9. Memorandum submitted by Mark Morris
1. REQUEST
1.1 This submission follows a request received
on 24 January 2006 in relation to two specific issues that form
part of a larger case put by police before the inquiry.
1.2 In the limited time available, the issue
of forensic analysis in relation to encrypted data will be addressed
and also, as requested, some comments will be made in respect
of the submission of Peter Sommer.
2. RELEVANT QUALIFICATIONS AND EXPERIENCE
2.1 I am Head of Forensics at LogicaCMG
plc and manage their Computer Forensics Investigation Service
("CFIS").
2.2 LogicaCMG plc employs over 21,000 staff
in 36 countries, and is listed on both the London (FTSE 250) and
Amsterdam stock exchanges. The Company has a market capitalisation
of three billion Euros, and is a major global force in IT systems
and wireless telecoms.
2.3 As part of the Security Practice, CFIS
provides computer forensic, expert witness, consultancy and investigative
services to a wide range of clients such as the Metropolitan Police
Service and the Department of Trade and Industry, as well as industries
in the nuclear, finance, transport and energy sectors. Forensic
processes are conducted in accordance with the principles of the
Association of Chief Police Officers' guidelines on the management
of computer-based evidence, a document to which I have contributed.
The Security Practice holds the ISO 9001 quality assurance standard,
has UKAS accreditation for its Evaluation Laboratories, CHECK accredited
penetration testers and is BS7799 compliant in designated areas.
All Security Services personnel are HM Government security cleared
to at least "SC" level.
2.4 Formerly, I was a detective on the Computer
Crime Unit at New Scotland Yard, before leaving in 1997 to work
in the private sector. I was involved in some of the major computer
crime cases of that decade, including the investigation of hacking
into the global networks of a number of private sector international
organisations as well as foreign government agencies. Such enquiries
led me to work with a number of overseas law-enforcement agencies,
and this complemented the training that I was, at this time, delivering
for Interpol and at the Police Staff College.
2.5 Since my employment in the private sector,
I have managed the forensic investigation teams on a number of
high-profile cases; most recently the DTI prosecution in relation
to the share tipping enquiry at the Daily Mirror.
2.6 By way of contrast, and balance, I am
also instructed as an expert witness to the Military, Civil and
Criminal Court by the Defence.
2.7 The views that I express are personal.
3. SUBMISSION
3.1 Much has already been documented with
regard to the forensic examination of computers, and it is not
the purpose of this submission to regurgitate the large amount
of material that is available in the public domain.
3.2 My submission is based on practical
experience of managing complex enquiries and dealing with the
forensic examination of computer media.
3.3 The existence of encryption on computer
media can be categorised into the following general classes:
(a) Proprietary encryption used by desktop
applications such as email clients and office applications.
(b) Commercially available software encryption
tools.
(c) Commercially available hardware encryption
tools.
(d) Bespoke applications that can be
engineered to suit a particular requirement.
3.4 In addition, technologies such as steganography
and those involving drive volume manipulation (where the data
is hidden as well as maybe being encrypted) can cause the forensic
analyst sometimes insurmountable issues.
3.5 Whilst some encryption is easily broken,
the increasing complexity of readily available applications can
result in a lengthy period before the examination can have any
success.
3.6 In the submission of Mr Peter Sommer,
it is stated at paragraph 7 "Once the computer is in the
hands of an examiner it is usually possible within a few hours
to establish whether there is likely to be material of interest
. . ." Whilst this may be the case in a simple investigation,
this statement does not reflect the issues faced in a complex
and serious enquiry. It may be the case, for example, that information
gleaned in an interview, many days after the initial arrests,
causes a re-examination of a piece of computer media.
3.7 Mr Sommer's statement also pre-supposes
that encrypted material is readily identifiable; it is not.
3.8 Although forensic tools have rapidly
improved in terms of their power and speed, this has been matched
by the huge increase in the capacity of computer media as well
as the technical knowledge and ability readily available to serious
criminals.
3.9 Mr Sommer continues (at paragraph 9)
"A fuller examination might take . . . about 20 hours. The
results at this time would certainly [be] more than enough for
an initial interview and/or arguments for applications for continued
detention." Again, this may be true for one or two desktop
computers, but this is not the case in a major enquiry. There
is a risk here of a gross over-simplification of the issues that
are faced by Police when investigating complex terrorist offences.
3.10 Where a number of arrests have been
made, Police are likely to have seized a variety of different
storage media which may require a number of different techniques
to be used in breaking encryption and/or protection. This can
range from simple personal identification numbers (PIN) on mobile
phone cards to powerful commercial encryption on hard disk drives.
In addition, biometric devices are increasingly common, and these
bring further issues for the forensic analyst.
3.11 A competent enquiry requires the evidence
to be looked at in its entirety, and the delay in attempting decryption
of data does not simply affect that one piece of evidence; rather
it has a negative effect on the whole picture that Police are
trying to build.
3.12 In a recent (non-terrorist) case that
we conducted, around 12 terabytes of data was seized and the forensic
imaging alone took around 30 man-days in machine time. It is not
that uncommon for Police (even in a residential environment) to
discover a computer network that in its capacity would exceed
that of a small business. Taken together with the increasingly
common situation of data being stored at a third party location
(via the Internet), I do not share the view that law-enforcement
are able to gain an overview of the forensic evidence within a
few days in the case of a complex enquiry.
3.13 Furthermore, the actual seizing of
the relevant exhibits may take in excess of one day, especially
where there may be a risk to life at the search scene.
3.14 At Paragraph 10, Mr Sommer states ". . . it should be remembered
that computers are used to search the contents at great speed . . .".
In some of the work I
have conducted, the best forensic tools available (running scripts
provided by Police) simply could not cope "in one go"
with the high volumes of data that we have had to process. The
data had to be "batch processed" and this causes further
delay. Accordingly, I disagree with the sentiments of his statement.
3.15 Furthermore, the running of automated
key-word searches does not remove the need for the time-consuming
human element, where the results have to be analysed, placed
into context and possibly translated.
3.16 Whilst modern forensic tools seem impressive
in their speed and capability at examining data in the region
of one or two hundred gigabytes, there are far more complex issues
when searching data above this level. This is compounded when
the forensic examiner has to deal with issues such as rebuilding
forensic images of computer servers, and the sheer volume of data
can mean that even getting the data into an examinable condition,
can take several days.
3.17 Also, if there is a mixture of operating
systems and storage technologies, then any examination is further
delayed.
3.18 Such issues are further compounded
when the investigation has to deal with an incomplete seizure
of evidence. It may be the case, in a complex enquiry, that the
successful decryption of data only points to the existence of
other sources of evidence, which are yet to be located and seized.
3.19 In another case undertaken in December
2005, it was discovered that the suspects had been careful in
saving all incriminating material to USB memory sticks, as opposed
to the hard disk drive. These (easily disposable) memory devices
had not been located by Police, and it was only through low-level
cluster analysis of the hard disk drive media that it was possible
to discover that they had even existed.
3.20 There are a number of ways to break
encryption, and it is not the intent of this report to deal with
the individual methods, whether technical or otherwise. The most
common forensic tool used by Police is not very effective in even
revealing encrypted data, and it is feared that many times such
evidence may be overlooked.
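Paragraphs 3.7 and 3.20 both turn on the point that encrypted material is not self-announcing on seized media. The following is an added illustration, not part of Mr Morris's memorandum and not a description of any particular forensic tool, of one low-cost triage technique an examiner can run over a raw image before anything else: Shannon entropy per cluster. Encrypted (and compressed) data is close to the 8-bit maximum, unused space is near zero, and ordinary documents sit in between. The image, cluster size, threshold and labels below are all constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed parameters for the example; real images use the
# filesystem's own cluster size and a threshold tuned on known data.
CLUSTER_SIZE = 4096
HIGH_ENTROPY_THRESHOLD = 7.9   # bits per byte; 8.0 is the maximum
LOW_ENTROPY_THRESHOLD = 1.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Coarse label for a cluster; high entropy is a lead, not a finding,
    because compressed archives and JPEGs look the same as ciphertext."""
    if entropy >= HIGH_ENTROPY_THRESHOLD:
        return "high-entropy (encrypted or compressed?)"
    if entropy < LOW_ENTROPY_THRESHOLD:
        return "low-entropy (unused or sparse)"
    return "plaintext or structured"


def scan_image(image: bytes, cluster_size: int = CLUSTER_SIZE):
    """Walk the image cluster by cluster.
    Returns a list of (start, end, entropy, label) tuples."""
    results = []
    for start in range(0, len(image), cluster_size):
        chunk = image[start:start + cluster_size]
        h = shannon_entropy(chunk)
        results.append((start, start + len(chunk), round(h, 3), classify(h)))
    return results


def high_entropy_runs(results):
    """Coalesce adjacent high-entropy clusters into (start, end) byte ranges,
    which is what an examiner would hand to a more expensive analysis."""
    runs, run_start, run_end = [], None, None
    for start, end, _, label in results:
        if label.startswith("high-entropy"):
            if run_start is None:
                run_start = start
            run_end = end
        elif run_start is not None:
            runs.append((run_start, run_end))
            run_start = None
    if run_start is not None:
        runs.append((run_start, run_end))
    return runs


def build_sample_image() -> bytes:
    """Constructed four-cluster image: one cluster of English text, one of
    zeros, two of deterministic pseudo-random bytes standing in for ciphertext."""
    sentence = b"The quick brown fox jumps over the lazy dog. "
    text = (sentence * (CLUSTER_SIZE // len(sentence) + 1))[:CLUSTER_SIZE]
    zeros = bytes(CLUSTER_SIZE)
    # SHA-256 in counter mode gives repeatable, ciphertext-like bytes.
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(2 * CLUSTER_SIZE // 32))
    return text + zeros + stream


if __name__ == "__main__":
    image = build_sample_image()
    for start, end, h, label in scan_image(image):
        print(f"{start:>8} - {end:<8} {h:5.3f}  {label}")
    print("candidate ranges:", high_entropy_runs(scan_image(image)))
```

The output for the constructed image flags only the last two clusters, as one contiguous range. On a real image the flagged ranges are a worklist, not evidence: the examiner still has to distinguish a container file from a ZIP archive or a media file, which is exactly the "human element" the memorandum describes.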
3.21 The Internet has, of course, circumvented
the ability of governments to rein in the availability of powerful
encryption technology, and the "honeymoon period" for
investigators is now over. It is now common to encounter some
form of encryption on computer media seized as part of a criminal
investigation, whereas five years ago, it was fairly unusual.
3.22 Suffice it to say, the ability of the
technically able and organised criminal to defeat a successful
computer forensic examination through the use of encryption, has
never been more available. In a complex investigation, even the
most competent and well-resourced forensic laboratory can spend
many weeks attempting to discover, decrypt and analyse the entirety
of the computer-based evidence.