Professor outlines some of the dangers in using digital data as evidence




Prof Bill Buchanan has outlined some of his thoughts on the use of digital information in criminal investigations in his blog (here), which was used as the basis for an article in Scotland on Sunday on 20 July 2014 (here).

Please note, in these articles, Bill does not pass judgement on the rights or wrongs of the Data Retention and Investigatory Powers Bill, and only focuses on the fragility of digital data. A future blog entry will look at this in more detail.

Blog text

Digital information is really just a bunch of 1s and 0s. It is fragile, and can often be changed while it is stored, transmitted or even processed. Basically, all the information that we see is converted from these 1s and 0s, and is often provided in a way which can be easily compromised. I thus see that digital evidence gathering provides investigators with new ways to investigate quickly, and with corroboration for traditional evidence, but not with a single source of proof. I'd like to outline the following scenarios, which show how fragile digital information is.

Crime Scenario 1 (Defence: It wasn't my computer). In this case Bob is at home, and his ISP has detected that he has been accessing illegal content. Bob is arrested, and says that it was someone else in his work. Most home networks use NAT (Network Address Translation), which maps one or more private IP addresses (the address ranges reserved for private networks) to a single public IP address. Thus all the data packets received by the ISP carry the same source IP address, no matter which computer generated the request. It is therefore not possible to pin down the physical address of the computer, as the physical address cannot be determined from the data packets. So an IP address alone cannot be taken as a single source of evidence.

In a company environment, again, the IP address alone cannot be taken as a credible single source, as it can be spoofed. In this case, Alice waits for Bob to log off, sets her computer to a static address which matches Bob's computer, and then accesses the material, and Bob gets the blame. If we were to use the physical address too as a trace, the physical address (normally known as the MAC address) is also easily spoofed.
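The NAT and spoofing points above, as an added example that is not part of the original blog: a minimal model of a home router's address translation, the flow record the ISP keeps, and the router-side table an investigator would need to get past the public address, which a host on the LAN can still defeat by presenting Bob's IP and MAC (the company case). All hosts, MACs and timestamps are made up, and the IP addresses are taken from the documentation ranges.

```python
"""Added example (not from the original blog): what the ISP's log can and
cannot tell an investigator in Scenario 1.

A home router does NAT (strictly NAPT): every outgoing packet has its
private source address rewritten to the router's single public address and
a fresh source port, and a translation table remembers the mapping so that
replies reach the right machine.  The ISP only ever sees the public side.
Addresses and MACs are constructed sample data; 203.0.113.0/24,
198.51.100.0/24 and 192.168.0.0/16 are documentation/private ranges.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # the router's WAN address (constructed)


@dataclass(frozen=True)
class Packet:
    ts: int          # seconds since epoch (constructed)
    src_ip: str
    src_port: int
    src_mac: str     # link-layer source as seen on the LAN
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # public source port -> (private ip, private port, LAN MAC, time)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Rewrite the packet as the ISP will see it and record the mapping."""
        port = self._next_port
        self._next_port += 1
        self.table[port] = (pkt.src_ip, pkt.src_port, pkt.src_mac, pkt.ts)
        return replace(pkt, src_ip=self.public_ip, src_port=port, src_mac="router-wan")


def isp_log(packets: List[Packet]) -> List[str]:
    """The ISP's flow record: public side only, no MACs, no private IPs."""
    return [f"{p.ts} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}" for p in packets]


def sources_in_log(log: List[str]) -> set:
    """Everything the ISP can say about 'who': the set of source addresses."""
    return {line.split()[1].rsplit(":", 1)[0] for line in log}


def attribute(router: NatRouter, public_port: int) -> Optional[Tuple[str, str]]:
    """Map an ISP log entry back to (private IP, MAC) via the router's table.

    Home routers rarely retain this table, and even when they do its
    contents are whatever the LAN host chose to present on the wire.
    """
    entry = router.table.get(public_port)
    return None if entry is None else (entry[0], entry[2])


def run_demo() -> dict:
    router = NatRouter(PUBLIC_IP)
    bob = ("192.168.1.10", "bb:bb:bb:bb:bb:10")
    alice = ("192.168.1.11", "aa:aa:aa:aa:aa:11")
    site = ("198.51.100.5", 80)   # the server hosting the content (constructed)
    lan = [
        Packet(1000, bob[0], 51000, bob[1], *site),     # Bob, genuinely
        Packet(1001, alice[0], 51001, alice[1], *site), # Alice, as herself
        Packet(1002, bob[0], 51002, bob[1], *site),     # Alice, having cloned Bob's IP and MAC
    ]
    wan = [router.forward(p) for p in lan]
    log = isp_log(wan)
    return {
        "log": log,
        "isp_sources": sources_in_log(log),
        "attributions": [attribute(router, p.src_port) for p in wan],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The ISP's log collapses all three flows to one source address, so on its own it cannot separate Bob from Alice. With the router's table the first two flows are attributable, but the third, sent by Alice after cloning Bob's IP and MAC, produces exactly the same table entry as Bob's own traffic, which is the spoofing problem from the company case.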

Crime Scenario 2 (Defence: Someone accessed my machine and did it). In this case, Bob's computer has illegal content on it, and he claims that he had no idea how it got there. Most computers are networked, and once they join a network they can be connected to. Often guest shares or guest accounts can be used to create a connection. If not, there are a whole lot of malware kits that Eve can use to gain remote access to the machine. In this case Eve sends Bob a link to a PDF document. He views it, and it actually sets up a remote access method for Eve, and she can do whatever she wants on his machine. If Bob hasn't patched his machine, he is vulnerable to this. So in his defence he just says that he doesn't trust Microsoft's patches, and it was their fault. If the PDF one doesn't work, she tries a Java exploit; if that doesn't work, it's a Flash compromise ... and she keeps trying.

Crime Scenario 3 (Defence: Someone stole my user account details). Bob is arrested for trying to take money from someone else's account and put it into an off-shore account. The bank says that he logged in and transferred the money. In this case, Eve has sent Bob a trick email which asks him to log in and check some details. He logs in, but it doesn't work; the next time it is fine. After this Eve has his login details, and can go ahead and log in on his behalf. Bob has no idea that anything has gone wrong, but the first site was a spoof site, which captured his bank login details and then redirected him to the real site, where the login worked. To make the spoof site look real, Eve has scraped the images, text and style sheets from the bank's site, so it all looks real.

Crime Scenario 4 (Defence: The bot did it). In this case, Bob has been attacking a remote site, and is arrested. His defence is that it wasn't him, but a bot on his machine. In most cases this defence is not strong, but there is always a chance that a bot on the computer did generate the malicious activity. Just because no malware is found on a machine at the point of investigation doesn't mean that it wasn't there at some time in the past.

Crime Scenario 5 (Defence: My computer automatically went to it). In this case, Bob has been detected by his ISP accessing some criminal material. He is arrested, and says that he knew very little about it: he had basically accessed his bank but ended up viewing the criminal material. For this one we have to look at the details of domain name servers (DNS) and Internet gateways. Unfortunately, the Internet has been created with very little credibility in the information that is passed. So when Bob starts his computer, Eve broadcasts the MAC address of her computer and pretends to be his Internet gateway and also his DNS server. All Bob knows is that when he accesses his bank, he sees the wrong site. In fact, Eve has poisoned his domain name look-ups, and she resolves his domain requests to the wrong IP address, which is then logged by the ISP.
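The gateway and DNS impersonation in this scenario, as an added example that is not part of the original blog: a small detector run over a constructed capture of ARP replies, reporting when the MAC claimed for the gateway or resolver address changes, and when one card answers for both. The LAN layout, MACs and timestamps are made up.

```python
"""Added example (not from the original blog): spotting Scenario 5's
gateway/DNS impersonation in ARP traffic.

ARP carries no authentication.  Any host on the LAN can broadcast
"192.168.1.1 is-at <my MAC>", and every machine that hears it rewrites its
ARP cache, after which traffic for the gateway (and for the resolver, if Eve
claims that address too) is delivered to Eve's network card instead.  The
detector below reports every reply that contradicts the MAC already known
for an IP, and any single MAC that claims more than one IP.  The LAN layout
and the captured replies are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional


class ArpReply(NamedTuple):
    ts: int      # capture time, seconds since epoch (constructed)
    ip: str      # sender protocol address: "this IP ..."
    mac: str     # sender hardware address: "... is at this MAC"


GATEWAY_IP = "192.168.1.1"   # assumed LAN layout
DNS_IP = "192.168.1.2"
BOB_IP = "192.168.1.10"

# What a LAN inventory would record before any attack.  Seeding the detector
# with this is what keeps it reliable when capture starts late.
KNOWN_GOOD: Dict[str, str] = {
    GATEWAY_IP: "aa:aa:aa:aa:aa:01",
    DNS_IP: "aa:aa:aa:aa:aa:02",
}

ARP_REPLIES: List[ArpReply] = [                        # constructed capture, arrival order
    ArpReply(1000, GATEWAY_IP, "aa:aa:aa:aa:aa:01"),   # genuine gateway
    ArpReply(1001, DNS_IP, "aa:aa:aa:aa:aa:02"),       # genuine resolver
    ArpReply(1002, BOB_IP, "bb:bb:bb:bb:bb:10"),       # Bob's own machine
    ArpReply(1500, GATEWAY_IP, "ee:ee:ee:ee:ee:ee"),   # Eve claims the gateway
    ArpReply(1501, DNS_IP, "ee:ee:ee:ee:ee:ee"),       # ... and the resolver
    ArpReply(1502, GATEWAY_IP, "ee:ee:ee:ee:ee:ee"),   # repeated to keep caches poisoned
]


def detect_arp_spoofing(replies: Iterable[ArpReply],
                        trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """Return one alert string per suspicious observation, in order.

    Without `trusted`, the first MAC seen for each IP is taken as the truth,
    so an attack already under way when capture starts goes unnoticed.
    """
    known: Dict[str, str] = dict(trusted or {})
    ips_by_mac: Dict[str, set] = defaultdict(set)
    alerts: List[str] = []
    for r in replies:
        ips_by_mac[r.mac].add(r.ip)
        expected = known.setdefault(r.ip, r.mac)
        if expected != r.mac:
            alerts.append(f"{r.ts} ip {r.ip} changed {expected} -> {r.mac}")
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:   # one card answering for gateway *and* resolver
            alerts.append(f"mac {mac} claims {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(ARP_REPLIES):
        print(line)
```

Once Eve's card is receiving Bob's DNS queries she can answer them with any address she likes, and it is that address, not the bank's, which ends up in the ISP's records. The detector only reports a change relative to what it already knows, so a capture that starts after the poisoning has begun sees nothing unless it is seeded with a known-good inventory, which is the practical caveat when reconstructing such an event after the fact.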

Crime Scenario 6 (Defence: I didn't send the email). In this case we have Bob, who is sending abusive emails to Alice, and she forwards them to the Police saying that he is abusing her. Bob is then arrested, and says that he knew nothing about it. In this case, the email system we have set up has no credibility, and anyone can send an email saying that they are anyone they want to be. Thus Eve uses her own SMTP server, within a private network, and sends the email. In fact the email contents just contain headers of:

To: From:

and there is no way of actually telling whether it was from Bob. So email really can't be used as a fully credible source of evidence. It can be used to build a timeline, but you cannot ever confirm that the sender is actually who it says in the "From:" field.
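The point about email above, as an added example that is not part of the original blog: a header analysis that separates what the recipient's own mail relays observed (the connecting IP address and their timestamps, which give the timeline) from what the sender wrote (the From: line and any Received: lines below the recipient's own). The message, host names and addresses are constructed, using documentation IP ranges.

```python
"""Added example (not from the original blog): what the headers of a
spoofed email can and cannot tell an investigator in Scenario 6.

The From: line is written by whoever composes the message; Eve's own SMTP
server will send "From: bob@example.com" without complaint.  What Eve
cannot rewrite are the Received: lines that each later relay prepends, so
the hops stamped by the recipient's own provider give a timeline and the IP
address that actually connected, while the From: field and any Received:
lines below those hops are just text Eve chose.  The message, hosts and
addresses are constructed sample data (documentation IP ranges).
"""
import re
from email import message_from_string, utils
from typing import Dict, List, Optional

RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.25])
    by inbox.example.net with ESMTP id abc123
    for <alice@example.net>; Sun, 20 Jul 2014 10:15:02 +0100
Received: from mail.example.com (unknown [198.51.100.77])
    by mx1.example.net with SMTP id def456
    for <alice@example.net>; Sun, 20 Jul 2014 10:15:01 +0100
Received: from bob-laptop (bob-laptop [10.0.0.5])
    by mail.example.com with ESMTP id ghi789; Sun, 20 Jul 2014 10:14:55 +0100
From: Bob <bob@example.com>
To: alice@example.net
Subject: constructed sample
Date: Sun, 20 Jul 2014 10:14:50 +0100
Message-ID: <1@mail.example.com>

(body omitted)
"""

# One Received: hop.  Only the parenthesised part, the "by" host and the date
# come from the relay that wrote the line; the "from" name is whatever the
# connecting host announced in HELO/EHLO and is untrusted.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<observed>[^)]*)\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r".*?;\s*(?P<date>.+)$"
)
IP_RE = re.compile(r"\[([0-9.]+)\]")


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Received: hops newest-first (relays prepend), folded onto one line."""
    msg = message_from_string(raw)
    hops: List[Dict[str, Optional[str]]] = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if not m:
            continue          # relay used a format this parser does not know
        observed = m.group("observed") or ""
        ip = IP_RE.search(observed)
        hops.append({
            "helo": m.group("helo"),
            "rdns": observed.split(" [")[0] or None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "date": m.group("date"),
        })
    return hops


def analyse(raw: str, receiving_domain: str) -> dict:
    """Separate what the recipient's relays observed from what Eve wrote."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    # Only lines written *by* the recipient's own relays are trustworthy;
    # the last of those is where the message entered that provider.
    trusted = [h for h in hops if h["by"].endswith(receiving_domain)]
    entry = trusted[-1] if trusted else None
    _, from_addr = utils.parseaddr(msg.get("From", ""))
    return {
        "from_address": from_addr,                         # Eve's choice
        "from_domain": from_addr.rpartition("@")[2],
        "connecting_ip": entry["ip"] if entry else None,   # observed by our MX
        "helo_claim": entry["helo"] if entry else None,    # Eve's choice
        "rdns": entry["rdns"] if entry else None,          # observed by our MX
        "timeline": [(h["by"], utils.parsedate_to_datetime(h["date"]))
                     for h in trusted],
        "untrusted_hops": len(hops) - len(trusted),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE, "example.net").items():
        print(f"{key}: {value}")
```

For the constructed message the recipient's relays saw a connection from 198.51.100.77 with no matching reverse DNS, while the sending host announced itself as mail.example.com and the From: line claims bob@example.com; the bottom Received: line, written by Eve's own server, is as free-form as the From: line and proves nothing about Bob. The two trusted timestamps are what the blog means by using email to build a timeline.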


The text from the article is here:

COMPUTER data cannot be fully trusted as criminal evidence, an IT security expert has warned, as a bill which allows the state access to online records was last week rushed through the UK parliament.

Professor Bill Buchanan, who is involved with training Police Scotland in how to analyse technological evidence, said that digital information can often be changed while it is stored, transmitted or even processed.

He warned that digital data should be taken as “one part of the jigsaw” rather than the focus of an investigation.

Last week, the Data Retention and Investigatory Powers Bill was passed to allow the security services access to people’s phone and internet records.

The bill was rushed through the Commons lower chamber in one day, which attracted criticism from MPs and privacy campaigners alike. It was debated in the House of Lords the following day.

It has been argued that the bill will allow investigators urgent access to counter-terrorism information. The law would require phone and internet firms to store emails and phone calls for 12 months and will allow the police and security services investigating serious crimes to access details of whom a person spoke to, and when – but not the content of their communication.

But Buchanan said that computer data, which is often used in police investigations, can be easily manipulated.

“Digital information is really just a bunch of 1s and 0s. It is fragile, and often can be changed while it is stored, transmitted or even processed,” he said.

“Basically all the information that we see is converted from these 1s and 0s, and often provided in a way which can be easily compromised.”

He pointed to potential scenarios where, if a hacker is a work colleague or acquaintance and can get access to a person's computer, the IP address which identifies each computer can be easily altered, or "spoofed" – making it look like the person has accessed or opened certain information when this has actually been done by someone else. This would make it easy to "frame" an innocent person.

“If you open a phishing email, such as a fake one claiming to be from Her Majesty’s Revenue and Customs, it downloads a bot on to your computer.

“That can then take screen shots of whatever you do. If someone can get access to your machine – even remotely – they can plant evidence on it,” said Prof Buchanan.

He said he feared that many MPs would not have a comprehensive knowledge of digital evidence.

“DNA and so on is a well known science but when it comes to digital information people are not aware of the technology,” he added.

Mandy Haeburn-Little, director of the Scottish Business Resilience Centre, said she employed "ethical hackers" – also known as "white hats" – to do whatever they could to combat, and also understand, the work of cyber criminals.

“They constantly fight the forces of evil and seek out what is happening and who is doing what,” she said.

She added: "Police Scotland has an excellent cyber unit and works extremely hard to ensure that, round the clock, Scotland is as secure as it can be. It is a constant battle for all of us."

The bill is supported by the three main parties, but opposed by civil liberties campaigners.

