Select Committee on Home Affairs Written Evidence


9.  Memorandum submitted by Mark Morris

1.  REQUEST

  1.1  This submission follows a request received on 24 January 2006 in relation to two specific issues that form part of a larger case put by police before the inquiry.

  1.2  In the limited time available, the issue of forensic analysis in relation to encrypted data will be addressed and also, as requested, some comments will be made in respect of the submission of Peter Sommer.

2.  RELEVANT QUALIFICATIONS AND EXPERIENCE

  2.1  I am Head of Forensics at LogicaCMG plc and manage their Computer Forensics Investigation Service ("CFIS").

  2.2  LogicaCMG plc employs over 21,000 staff in 36 countries, and is listed on both the London (FTSE 250) and Amsterdam stock exchanges. The Company has a market capitalisation of three billion Euros, and is a major global force in IT systems and wireless telecoms.

  2.3  As part of the Security Practice, CFIS provides computer forensic, expert witness, consultancy and investigative services to a wide range of clients such as the Metropolitan Police Service and the Department of Trade and Industry, as well as industries in the nuclear, finance, transport and energy sectors. Forensic processes are conducted in accordance with the principles of the Association of Chief Police Officers' guidelines on the management of computer-based evidence—a document to which I have contributed. The Security Practice holds the ISO 9001 quality assurance standard, has UKAS accreditation on its Evaluation Laboratories, CHECK accredited penetration testers and is BS7799 compliant in designated areas. All Security Services personnel are HM Government security cleared to at least "SC" level.

  2.4  Formerly, I was a detective on the Computer Crime Unit at New Scotland Yard, before leaving in 1997 to work in the private sector. I was involved in some of the major computer crime cases of that decade, including the investigation of hacking into the global networks of a number of private sector international organisations as well as foreign government agencies. Such enquiries led me to work with a number of overseas law-enforcement agencies, and this complemented the training that I was, at this time, delivering for Interpol and at the Police Staff College.

  2.5  Since my employment in the private sector, I have managed the forensic investigation teams on a number of high-profile cases; most recently the DTI prosecution in relation to the share tipping enquiry at the Daily Mirror.

  2.6  By way of contrast, and balance, I am also instructed as an expert witness to the Military, Civil and Criminal Court by the Defence.

  2.7  The views that I express are personal.

3.  SUBMISSION

  3.1  Much has already been documented with regard to the forensic examination of computers, and it is not the purpose of this submission to regurgitate the large amount of material that is available in the public domain.

  3.2  My submission is based on practical experience of managing complex enquiries and dealing with the forensic examination of computer media.

  3.3  The existence of encryption on computer media can be categorised into the following general classes:

    —  Proprietary encryption used by desktop applications such as email clients and office applications.

    —  Commercially available software encryption tools.

    —  Commercially available hardware encryption tools.

    —  Bespoke applications that can be engineered to suit a particular requirement.

  3.4  In addition, technologies such as steganography and those involving drive volume manipulation (where the data is hidden as well as possibly being encrypted) can cause the forensic analyst issues that are sometimes insurmountable.

  3.5  Whilst some encryption is easily broken, the increasing complexity of readily available applications can result in a lengthy period before the examination can have any success.

  3.6  In the submission of Mr Peter Sommer, it is stated at paragraph 7 "Once the computer is in the hands of an examiner it is usually possible within a few hours to establish whether there is likely to be material of interest . . ." Whilst this may be the case in a simple investigation, this statement does not reflect the issues faced in a complex and serious enquiry. It may be the case, for example, that information gleaned in an interview, many days after the initial arrests, causes a re-examination of a piece of computer media.

  3.7  Mr Sommer's statement also pre-supposes that encrypted material is readily identifiable—it is not.

  3.8  Although forensic tools have rapidly improved in terms of their power and speed, this has been matched by the huge increase in the capacity of computer media as well as the technical knowledge and ability readily available to serious criminals.

