I was just wondering, has anyone come across any forensic firms that use Webex or similar to allow clients to see a draft report or seized files, so that the client can get quick access and advise on the future course of action? Obviously, security is the major concern and it would not be suitable for cases with very sensitive content, but it could be useful.
Given the security implications, I'd explicitly avoid WebEx or any other hosted service for this - having said that, there are plenty of ways that you could do this sort of thing retaining servers in-house (or in-data-centre anyhoo) to assure the security.
Done properly, it would be considerably more secure than e-mailing a client a draft and talking them through it on the phone …
If anybody is thinking about implementing this, I'd be interested in discussing the security implications and risk analysis with you - (if you're UK LE, I'd be happy to help you put together a security case for your accreditor …)
( Clearly for unlawful material this would be tantamount to distribution, and wouldn't be a good idea … )
Just to be devil's advocate, and not that I would use such a solution for KP cases, but why is this, if done properly and securely between authorised parties, tantamount to distribution?
What is different between streaming a video or showing a picture across a secure connection and doing the same from a server to a PC in the lab? Where is the distribution element? Is this different from me handing a hard copy to an authorised party? That is also distribution!
Again, not advocating that we go out and do that, but it could be an interesting intellectual exercise.
Done properly, it would be considerably more secure than e-mailing a client a draft and talking them through it on the phone …
Password protected zipped reports/files - easy.
With regard to WebEx type services they are intended as one-to-many broadcasts. Wouldn't one-to-one connections be sufficient (obviously I don't know pbeardmore's circumstances though)? If so, how about sending out a remote desktop invite or using something like DropBox? Classification of material dependent, natch.
Paul,
I see your point - I guess that, IMHO, the issue with the electronic option is that it would travel over a public network - you wouldn't send such material by Royal Mail - even on an encrypted disk - so I would see this to be the same, similarly, if you are giving a copy over, you are at that point handing over one copy, whereas in the electronic version, you are creating multiple copies of the material - as we are well aware, simply viewing on a machine can leave sufficient remnants to be an issue … ( and again would be creating copies and then retaining them ). And there would also be a massive emphasis on authentication and authorisation of a user - not only on the technical side ( biometrics perhaps ? ) but also to be assured that a given person does actually have authorisation to access a given resource of unlawful material.
Conceivably, if you were to (a) have a private network accredited for the transit of such material and (b) you were using stateless thin clients that couldn't retain data and (c) your identification procedures were adequate _then_ it would be possible - which is what you are saying - if done properly and securely …
In reality, the only difference between _us_ distributing and _them_ distributing ( given they have access to the same network, the same technology of encryption, authentication and authorisation ) is a legal _right_ or _need_ to do it. From a professional perspective, I would be reasonably confident in creating a "secure" network using encryption ( conversely remember that encryption is only valid for a period of time - not forever - someone sniffing your connection potentially has a library of CP the second a flaw is found in the algorithm &/or they have a computer fast enough to try all possible keys ), I would be more concerned about ensuring that someone beyond my sight was using the system appropriately, not delegating to someone else, that they ensure that the room they use isn't in public, that the door is locked, etc.
The wording of the Protection of Children Act (1978) is such on distribution
"For purposes of this Act, a person is to be regarded as distributing an indecent photograph or pseudo-photograph if he parts with possession of it to, or exposes or offers it for acquisition by, another person."
If you are doing a webcast where you are talking through a selection of images to someone who isn't authorised, because they are eavesdropping, have been delegated without authority or have accidentally walked into the wrong room - I think that a valid case for distribution exists.
This is my opinion, and where I stand on the intellectual exercise - I'm not a lawyer, but my experience of the law is that it is an a*s - such that someone handing in a disk of extreme material can be prosecuted for possession … http//
Cheers,
Si
Password protected zipped reports/files - easy.
And how have we communicated the password here ? The UK Phone system is only rated up to RESTRICTED level communications, which, let's face it, isn't exactly great - phone taps are easy. A VPN link would really be much better - set up using public key cryptography - but even then, as above it's only a _delay_ in decryption, not a prevention. ( It may be a looooong delay, but think how good WEP was for a while, one technical flaw and the whole lot is open … Given the resources of some of the people who might be interested in reading draft versions of criminal or anti-terrorist work I'd be erring on the side of caution ).
You've also the issue of the fact that the end machine may not be secure … E-mail certainly isn't …
( Remember I'm more paranoid than most 😉 comes with the job ! )
And how have we communicated the password here ?
I send them by SMS. Or telepathy. Depends how I feel. 😉
The UK Phone system is only rated up to RESTRICTED level communications, which, let's face it, isn't exactly great - phone taps are easy. A VPN link would really be much better - set up using public key cryptography - but even then, as above it's only a _delay_ in decryption, not a prevention. ( It may be a looooong delay, but think how good WEP was for a while, one technical flaw and the whole lot is open … Given the resources of some of the people who might be interested in reading draft versions of criminal or anti-terrorist work I'd be erring on the side of caution ).
You've also the issue of the fact that the end machine may not be secure … E-mail certainly isn't …
From a personal perspective I don't tend to work with LE clients, more HR departments, compliance officers, etc. and this level of protection tends to be reasonable for most scenarios. Easy and straightforward for them to deal with, while not easy and straightforward for most potential tamperers.
( Remember I'm more paranoid than most 😉 comes with the job ! )
Sure does! And that's why you're my first port of call if we need info sec advice!
Thanks for the input, I fully realise it's not suitable for all cases and as with many posts, the topic veers towards CP which I hinted at that we do not get involved in.
I am dealing here with much more everyday material (business documents, spreadsheets, memos, invoices, leaflets etc), so the need to be paranoid is not so pressing (although always good to be careful).
With clients around the UK and bail dates sometimes in the diary, it struck me as a potentially useful tool to be able to guide the client around the initial results and discuss the way to progress the investigation. Also, we have found that on many occasions, the client does not have the right software to open up a file in its native environment whereas, during a Webex, they are watching us viewing the file at our end. And as for sending a zipped folder, when we are dealing with VOB files of movies, it would be nice just to play the VOB over a Webex just to show the content.
Jonathan, as you are in the UK and mention working with HR departments and compliance officers, you are probably aware of the requirement in the Data Protection Act to have "regard for the state of technological development" when you consider your treatment of personal data (for example, the contents of those password secured zip files) - how do you feel about sending passwords via SMS now that the difficulty of attacks on the security of cellphone transmissions has been reduced to the level of script kiddies (down largely to the thorough trouncing of the A5/1 encryption algorithm)? Do you feel happy that you are using an "adequate level of protection" in these circumstances?
Horses for courses. I'm internal corporate so unless (fingers crossed I don't) I come across CP material then it's more about breach of contract of one kind or another rather than criminal cases.
I've used Webex to get an engineer from across the pond to view some 3rd party drawings and specifications that I didn't understand, we got to inclusion/elimination of files and created some relevant search terms pretty quickly. And have used Webex in company dispositions to ID (mostly on a folder-by-folder basis) what material we could let go and what we needed to keep.
Have never used Webex where I've turned up "plain vanilla" adult material, mainly because I just don't know who else might happen_to_accidentally_view at the other end.
Cheers