Investigators believe telecommunication records could hold the key to solving the case and are focussing their search on thousands of mobile phones, thought to belong to people who were in Praia da Luz in the days leading up to, during, and after Madeleine's disappearance.

Detective Chief Inspector Andy Redwood, who's leading the inquiry, says officers are trawling through a 'substantial amount of data' and have so far identified 41 persons of interest. With around three thousand people living in the Algarve holiday resort, and thousands more visiting during the holiday season, this task is neither straightforward nor complete. This exemplifies ‘big data’ and the complexities of effectively data mining to find those crucial (digital) needles in the haystack.

In fact, DCI Redwood admits his team have been unable to attribute (link to a named individual) a 'large number' of mobile numbers, largely due to the fact that six years have now passed and a considerable number were bought on a 'pay-as-you-go' basis. This reflects an increasingly common practice for individuals travelling overseas to buy a cheap PAYG SIM from a local vending machine or shop, so as to avoid roaming charges and benefit from local call/data rates.

Call Data Records, sometimes referred to as ‘billing records’, will show the timing, volume and patterns of communications activity: the numbers dialled, the duration of voice calls, numbers that have been sent text messages, and instances of access to voicemail. The content of the spoken conversations or the typed details of a specific text message will not be available, but the broader picture of activity can still be important.

Then there's the issue of tracking down the thousands of holidaymakers that were in the Algarve resort where Madeleine McCann was staying when she vanished. Scotland Yard have already made contact with thirty-one police forces across the world to help them piece together the records and make contact with the owners of foreign mobiles.

A powerful investigative technique is being applied to mobiles of interest – Cell Site Analysis. The intention is to identify mobile devices that engaged telephone masts in and around the Algarve holiday resort on the days surrounding the incident. The users of these devices can then be tracked down and interviewed – one of the owners may prove to have seen/heard something that could take the investigation in a whole new direction.

Crimewatch will be airing a special on the Madeleine McCann investigation this evening – with exclusive interviews, fresh evidence, and a scene reconstruction.

We would welcome the thoughts of other practitioners and experts in this field on the forensic evidence in this case and other avenues of investigation that could be explored.

** Note: Afentis Forensics have had an involvement in this investigation and whilst open debate and discussion is encouraged, please could comments keep in mind the sensitivity and emotive nature of the matter.

Friday, 13 September 2013

Telephone Record Evidence

‘Telecommunication evidence’ is the broad term used to describe any data/information retained or otherwise available from the communication service provider (CSP, such as ‘T-Mobile’ and ‘Orange’), and which has probative value for investigative or legal purposes.
‘Call Data Records’ (CDRs), sometimes referred to as ‘Call Detail Records’ (CDRs), are statements that provide information relating to a specific user’s usage of the telecommunication services provided by a given operator.
The following information would be created and retained by the telecommunications operator during the normal course of business operations:
·  Called telephone number or numbers;
·  Name(s) and address(es) of the subscriber(s) or registered user(s);
·  Date and time of the start and end of the communication;
·  Telephone service used, e.g. voice, conference call, ‘Short Message Service’ (SMS), Enhanced Media Service or ‘Multi-Media Service’ (MMS);
·  ‘International Mobile Subscriber Identity’ (IMSI) of the calling and called party;
·  ‘International Mobile Equipment Identity’ (IMEI) of the calling and called party;
·  Location label (Cell ID) at the start and end of the communication;
·  Data mapping between Cell IDs and their geographical location at the start and end of the communication.
The information detailed above may be available for disclosure only following due authorisation by the relevant ‘POLICE & INTELLIGENCE LIAISON OFFICER’ at the telecommunication operator and/or in response to an Order of the Court.
The information detailed above will typically be retained for twelve (12) months following point of creation, to facilitate billing and comply with regulatory requirements.
The ‘EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE’ (ETSI) specification for GSM event and call data provides detailed definitions for a variety of records needed in the administration of subscriber related event and call data.
‘Call Data Records’ (CDRs) can be analyzed for a variety of purposes and can provide considerable assistance to investigators and defence specialists. For instance, a service provider may use them to understand the calling patterns of their subscribers and the performance of the network.
In the context of an investigation, assessment of CDRs can be used to identify contact and communication between given individuals, potentially proving relationships and/or involvement in a conspiracy. CDRs can also be used to assist in the first stage of ‘cell site analysis’; the identification of the specific cell station used to handle a communication session.
Such information can be translated into geographical locations for the cells involved in communication sessions, which in turn assists in appreciating the general locale from which calls were made/received.
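The two uses of CDRs described above, establishing contact between parties and identifying the cells that handled each session, are worked through below on a small data set. This is an added example, not code from the original post; the CSV columns, the numbers, identifiers and cell mapping are constructed, and real disclosures vary by operator.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample data with hypothetical column names. Assumption: the
# cell_start/cell_end columns describe the calling party's handset.
CDR_CSV = """calling,called,start,end,service,imsi,imei,cell_start,cell_end
447700900001,447700900002,2013-09-01T18:00:05,2013-09-01T18:03:35,voice,001010000000001,350000000000011,C101,C102
447700900001,447700900002,2013-09-01T18:30:00,2013-09-01T18:30:00,sms,001010000000001,350000000000011,C102,C102
447700900002,447700900001,2013-09-01T19:10:00,2013-09-01T19:11:00,voice,001010000000002,350000000000022,C205,C205
447700900001,447700900003,2013-09-02T09:00:00,2013-09-02T09:00:40,voice,001010000000001,350000000000011,C101,C101
"""
# Constructed Cell ID -> (site label, latitude, longitude) mapping.
CELLS = {"C101": ("Site A", 51.50, -0.12), "C102": ("Site B", 51.51, -0.10),
         "C205": ("Site C", 51.45, -0.30)}

def load_cdrs(text):
    """Parse CSV text into dict rows with start/end as datetime objects."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.fromisoformat(r["start"])
        r["end"] = datetime.fromisoformat(r["end"])
        rows.append(r)
    return rows

def contact_summary(rows):
    """Per unordered pair of numbers: event count per service and total voice seconds."""
    summary = defaultdict(lambda: {"voice_seconds": 0})
    for r in rows:
        s = summary[tuple(sorted((r["calling"], r["called"])))]
        s[r["service"]] = s.get(r["service"], 0) + 1
        if r["service"] == "voice":
            s["voice_seconds"] += int((r["end"] - r["start"]).total_seconds())
    return dict(summary)

def cells_used(rows, number, cells=CELLS):
    """First stage of cell site analysis: time-ordered cells that handled the
    sessions originated by `number`, resolved to a site where a mapping exists."""
    timeline = []
    for r in sorted(rows, key=lambda r: r["start"]):
        if r["calling"] != number:
            continue
        for when, cell in ((r["start"], r["cell_start"]), (r["end"], r["cell_end"])):
            entry = (when.isoformat(), cell, cells.get(cell, ("unmapped",))[0])
            if not timeline or timeline[-1] != entry:  # SMS: start == end, keep once
                timeline.append(entry)
    return timeline

if __name__ == "__main__":
    rows = load_cdrs(CDR_CSV)
    print(contact_summary(rows))
    print(cells_used(rows, "447700900001"))
```

A change of cell between the start and end of one call (C101 to C102 in the first record) is the kind of detail that later stages of cell site analysis examine; on its own it shows which cell served the handset, not a precise position.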