How are electronic devices forensically analysed?

Written 28th September 2020 by Ruth Peters

Lily Grundy considers technical issues in relation to the analysis of electronic devices by the police in indecent images investigations 

Do the police outsource forensic analysis work?

Many police forces outsource indecent images cases to forensic analysis companies who then generate a Streamlined Forensic Report (SFR). This is usually in circumstances where the police have a huge caseload and are struggling with a backlog of cases.

How do they receive the information from the analysis of devices?

The police will obtain a Streamlined Forensic Report (SFR) which will include information on:

  • The quantity of images found;
  • Whether they were accessible on the device; and
  • Any indicative search terms.

These reports are not hugely in-depth but clearly set out whether any illicit material has been found.

What is meant by ‘indicative search terms’? 

Indicative search terms can mean anything that is suggestive of a particular action. Generally within SFRs, the term ‘indicative’ is reserved for keywords or phrases that suggest the searching of indecent material. There are a number of known indicative search terms that are prevalent within the indecent material sharing communities which are known to both the prosecution and defence. There is not however a definitive list of search terms and certain terms and phrases can be subjective.

Generally, the term ‘indicative search terms’ can be used in two contexts. The author of the SFR may be referring to searches that they have conducted across the exhibits for terms that are known to be pertinent to child abuse material and detail the findings of their searches. The other alternative, and possibly the more literal meaning, would be that the indicative search terms are terms used by the user of the computer to actively search the Internet for child abuse material (online searches).

This information is usually obtained from the computer itself, but can be obtained from Internet Service Providers (ISPs) with relevant authorities/warrants in place. It is not known quite how much information is stored by ISPs and it may be that each one will store data in different ways.

The police are unlikely to request web browsing history from ISPs. The data obtained from the exhibits is usually sufficient for charge and can be attributed to individuals in most cases. There is no necessity in most cases to request this information from the ISPs, albeit it may be retained by them for a limited period of time.

What happens to files when they are deleted?

Computer operating systems allocate space on the hard drive as adjacent groups of sectors known as allocation units or clusters. When a new file is created, the operating system locates available space and allocates that space to the file. ‘Unallocated space’ relates to space which is not allocated to active files within an operating system.

Computers and laptops with HDD hard drives move deleted files to the ‘Recycle Bin’. This is a location where deleted files are temporarily stored and allows users to recover these files easily.

Once the Recycle Bin has been emptied, the operating system ‘unallocates’ the space originally allocated to the files and makes that area of the hard drive available for new files.

The deleted files now sit in unallocated space. This does not mean that the data has been deleted fully, just that it remains in the unallocated space until the operating system stores another file in the same space, i.e. the data is overwritten. The unallocated space therefore contains files that have been deleted, but not yet overwritten.

Can the police recover files once they have been deleted?

The deletion of files is a multi-step process. When a user deletes a file, it is moved to the recycle bin and can be restored with the click of a button. From a forensic viewpoint, this file remains live and accessible. When the recycle bin is cleared, the header of the file is removed and as such, the operating system cannot reference the file. The header is deleted but the contents of the file remain on the drive and thus, if forensic software is used to carve through all areas of a hard drive, it can parse out previously deleted files which are no longer accessible to the user. Imagine this as a contents page being removed from the start of a lengthy book.

The area of the drive that stores the deleted data is advertised to the rest of the drive as space ready to be written to. Until such time as new data is written to this area, the original data will remain. There is no exact science as to which areas of the drive are written to at which time and thus there is no way to determine, without running the process, exactly what deleted material can be recovered. The general rule of thumb is that the larger the drive, the newer the file of interest and the smaller the file of interest, the more likely it is to be recovered.
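The "contents page" analogy can be shown with a toy model. The following is an illustration added here, not part of the original article and not the code of any forensic tool: the `ToyVolume` class, the 16-byte cluster size and the sample file contents are all constructed assumptions. It shows a deleted file being carved from unallocated space by its JPEG start and end markers, and then becoming unrecoverable once a new file reuses the same clusters.

```python
CLUSTER = 16                                   # toy allocation unit size (assumption)
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"        # JPEG start / end markers

class ToyVolume:
    """Constructed model: raw bytes plus a table that plays the 'contents page'."""
    def __init__(self, clusters):
        self.raw = bytearray(clusters * CLUSTER)
        self.table = {}                        # name -> (first cluster, cluster count)
        self.used = set()                      # allocated cluster numbers

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)     # clusters required, rounded up
        total = len(self.raw) // CLUSTER
        for start in range(total - need + 1):  # first fit over adjacent free clusters
            run = range(start, start + need)
            if not self.used.intersection(run):
                self.used.update(run)
                self.table[name] = (start, need)
                off = start * CLUSTER
                self.raw[off:off + len(content)] = content
                return start
        raise OSError("volume full")

    def delete(self, name):
        # Only the reference is dropped; the bytes in self.raw are left untouched.
        start, need = self.table.pop(name)
        self.used.difference_update(range(start, start + need))

def carve_jpegs(raw):
    """Scan every byte of the image for marker pairs, ignoring the table entirely."""
    found, pos = [], 0
    while (start := raw.find(SOI, pos)) != -1:
        end = raw.find(EOI, start + len(SOI))
        if end == -1:
            break
        found.append((start, bytes(raw[start:end + len(EOI)])))
        pos = end + len(EOI)
    return found

def demo():
    vol = ToyVolume(clusters=8)
    picture = SOI + b"constructed-jpeg-body-for-demo" + EOI   # constructed sample
    vol.write("holiday.jpg", picture)
    vol.write("notes.txt", b"plain text file")
    vol.delete("holiday.jpg")
    after_delete = carve_jpegs(vol.raw)        # file has no table entry, bytes remain
    vol.write("new.doc", b"N" * 20)            # reuses the freed clusters
    after_reuse = carve_jpegs(vol.raw)         # start marker overwritten
    return {"picture": picture, "listed": "holiday.jpg" in vol.table,
            "after_delete": after_delete, "after_reuse": after_reuse,
            "remnant": bytes(vol.raw[20:len(picture)])}
```

After the reuse, the tail of the old file is still present on the toy volume (`remnant`), but without its start marker the carver no longer recognises it as a file.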

In terms of specialist deletion software, each tool will remove data in different ways, some beyond the recovery of forensic software.

In the case of HDD hard drives, the police and forensic entities can recover the data moved to unallocated space as long as it has not been overwritten. They will however be unable to both date and time stamp the data, as this information, the metadata, would have been stripped out.

Many newer computers and laptops have SSD hard drives. These are faster and more efficient, and strip themselves of deleted data to make space for new data. It can therefore be problematic for deleted data to be recovered from these devices and the police and forensic entities may not be able to do so.

Mobile phones also have SSD hard drives so, if these have been cleansed, the police and forensic entities will struggle to recover any deleted data.

In relation to images from deleted Internet cache, these may also be identified and referred to in the SFR. The investigator authoring the SFR would in most cases be able to identify images from deleted Internet cache folders providing the data is still saved on to the computer/hard drive.

Deleted data can be retrieved as long as it has not been overwritten on the drive. The process is the same for any digital storage whether it is a simple hard drive, desktop computer, laptop or full server.

Cached evidence would form part of the evidence in a case as it shows that a user has accessed a webpage with the picture or media file on. It does not say that the user has viewed or downloaded the image or video but is indicative of accessing pages with indecent material present upon it. Duplicated images should be counted once although only when these are exact copies. Visually similar images will be counted as separate images in the overall count.

If files are partially downloaded or their download was cancelled before completion, these files will not necessarily be disregarded as evidence by the prosecution. The files that are partially downloaded may still be readable and as such would, as an example, constitute the downloading of an indecent image.

What happens if I do not provide passwords to my devices?

The police may have requested passwords to your devices upon searching your property or during interview at the police station. At this stage, you are under no legal obligation to provide your password and, in many cases, it may be advisable not to do so.

The police can only require you to provide passwords if they have served a notice under section 49 of the Regulation of Investigatory Powers Act 2000. Non-compliance with such a notice could result in you committing a criminal offence and facing prosecution with a potential custodial sentence. See ‘Do I have to give the police my phone password’ for more information on section 49 notices.

Can the police access my mobile phone without a password?

If you have an iPhone, the police cannot access this without your pin code. However, if the device is such that they feel it necessary to have access, they can engage the services of a provider who can bypass the pin code. This is unlikely to happen in typical cases involving indecent images, as it is an expensive service for the police to procure.

With Android devices, the police have greater success in bypassing security. If you do not provide your password, it does not necessarily mean that the police will not be able to access your device.

How long will it take for my devices to be analysed?

It is worth being aware that analysis of your devices by the police can take some time. A typical case with no surrounding factors could take anywhere between 6-12 months for results to be obtained. Once this has happened, they still have to be reviewed by the officer in the case and a decision made as to how the material will be graded. Note that this could result in inconsistencies given the scope for human error. Following this, you may be re-interviewed if new evidence has come to light, or interviewed for the first time, usually on a voluntary basis.

My devices have been seized – can Olliers help me?

At Olliers we regularly speak to clients who have had computer equipment and phones seized by the police. On the one hand it is a waiting game but there is still a lot that can be done. We always ensure that we make early contact with the police. We will confirm the anticipated timeframe for the investigation with the police and obtain an assurance that any further contact will be through Olliers, ensuring that there is no embarrassment caused by a police visit to home or workplace.

We can discuss with our clients the circumstances that may have led to their material being seized. We will give our clients an opportunity to discuss any anxiety they may feel. Many want to discuss worst case scenarios and we can advise on the different offences of possessing, distributing and producing indecent images. We can also explain the different categories of offences as well as current sentencing guidelines. We can also attend a voluntary interview with our client if this has not already taken place.

With thanks to Cyfor for their assistance with some of the more technical aspects of this article.

Contact our indecent images lawyers

If you are under investigation for an indecent images offence please contact Ruth Peters on 0161 834 1515 for a preliminary discussion as to how Olliers’ proactive and strategic approach can assist you.

Ruth Peters

Business Development Director
