Specialist police units tackle computer crime

In their fourth year, Hi-Tech Crime Units are proving invaluable to police forces across the country

Computer crime cost UK businesses £2.4bn last year and this figure is likely to rise unless companies do more to protect themselves.

Organised gangs are using the internet to carry out crimes such as fraud, identity theft, blackmail, hacking and denial of service attacks.

Camera phones, CCTV, PDAs and computers are also providing digital forensic evidence that can help solve conventional crimes, such as murder, kidnapping, burglary and – more recently – the London terrorist bombings.

In April 2001, the government established a National Hi-Tech Crime Unit (NHTCU) to combat the growth of computer crime and solve serious crime.

Some 43 local Hi-Tech Crime Units (HTCUs) were also set up to tackle similar offences at a regional level.

But according to detective chief superintendent Sharon Lemon, head of the NHTCU, more needs to be done to educate the 140,000 police officers in England and Wales about how technology can provide digital clues to solve crimes.

‘Most of us now carry around some sort of equipment which holds useful data, even if it is just a mobile phone. We need to stop thinking of computer crime as a specialism and integrate it as part of everyday policing,’ she says.

‘There are many examples of officers referring every crime that has a computer involved to a computer crime unit, and this should not be the case. There needs to be complete educational awareness – not just in the police, but also in the Crown Prosecution Service and judiciary.’

If there is a burglary, says detective constable Andy Joyce at Avon & Somerset Constabulary’s HTCU, officers will search the usual places, such as a pawn shop. Many officers, however, do not trawl web sites, such as eBay.

‘We are trying to explain this to them,’ says Joyce. ‘There are easy techniques they could use, such as a radius search on eBay. For example, you can use it to search within a 10km radius for people selling a Sony laptop. Burglars do not want to travel far and it is a way for them to get rid of things.’

Funding is also an issue when it comes to combating computer crime, says detective chief inspector Charlie McMurdie, head of The Metropolitan Police’s Computer Crime Unit (CCU).

An additional £1m funding could potentially double the number of cases the unit can investigate each year (Computing, 7 July).

‘Many computer crime units around the country have not increased their teams due to lack of resources, yet at the same time e-crime is increasing and growing more organised,’ says McMurdie.

And Lemon says that while the NHTCU deals with top-level criminals using the internet, regional forces need to deal with everyday crimes involving computers.
‘It is the responsibility of the chief officers to invest in their computer crime units to get this done,’ she says.

Fortunately computer crime units are being resourceful. The Met’s CCU is in discussions with several private sector firms about funding and support – and Avon & Somerset HTCU is working with technology firms as part of its investigations.
‘We get a lot of support from industry. If we need to look at Sage software for financial crimes, or HP systems in terms of storage, then we get great support from firms,’ says Joyce.

Another key role of the UK’s HTCUs is crime prevention, says detective inspector Chris Simpson, at the Metropolitan Police. He believes computer crimes targeted at businesses – such as hacking and denial of service attacks – could be reduced if people did more to secure their systems.

‘Vast numbers of businesses have an online presence, and they are vulnerable to crimes such as hacking,’ he says.

‘There is a need for consumer education. Proxy and zombie computers are marketable assets, but if we can educate the end user to install firewalls, anti-virus software and update systems, then we can put a stop to this.’

In the Avon & Somerset region, the HTCU spends time educating local business people through The Rotary Club and other organisations.

The NHTCU is also co-funding a web site called Get Safe Online, aimed at educating consumers about how PCs can be used by hackers to distribute spam and launch denial of service attacks.

As new technologies emerge, police must develop their skills to combat crime. Joyce says greater international liaison is helping forces do this.

‘Computer forensics is quite unique. If you look at DNA or other medical forensics there is a range of research and journals. But with computer forensics there is often not enough time to sit back and do this,’ he says.

‘Fortunately we have good relations with other computer crime units abroad. Police officers in any other field do not have the communication network that computer crime units do. I can pick up the phone at any time to the US and get advice from my counterpart.’

