COMMENT

In cybercrime cases, computers often act as 'witnesses' providing digital evidence for or against the accused. But, asks Neil Barrett, how can we know whether to trust machines for this essential task?
Evidence is a slippery commodity, especially when it comes in digital form.
Evidence literally means 'that which can be seen' and the criminal courts recognise a wide variety of different forms. First of all, it can be direct or it can be circumstantial, meaning it either establishes a particular point or it establishes a circumstance from which the point might be inferred.
Second, it might be original or it might be hearsay, meaning it is either reporting something immediately observed or something which has been reported.
Third, it can be oral, real or documentary - meaning it is something said by a witness, either from the witness box or in the form of a written statement; something which can be physically examined by the jury; or it is a document whose contents the jury are asked to accept.
And finally, the evidence can be factual or it can be expert in nature.
In terms of 'ordinary' cases, this distinction is relatively straightforward. Take a murder, for example, in which someone is knifed in a particular house. A witness who sees the defendant actually use the knife on the victim and then gives testimony in court is giving direct, original, oral evidence; and the knife itself, shown to the jury, is real evidence. A diary entry in which the defendant describes his plan to murder the victim, by contrast, would be circumstantial, documentary, hearsay evidence. And the testimony of a doctor who states that the wounds inflicted on the victim were consistent with the knife would be expert evidence.
In cases in which digital evidence recovered from a computer is presented, however, it is never quite so clear cut. The computer itself might be considered as real evidence: it can be shown to the jury, though it is doubtful that the members of the jury would be any the wiser after having seen it. The contents of the computer might be considered as a form of documentary evidence and the testimony of those forensic technicians who copied the computer would be oral. Beyond that, though, the digital evidence becomes slightly more confusing.
Most obviously, there is the very issue of what can be 'seen', since digital evidence is by its very nature binary patterns in magnetic, optical or electronic form, needing to be interpreted and translated - with obvious questions as to its accuracy - before it can be put before the jury. A single floppy disk, for example, represents some 500 pages of text, perhaps all of it needing to be made available to the court. Imagine the problems of presenting the contents of a 50GB hard disk drive.
These problems can be addressed after a fashion, even if just by means of printing out the relevant portions and allowing the defence access to the rest. But what of the evidential aspects of that information? How does it stand as 'evidence'?
First, are the files recovered from the computer to be considered original or hearsay? The point is an important one because, other than in special circumstances, hearsay evidence is generally considered to be inadmissible in criminal courts. Consider the computer as a 'witness' of some kind. The contents of the various files - such as emails, documents and the like - consist of things which, in some sense, the computer has 'heard' the user say to it; and which, again in some sense, the computer has accurately remembered. Textual content of files must therefore be considered a form of documentary hearsay. In contrast, the time stamps, log file entries and other material produced by the computer as a result of its normal operation - programs acting without user intervention - might be considered as having been 'witnessed' by the computer directly: these might be considered as original documentary evidence.
Many of the main matters of any criminal case featuring file contents are therefore going to hinge on how reliable the computer might be considered as a 'hearsay witness': does it indeed accurately 'remember' the things said to it by its human user and attribute them correctly?
In cases of ordinary evidence, it is this reliability and accuracy which might persuade a court to accept hearsay evidence from a witness reporting on behalf of someone else. In the case of computer evidence, the court needs to be persuaded of the reliability of the computer records themselves - and in most cases, this hinges on the question of reliable identification of the user.
Recent cases have highlighted the fact that computers can be influenced by viruses and Trojan horses and even that the computer records might be influenced by the presence of a keylogger so as to allow a hacker or other intruder access to the computer. Between my fingers typing these words and the Word application which records them there is a huge range of different programs, not all of which I know intimately. If even a simple document such as this is potentially affected by unknown sequences of instructions, then what of a more important document relevant to a criminal prosecution? How sure can we be that the evidence of guilt contained on a computer should be relied upon?
The answer is that we need to work very hard on analysing the activity on the computer. We need to isolate and to understand the programs involved. We need to examine any computer closely for possible interference - whether from an intruder or from rogue software instructions. We need constantly to question computer-derived evidence if we are to accept that what it tells us about the user is to be relied upon.
Computers contain a wealth of information about the activities of their users - information which we seek to apply as evidence in computer crime cases but which must be constantly questioned.
The more reliable the security of the computer systems, the more reliable that information - and therefore the more reliable the evidence that we wish to present. But without adequate security that information is called into question and the prosecution begins to suffer.
If we wish to rely on computers in our business and our private lives, we need to be sure of the evidential quality of that information. And that means we have to be sure of the information security. It's a huge task but one which our digital society demands.






Comments
1. anonymous
"A diary entry in which the defendant describes his plan to murder the victim, by contrast, would be circumstantial, documentary, hearsay evidence"
THIS IS INCORRECT!