British Computer Society: Forensic computing experts find truth in crooks' microwave chips

Anything with a microprocessor inside it could prove at best embarrassing and at worst incriminating to anyone whose activities...

Anything with a microprocessor inside it could prove at best embarrassing and at worst incriminating to anyone whose activities result in them having to tell a lie.

This sobering thought emerged from the annual lecture organised by the BCS and the Royal Signals Institution, when a senior person from the Centre for Forensic Computing of Cranfield University gave an insight into the collection of digital evidence and what it can reveal.

The speaker's involvement in police work means that their identity cannot be revealed.

The speaker pointed to the range of devices that can provide evidence, including PCs, cash registers, fax and answering machines, alarm systems, mobile phones, cameras - even microwave ovens: the electronic clock and memory might show whether a suspect was cooking dinner at the time claimed.

Similarly, an electronic till might reveal whether it was being used at the time a suspect said he or she was at work. An alarm system might reveal whether it was set properly and switched on at the time of an incident.

The audience were warned about e-mailing Microsoft Office files: they include information about the user, the system used and the number of versions - and may include previously deleted comments about the recipient. A forensic computing expert could extract such information.

Forensic computing is the scientific examination of a digital device with a view to extracting all the information possible so it can be presented in an admissible form in court. The vital first step is to secure the evidence.

"It is absolutely vital to ensure that the process cannot be challenged," the speaker said. "You have to ensure continuity of evidence, ensure that an exhibit is signed for as it moves from person to person and that it is never in an unknown state, never open to contamination by anyone."

Evidence might be photographed: for example to show that a PC is fitted with sound and video cards and is capable of doing what a person is suspected of.

The device is then taken apart with great care, and with all steps recorded: cannabis was once found in a PC where a disc was supposed to be.

A PC's memory can yield information, such as the date and time set in the machine.

Advances in storage technology are making examination a growing task. The speaker highlighted some software products which can help to examine disc and memory contents. One product can create a gallery of live and deleted files and pictures. A practitioner can flag ones which look unlawful. Other products convert binary to hexadecimal, reducing the number of characters, and convert hex to Ascii text.

The skills of the experts were demonstrated when the speaker cracked a password on a personal digital assistant, used by a member of the audience, within minutes and revealed a message which was password-protected.

Read more on IT legislation and regulation