Joyce says Avon & Somerset is also developing new investigation methods to find evidence on 3G mobile phones.

‘But there are issues here. Most PCs have standard operating platforms. These can be different with 3G phones,’ he says.

While new technologies provide new challenges for the police, Lemon says they can also be used to catch the criminals.

‘Rather than looking at emerging technologies as a threat, we need to be more savvy to keep ahead of the game and use the same tools the criminals use against them,’ she says.

How the NHTCU seized an identity theft syndicate

The National Hi-Tech Crime Unit (NHTCU) scored one of its biggest victories this summer when two men were sentenced to a total of 10 years at Leeds Crown Court for their part in an online identity theft scam.

During the two-year period before their arrest, 24-year-old Douglas Havard and 25-year-old Lee Elwood made an estimated £6.5m.

Both men drove Mercedes cars and spent hundreds of pounds on champagne and casino gambling.

The two men headed a UK syndicate linked to an Eastern European crime gang that stole money using phishing emails, tricking online banking customers into giving out account passwords.

Using data dumps of credit card information and passwords sent to them by Russian counterparts, US-born Havard and Glaswegian Elwood cloned credit cards and stole money from cash machines.

They then laundered the money by purchasing goods online and selling them on to unsuspecting victims.

During one scam they bought laptop computers and other electronic goods before selling them at online auction sites, such as eBay.

‘The criminals cloned cards and ripped off ATMs. The pair stole at least £750,000 over a 10-month period, but with the high number of traffic they did over that period we estimate it could amount to £6.5m or more,’ a spokeswoman for the NHTCU told Computing.

The two men used Western Union to transfer 60 per cent of the takings back to St Petersburg and other locations in Russia, before splitting the remaining profits between them.

But the net closed on the gang in June 2004. On 4 June, the NHTCU raided the home of Douglas Havard.

Scattered around the flat were bank accounts with 10 different names as well as forged travellers’ cheques.

Further investigations at different addresses unearthed £10,000 in cash and £20,000 in bank accounts.

Evidence also led police to Lee Elwood, who was arrested four days later. A search of his flat found piles of forged documentation, bank details, credit card holograms and implicated computers.

The NHTCU tracked down the pair during its pursuit of an East European phishing gang that targeted UK banking customers.

Investigations led the unit to web sites shadowcrew and carderplanet – where criminals traded fake driving licences, credit cards and other forms of personal identity.

The Russians are believed to have made initial contact with Douglas Havard on the carderplanet site, where under the pseudonym Fargo he had become a reviewer, testing the illegal identities that criminals were selling for as little as a few pounds.
By using network investigation methods and by sharing information with the FBI and Russia’ s computer crime unit, the UK police unit Department K was able to track down Havard.

In June this year, Havard was sentenced to six years after being found guilty of conspiring to defraud and launder money.

US officials are also seeking to extradite him so he can be charged for his alleged role in an armed robbery and counterfeiting scam in Texas.

Elwood was sentenced to four years for his involvement in the online identity theft scam.

Case study - Avon & Somerset Hi-Tech Crime Unit

Working with a bespoke system to fight crimeOver the past eight years, Avon & Somerset Constabulary’s Hi-Tech Crime Unit has changed in the same organic way as the crime it was set up to investigate.

Before the official creation of a National Hi-Tech Crime Unit and local computer crime units in 2001, officers in Bristol were closely tied to the force’s fraud unit.
Avon & Somerset detective sergeant Tim Beer says the constabulary was going into offices on fraud cases and realising that computers were key to their investigations.
‘Over time we realised we needed to do something about computer crime but there were no national guidelines then,’ he says.

Until April 2001, most of the responsibility was falling to one digital evidence recovery officer. ‘They were completely swamped and learning on the job,’ says Beer.

Additional funding from the NHTCU enabled the unit to employ another investigator.
But they were soon to be overwhelmed when news broke that detectives, working on an internet paedophile investigation in the US, had discovered the names of 7,500 British child porn web site subscribers - and handed them to the UK’s National Criminal Intelligence Service.

