Digital First Responder PDF - Lesson 9, Unit 4
Uploaded by FancyRhodium
Summary
This document provides an introduction to the responsibilities of first responders at an incident or crime involving digital elements. It identifies the differences between cyber-dependant and cyber-enabled crimes, explains what information to gather from popular apps, sets out procedures for handling digital evidence, and discusses the golden rule of digital crime scene searching.
Full Transcript
OFFICIAL
Unit 4 Lesson 9
Digital First Responder

Learning Aim: The learner will be able to explain the responsibilities of a first responder to an incident or crime that has a digital element

Learning Outcomes: On successful completion of the lesson, students will be able to:-
1. Explain the difference between cyber-dependant and cyber-enabled crime
2. Identify popular ‘Apps’ and the key information that you need to gather from them
3. Explain the NPCC principles of digital evidence seizure
4. Define the golden rule of digital crime scene searching

Introduction

The aim of this input is not to make you a specialist cyber investigator but to get you thinking about technology, cybercrime, cyber-enabled crime and how we as police officers can and should professionally respond to incidents which have a digital element and take the appropriate and lawful action to investigate it.

While initially you might think that only specialist roles are exposed to digital technology or that it is only relevant within complex criminal investigations, more and more frontline officers are coming across traditional crimes which have a digital element. As an operational officer it is essential you are aware of the potential risks and, of course, opportunities that exist around technology.

Amended 25th April 2024 v.6

Digital Investigations

Technology is now a key component of modern life. It is inevitable that as an operational officer you will conduct inquiries where digital devices or data will form part of your investigations. You need to understand your duties as a first responder, how to correctly identify, handle and secure digital evidence. You must also be aware of where you can get specialist support.

Cyber-Dependant vs Cyber-Enabled Crime

Cybercrime is a crime type and is not a crime itself. Several definitions exist, but it is essentially:-
1. the commission of; or
2. the attempted commission of
a crime using the internet or by otherwise accessing a computer device, network or system.

Note:- A computer includes a laptop, smart phone, tablet, smart TV or other internet enabled device.

Cybercrime can be divided into three categories, namely:-

Cyber-Enabled - The commission or attempted commission of traditional crimes such as theft, fraud, extortion, threats etc. using the internet, or by otherwise accessing a computer system, device or network

Cyber-Dependant - Commission or attempted commission of crime in order to compromise a computer device, network or system where the devices are both the tool for committing the crime and the target of the crime.

Enquiries with Cyber Element – These can be “traditional” crimes (i.e. neighbourly dispute, assault, theft etc.) however the line of enquiry may involve seizure of cyber data, e.g. CCTV from a hard drive, video footage of an incident captured on a smart device, messages of an evidential nature passed via email or message etc.

Despite digital criminality now having been part of the global law enforcement landscape for a number of years there can still be some confusion between what is cyber-dependant and what is cyber-enabled crime.

Scots Criminal Law: Introduction and Investigation

These are distinct and separate crime types and it is important to understand the key differences.

Cyber-dependant crime is defined as crime that can ONLY be committed using a computer or Internet Communications Technology (ICT) device.

Example:-
An individual with some basic computer programming skills uses their computer to take control of a number of other machines on the internet without the owner’s permission. The individual then forces the machines they have control of to ‘attack’ the computer system of a local company by flooding their computer system with massive amounts of data which causes it to crash.
This is called a Denial of Service (DOS) attack and it prevents the company and their customers using the network until the attack is stopped.

In practice the majority of cyber-dependant crime is committed by utilising one computer or ICT device to target another. When such an incident is reported to the police this is generally investigated by specialist units within Police Scotland.

Cyber-enabled crimes are those that may be committed WITHOUT ICT devices but are changed by the use of ICT devices in terms of scale and reach.

Examples:-

Drug Dealing
Whilst on social media an individual comes across a business page which is selling cannabis baked into different foods and sweets. The individual reaches out to the business and buys some of this product which arrives via a postal courier to their home address. Products can be paid for via traditional card payments or through Cryptocurrency.
The business is committing the traditional crime of drug dealing – s.4(b) Misuse of Drugs Act 1971 – supply or offer to supply a controlled drug to another – which has become a cyber-enabled crime due to the exploitation of technology to affect the scope and reach of their supply.

Grooming
A 12 year old child has a PlayStation 5 which he plays online with no restrictions. A sex offender adds him as a friend and notices that on his ‘Bio’ he has linked his social media accounts. The offender researches the child and creates fake accounts to persuade the child to send over indecent images of that child.
This is the traditional crime of s.12(A) Protection of Children and Prevention of Sexual Offences (Scotland) Act 2005 – intentionally arranging or facilitating the involvement in pornography of a child under the age of 18, or in any case under the age of 13 – which has been cyber-enabled as they have used technology in order to facilitate the child to produce obscene images.

Threats
A child is having issues with bullying at school. Whilst at home the child accesses their social media and finds threatening messages on their messaging accounts from the same person that is bullying them saying that they will be stabbed if they come into school tomorrow.
This is the common law crime of threats that has become a cyber-enabled crime as the bully has used a social media platform to carry out the threat without requiring their phone number or address. This could also be dealt with via S.127(1) Communications Act 2003, whereby a person sends a message or other such matter that is grossly offensive or of an indecent, obscene or menacing character, or causes any such message or matter to be so sent, through an electronic communications network.

Even relatively minor incidents can have a digital element, for example a neighbour dispute which would previously have played out over a boundary fence between households may now take place in text messages or on social media. A fight between children after school will be discussed on their mobile phones and probably posted to Twitter or TikTok by those watching and filming it.

We need to ensure we are aware of these potential evidential streams both from an inculpatory (implying guilt) and exculpatory (increases probability of innocence) perspective when we are asked to consider how we will investigate.

No Boundaries Online

The use of technology removes many of the traditional geographic limitations of certain types of criminality. Some of the most common cyber-enabled crimes are simple frauds where relatively small amounts of money are taken, identity details are stolen, or non-existent goods are ‘sold’ but never delivered.
The distances present significant challenges for law enforcement as does the relatively minor nature of the criminality relative to the amount of investigation required to achieve a resolution.

Digital Footprint

Using any digital device, particularly an ICT device, will leave some form of digital footprint depending on what it is and what you are using it for. This footprint will be unique and as identifiable in many cases as DNA or fingerprint information.

We will look at devices in more detail later in the lesson notes but for now consider the amount of information that people share across the most popular social media platforms or ‘apps’ (applications). We all leave a digital footprint and it is important that you understand what this means both in terms of opportunities around witnesses, suspects or accused but also in terms of your own personal security.

In the Intelligence input we looked at the type of information of value to law enforcement when carrying out investigations:-
Lifestyle information
Associations
Employment
Financial
Communications used
Places frequented
Images

All these and more are incredibly useful to have and previously could have been challenging to obtain. Now this type of detailed information is freely shared by many people on their social media platforms, consciously or unconsciously depending on how tech aware they are.

Investigating Digital Crime

Investigating crime where there is a digital element is no different to traditional investigations; the same principles of identifying, seizing and submitting evidence apply.

The following are different strands of digital investigations that may or may not be relevant in an inquiry. Again, you are not expected to be an expert in every one of these elements but having an understanding of their potential importance will assist you as a first responder.
Open Source - social media, general searching, apps
Digital Devices - ICT, mobile phones, communications
Digital Media - video, images, audio
Telematics - vehicle data (telemetry), infotainment
Currency - online banking/payment, crypto

Advice on the relevance of the above to your specific inquiry can be sought from Digital Media Investigators (DMI), who are a cadre of officers who, in addition to their core role, can be consulted for assistance with all aspects of digital enquiries. The DMI cadre is overseen by the Detective Inspector at the Internet Investigations Unit and across the divisions there are around 50 officers trained to support local officers with strategic, tactical and practical advice.

Applications

Applications or ‘Apps’ are common across personal computers (PCs), laptops, tablets and mobile devices and are the programs that let us communicate, play games or access content locally or across the internet. They are designed to be user friendly and accessible; most people will be familiar with the concept of tapping or clicking a recognisable icon to access software even if they don’t understand fully how they work.

When you install any app on your device it will embed itself and start to gather data. The amount of data gathered can vary considerably, however in most cases it is significant and, as it happens in the background or out of sight, it is not always clear how much information the user is allowing the app to access.
The type of information gathered can include:-
Personal details - name, date of birth, gender
Location information - current and previous locations visited
Associations - contacts held within device, linked users within app or within other apps
Communications - Telephone number, email address, calls made, messages exchanged
Imaging - Photos in app, in other apps, on device, stored on cloud
Financial - Bank information, credit/debit card details, transactions

The app gathers this information as its purpose is to generate revenue for its publisher. It does this by taking the data it collects from you and selling it to advertisers, who can then target you with products that, based on your lifestyle or interests, it assesses you will buy.

It really is as simple as you don’t get anything for free, and where there is no cost for an app YOU (or more accurately your data) are the commodity.

Commonly Used Apps

Apps come and go in terms of use and popularity, however for some time the biggest three in the western world have been Facebook, Twitter and Instagram. All three of these apps are social media platforms where people share comments, images and videos publicly or among a group of friends.

It is highly likely that as you undertake inquiries you may be advised that information of evidential or intelligence value may be held on one of these platforms. It is important that you understand the part you play in ensuring that the relevant details are captured.

Unless you have been given specific training in terms of open source research, you will not be expected to carry out detailed inquiry or forensic examinations of devices or data.
You will however be expected to have sufficient confidence and awareness as a ‘first responder’ to:-
identify key information
note relevant detail
secure a device/data without compromising it
call the appropriate support
just as you would for any other more specialised crime scene.

Social Media

The majority of social media investigations will be carried out by either specially trained ROSIE (Research Open Source Internet and Evidence capture) officers or by officers within the IIU (Internet Investigations Unit). The operating model used to carry out this type of investigation will be covered later within the notes but for now let’s look at the key information you should try and capture from Facebook, Twitter and Instagram.

In order to conduct effective evidential capture of information from social media it is important to identify what type of content we are looking for, when it was posted, and the accounts involved.

The time(s) and date(s) of relevance should be identified to you by a witness or the reporter of the criminality. The more accurate you can be in identifying the relevant time when a post was made or an interaction occurred, the easier it is for the specialists to progress the inquiry.

You should also try and identify the accounts involved both in terms of a witness/complainer and the potential suspect/accused. While some users might know these details and are able to recall them in detail, others may need guidance. Below are examples of what information to capture across each application where possible.

As a general rule across any type of social media inquiry you should not, unless explicitly told otherwise by a supervisor, personally access someone’s social media account yourself or task any associate or family member who has access to do it, and on no occasion should you ever use your own device to carry out any form of research.

Facebook

You can see from the following that the user display name is “Ben Davies”, however a search of Facebook for Ben Davies will return in excess of 3000 potential matches. Where possible, if you can note the more specific account detail shown circled in red from the top bar of a browser this will assist in pinpointing the account. The information of relevance is the end part i.e. davies.ben.2

Depending on the technical awareness of the person providing the information or the passage of time this may be challenging. Where you are unable to get this level of detail it is still useful to pick out as much relevant information as you can, e.g. on the above example we could note that Ben Davies has a blue matrix style Facebook banner picture and their profile picture is a cartoon martial artist in a white suit with red headband. This type of information would assist an internet investigator in identifying the account or at least narrowing the search.

Note:- The browser section at the top of the Facebook page where the unique username is found is what is also known as the URL or Universal Resource Locator.

Twitter

Twitter is slightly easier to extract information from in terms of account details as the person’s unique user name is appended to almost every interaction they have with the system.

You can see from the following example that the user name @int_ben appears not only in the top browser bar, similar to Facebook, but is repeated under the account details which show the display name “Ben Davies”. It also appears in every ‘tweet’ that the user sends, and it will also show up in any post that they ‘like’, ‘retweet’ or ‘comment’ on.
Again noting additional details which can assist the internet specialists is useful and you should get as much as you can. In this case the ‘kung fu panda’ profile picture and the detail that the account was created when the user “Joined June 2011” may be useful to ensure that we have identified the account properly.

Instagram

Instagram follows the same format, with the easiest way to get the unique username being to get it from the URL, in this case smithjdigital

Again, there are images that we could identify to an internet specialist that could potentially assist them in confirming they have the right account to start capturing evidence from or to request additional information.

Digital Devices

Earlier in this lesson we identified that computers, phones and tablets are the most common devices you are likely to come across in investigations or enquiries, however these are not the only devices that could be relevant.

As our lives become more and more digitally integrated there are a range of other devices that could assist you in building up a clearer picture around an inquiry or investigation. Below are some examples:-

Smart TV - Could have a variety of applications installed e.g. Netflix and Amazon Prime which may provide additional account details that would confirm nominal information, email address, telephone number or even financial information.

Amazon Alexa - Linked to an Amazon account which will have nominal, address, email address, telephone number and financial information.
There may also be other apps or accounts linked to the device and in some cases potentially even audio recordings.

Game console - As above, most modern consoles require user accounts with nominal, address, contact and financial information linked. These can also demonstrate times when someone was within an address and actively playing. People can utilise messaging and communications with the console where contact or conversation of interest may be stored locally or on a remote server.

Fitness tracker/software - Garmin, Apple Watch and similar connected devices can have account information linked as above but more importantly can provide historical or live GPS (Global Positioning System) data which can show where a person is or has been. Often this information is gathered passively without user involvement and again could be stored locally, on an alternative device or even published on a web platform.

Open Source Research

Open source research is carried out within Police Scotland according to the Manual of Guidance on Internet Investigation and in accordance with ECHR.

Human Rights (HR)
The Regulatory Powers (Scotland) Act 2000 (RIPSA) and the European Convention of Human Rights (ECHR) you learned about previously have links to open source research.

The main purpose of RIPSA is to ensure that the relevant investigatory powers are used in accordance with the ECHR.

Article 8 of ECHR relates to an individual’s Right to Respect for Private and Family Life and it is imperative that all action taken by Police Scotland complies with these provisions.

A clearly defined tiered approach is in place to ensure that only action that is proportionate, necessary and for a valid policing purpose is taken, and that those who carry out any inquiry do so professionally and with the appropriate authorities in place.

Open Source Tier Model

Tier 1 - Where the majority of our open source research sits. Carried out by ROSIE trained officers who are authorised to carry out basic internet searches and capture intelligence/evidence from OPEN social media profiles or sites.

Tier 2 - Internet research which is more intrusive and requires a Dedicated Surveillance Authority (DSA) to give the conduct legality. This would be carried out by trained officers from the Internet Investigations Unit and would be used where profiles are locked, OR where you require to COVERTLY carry out research OR where an account is used that’s not immediately identifiable as a Police Scotland account. NO COMMUNICATION is allowed with anyone in this tier.

Tier 3 - Covert Internet Investigation using fully backstopped accounts and hardware that are not attributable to Police Scotland. In some cases, a fake profile or identity will be assumed, and a ‘legend’ built to communicate online. This work is carried out only by highly trained personnel under the strictest conditions and with both a DSA and potentially both CHIS (Covert Human Intelligence Source) authority and a Conduct and Use authority in place detailing exactly what the operative can and cannot do.

NPCC Principles Electronic Based Evidence

The National Police Chiefs Council (NPCC) Good Practice Guide for Electronic Based Evidence covers this subject in some detail. Importantly, it identifies and requires officers to be aware of the four principles of handling electronic based evidence, which are:-

Principle 1 - No action taken by Police should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2 - Where it is necessary to access the original data then the person so doing must be competent to do so and explain their actions.

Principle 3 - An audit trail or record of processes applied should be kept so that an independent examination can achieve the same result.

Principle 4 - The person in charge of the investigation has overall responsibility for ensuring that the law and principles are adhered to.

It is important when you are the first responder at any incident that you keep these principles at the forefront of what you do. Your initial actions can have a significant impact on how digital evidence or opportunities can be used as the inquiry develops.

Computer Based Electronic Evidence

As we have covered, computers, mobile telephones and other electronic devices are more and more being used in the commission of crime and may contain vital evidence of this crime and the perpetrators.

This is valuable evidence and should be treated in the same manner as traditional forensic evidence. When seized and recovered in the correct manner it will produce evidence that is both compelling and may be critical to the case.

Computer Based Electronic Evidence can be described as:-
“Digital evidence that can be obtained from computers, mobile telephones and other storage devices.”

Considerations:-
Latent Evidence i.e. has to be searched for
It is fragile and can easily be altered or damaged
Specialist software and equipment may have to be used to identify and extract it
Failure to identify its presence timeously or handle it properly may render it unusable

Digital Crime Scene Searching and Seizure Advice

When searching any crime scene where digital evidence may be present, it is important to ensure you comply with the principles listed above. In general terms, do not handle or interrogate devices as this has the potential to change the data held within or in some cases wipe the device completely.

Key Information (KI)
The golden rule is:-
Where a device is switched off DO NOT switch it on.

If a device is on:-
Record the information showing on the screen or display in the most appropriate way you can: video, photograph using police equipment or note what you see in your notebook.
Pull the power lead from the back or remove the battery where this is possible, without trying to use the power button or shut it down.

This is not always possible with all devices, some of which have internal batteries. In this case you would look to put the device into a faraday bag or allow its battery to run down naturally.

Note:- Faraday Bags block radio frequency signals from both being sent and received to an electronic device such as a mobile phone, car key or laptop.

Where you are on a planned operation or you have intelligence outlining the digital evidence you are focused on, you should have a strategy and plan for securing digital evidence and handling devices. This strategy may be provided by a Digital Media Investigator (DMI) and should form part of the briefing, or the DMI may accompany you and assist.

Memory Peg
The mnemonic SINGER is useful:-
Seize electronic devices with data storage
Intelligence opportunities
Notations, passwords, account info
Get the camera (if present)
Evidence/Document
Remote storage

Further Guidance

Additional guidance and support is available on the intranet and from the following specialists:-
Cybercrime Investigations and Digital Forensics.
Internet Investigations Unit.
Communications Investigations Unit.
Digital Media Investigator Co-ordinator.
InTACT Department (Scottish Police College).
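
NPCC Principle 3 and the seizure steps above call for a record of each action that an independent examiner can check. The following is an added example, not part of the lesson and not Police Scotland or NPCC code: a hash-chained action log, one possible way to make such a record tamper-evident. The class and function names, record fields, case reference, officer labels, times and photograph bytes are all constructed assumptions.

```python
"""Tamper-evident seizure log: added example, not Police Scotland or NPCC code."""
import copy
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash value used by the first entry in a trail


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(body: dict) -> str:
    # Canonical JSON so an independent examiner recomputes the identical hash.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return sha256_hex(blob)


class AuditTrail:
    """Append-only record of actions taken on an item of digital evidence."""

    def __init__(self, case_ref: str) -> None:
        self.case_ref = case_ref
        self.entries: List[dict] = []

    def record(self, when: str, officer: str, action: str,
               artefact: Optional[bytes] = None) -> dict:
        body = {
            "seq": len(self.entries) + 1,
            "case_ref": self.case_ref,
            "when": when,
            "officer": officer,
            "action": action,
            # Hash of any file the action produced (e.g. a screen photograph).
            "artefact_sha256": sha256_hex(artefact) if artefact is not None else None,
            # Each entry commits to the one before it.
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(body, entry_hash=entry_digest(body))
        self.entries.append(entry)
        return entry


def verify(entries: List[dict],
           artefacts: Optional[Dict[int, bytes]] = None) -> List[str]:
    """Re-run the hashing as an independent examiner; return a list of problems."""
    problems = []
    prev = GENESIS
    for position, entry in enumerate(entries, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("seq") != position:
            problems.append(f"entry {position}: out of sequence")
        if entry.get("prev_hash") != prev:
            problems.append(f"entry {position}: chain broken")
        if entry_digest(body) != entry.get("entry_hash"):
            problems.append(f"entry {position}: content altered")
        supplied = (artefacts or {}).get(position)
        if supplied is not None and sha256_hex(supplied) != entry.get("artefact_sha256"):
            problems.append(f"entry {position}: artefact does not match")
        prev = entry.get("entry_hash")
    return problems


# Constructed sample data: every value below is invented for illustration.
SCREEN_PHOTO = b"constructed stand-in for the bytes of a screen photograph"


def build_sample() -> AuditTrail:
    trail = AuditTrail("CASE-REF-PLACEHOLDER")
    trail.record("2024-04-25T10:02:00Z", "Officer A",
                 "Device found switched on; screen photographed with police camera",
                 artefact=SCREEN_PHOTO)
    trail.record("2024-04-25T10:05:00Z", "Officer A",
                 "Power lead pulled from back of device; power button not used")
    trail.record("2024-04-25T10:09:00Z", "Officer B",
                 "Device sealed in evidence bag and labelled")
    return trail


if __name__ == "__main__":
    sample = build_sample()
    print(verify(sample.entries, {1: SCREEN_PHOTO}))  # intact trail: no problems
    edited = copy.deepcopy(sample.entries)
    edited[1]["action"] = "Device shut down using power button"
    print(verify(edited))  # a later edit to entry 2 is reported
```

The chain only protects the record if the final entry_hash is also noted somewhere separate, such as a notebook entry, because anyone able to rewrite the whole file could rebuild every hash.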

For further information, use the resources shown below:-

Intranet
Please refer to the intranet for the latest information on Digital Crime.

Review:
You can explain the difference between cybercrime and cyber-enabled crime
You can identify popular ‘Apps’ and the key information that you need to gather from them
You can explain the NPCC principles of digital evidence seizure
You can define the golden rule of digital crime scene searching

Learning Log:
How will what you have learned in this module impact your day-to-day role?
Are there any skills or knowledge you would like to develop further following this module?

End of Module