
Don’t Ditch Corroboration for Digital Evidence



I was asked to comment a couple of weeks ago on ditching corroboration in cyber crime in Scotland, and I’d like to outline the reasons that I am completely against this viewpoint. If we progress towards this, I think we are leaving ourselves open to miscarriages of justice.

Overall I am a computer science professor, and not a legal expert, so I’ll stick to the technical reasons that this would be a bad move. I am also a citizen, and have the right to express my own views on things that I see as possible injustices. If there’s one thing I know about criminal investigations, it is that, as much as possible, investigators should try to cross-correlate evidence, and digital information can be used as a key element in the corroboration of traditional sources of evidence (CCTV, statements, fingerprints, DNA, and so on).

Six Scenarios

Digital information is really just a bunch of 1s and 0s. It is fragile, and can often be changed while it is stored, transmitted or even processed. Basically all the information that we see is converted from these 1s and 0s, and is often provided in a way which can be easily compromised. I thus see digital evidence gathering as providing investigators with new ways to investigate quickly, and also to corroborate traditional evidence. I’d thus like to outline six scenarios, which show how fragile digital information is.

Crime Scenario 1 (Defence: It wasn’t my computer). In this case Bob is at home, and his ISP has detected that he has been accessing illegal content. Bob is arrested, and says that it was someone else in his work. In this case, most home networks use NAT (Network Address Translation), which maps one or more private IP addresses (such as,, and so on) to a single public IP address. Thus all the data packets received by the ISP will have the same IP address, no matter which computer generated the request. It is therefore not possible to lock in on the physical address of the computer, as the physical address cannot be determined from the data packets. So IP addresses alone cannot be taken as a single source of evidence.

In a company environment, again, the IP address alone cannot be taken as a credible single source, as it can be spoofed. In this case, Alice waits for Bob to log off, and then sets her computer to a static address which matches Bob’s computer, and then accesses the material, and Bob gets the blame. If we were to use the physical address too as a trace, again, the physical address (normally known as the MAC address) is also easily spoofed.
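The NAT point above can be seen by trying to attribute a single ISP record with and without the router's own logs. This is an added example, not part of the original post; every address, port, hostname and log layout in it is constructed for illustration.

```python
from datetime import datetime, timedelta

# All values below are constructed for illustration.
# What the ISP holds: a public address, a source port and a timestamp.
ISP_RECORD = {"src_ip": "198.51.100.20", "src_port": 40212,
              "time": datetime(2014, 2, 3, 21, 14, 7)}

# Router DHCP leases: private IP -> (self-reported MAC, hostname)
LEASES = {
    "192.168.1.10": ("02:00:00:aa:00:01", "bob-laptop"),
    "192.168.1.11": ("02:00:00:aa:00:02", "family-pc"),
    "192.168.1.12": ("02:00:00:aa:00:03", "guest-phone"),
}

# Router NAT translations: (start time, private IP, private port, public port)
NAT_LOG = [
    (datetime(2014, 2, 3, 21, 13, 50), "192.168.1.10", 51544, 40198),
    (datetime(2014, 2, 3, 21, 14, 5), "192.168.1.12", 49822, 40212),
    (datetime(2014, 2, 3, 23, 2, 41), "192.168.1.11", 50110, 40212),  # port reused later
]

def candidates(isp_record, leases, nat_log=None, window=timedelta(seconds=30)):
    """Return the private hosts that could have produced the ISP's record."""
    if not nat_log:
        # ISP view only: every device behind the router shares the public IP.
        return sorted(leases)
    # With the router's log, match on public port inside a time window
    # (the window absorbs clock skew between the ISP and the router).
    hits = {ip for (t, ip, _private_port, public_port) in nat_log
            if public_port == isp_record["src_port"]
            and abs(isp_record["time"] - t) <= window}
    return sorted(hits)

def describe(isp_record, leases, nat_log=None):
    """Attach lease details; the MAC is whatever the device chose to announce."""
    return [{"ip": ip, "hostname": leases[ip][1], "mac": leases[ip][0],
             "mac_is_self_reported": True}
            for ip in candidates(isp_record, leases, nat_log)]

if __name__ == "__main__":
    print("ISP record alone :", candidates(ISP_RECORD, LEASES))
    print("With router logs :", describe(ISP_RECORD, LEASES, NAT_LOG))
```

Even the narrowed result rests on an IP and MAC that the device announced itself, so it is one strand to be corroborated rather than proof of who was at the keyboard.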

Crime Scenario 2 (Defence: Someone accessed my machine and did it). In this case, Bob’s computer has illegal content on it, and he claims that he had no idea how it got there. In this case, most computers are networked, and once they join a network they can be connected to. Often guest shares or guest accounts can be used to create a connection. If not, there’s a whole lot of malware kits that Eve can use to gain remote access to the machine. In this case Eve sends a link to Bob to access a PDF document. He views it, and it actually sets up a remote access method for Eve, and she can do whatever she wants on his machine. If Bob hasn’t patched his machine, he has become vulnerable to this. So in defence he just says that he doesn’t trust Microsoft for their patches, and it was their fault. If the PDF one doesn’t work, she tries a Java exploit, if that doesn’t work, it’s a Flash compromise … and she keeps trying.

Crime Scenario 3 (Defence: Someone stole my user account details). Bob is arrested for trying to take money from someone else’s account and put it into an off-shore account. The bank says that he logged in, and transferred the money. With this, Eve has sent Bob a trick email which asks him to log in and check some details. He logs in, but it doesn’t work, but the next time it is fine. After this Eve has his login details, and can go ahead and log in on his behalf. Bob has no idea that anything has gone wrong, but the first site was a spoof site, and captured his login details for his bank, and then redirected to the main site, for which the login worked. To make the spoof site look real, Eve has scraped the images, text and style sheets from the bank site, so it all looks real.

Crime Scenario 4 (Defence: The bot did it). In this case, Bob has been attacking a remote site, and is arrested. His defence is that it wasn’t him, but it was a bot on his machine. In most cases, this defence is not strong, but there is always a chance that a bot on the computer did generate the malicious activity. Just because no malware is found on a machine at the point of investigation doesn’t mean that it wasn’t there at some time in the past.

Crime Scenario 5 (Defence: My computer automatically went to it). In this case, Bob has been detected by his ISP accessing some criminal material. He is arrested, and says that he knew very little about it, and had basically accessed his bank but ended up viewing the criminal material. For this one, we have to look in detail at domain name servers (DNS) and at Internet gateways. Unfortunately, the Internet has been created with very little credibility in the information that is passed. So when Bob starts his computer, Eve broadcasts the MAC address of her computer, and pretends to be his Internet gateway and also his DNS server. All Bob knows is that when he accesses his bank, he sees the wrong site. In fact, Eve has poisoned his domain name look-ups, and she resolves his domain requests to the wrong IP address, which is logged on the ISP.

Crime Scenario 6 (Defence: I didn’t send the email). In this case we have Bob, who is sending abusive emails to Alice, and she forwards them on to the Police saying that he is abusing her. Bob is then arrested, saying that he knew nothing about it. In this case, the email system we have set up has no credibility, and anyone can send an email saying that they are anyone they want to be. Thus Eve uses her own SMTP server, within a private network, and sends the email. In fact the email contents just contain headers of:

To: Alice@test.com
From: Bob@test.com

and there is no way of actually telling it was from Bob. So? Email really can’t be used as a fully credible source of evidence. It can be used for a timeline, but you cannot ever confirm that the sender is actually who it says in the “From:” field.
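An examiner can at least check whether anything else in the message backs up the “From:” line. The sketch below is an added example, not part of the original post: the sample message, the relay names and the receiving server name mx.test.com are constructed, and it only trusts an Authentication-Results header written by that receiving server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From/To lines from the text plus headers a
# receiving server (assumed here to be mx.test.com) would typically add.
SAMPLE = """\
Authentication-Results: mx.test.com; spf=fail smtp.mailfrom=mail.example.net;
\tdkim=none
Return-Path: <eve@mail.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.test.com with ESMTP; Mon, 03 Feb 2014 10:15:02 +0000
To: Alice@test.com
From: Bob@test.com
Subject: constructed example

(body)
"""

def _domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def auth_results(msg, trusted_authserv):
    """Collect method=result pairs, but only from our own server's header;
    an Authentication-Results line from anyone else is just more sender text."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, *parts = hdr.split(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for part in parts:
            m = re.match(r"\s*(\w+)=(\w+)", part)
            if m:
                out[m.group(1).lower()] = m.group(2).lower()
    return out

def corroboration(raw, trusted_authserv="mx.test.com"):
    msg = message_from_string(raw)
    auth = auth_results(msg, trusted_authserv)
    checks = {
        "envelope_matches_from": _domain(msg["Return-Path"]) == _domain(msg["From"]),
        "spf_pass": auth.get("spf") == "pass",
        "dkim_pass": auth.get("dkim") == "pass",
    }
    return {"claimed_sender": parseaddr(msg["From"])[1],
            "received_hops": len(msg.get_all("Received", [])),
            **checks,
            # Even True only ties the mail to a domain, not to a person.
            "from_corroborated": all(checks.values())}
```

Run on a message carrying only the two headers shown in the text, every check comes back false, which is the point being made: the “From:” field on its own corroborates nothing.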


My teaching and research work relates to computer security, and I’ve found that very little of what is generated on a computer or network is actually 100% credible. Basically if someone wants to change things on the Internet, or on computers, they can do so. I appreciate that many of the crimes which are investigated related to cybercrime have high threat levels, but that does not justify reducing the threshold for the evidence level.

Text from the article

POLICE have called for the abolition of a key plank of Scots law in order to help secure convictions for online crimes such as child pornography and grooming.

Officers say the need to corroborate key facts to bring a case to court is limiting their ability to tackle cyber crimes, which include paedophilia, harassment and online fraud.

But online experts have warned that digital trails of evidence can be unreliable on their own and need to be corroborated by other forms of evidence to prevent miscarriages of justice.

Police Scotland officers struggle to find corroborating evidence when acting on allegations of online crime brought by members of the public.

Assistant Chief Constable Malcolm Graham said: “It’s an emerging crime type where the likelihood of getting corroboration for essential facts diminishes.

“A lot of cases that come through the courts are where police have proactively monitored people, where we think there’s a risk that children might be abused.

“But in cases where people come and report to us that they have been the victim of cyber crime, there can be issues in terms of attributed communications hardware.

“We believe the law should develop to keep in touch with technology. This would be an example where current legislation has not developed and evolved in recognition of the range of criminal operations.”

Police Scotland supports the Scottish Government’s plans to abolish the requirement to have corroboration in order to bring a case to court.

The legislation, which is being debated in the Scottish Parliament, is based on recommendations by Lord Carloway, the Lord Justice Clerk, which are opposed by other Scottish judges and leading lawyers.

Professor Bill Buchanan, director of Edinburgh Napier University’s centre for distributed computing, networks, and security, which trains police in tackling cyber crime, also warned against abolishing the need for corroboration.

“On the internet it’s very difficult to take one source of evidence as a definitive source as things can be changed and people can have different identities,” he said.

“We should always get some physical and some traditional corroboration, along with the digital footprint.

“Logs can be tampered with, you have an IP address, but people can spoof them.”

A UK expert on online crime said that more funding, rather than a change in the law, was needed.

David Cook, a cyber crime and data security solicitor, said: “Our prosecutors find it notoriously difficult to adequately evidence crimes that occur online and the vast majority go not only without prosecution but even without a proper investigation.

“However an effective investigation can and should still take place. That those who police us choose to not provide adequate resources to such matters, instead suggesting the erosion of a civil liberty that is centuries old, is a lamentable position.

“I fear that such a change would inevitably cause an increase in the number of miscarriages of justice,” he added.

Police Scotland estimates that 3,000 more victims will be granted access to justice by abolishing the need for corroboration,” he added.

In a separate study, the Crown Office looked at 458 rape allegations which did not reach court because of insufficient evidence. They were re-examined as if corroboration was not required and prosecutors estimated 82 per cent could have proceeded to trial, and 60 per cent had a reasonable prospect of conviction.

Police Scotland has not yet produced similar research on what impact removing the requirement would have on cyber crime.

Alison McInnes MSP, Scottish Liberal Democrat justice spokeswoman, said: “This is a new argument which has certainly not been reflected in the wide range of evidence given to the justice committee. If Police Scotland believe that corroboration has impeded cases such as these then I am surprised that they have not reflected that in their oral evidence to the committee.”

Abolition call: Cadder ruling

The proposed abolition of corroboration – the requirement to have two independent pieces of evidence to bring a case to court – stems from a Supreme Court judgment in 2010.

The UK’s highest criminal court found in favour of Peter Cadder by ruling that it was a human rights breach for police to interview suspects without giving them access to a solicitor. This has led to more suspects refusing to speak in interviews.

This is particularly problematic for police in cases of alleged rape. Previously an accused may have admitted having sex but claimed it was consensual, which would have allowed police to corroborate a key element of the charge.

In light of the Cadder ruling, the Scottish Government asked Lord Carloway, now Scotland’s most senior judge, to review Scots law. Carloway made a raft of recommendations, including abolishing the need for corroboration. The proposal is in a criminal justice bill now in front of the Scottish Parliament.

Getting More Kids into Computing!

I’ve been working on a range of books with Bright Red Publishing on N5 books (which relate to the new syllabus within Scottish schools), and just now I’m working on the new N5 Computing book. The syllabus looks to be a great improvement on the previous one, with over half of it on software development, and good coverage of things such as security and databases. It thus highlights a changing world, as we now move towards new subjects within computing.

So many job roles …

Over the past few years I’ve been presenting at events on how we need to get more kids into Computing. So why, in the UK, are we still funding so many university places in subjects in which there are few jobs? Shouldn’t we be funding more student places in Computing? Few subjects can offer the breadth of jobs that Computing can … from software development to network support, and from user interface design to computer security. In fact there are so many job titles for someone entering a computing programme, in lots of interesting areas: networking, computer security, software development, media design, mobile devices, web development, and many others. Along with this, there are new areas such as Cloud Computing, Big Data and lots of developments around mobile devices. So a first year student in a computing degree can often select from a wide range of subjects, and select the one that interests them most, and which, possibly, has the best career options for them.

It’s at the core of everything now …

The Internet is probably one of the greatest creations ever, and one which provides us with the core of the modern world. Without it, many industries such as banking, energy, education and so on, could not exist in their current form. We can see from the increasing creation and consumption of digital information that there is an increasing reliance on the Internet, with over 12TB of tweets every day, and almost 90% of all the data produced in the Cloud has been produced in the last two years. Along with this, we see over 2.5 quintillion bytes of data being produced – that’s over 1 billion hard disks of data, every day. And the Internet is not just about computer data; we are moving toward digitizing a whole range of media, including voice, video and sensor data. Along with this, areas such as health and social care could be radically changed with digital methods, where patients could Skype with their GP, rather than having to arrange appointments for a face-to-face meeting.

For example … computer security

A good example of the new industries that are being created within Computing, and the rise in the academic requirements, is in computer security. Within it there’s a wide range of things to focus on including network security, operating systems, people, encryption, identity, mobile devices, wireless, and so on. Also there are new applications for the Internet, and new threats occur every day, especially as we become more mobile and more reliant on the Cloud. Many application areas, including banking, shopping, government services, health care and so on, are all going on-line, increasing the threats we are all under, which thus requires a new range of professionals, which ten years ago would not have even existed … computer security consultants.

Where are the employers …

Well they are everywhere … with large and small companies expanding, from key application sectors such as banking to core IT companies. From my side, I see an increasing demand for graduates in computing, with a wide range of companies looking for many graduates. Many years ago I would see graduates move away from Scotland, but now there are companies recruiting them on their home base, with companies such as Dell SecureWorks and Amazon recruiting students to work on Princes Street … how great is that? And there are great SMEs which are leading on an international basis, whether it is miiCard for identity provision, or Rockstar leading the way in computer games; there has never been a better time to get into computing.

So … why aren’t we funding more graduate places in computing, and fewer in areas which struggle to find enough jobs for their graduates?

Introducing Bob and Alice …

Over the past few years, Edinburgh Napier University has been engaging with local schools on creating interest in computing with both IT4U, which brings schools into universities, and provides them with a range of interesting workshops, and with the Cyber Christmas lecture. For this we have presented on a range of things including within computer security, showing kids some fun things in cracking codes and introducing Bob and Alice. Can you remember the time when you passed secret messages to your friends at school? Well, the need for code cracking increases by the day, as we see new threats evolve … so the time is right to engage with these young minds, and get them interested in some of the new problems that the world faces. It is within areas such as computer security that we create the architectures of the future, and one in which physical buildings have been replaced with virtual ones.