Hundreds of these subscribers lived in the Avon & Somerset area and were passed on to the HTCU to investigate as part of Operation Ore, which nationally led to 1,300 arrests.

‘We had 220 targets in our area and we found that the average person had more than two personal computers,’ says Beer.

‘The bottleneck was our unit. We were already stretched to the limit with each case taking, on average, about 15 hours to complete.’

Detective constable Andy Joyce says that often, Avon & Somerset had suspects in the cells and only 24 hours to keep them.

‘In some cases their computer could be the only lead we had,’ he says.

The force had to make a decision: should it outsource or invest in a more effective IT infrastructure, which could process investigations faster?

‘The cost would have run into millions if we were to send it out to private computer forensic companies,’ says Beer, who decided instead to turn to IT consultancy Compusys for assistance.

The HTCU built a system which used Compusys ProManaged Servers and IDE-RAID disk systems, which provided two terabytes of centralised storage for forensic investigations.

By improving storage facilities, the force was able to increase the speed at which it took copies of hard disks sitting on confiscated home PCs.

Using a computer investigation and auditing tool called EnCase, it was then able to locate incriminating images and files more efficiently.

Each file and image has a digital fingerprint, called a hash value, uniquely associated with it.

By storing all seized hard disks centrally and using high-speed processors from Intel, the unit was able to carry out further searches and cross-reference hashes to find incriminating files on other computers.

Sony AIT-3 tape libraries were also added so that closed cases could be securely archived, meaning vital memory on the main Compusys investigation system was not wasted on storage.

Files could also be easily retrieved over a Gigabit Ethernet network should they need to be accessed as part of another case.

When new images are discovered, the hash number is entered into the central database and then cross-referenced.

Such effort reduces the time officers must spend viewing disturbing images, and also cuts the time to process an investigation.

Avon & Somerset Constabulary now has six people working in its HTCU and the nature of its investigations is expanding.

The unit deals with a range of cases from murders and robberies, where evidence stored on computers and mobile phones can prove vital, through to hacking and distribution of online pornography.

‘It’s always changing,’ says Joyce. ‘More recently we did work connected to the London terrorist bombings.’

The history of UK computer crime units

The National Criminal Intelligence Service commissioned Project Trawler in 1996 to identify potential threats that could emerge from the growth in information technology.

Key recommendations to tackle crimes - ranging from hacking and virus writing, to online fraud and paedophilia - included the creation of national and local computer crime units (CCUs), and the education of IT users about security threats.

In response to the recommendations, the Home Secretary announced the creation of the National Hi-Tech Crime Unit (NHTCU) to Parliament in November 2000.

Some 43 local Hi-Tech Crime Units were also set up across England, Wales and Northern Ireland.

The aim of the strategy was to ‘reduce harm caused to the community from computer-enabled criminality’.

According to the Association of Chief Police Officers this would be achieved through the ‘prevention, reduction, disruption and detection of crime, and the prosecution of those responsible’.

The government provided £25m in funding: £10m was spent on local computer crime units and £15m was used to create the NHTCU.

Basic computer crime courses have been compulsory for all police recruits since September 2003, so that all officers – not just those working in CCUs – can understand and exploit high-tech evidence found at crime scenes.

In July this year, Centrex - the Central Police Training and Development Authority - looked to further plug the knowledge gap between new recruits and serving officers by launching an elearning portal.

The High-Tech Crime First Responder elearning programme provides training, ranging from how to deal with public reporting of internet crimes through to
identifying, seizing and preserving digital evidence.

On 1 April next year, the NHTCU will become part of the newly created Serious and Organised Crime Agency (Soca). The move illustrates how technology is becoming an everyday part of crime detection.

It will work with the National Criminal Intelligence Service, the National Crime Squad and parts of HM Customs & Excise, and the Home Office, involved in combating drugs and immigration.