Peter, tell us a bit about yourself. What is your background and your current role?
I read law at Oxford and had a first career in book publishing. At that time although we all knew what a computer was most of us thought it unlikely that we would ever use one, let alone have so many in our houses that we lost count. I specialized in egg-head non-fiction. One of my authors was a research scientist at the National Physical Laboratory and wanted a guinea pig to see how far an “arts” graduate would cope with a computer. That started me off and fired my imagination. In a move to get a bit of practical electronics knowledge I took the amateur radio license exam, then a more difficult task than it is today.Once I had my license I found that many fellow hams were becoming interested in home computing so that I learnt a lot fast. Another author was editor of one of the early hobbyist PC magazines and invited me to write for the readership. I was able to review and borrow the first commercial personal computers – and teach myself more.
In the meantime I became a publisher – Information Provider – on BT’s pioneering but ultimately unsuccessful public access information service Prestel; it was valuable experience for when the Internet and the World Wide Web started up.
Wandering on to one of the bulletin boards of the time I found a group of network explorers – today we’d call them them recreational hackers, – but the motive was curiosity, not fraud and destruction. The Computer Misuse Act didn’t arrive until several years later. One of my fellow BBS users was a publisher who wanted a book on the subject – I was initially skeptical that it could be done without attracting trouble but within a week of being dismissive I found I had a contract to be an author. That became The Hacker’s Handbook; it got into the best-seller list and is still, at least for people of a certain age, apparently fondly remembered.
One result was a request to do investigations; another was to write a more respectable and thoughtful book – DataTheft. One strand of the consultancy work was risk analyses for insurers.
On the strength of the second book academics at the London School of Economics invited me in for a chat. Soon I was ensconced as a part-time Research Fellow, then a Senior Research Fellow and finally a Visiting Professor. I helped design and teach their “computer security” course. I “validated” the UK’s first Computer Forensics MSc – at Shrivenham – and have also held posts at the Open University, de Montfort University and now at Birmingham City.
By the mid-1990s I started to get requests to act as an expert witness obviously my law degree helped.
Today there are three strands to my work: I am a part-time academic, designing and teaching courses, the bulk of the income comes from expert witness activity and I am also involved in public policy work.
I have been fortunate in the range of expert instructions I have been offered: teenage global hacks and DDoS, terrorists, paedophiles, pornographers, fraudsters, allegations of state corruption (South Africa’s Jacob Zuma), allegations against British soldiers in Iraq (Al-Sweady Inquiry), the international courts’ examination of the assassination of Lebanon’s Prime Minister Rafic Hariri as well as civil cases involving Internet defamation, website theft, and “take-downs”. Some of these cases had significant innovative qualities. I have been instructed in two well-known Asperger’s hacker extradition cases – Gary McKinnon and Lauri Love (the latter case is still under appeal). And also a number of traditional crimes where the role of digital evidence was critical if not obvious – narcotics trafficking, immigration fraud, crash for cash insurance scams, firearms offences and multiple murder.
The public policy work has involved consultancy for, among others, the National Audit Office, the Audit Commission, the Home Office, the old Financial Services Authority, the European Commission OECD and United Nations . In addition to giving evidence to Parliamentary Select Committees I have worked for them – 15 years ago on e-commerce and e-signatures, last year for the Joint Lords and Commons Committee on the Draft Investigatory Powers Bill – now an Act.
How did you first become interested in digital forensics?
Shortly after the Hacker’s Handbook was published one of the large firms of corporate investigators told me of a bank that had suffered an internal fraud and that the perpetrator had committed suicide. What was left was a pile of 5.25 inch floppies which they hoped might enable recovery of lost funds. In fact they were a mix of Apple and IBM PC disks. There were no real forensic tools available. I probably broke all the rules during my examination. But I could see that this could be a profession that would soon become important. After a while I met others with similar interests but it was probably another 10 years before things began really to heat up.
You've put together a survey to solicit opinions from the digital forensics community regarding the effectiveness of ISO 17025 for digital evidence in UK courts. Could you give us an overview of the survey – who is behind it, and what are its aims?
Actually it’s a group of us. Geoff Fellows and I were the Joint Lead Assessors for digital forensics for the now-abandoned scheme under the Home Office-sponsored Council for the Registration of Forensic Practitioners which, as the name implies, was concerned with the competence of individuals who gave expert evidence. Later both of us and others involved in the survey were at one stage involved in advising the Forensic Science Regulator.
But we have become aware of deep unhappiness about the ISO 17025 scheme. It’s a one-size-fits-all approach across the whole of forensic science but the emphasis is on conventional laboratories where a series of single tests are deployed. Digital Forensics is often about whole scenes of crime – PCs and smartphones.
