SYTECH Case Study – Digital Forensic Investigations in Cases Against Child Predators and Co-Conspirators

How Cellebrite’s UFED Link Analysis Strengthens Cases Against Child Predators and Co-Conspirators – Mobile Phone Forensic Examinations

 

Who:

Simon Lang, Senior Digital Forensic Consultant / Digital Forensics Manager, SYTECH – Digital Forensics, Stoke-on-Trent, England

 

What:

Use of Cellebrite UFED Link Analysis to attribute suspect handsets and assess and identify victims

 

Why:

Investigating rings of criminals who produce child exploitation materials

 

Results:

UFED Link Analysis saves time and effort associated with connecting suspects and victims on child exploitation, illegal money lending and drug conspiracy cases

 

Child exploitation can be one of the hardest crimes to prosecute. Victims are often too scared or ashamed to admit any connection to a suspect, and paedophiles go to great lengths to protect one another. To make their cases, police need ways to tie suspects and victims to one another via the frequency, type, and mode of their communications. Often this evidence is found on their mobile phones and GPS devices.

 

Simon Lang, Digital Forensics Manager at SYTECH – Systems Technology Consultants Ltd., England, has put UFED Link Analysis to work on several such cases in recent months. In the United Kingdom, law enforcement agencies frequently outsource digital forensics to firms like SYTECH. That’s because when a case goes to trial, the courts require an independent review of the work police did. High profile or complex cases with multiple devices often end up in court, so teams like Lang’s need tools that enable them to explain digital evidence simply and concisely at trial.

 

Lang himself has been a mobile device forensics examiner since about 2008, and he and his team have used Cellebrite systems since 2011. However, when faced with multiple mobile devices on a single case, they faced the time-consuming process of running data through spreadsheet software.

 

“Creating custom filters in Microsoft® Excel® and looking for common contacts, usernames and IDs, and incriminating content [such as text messages] can take a few hours when comparing the results from iPhones etc.,” says Lang.

 

That’s because of the sheer amount of data that iPhones and other smartphones can store. UFED Link Analysis provides an almost instantaneous graphical representation of the common contacts with the click of a button. “It is easier using these diagrams than looking at rows of text,” says Lang.

 

Why is this important? Lang and his team work on large cases involving multiple defendants across the United Kingdom, including child exploitation and drug conspiracy cases. “This tool comes in extremely handy in child exploitation and grooming cases, which are becoming more common in the UK,” Lang explains. “There are large ‘rings’ of individuals who have been targeting vulnerable people across the country.”

 

One of the most common ways his team uses UFED Link Analysis is for attribution of handsets when the suspect denies ownership. Investigators can corroborate text messages or instant messaging, call logs and contacts found on the suspect’s handset with like data found on victims’ or other suspects’ handsets.

 

Lang’s investigators also use UFED Link Analysis to compare “clean” and “dirty” phones. In these scenarios, suspects use one device for everyday noncriminal activities, and a second or more devices for their criminal activities. Common contacts and locations between the two can show which devices are used by the same suspect(s) and thus, can tie otherwise “innocent” suspects to the crimes they commissioned or committed.

 

The software is also handy for assessing multiple victims on these cases. The “Links-Mutual” view shows whether victims all had one or more suspects in common on their devices; patterns in keywords or timelines—days of the week or times of day—can help corroborate the evidence.

 

Once the evidence is collected and analysed, Lang uses the snapshot option to show common contacts within cases, placing these within his report. Put together, the links and patterns strengthen the Crown’s case and lead to what Lang believes will be a higher likelihood of conviction.

 

About Cellebrite

Founded in 1999, Cellebrite is known for its technological breakthroughs in mobile forensics. Its Universal Forensic Extraction Device (UFED) is used internationally by law enforcement, military, intelligence, corporate security, and eDiscovery agencies to extract data from legacy and feature phones, smartphones, portable GPS, tablets and phones manufactured with Chinese chipsets.

 

SYTECH – UFED Link Analysis – Child Exploitation Case Study

Forensic analysis of a Sony PlayStation 4: A first look – Presentation Slides – Matt Davies – SYTECH

To accompany the fantastic research carried out by Matt Davies (SYTECH) et al. from:

http://sytech-consultants.com/forensic-analysis-of-a-sony-playstation-4-a-first-look-matthew-davies-digital-forensic-analyst-sytech/

The presentation slides from the DFRWS (Digital Forensics Research Conference) Europe 2015 Annual Conference are now available below:

Forensic analysis of a Sony PlayStation 4 – Matt Davies – SYTECH

Forensic Focus Interview – Matt Davies – Digital Forensics Analyst – SYTECH

Matt, you’re a digital forensics analyst at SYTECH. Tell us a bit about your role and what it involves.

My role at SYTECH predominantly involves the extraction and analysis of embedded devices, such as mobile phones, tablets, satellite navigation systems, games consoles, unknown devices etc. The examinations I am involved in vary considerably and range from indecent images of children (IIOC) to providing assistance in murder investigations. Working for a private organisation, such as SYTECH, allows me to experience both prosecution and defence based cases.

What first made you interested in digital forensics as a field?

It was the varied nature of the work accompanied by the opportunity to make a difference that attracted me to the field of Digital Forensics.

I really didn’t want a mundane or repetitive job; I wanted a career that would provide both challenges and stimulation; so far I have not been disappointed! I have a real passion for forensics and love what I do.

At DFRWS you presented some research on forensic analysis of a Sony PS4. Could you briefly outline this for our readers?

The Sony PlayStation 4 is the most powerful 8th generation games console on the market. As of March 2015, there are over 20,000,000 devices in worldwide circulation. The console’s security features, such as encryption, face recognition technology and passcode protection, make this device the perfect weapon for criminals. Therefore it was essential that an analysis method be devised for this device. The proposed best practice methodology is the result of over 50 experiments conducted upon the PlayStation 4 over a 12 month period.

In the first instance the console’s hard drive is removed, imaged and restored upon a duplicate HDD using a Linux based system. A shadow drive is then inserted between the console and the duplicate drive, which receives all write requests and as such prevents the alteration of data stored upon the HDD. The operational effectiveness of the shadow drive was evaluated in the following manner: The duplicate HDD was imaged and verified. An online analysis of the console’s Internet web browser was conducted and the HDD removed and verified. A comparison of both the MD5 & SHA-1 hash values concluded that no alterations were made to the HDD during the analysis.

A technique that can be exploited by the user enables images viewed online to be stored upon the device. These images are stored as screen captures and can easily be copied to a USB pen drive for evidential purposes. Image and video content acquired via the console and saved to an alternative device (under a different file name) contain metadata that includes the device make & model, firmware version used, original file name and the date and time created. This information can be correlated to the suspected device responsible for creating the artefacts.

One of the greatest challenges with the PlayStation 4 is the continuous updating of system firmware. It has been observed that firmware updates take place at around 8 week intervals and provide additional features as well as “system stability” updates (suspected updating of encryption keys). For each firmware update where the experiments were repeated, the results differ considerably between firmware versions.

You mentioned that one investigative challenge is that Sony is now storing the majority of PlayStation data on the PlayStation Network rather than on each device. Talk us through the unique challenges associated with this, and how they might be addressed.

Having previously evaluated the operational effectiveness of the shadow drive when viewing non PlayStation Network (PSN) dependent content, a second experiment focusing upon PSN was conducted. The experiment involved connecting the console to PSN and sending a single message to a friend, whilst utilising the shadow drive. The console was then rebooted and the message content analysed. The first iteration demonstrated that the message was not visible upon rebooting the console. For validity reasons, the experiment was repeated. On this occasion both the initial and second messages were visible. The experiment was repeated a final time and it was apparent that all messages sent whilst connected via a shadow drive were visible. Therefore, the shadow drive does not prevent data stored in PSN being altered. This presents a significant challenge as data stored in the PSN is duplicated, in part, upon the console’s HDD, meaning that an investigator accessing PSN content without a shadow drive could potentially overwrite existing data or unintentionally delete vital evidence.

The best solution is to use a secondary console to view PSN content. Creating a basic user account without any data will result in that account being populated with the user’s content upon logging into PSN, including unique PSN gamer ID, profile information, messages, party, friends, What’s New, Notifications etc. In addition, an investigator can also access partial PSN data by logging into the suspect’s account via a PC browser. The Sony Entertainment Network (SEN) can be used to prove ownership and contains the user’s real name, address, credit card details etc.

Additional challenges are presented by the console’s remote access features: such options should be disabled, the console restarted and the changes verified prior to conducting an online analysis of the device. In addition, investigators should disable the PSN automatic login feature in order to prevent the alteration of PSN content.

How do you think the world of digital forensics will change over the next few years?

Security Features
The industry trends seem to indicate a significant increase in the use of security features such as encryption, biometrics and passcode protection. Over the coming years such features are likely to become more widely utilised, and as a result present greater challenges to forensic investigators.

Technological Evolution
It has been said for many years that the line between personal computers and embedded systems is becoming increasingly blurred. The technological advancements, accompanied by larger storage capacities, will continue to present significant problems for digital investigators. According to Sony, the PlayStation 4 possesses 43 times the processing power of the PlayStation 2 and 10 times that of the PlayStation 3. One can’t help but wonder what the PlayStation 5 will have in store for us!

Social Media
The sharing capabilities of the PlayStation 4 enable social media websites such as Facebook, Twitter and YouTube to be synced with the device. Tablets and mobile phones also encourage users to share content via social media applications; the whole area seems to be expanding at an alarming rate.

We only need look at the development in mobile phone forensics over the past 5 years to see how far the field of digital forensics has already come. The challenges faced by investigators in the coming years will greatly surpass those seen in previous years; providing a solution to these is far from impossible. Perhaps the greatest change to the field of digital forensics will be the operational requirement for dedicated Research & Development teams within every organisation. We might also see a significant shift from traditional forensic techniques and the reliance upon industry standard tools. There has been a great deal of debate in this area and as to whether or not the whole forensics process is becoming automated. I think it’s an interesting discussion and one that is likely to continue in the future.

I am currently continuing further research into game console forensics and intend on presenting the results at DFRWS 2016, Switzerland.

Matt Davies is a Digital Forensics Analyst at Sytech, who work on digital investigations across all areas including criminal justice, civil litigation and corporate.

Forensic Focus interviewed Matt at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016. You can find out more and register here.

Original Forensic Focus Article
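The shadow-drive validation described in the interview above (image and verify the duplicate HDD, carry out the analysis, then re-verify and compare both MD5 and SHA-1 values) can be scripted as below. This is an added example, not code from SYTECH or from the research; the 512-byte sector size and the small image files built in `demo()` are constructed assumptions. It goes one step beyond the hash comparison by listing which sectors differ when the check fails.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024   # read size; a multiple of SECTOR
SECTOR = 512          # assumed logical sector size of the imaged drive


def dual_hash(path):
    """Return (md5_hex, sha1_hex, size_in_bytes) from one pass over the image."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha1.hexdigest(), size


def changed_sectors(before_path, after_path, limit=16):
    """Return up to `limit` sector numbers whose content differs between images."""
    changed, base = [], 0
    with open(before_path, "rb") as a, open(after_path, "rb") as b:
        while len(changed) < limit:
            ca, cb = a.read(CHUNK), b.read(CHUNK)
            if not ca and not cb:
                break
            if ca != cb:
                # A truncated image compares against b"" here, so missing
                # sectors are reported as changed too.
                for off in range(0, max(len(ca), len(cb)), SECTOR):
                    if ca[off:off + SECTOR] != cb[off:off + SECTOR]:
                        changed.append((base + off) // SECTOR)
                        if len(changed) == limit:
                            break
            base += CHUNK
    return changed


def verify_unaltered(before_path, after_path):
    """Compare pre- and post-analysis images; both digests and size must agree."""
    b_md5, b_sha1, b_size = dual_hash(before_path)
    a_md5, a_sha1, a_size = dual_hash(after_path)
    result = {
        "md5_match": b_md5 == a_md5,
        "sha1_match": b_sha1 == a_sha1,
        "size_match": b_size == a_size,
    }
    result["unaltered"] = all(result.values())
    result["changed_sectors"] = (
        [] if result["unaltered"] else changed_sectors(before_path, after_path)
    )
    return result


def demo():
    """Constructed sample: an 8-sector image, an identical copy, and a copy
    with one byte flipped in sector 5 (simulating a write reaching the disk)."""
    original = bytearray(bytes(range(256)) * 2 * 8)
    altered = bytearray(original)
    altered[5 * SECTOR + 10] ^= 0xFF
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("before", original), ("clean", original),
                           ("altered", altered)):
            paths[name] = os.path.join(d, name + ".img")
            with open(paths[name], "wb") as fh:
                fh.write(data)
        return (verify_unaltered(paths["before"], paths["clean"]),
                verify_unaltered(paths["before"], paths["altered"]))


if __name__ == "__main__":
    for report in demo():
        print(report)
```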

Cell-Site Analysis

SYTECH Assisted Case – Cell-Site Analysis – “Gang jailed after Penkridge mother’s knifepoint burglary ordeal”

SYTECH – Cell-Site Analysis in action.

In a burglary in May 2013, four men attacked a woman in her own home whilst her husband was away. She was sleeping in her own bedroom at the time the men attacked her. They held a knife to her neck, demanding access to the family safe and any other possessions the family had.

In the week commencing 11th February 2015, Scott Ball, one of the four gang members, received 3 years for conspiracy to commit burglary.

SYTECH – Cell-Site Analysis helped to locate the direction of movement of Scott Ball during the periods of interest, linking him to the burglary that took place in May 2013.

 

Gang jailed after Penkridge mother’s knifepoint burglary ordeal

http://www.staffordshirenewsletter.co.uk/Gang-jailed-Penkridge-mother-s-knifepoint/story-26008878-detail/story.html

 

A MOTHER has spoken of her terrifying knifepoint ordeal after burglars broke into her home.

The woman, then 44, was tied up and had a knife held to her neck as four men ransacked her Stafford Road, Penkridge home.

Her elder son, who was 15 at the time, fought with gang members who were also armed with a cosh and he struck one several times. The teenager escaped injury but his younger brother, then aged 12, was hit in the face and knocked to the floor, causing bruising.

This week five people were starting jail terms totalling 37 years for their part in the raid, which happened while the woman’s husband was away in May 2013.

She said: “It’s been a very hard 18 months but now we feel justice has been done.”

Her ordeal began just after midnight when she was in bed.

The mother told the Newsletter: “They came upstairs and into my bedroom with knives. There were four of them and they had a knife to my neck and tied me up.

“They were asking if we had a safe and what possessions we had. They were ransacking everything,” she said.

The gang forced the woman to open a safe and stole cash and jewellery.

“I was terrified, wondering whether my children were alive because my sons were in the house,” she said. “The raiders left but then came across my sons – they attacked my boys.

“I was just terrified. You just do what they want because I didn’t know if my children were alive. They’re very brave bless them.”

The offenders escaped in a vehicle driven by a female accomplice.

The five were later arrested and appeared at Stoke-on-Trent Crown Court on Friday.

Leon Gordon, 33, formerly of Heathfield Lane, Darlaston, Matthew Bristow, 28, formerly of Heathfield Lane, Darlaston, and Marcus Davies, 35, of St James Road, Leicester, received 11 years each having been found guilty of conspiracy to commit burglary and robbery.

Scott Ball, 41, of Norton Green Lane, Norton Canes, received three years for conspiracy to commit burglary.

Christie Phillips, 20, formerly of Heathfield Lane, Darlaston, was convicted of conspiracy to commit burglary and jailed for one year.

DCI Paul Bentley, of Staffordshire Police, said: “This was a terrifying ordeal for a mother and her two sons, and it has had a lasting impact on them. Their bravery in giving evidence in court is to be applauded and I hope it encourages other victims of crime to come forward and speak out.”

The mother added: “They do these things for gain and they don’t realise the devastation they have left behind them, how they ruin people’s lives.”

Detailed View of a Memory Chip

SYTECH Assisted Case – Password Protected BlackBerry Chip-Off – “31-member drug gang that controlled illegal supplies across the north east are jailed following three-year investigation”

OCG (Organised Crime Group) Investigation

James Kelly and Paul Gill were 2 members of a 31-member drug gang. Police Operation Cobweb saw all 31 members of the OCG “drug gang” jailed for a total of 231 years.

The court case for Operation Cobweb started in 2012 and finished in 2015. Kelly is currently serving a 10 year sentence and Gill a four year sentence.

SYTECH were asked to carry out an advanced digital forensic examination of a PIN / Password Locked BlackBerry Mobile Phone Handset which is attributed to this on-going investigation.

 

“31-member drug gang that controlled illegal supplies across the north east are jailed following three-year investigation”

http://www.dailymail.co.uk/news/article-2919511/Final-two-defendants-31-member-drug-gang-controlled-illegal-supplies-north-east-jailed-following-three-year-investigation.html

The final two defendants of a 31-member drug gang that supplied class A drugs across the north east have been jailed following one of the biggest drug operations ever.

Craig Ferguson, 38, and Dawn Gorman, 43, were jailed at Teesside Crown Court for their part in the cross-country drug dealing network.

They were the final two members of the 31-strong gang to be sentenced, after a three-year police investigation – dubbed ‘Operation Cobweb’ – brought the drugs ring to an end.

The investigation, the biggest drugs operation ever to be run by Cleveland Police, has now seen a total of 31 people put behind bars for a total of 231 years.

The final defendants were linked to a conspiracy to deal Class A drugs on an industrial scale, which allowed its kingpins to lead the high life.

Ferguson was jailed for five years and three months at the court hearing on Monday after the judges heard how he collected drugs for a local dealer on four occasions from January 2012 to August 2012.

Judge Simon Bourne-Arton QC, the Recorder of Middlesbrough, said Ferguson transported large quantities of drugs from the north west to Teesside.

He said: ‘It was, as you know, a professional and skilled conspiracy.

‘You are towards the very bottom of this conspiracy.’

Also in the dock yesterday was Gorman, the wife of one of the conspiracy’s top bosses, who was jailed for 18 months.

The former air hostess’s husband Jeffrey Hanks, 52, is currently serving a 22-year jail term – the longest sentence given to any of the conspirators.

The couple, from Bury, splashed out on motorbikes, holidays, private education, a lavishly-furnished home, Jimmy Choo shoes and a Porsche Cayenne, the court heard previously.

Gorman was not involved in the drugs plot itself, but a jury convicted her of money laundering.

She had denied offences of concealing and converting criminal property.

The judge said she knew her husband Hanks – branded ‘a thoroughly manipulative, dishonest individual’ – was a drug dealer.

He told her: ‘It beggars belief that you did not know what was going on.

‘You were happily spending money that was part of a considerable and sizeable drug conspiracy.

‘You were willingly and enthusiastically spending the money on what, on any view, could be deemed an extravagant lifestyle.

‘Without that money from the drug dealing, you could not have in any way dreamt of leading such a life.’

He said the amount of money involved was ‘well in excess of £100,000’.

Barristers for the pair, who had few previous convictions, asked the judge to consider passing suspended sentences.

They stressed the ‘devastating’ impact of a prison term on the defendants’ children.

The judge told Gorman that she and her husband bore the responsibility for their children’s suffering, as they carried on their criminal activity knowing the possible consequences if they got caught.

‘You did it essentially because you were driven by greed,’ the judge added.

Duncan McReddie, defending Ferguson, said he had responsibility for seven children and he was a good and caring father who had tried to lead a productive, law-abiding life since his arrest.

He said Ferguson got involved out of a desire to help his cousin, fellow runner David Cuthbert.

Cuthbert, 38, was jailed for five years in May last year, along with 22 other members of the gang who were locked up for a total of 177 years.

David Toal, representing Gorman, said she might have ‘turned a blind eye’ to the money and played a lesser role.

He said her health had also been affected and she stood to lose her home and possessions.

It has taken almost three years for the catalogue of court cases linked to Operation Cobweb to reach their conclusion.

They began with two cases in 2012 – one following a high-speed police chase where 2kg of heroin worth £90,000 was hurled from a moving car.

They finished with jail terms given yesterday to Ferguson and Gorman, who enjoyed the fruits of the network which flooded Teesside with Class A drugs.

In between, Judge Simon Bourne-Arton QC jailed 22 people – from couriers to warehousemen, right-hand men, lieutenants and ringleaders – to a total of 177 years in May last year.

He said of the drugs conspiracy: ‘It was carried out in a determined and ruthless fashion. It was conceived and put into effect by professional and experienced criminals who were aiming to achieve a high financial reward.’

The second-longest sentence of 16 years was given to Robert Hickman, 29 – the leader of the Teesside operation.

He unsuccessfully appealed his prison term, and arranged for drugs to be smuggled into prison, for which he received a concurrent six-year sentence.

Then in December, one of the gang’s north west ‘controllers in chief’ Jeffrey Hanks was jailed for 22 years.

Operation Cobweb was Cleveland Police’s largest-ever drugs investigation and has now put 31 people behind bars for a total of 231 years.

The three-year investigation smashed a well-organised drugs ring, which was driven by dedicated criminals trafficking heroin, cocaine and crack cocaine using ‘dirty phones’.

The drugs were transported from the Greater Manchester area to Teesside regularly, with payment in tens of thousands of pounds heading the other way.

More than 100 trips were made between Teesside and Manchester transporting vast amounts of drugs and ‘dirty money’.

Officers seized almost 6.9kg in heroin, 2.26kg of cocaine, 437.5g of crack cocaine and more than 22kg in cutting agents.

The recovered drugs were worth £824,686, and £127,966 cash was seized, but prosecutors said this was the ‘tip of the iceberg’.

Police and prosecutors pieced together evidence including telephone communications analysis, observations, drug and cash seizures, vehicle sightings and Automatic Number Plate Recognition (ANPR) camera data.

Detective Sergeant Colin Helyer, from Cleveland Police’s organised crime unit, said Operation Cobweb was a protracted and complex covert investigation and one of the unit’s largest-ever inquiries.

Speaking after the final two defendants were sentenced yesterday, Detective Constable John Findlay, who also works with Cleveland Police’s organised crime unit, said: ‘This has been one of Cleveland Police’s longest-running, most complex and involved investigations.

‘I would like to pay tribute to all our officers who have worked tirelessly over several years to bring these people before the courts.

‘I would also like to thank those members of the public who provided vital information to help our inquiries.

‘I would reiterate that police will always act on information on drug dealing and other crime which is provided to us.

‘You may not see anything happen immediately but rest assured, there will be a good deal of work going on in the background.

‘With assistance from our colleagues at Greater Manchester Police, we have succeeded in bringing to justice a large group of people who were involved in drug dealing across the North and North-east, and who were often profiting handsomely from their involvement.

‘Those jailed will have time to reflect on their actions, and the sentences should act as a deterrent to anyone tempted to deal illegal drugs.’
