By ADAM GIFFORD
Software that recovers evidence from computers - even burned ones - is helping to collar criminals and speed investigations.
Law enforcement officers and corporate security experts are honing their skills in the Encase program at a four-day course in Auckland, hosted by Telecom's network fraud unit and being run by John Colbert, formerly of the Los Angeles Sheriff's Office computer crime unit.
He works for Pasadena-based Guidance Software, which makes the software used by New Zealand police, Inland Revenue, Fisheries and Customs officers, the Serious Fraud Office, accounting firms and big companies.
Encase, which costs $US1860 ($4434) for a professional version licence, allows investigators to make a system image of a computer or other digital device and search it in depth, without affecting any data or settings on the original device.
Mr Colbert said that just tapping one button on a computer running the Windows 98 operating system could change more than 600 files, so it was vital to preserve the source data.
"We're finally catching up a little with the criminals on the technology side of things, and that is much needed by law enforcement," he said.
Encase includes viewers so any type of file format can be looked at in its original form.
"The old methodology was you made a clone of the drive, and once you double-clicked on a file you changed the last access date - the only way to get the original back was to go back to the original evidence, which is not preferable.
"The idea here is we work with an image and can open a file 100 times and never touch the data type, so it allows investigators to look through evidence a lot faster.
"For the first time in policing investigation history we can visit a scene and walk through it time and time again without changing a thing, so we can really get to the bottom of what happened."
John Thackray, a Yorkshire policeman on secondment to manage the New Zealand police electronic crimes unit, said Encase had been used in this country since it was released in 1998, and had been accepted by all courts.
"It's made the whole system very efficient, it saves time, it has secured the integrity of digital evidence and it has not only gained convictions but it has helped us eliminate people from inquiries more speedily," he said.
In one recent inquiry, Encase was used to recover deleted files from a computer the suspect had sold.
"The computer was out of circulation for 12 months and sold on, but we were able to extract 20,000 images relevant to a child molestation case. The information was there all along, but we didn't have the technology to deal with it before."
Mr Thackray said data had been recovered from hard drives taken from burned computers, and from floppy disks found floating in the sea.
Mr Colbert said Encase was helping private and corporate security to tie in with official law enforcement.
"In most cases of suspected fraud, companies want to investigate in-house without involving law enforcement.
"They want to do a proper investigation, and may have to fire someone.
"With Encase they can do the investigation and keep the system image. If the person comes back later and tries to claim wrongful dismissal, they can produce the evidence.
"Also, if we train these people in the private world to do it properly the first time, when they decide to bring in police later the file has been done correctly and it's evidence which can be produced in court," said Mr Colbert.
"The biggest problem I've had working with private fraud and security cases is that by the time they finally bring you the evidence they've destroyed it so badly it is no longer acceptable in court, or the method they used to collect it is not acceptable."
Telecom network fraud manager Garth Dutton said any large corporation was a target for unauthorised system intrusion from internal or external sources, and needed to keep up with the technology to counter it.
Software blows whistle on computers in crime