Another concern is that the requirements for tool testing sit badly with the realities of the fast-changing IT landscape – which forensics must follow because the bad guys are innovators – and the heavy reliance on forensic analysis software suites which contain large amounts of “knowledge”. Do we not follow up criminal investigations where we lack the fully-tested tools? Many practitioners tell us that Good Practice Guides and the existing Criminal Procedure Rules – where experts have an over-riding duty to the court and where courts order pre-trial meetings between opposing experts – meet many of the practical problems. A yet further concern is the cost of accreditation – both in preparation to be assessed and in fees to the assessor. This has particular impact on small firms – highly experienced investigators are leaving the arena.
But the aim of the survey is to test the informal mutterings so that we have a firmer idea of what the problems are. Arguably this is activity which the Forensic Science Regulator should have undertaken but has not. Thereafter, and depending on survey results, we’ll decide how to act. The survey is still open: https://goo.gl/forms/yc4gihUSRgkjEGve2
I want to stress this is a group effort and I only have a degree of visibility because of my past experience, because as an academic I hope I know how to structure a “fair” survey and because I have the necessary experience with civil servants, politicians, senior police and the media (for the last several years I have done 40-50 tv and radio interviews each year).
What changes do you think need to happen in the legal system – both in the UK and internationally – to keep up with developments in digital forensics?
On the whole and particularly now that the new Investigatory Powers Act has brought about much-needed clarification the substantive law is in a good place. I am sorry that intercept evidence is still inadmissible. I hope that the laws on Equipment Interference and Technical Assistance Notices will be enough to deal with many crypto problems. Recent changes in the Criminal and Civil Procedure Rules have also helped define what the courts expect from expert forensic evidence. The outstanding problem remains getting evidence from overseas; the current Mutual Legal Assistance Treaty (MLAT) route is far too slow. I know the UK and US governments are working on methods to speed things up. But there is a constant battle with notions of sovereignty. People are deeply worried that a foreign police officer can carry out investigations direct without involving local partners.
You've also recently released The Digital Evidence Handbook on Kindle. Tell us more about the book and its intended audience.
It’s aimed at users of digital evidence as opposed to professional practitioners. Time and again I see criminal and civil cases being lost because of lack of reliable digital evidence. Often it’s not tendered at all though it must have existed, or it is contaminated or too easily subject to alteration. There is also ignorance of what professionals can and can’t achieve. I have adopted what I hope is an accessible style and have designed it as a semi-reference book, making the most of ebook facilities of searching and hyperlinking; the aim is to make it easy for the audience to use.
Potential customers include IT support folk, physical security professionals, journalists and lawyers. The lay public should also benefit by learning some of the easy evidence acquisition and production procedures – for emails, web-pages, social media, photos and the like. But I am also anxious that readers realise when they need to call in digital forensics professionals. The book is a bit of gamble both in audience targeting and in the decision to keep the price very low. Details can be found here.
You're a Professor of Digital Forensics at Birmingham City University – in your experience, what are some of the most common misconceptions held by students in this discipline?
It’s not just the “techie” stuff; students need to understand legal obligations and restrictions and also that what is required are abilities to explain clearly and accurately to a lay audience and to work well with others – clients, lawyers and law enforcement. A further requirement is to mindful of costs. Customers want answers which relate to the overall legal problem they face – most of the time they don’t regard themselves as funding abstract research, however interesting. University teaching of digital forensics has some common features with medical school – research is important but the main requirement is to turn out reliable practitioners.
What do you see as the main emerging problems?
I suppose I could say “cloud acquisition” and “Internet of Things” artefacts but the greatest problem is that payment for publicly funded work is so poor. Fees and hourly rates have been cut as part of a general “austerity” program but without thought of the consequences. If we all believe cybercrime is a growing threat then we need evidence to prosecute it. Digital forensics specialists operate in a market place which also includes the opportunities for privately-funded civil work and more general cybsecurity consultancy – for which there is also a shortage of immediately-available professionals. The classic response to market shortage is to offer more money. Already experienced professionals are declining routine public instructions – and that applies to both prosecution and defence work. The numbers of new entrants from the universities may provide the Home Office and Ministry of Justice with a temporary illusion; once the novelty has worn off, will those new entrants by now trained further at public expense, stay in the public sector or will the prospect of a 4-fold salary increase tempt them into private cyber-security?
Forensic Focus readers have personally nothing to fear but I worry about the quality of digital evidence that will be offered to the courts. Governments are often bad at timely interventions – they wait until the urgency is manifest by which time remedies are much more expensive and may be impossible.
Finally, when you're not working, what do you enjoy doing in your spare time?
Gardening, walking, reading books printed on paper. I certainly need to get away from monitors and keyboards.
Peter Sommer is an expert witness and digital forensic practitioner who has been working in the field since 1985. You can fill in the survey here, and buy a copy of his ebook here.