7. Memorandum submitted by David Lattimore
This report is in response to the Committee's
notice of 25 November 2005. Its purpose is to promote the understanding
of computer forensics, encryption and the investigative process
thereof.
1. INTRODUCTION
This report has been produced from a computer
forensic practitioner's perspective, to promote the understanding
of computer forensics, encrypted data, the subsequent analysis
and the investigative process. Its purpose is to assist the
Committee with reference to Terrorism Detention Powers.
2. QUALIFICATIONS AND EXPERIENCE
I am the Technical Manager of the Digital Crime
Unit at LGC and specialise in the examination of computer and digital
media equipment for forensic purposes. I have been involved in
this type of work since 1992. A profile is attached and a full
CV has been submitted [not printed].
3. FORENSIC PROCEDURES
The forensic examination of computer hard-disks
has developed significantly over the last 13 years. In the early
days, law enforcement agencies developed procedures in order to
comply with the rules of evidence. In 1998 the Good Practice Guide
published by the Association of Chief Police Officers (ACPO) laid
down the principles relating to the forensic examination of computers
and digital media. Today these standards are not only used by
law enforcement agencies but also by many commercial and independent
computer forensic investigators.
4. COMPUTER HARDWARE TECHNOLOGY
Computers have developed at an alarming rate over the last 15 years,
especially in hard-disk size. In the early days
computers investigated by law enforcement agencies normally contained
only one small hard-disk. Today it's not unusual to find computers
with two or three hard-disks of vast size. Also, with the low cost
of computer hardware, it's not unusual to find users with more
than one computer, plus laptops, removable hard drives, USB memory
devices, digital cameras, GPS devices and vast numbers of writable
CD-ROMs and DVDs, all of which require forensic examination. It's
not unusual for an investigator to be tasked with dealing with a large
amount of data storage per suspect.
5. FORENSIC IMAGING
The forensic investigator having received a
computer will, after initial physical examination, remove the
hard disk(s) for imaging. This is the process where an exact copy
of the hard drive is made with forensic tools. One of the main
reasons for this is that a forensic examination will be made of
the hard disk image itself and not of the original hard disk.
This reduces the possibility of an allegation that the data evidence
has been contaminated. It also allows the defence to receive an
exact copy of the hard disk to view or dispute the evidence found.
Imaging times can vary from less than an hour to many hours depending
on the size of the hard-disk; often the process is allowed to
proceed overnight. Some forensic software allows for the previewing
of hard drives without imaging; however, from experience, although
this might be satisfactory as an initial indication, certain data,
such as encrypted data and steganography, can be missed. Normally
the forensic investigator who has previewed a hard drive would
go on to make a complete image and carry out a thorough examination.
6. THE FORENSIC ANALYSIS
The forensic examination can vary in the length
of time it takes depending on the size and the content of the
hard drive. A large hard drive with little data and few user files
may only take a short period of time. However a small hard drive
that is populated with 100,000s of files and programs and data
in slack and unallocated space will take considerably longer.
If I had to put a time on the forensic analysis of an average
hard drive, say 80GB, then I would normally take between three
to five days. If a suspect has taken specific steps to hide or
remove data a more in depth analysis will be required which will
take longer.
7. ENCRYPTION ISSUES: A BRIEF OVERVIEW
Data can be encrypted in a number of ways. Individual
files, or a volume which holds many files, can be encrypted and
stored on any data-holding device; alternatively, whole hard drives
can be encrypted.
There are many programs available to users to
encrypt data on computers. These are available either from the
Internet (often free), from computer magazines, or are passed on by
associates. The strength of encryption varies with the program
used. This strength depends on two key factors: the type of encryption
used (known as the algorithm) and the length of the key used.
There are two main types of encryption: symmetric and asymmetric.
Symmetric encryption requires that the same
key, or password, be provided to all those who require access
to the encrypted file. The key is the same for everyone. The weakness
with this type of encryption is that an investigator can determine
the key or with a powerful computer discover the password. Some
can take a few seconds to discover and some can take many years.
Asymmetric encryption requires the use of two
keys: a public key and a corresponding private key. When a file
is encrypted, the public key of the recipient is used to encrypt
the file. The recipient provides the public key to the creator
of the encrypted file. The only key that will decipher the file
is the private key that is known only by the recipient. It's not
unusual for a user of this type of encryption to remove the private
key from the computer the encrypted file is on. The private key
can be stored at a remote location on the internet, or on removable
devices such as USB memory sticks and other computers. Despite
its strength, it can still be possible to crack an asymmetric
cipher using a brute force attack.
Steganography is not actually a method of encrypting
messages, but is a way of hiding data within something else, such
as a graphic or sound file, so that the data goes undetected.
It has been known for suspects to encrypt a file using asymmetric
encryption and then use steganography to hide it further before sending
it via e-mail.
During the forensic examination an investigator
should determine whether any encrypted files, volumes or encryption
programs exist on the hard drive. Often some encrypted files/volumes
are found however others are missed because the investigator is
not familiar with the techniques being used by the suspects.
8. CRACKING ENCRYPTED FILES & VOLUMES
The strength of the encryption used varies with
the algorithm from 40 bit up to 2,048 bit. 40 and 56 bit algorithms
are weak encryption. 40 bit will give one trillion (1,097,728,000,000)
possible key combinations and 56 bit will give almost 72 thousand
quadrillion (71,892,000,000,000,000).
Although this type of encryption is often used,
it is more common to use a stronger algorithm such as 128 bit,
which will give approximately 339,000,000,000,000,000,000,000,000,000,000,000
(give or take a couple of trillion) possible key combinations.
Cracking a 56 bit algorithm using one computer
testing 1,000,000 keys per second could take up to 2,284,931 years.
The same algorithm using 2000 computers could take up to 1.1 years.
Cracking a 128 bit algorithm using one computer
testing 1,000,000 keys per second could take up to 10,790,283,070,806,000,000,000,000,000
years. The same algorithm using 2,000 computers could take up
to 5,395,141,535,403,010,000,000,000 years.
Therefore it's not always practical to decrypt
the encrypted file/volume by a brute force attack although it
is possible.
If a brute force approach is taken the forensic
analyst may need to develop a specific "crack" for the
particular encryption, if one has not been previously developed.
The "crack" enables the brute force attack to commence.
9. BIOGRAPHICAL PROFILING
***
10. THE FUTURE
New and stronger algorithms are being developed
and will be freely available through various sources. The biggest
problem forensic analysts will face in 2006 is the release of
Microsoft's new operating system called "Vista". This
is due for release in September or October.
One of the main features of Microsoft Vista
is its enhanced security facility "BitLocker", which
used to be called "Full Volume Encryption".
In brief, "BitLocker" will apply full
hard drive encryption all the time. To decrypt the hard drive
a "startup key" will be required to log on to the computer.
A startup key can either be physical (a USB flash drive with a machine-readable
key written to it) or personal (a PIN set by the user). The user
inserts the USB flash drive key in the computer before turning it
on; the key stored on the flash drive unlocks the computer, and without
this key the data will not be accessible. The reason for this
is physical security: it prevents a thief who steals the PC
or laptop and then removes the hard drive from accessing its contents.
Forensic analysts image a hard drive by removing it from the computer,
precisely to prevent anything being written to it, and a drive imaged
this way without its startup key yields only encrypted data.
Therefore this facility will create problems for forensic analysis.
The mobile phone will become more like a computer
with the introduction of mini hard disks creating new challenges
for the forensic analyst.
Computers and data devices hold a wealth of
intelligence which is not exploited enough by law enforcement
agencies. Recently whilst at LGC a fraud case I was working on
revealed data linked to the Middle East and certain terrorist
groups. As a result this data was supplied separately to the Special
Branch of the Police Force who submitted the computer for analysis.
It proved so valuable that the data is now with the security services
for further investigation. Law enforcement agencies must consider
the intelligence available from the data devices seized.
11. CONCLUSION
This report has provided a very brief overview
of Computer Forensics and encryption. It is evident that technology
will continue to grow and the use of strong encryption will become
more widespread amongst criminals as well as everyone else. The
use of facilities such as the National Technical Assistance Centre
(NTAC) by law enforcement agencies will be paramount in dealing
with encrypted files and volumes. However forensic analysts must
be trained to identify when encryption of any sort is present
on data devices.
Dealing with data on the many devices that are
now seized by law enforcement agencies is a very time consuming
job. If the forensic analysis is rushed relevant data can be missed.
In my experience the only way to deal with encryption
found on data devices is by way of Biographical Profiling which
as stated earlier is a time consuming exercise.
I would be happy to expand on the points covered
in this report if required to do so.
12. GLOSSARY OF TERMS
Bit
A bit refers to a digit in the binary numeral
system. A byte is a collection of bits, originally variable in
size but now almost always eight bits.
Brute Force Attack
In cryptanalysis, a brute force attack is
a method of defeating a cryptographic scheme by trying a large
number of possibilities; for example, exhaustively working through
all possible keys in order to decrypt a message. In most schemes,
the theoretical possibility of a brute force attack is recognised,
but the scheme is set up in such a way that it would be computationally
infeasible to carry out. Accordingly, one definition of "breaking"
a cryptographic scheme is to find a method faster than a brute
force attack.
Hard Disk Drives and "Unallocated space"
The computer stores data electronically in a
storage device called a hard disc drive. This hard disc drive
can be of a varying size, but is now more commonly in the region
of 80-200 Gigabytes in size. This is very large, and vast amounts
of data can be stored on the disc itself. As a guide, a compact
disc (CD) can store just over one half of a gigabyte (0.5 GB or
500 MB) worth of data alone. When software, such as operating
systems (Windows 2000) and word processor packages (Microsoft
Office) are installed onto the hard disc, the data will take up
the space it needs to install and be able to run. This space can
then be called "allocated". Therefore, the unallocated
file space relates to the space remaining on the hard disc that
has not been used. However, if a file is deleted and deleted again
from the "Recycle Bin" it is no longer accessible via
the Windows operating system. The file itself has not been removed
from the hard disc, it simply cannot be seen. It will remain on
the hard drive unless the space it occupies is needed for re-use
by the system. The file or the data from that file can be found
using forensic recovery software, but the file itself is "said"
to have been found in the "unallocated" file space.
Key
A key is a piece of information that controls
the operation of a cryptography algorithm.
Slack space
Slack space is the unused space on a hard disk
between the end of a file and the end of the cluster that the
file occupies. For example, on a drive with a 16 KB cluster size,
there will be 5 KB of slack space at the end of an 11 KB file.
The slack space is wasted, as it cannot be used by the computer
for another file. This slack space can contain relevant data from
previously deleted files.
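The following is an added example, not part of the memorandum: a toy cluster-based disk in Python that shows how the "unallocated" and "slack" space described in the two glossary entries above arise, and why the contents of a deleted file survive in both until its clusters are reused. The 16-byte cluster size, the file names and the file contents are constructed for the demonstration.

```python
CLUSTER = 16  # bytes per cluster; the glossary's 16 KB example, scaled down (added example)

def slack_size(file_size, cluster_size=CLUSTER):
    """Bytes between the end of a file and the end of its last cluster."""
    rem = file_size % cluster_size
    return 0 if rem == 0 else cluster_size - rem

class ToyDisk:
    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)  # raw platter contents
        self.files = {}                             # name -> (cluster chain, size)
        self.used = set()                           # clusters currently allocated

    def _free(self):
        return [c for c in range(len(self.data) // CLUSTER) if c not in self.used]

    def write(self, name, content):
        needed = -(-len(content) // CLUSTER)        # ceiling division
        chain = self._free()[:needed]
        if len(chain) < needed:
            raise OSError("disk full")
        for i, c in enumerate(chain):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the file's bytes are written; the rest of the last cluster (slack) is left as is.
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (chain, len(content))
        self.used.update(chain)

    def delete(self, name):
        # Drops the directory entry and frees the clusters; the bytes stay ("unallocated" data).
        chain, _ = self.files.pop(name)
        self.used.difference_update(chain)

    def slack(self, name):
        chain, size = self.files[name]
        last = chain[-1]
        end_of_file = last * CLUSTER + size - (len(chain) - 1) * CLUSTER
        return bytes(self.data[end_of_file:(last + 1) * CLUSTER])

    def unallocated(self):
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in self._free())

def demo():
    """Constructed scenario: a 43-byte file is deleted, then an 8-byte file reuses cluster 0."""
    disk = ToyDisk(clusters=4)
    disk.write("report.txt", b"CONFIDENTIAL DRAFT REPORT: DO NOT CIRCULATE")
    disk.delete("report.txt")
    disk.write("list.txt", b"shopping")
    return disk  # slack("list.txt") and unallocated() still hold pieces of the deleted report
```

Running demo() and then reading the new file's slack and the unallocated clusters recovers fragments of the deleted report even though no directory entry points at it any more.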
Volume
An area on the hard drive that has been formatted
so that files can be stored within it. A hard drive may contain
a single or multiple volumes. Each volume appears as if it is
a single hard drive. In Windows, the first volume is normally
referred to as "C:" while subsequent letters, such as
"D:", "E:" etc, may refer to additional volumes
or may identify devices such as a CD/ROM drive.
13. PROFILE
David Lattimore
I am a Technical Manager of the Digital Crime
Unit of LGC specialising in the forensic analysis of computers,
digital cameras, removable media and personal digital assistants
(PDAs) for evidential data.
A full CV has been submitted [not printed].
26 January 2006