One of the justifications for an increase in the number of days a terrorist suspect can be held in the U.K. without charge, from 14 to 90, is the time it takes to decipher what is on a suspect’s computer hard drive.
Assistant commissioner at the Met Police, Andy Hayman, has claimed the extra time is needed in order to make sure that all the evidence from a seized PC is located before someone is released. The question is: why does it take so long?
The Met Police has a high-tech crime unit and also has access to the Forensic Science Service. Both units employ Forensic Computer Analysts who crack hard drive contents.
We asked Dr. Fauzan Mirza of ProSoft Research, an expert in hard drive encryption, how the Met would set about cracking a hard drive and looking for evidence of terrorist activities. “There are two stages,” he told us, “acquisition and analysis.
Acquisition is automated and takes a copy of the hard drive itself. It runs at the speed of the fastest backups, around 500MB per minute. Analysis looks at the contents. It’s usually obvious within a matter of hours whether there is evidence on it.”
“If there is evidence it can take more than a week to analyze it. It could be two to three weeks depending upon the sophistication of the means used to hide it, steganography for example.”
A Met spokesperson confirmed to us that in some terrorism cases, they were facing this exact issue. “We are dealing with encrypted messages,” he said.
Dr. Mirza added that evidence may also be in a foreign language: “It would have to be reviewed by a linguist and feedback given to the analyst. They would re-check the computer on the basis of this feedback.”
Graham Cluley, a senior technical consultant at Sophos, said that additional time would be needed to liaise with security and police services in other countries. The police also need to formulate an interview strategy based upon any uncovered evidence. Add together the initial analysis, the translation and the second-stage analysis, then inter-country cooperation and interview strategy formation, and from the police point of view the existing 14 days is inadequate and 90 days doesn’t look excessive.
Another factor is encryption sophistication. If 256-bit triple-DES or similar techniques are used then decryption could require supercomputer-levels of cracking.
We were not told how many analysts there are. A Met spokesperson told us: “We wouldn’t want to discuss our level of capability.” It was noted recently that the anti-paedophile Operation Ore caused large-scale delays in checking PC hard drives.
Dr. Mirza said: “There was a massive backlog of computers to analyze. Some of them couldn’t be looked at for over 90 days.” It could be just as likely that the police are looking at the controversial extension measures simply because a lack of resources means terrorist hard drives could be part of a wider queuing system.
With the measure unlikely to make it into law thanks to widespread opposition from MPs due to its civil liberty implications, it looks as though the police will have to find ways of streamlining their approach to this 21st century aspect of crime fighting.