Peter Yapp, our regular cybersecurity contributor, looks at the growing importance of digital evidence and how to handle it.
Today, over 90% of all crime today has a digital element. Take a minute to absorb that. We live in such a connected world that even seemingly off-grid crimes can often be traced through digital breadcrumbs. But where does this information come from and how can lawyers use it?
I first dived into the world of digital forensics in 1992 when I worked at H.M Customs & Excise. Of course, it wasn’t called digital back then, it was ‘computer forensics’. The team was set up in about 1986 - shortly after the FBI Computer Analysis and Response Team (CART) in 1984 in the USA and the UK’s Metropolitan Police computer crime unit in 1985. My team of law enforcement officers and I in the team dealt with any and every electronic device seized. This type of evidence was referred to ‘computer’ (up to 1987), ‘electronic’ (1998), and then digital and cyber - with the widely accepted current term being ‘digital’.
What is digital evidence?
As I said at the start, over 90% of all crime is recognised as having a digital element. When you think about how much technology we use in our day to day lives, it’s easy to understand why.
Digital forensics started with the examination of Personal Computers, moved quickly into mobile phones and now covers SatNavs, washing machines, cars, smartwatches, Fitbits and even doorbells. With the extensive rollout of smart vehicles with Internet-enabled functions (and the arrival of autonomous vehicles) it has never been more important to secure devices evidentially. It is conceivable that fridges, coffee makers and smart lightbulbs will soon provide alibis or important evidence for criminal and civil cases.
Many Internet-enabled devices have sensors or actuators that generate data, sometimes autonomously and sometimes in response to human actions. This data can be about location (such as GPS), temperature, presence/absence, movement, steps taken, distance walked, time spent walking and calories burnt.
A digital forensic investigator will search for system activity logs showing details of events recorded by the device sensors and the commands sent by the user. They can then infer the time a door was opened or the instant when an alarm was disabled.
We are fast moving to a time when everything that we plug into an electrical socket will be connected to the internet as well. Any IoT (Internet of Things) device may provide the digital footprints that might track or capture activities, giving insights into the last moments of a murder victim, evidence of false alibis or inconsistencies in witness statements.
To give a dramatic example, in a murder investigation in the US state of Arkansas, an Amazon Echo device was found in the home of a suspected killer. Police obtained a warrant for Amazon to turn over audio and other records from the device. The police also looked at the suspect's smart water meter, which showed that more than 140 gallons of water were used on the night that the victim was murdered. Circumstantial certainly, but this could have been an attempt to wash away evidence.
The problem with digital evidence
Digital evidence, however, can be a double-edged sword. While there is an ever-increasing roll call of devices and places that can offer clues and information to help you prove or rebut a case, the challenge for lawyers is the transient nature of digital evidence. It was a problem identified in the early days of computer forensics and was why “image” copies of computers were obtained at the earliest opportunity, backed up by contemporaneous notes. The challenge was that just the act of turning a computer on could create a whole series of files at that time and date - potentially overwriting existing evidence and leaving the investigator open to accusations of planting or altering evidence.
The problem is compounded when you think we’re not just talking about evidence from physical electronic devices. Websites and web pages also needing to be secured as evidence at a particular date and time. A pdf of a web page without a corroborating statement is not enough - this type of data is easily changed and can also be altered over time.
Why is forensic collection so important?
As you would expect, the principles of IoT forensics need to be similar to any forensics practice - that is to identify, preserve (in a sound defensible manner), analyse, interpret and present any relevant data to an evidential court standard. A timeline is often constructed and the opportunity with digital evidence from multiple devices is that you can capture much more data than you can from the physical world.
However, collecting this data can be a challenge. Often it is not on the device itself but rather in the cloud or the device provider’s cloud platform. IoT forensic investigations have to allow for the complexity, diversity, and differences of IoT devices and ecosystems.
For example, IoT devices do not limit their communication to WiFi and Ethernet protocols but can use Bluetooth, ZigBee, Z-Wave, or even custom radio frequencies for communication between sensors and a base station. Analysing these devices requires more complex equipment and expertise.
A further consideration when obtaining data from IoT devices held in the cloud (often stored there for easy access and synched by associated smartphone applications) is identifying the cloud provider from the user’s phone and then employing legal means to obtain the requisite information or gaining authorised use of login details from the smartphone user. Remember that an analysis of the linked smartphone can produce evidence not available anymore on the IoT device itself (due to limited storage memory or efficiencies).
Another great example of digital evidence that can be uncovered is a trace in a configuration file showing the presence of a specific network printer that will tie a particular device to a location. Other examples are photographs and videos and their associated metadata recorded on devices where specific actions must be ascribed to a specific individual.
Another growing area of interest is vehicles. Already your car probably has a digital record of your home or business address, a list of recent places visited, your phone contacts, speed, braking and seatbelt use data. It is also possible to identify devices that have been attached to your vehicle’s computer. And already some cars come with web browsers that keep history, cookies and cache information.
With many of these devices, much of the fascinating data (event logs, user activities etc.) is stored in volatile memory (that vanishes if the device is powered down). Therefore, it is essential to secure as much of the data as possible in situ.
To highlight the art of the possible, a Norwegian student went wardriving (or rather warcycling) around Oslo on a bicycle and discovered that about a dozen popular models of Bluetooth headphones had not implemented MAC address randomisation, thus allowing tracking of their wearers.
Norwegian state broadcaster NRK then helped analyse the Bluetooth emissions from these audio headphones, contained within 1.7 million Bluetooth messages that were intercepted. The analysis was possible because Bluetooth devices generally broadcast their unique identities, but despite privacy advice to manufactures, none of the devices had address randomisation implemented. Without that randomisation, it was easy for the devices to be “pinged” (an electronic signal sent out and responded to) repeatedly, revealing their wearers' precise location as they travelled around the city.
With all this digital evidence, traces can be used to reconstruct activities in great detail, build a timeline and create a narrative - but an incorrect assumption or an overlooked event can lead to the wrong conclusion. For example, if you rely on evidence from a voice-controlled device, you need to ensure that additional analysis has been carried out to determine whose voice it was and whether the person was in the same room as the device or speaking via audio from somewhere else.
Getting hold of the device or smartphone that interacted with the IoT devices can provide a complete picture of an individual's presence in a particular place at a specific time. But even then, events recorded within associated applications do not necessarily mean the user was present. When geolocation information indicates that the device was at the scene when the crime occurred, you need additional analysis to be carried out to determine if the time was correct, the location information was accurate, and that someone else was not using the device at that time.
Unfortunately, our interconnected world and its digital devices rely on protocols and software code some of which was developed before digital security was an issue. We have effectively built upon digital sand and almost every device has a security vulnerability. For this reason, the potential criminal exploitation of devices must also be considered. An attacker may break into a system and change or delete digital information to protect themselves or implicate another. It’s therefore vital to engage an expert in this field before relying on digital evidence. But, gathered correctly, the information accessed can be vital.
Why is the forensic collection of digital evidence essential?