  3.9  Mr Sommer continues (at paragraph 9) "A fuller examination might take . . . about 20 hours. The results at this time would certainly [be] more than enough for an initial interview and/or arguments for applications for continued detention." Again, this may be true for one or two desktop computers, but this is not the case in a major enquiry. There is a risk here of a gross over-simplification of the issues that are faced by Police when investigating complex terrorist offences.

  3.10  Where a number of arrests have been made, Police are likely to have seized a variety of different storage media which may require a number of different techniques to be used in breaking encryption and/or protection. This can range from simple personal identification numbers (PINs) on mobile phone cards to powerful commercial encryption on hard disk drives. In addition, biometric devices are increasingly common, and these bring further issues for the forensic analyst.

  3.11  A competent enquiry requires the evidence to be looked at in its entirety, and the delay in attempting decryption of data does not simply affect that one piece of evidence; rather it has a negative effect on the whole picture that Police are trying to build.

  3.12  In a recent (non-terrorist) case that we conducted, around 12 terabytes of data was seized and the forensic imaging alone took around 30 man-days in machine time. It is not that uncommon for Police (even in a residential environment) to discover a computer network that in its capacity would exceed that of a small business. Taken together with the increasingly common situation of data being stored at a third-party location (via the Internet), I do not share the view that law enforcement is able to gain an overview of the forensic evidence within a few days in the case of a complex enquiry.

  3.13  Furthermore, the actual seizing of the relevant exhibits may take in excess of one day, especially where there may be a risk to life at the search scene.

  3.14  At paragraph 10, Mr Sommer states ". . . it should be remembered that computers are used to search the contents at great speed. . .". In some of the work I have conducted, the best forensic tools available (running scripts provided by Police) simply could not cope "in one go" with the high volumes of data that we have had to process. The data had to be "batch processed" and this causes further delay. Accordingly, I disagree with the sentiments of his statement.

  3.15  Furthermore, the running of automated key-word searches does not remove the need for the time-consuming human element—where the results have to be analysed, placed into context and possibly translated.

  3.16  Whilst modern forensic tools seem impressive in their speed and capability at examining data in the region of one or two hundred gigabytes, there are far more complex issues when searching data above this level. This is compounded when the forensic examiner has to deal with issues such as rebuilding forensic images of computer servers, and the sheer volume of data can mean that even getting the data into an examinable condition can take several days.

  3.17  Also, if there is a mixture of operating systems and storage technologies, then any examination is further delayed.

  3.18  Such issues are further compounded when the investigation has to deal with an incomplete seizure of evidence. It may be the case, in a complex enquiry, that the successful decryption of data only points to the existence of other sources of evidence, which are yet to be located and seized.

  3.19  In another case undertaken in December 2005, it was discovered that the suspects had been careful in saving all incriminating material to USB memory sticks, as opposed to the hard disk drive. These (easily disposable) memory devices had not been located by Police, and it was only through low-level cluster analysis of the hard disk drive media that it was possible to discover that they had even existed.

  3.20  There are a number of ways to break encryption, and it is not the intent of this report to deal with the individual methods, whether technical or otherwise. The most common forensic tool used by Police is not very effective in even revealing encrypted data, and it is feared that many times such evidence may be overlooked.

  3.21  The Internet has, of course, circumvented the ability of governments to rein in the availability of powerful encryption technology, and the "honeymoon period" for investigators is now over. It is now common to encounter some form of encryption on computer media seized as part of a criminal investigation, whereas five years ago it was fairly unusual.

  3.22  Suffice to say, the ability of the technically able and organised criminal to defeat a successful computer forensic examination through the use of encryption has never been more available. In a complex investigation, even the most competent and well-resourced forensic laboratory can spend many weeks attempting to discover, decrypt and analyse the entirety of the computer-based evidence.



© Parliamentary copyright 2006
Prepared 3 July 2006