Course Description
This course takes a deeper look at the governance and risk elements of cybersecurity. It starts with a focus on cyber and legal frameworks, then moves into information assurance. After this, it moves into risk management and treatment, followed by service assurance and standards. Finally the course ends with software security assurance and threat modelling.
Learning Objectives
The objectives of this course are to provide you with an understanding of:
- Legislation, chain of custody, reporting and assurance within the context of a legal framework. Inc. overview of Data Protection Act (DPA 2018) and the EU General Data Protection Regulation (GDPR)
- The drivers for UK Information Assurance, initiatives and programmes, risk assessment vs risk management, risk components
- Business context and risk management approach, risk management lifecycle, who delivers risk management - where in the lifecycle, understanding the context, legal and regulatory. Risk Treatment - Identify the ways of treating risks, methods of gaining assurance, understanding the nature of residual risk, collecting evidence that supports decisions, risk management decisions
- Assurance perspective – including CPA, CAPS, FIPS, CE, Common Criteria, SPF. Summary of common industry standards. (Inc. OWASP, ISO27001, PCI-DSS)
- Principles for software security, (securing the weakest link, defence in depth, failing securely, least privilege, separation of privilege), IA design principles
- What is threat modelling, threat modelling processes
- Risk mitigation options
Intended Audience
This course is ideal for members of cybersecurity management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
Prerequisites
There are no specific prerequisites for this course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and an awareness of the issues involved with security control activity would be advantageous.
Feedback
We welcome all feedback and suggestions - please contact us at support@cloudacademy.com if you are unsure about where to start or if you would like help getting started.
Welcome to this video on Cyber and the Legal Framework.
We’ll cover the legislation that must be considered when dealing with any cyber-security investigation. We’ll also look at some of the regulations and guidance available to cyber investigators, including:
- UK Legislation,
- What the Legislation Covers,
- The Computer Misuse Act (CMA),
- The Data Protection Act (DPA),
- General Data Protection Regulation (GDPR), &
- Cyber First Responders.
In the UK, there is a substantial body of law that must be considered when investigating cybercrime offences.
This includes Acts drafted specifically to deal with aspects of cybercrimes and data protection, along with more generic legislation that affects all investigations and Police work.
There are also Regulations and Procedures that cover civil actions.
The slide gives a sample of the legislation and guidelines which need consideration.
UK legislation covers a range of concerns, such as protecting the rights of subjects under investigation; detailing how evidence should be gathered; how evidence should be handled; and mandating actions that investigators must undertake.
A failure to comply with mandatory requirements, such as those for note-taking or disclosure, can fundamentally compromise an investigation.
Later, we will look at two of the most relevant Acts – the Computer Misuse Act 1990, and the Data Protection Act (DPA) 2018/GDPR.
Authorizing officers have to ensure that any invasion into privacy is necessary and the proposed method of proceeding is the only way to collect the evidence.
If there is a less intrusive way, the investigation should proceed using that method.
The invasion into privacy has to be legal, justifiable and proportionate.
Internal investigators in organizations therefore cannot assume they have the right to collect every piece of evidence on an individual. If an individual is being investigated for inappropriate browsing, retrieving the contents of their personal storage or mailbox would be neither justifiable nor proportionate to the investigation.
Speculative searching for evidence, known as fishing, should not happen; investigations must be authorized and based on sufficient justification and should not be conducted simply to find justification for the investigation. Any evidence collection should be within the scope of the allegation, and contained to finding evidence of such allegations.
This does not preclude a legitimate discovery of evidence of other activity which may subsequently require investigation, but there has to be legitimacy in how you found this information.
Fishing was defined in the UK Court of Appeal by Lord Justice Kerr as:
“It arises in cases where what is sought is not evidence as such, but information which may lead to a line of inquiry which would disclose evidence. It is the search for material in the hope of being able to raise allegations of fact, as opposed to the elicitation of evidence to support allegations of fact”.
If you are searching a mailbox for keywords and you choose to open and read each email rather than use an automated tool, and you discover an email that has some relevance but would not have been found through the keyword searches, then it may not be considered a legitimate discovery. If you would have found it through keyword searching, or through an expansion of the keywords based on evidence already found, it would be.
Another example is in a software piracy case; a review of the pictures on a computer identifies that there are illegal images on the drive. This is a legitimate discovery if you were searching for images used for packaging and the selling of such software. If there had been no reason to look at the images, it is not a legitimate discovery and there may be issues with admissibility of such evidence.
Investigators must understand that their role is to search for evidence of the allegations, not to search for wrongdoing with which to raise allegations.
They must understand that they do not have an unrestricted right to search through things on the off chance that there may be further wrongdoing by an individual, without some supporting justification.
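The mailbox example above turns on one question: would the email have surfaced through the authorised keyword search, or through a keyword expansion that an earlier hit justified? The following is an added illustration, not part of the course material, of a keyword search that records the basis for every term, so the scope of the search and each expansion step can be shown later. The mailbox, the authorisation reference and the terms are constructed sample data; the class and method names are my own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    message_id: str
    term: str
    basis: str  # "authorized scope" or "expanded from <message id>"


class ScopedSearch:
    """Keyword search over a mailbox that records why every term was searched.

    Terms come either from the authorised scope of the investigation or from an
    expansion justified by a recorded hit; a message that no recorded term
    matches is not a legitimate discovery under this search."""

    def __init__(self, authorization: str, initial_terms):
        self.authorization = authorization  # reference to the written authority
        self.terms = {t.lower(): "authorized scope" for t in initial_terms}
        self.hits = []

    def run(self, mailbox):
        """mailbox: iterable of (message_id, text). Returns the hits new to this run."""
        new = []
        for mid, text in mailbox:
            for term, basis in self.terms.items():
                # Whole-word, case-insensitive match; the automated equivalent of
                # the keyword search rather than reading every message by hand
                if re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE):
                    hit = Hit(mid, term, basis)
                    if hit not in self.hits:
                        self.hits.append(hit)
                        new.append(hit)
        return new

    def expand(self, term: str, justified_by: str):
        """Add a term derived from evidence, citing the hit that justifies it."""
        if justified_by not in {h.message_id for h in self.hits}:
            raise ValueError(f"{justified_by} is not a recorded hit; "
                             "expansion must be led by evidence already found")
        self.terms[term.lower()] = f"expanded from {justified_by}"

    def discoverable(self, message_id: str) -> bool:
        """True if some recorded term (and therefore a documented basis) matched it."""
        return any(h.message_id == message_id for h in self.hits)


# Constructed sample mailbox for the example; not real correspondence
SAMPLE_MAILBOX = [
    ("m1", "Invoice 44 has been routed via ShellCo Ltd as discussed"),
    ("m2", "Lunch on Friday?"),
    ("m3", "ShellCo payment confirmed, keep this between us"),
    ("m4", "Private: holiday photos from last week"),
]

if __name__ == "__main__":
    search = ScopedSearch("HR ref 123 (constructed)", ["invoice", "acme"])
    search.run(SAMPLE_MAILBOX)          # only m1 matches the authorised terms
    search.expand("ShellCo", justified_by="m1")
    search.run(SAMPLE_MAILBOX)          # m3 now surfaces, with its basis recorded
    for h in search.hits:
        print(h)
    print("m4 discoverable:", search.discoverable("m4"))  # False: outside scope
```

Message m3 is reachable only because "ShellCo" was added on the strength of the hit in m1, and the record shows that; m4 matches nothing, so reading it by hand would be exactly the kind of discovery the video says may not be treated as legitimate.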
So, how does the legislation affect the everyday work of cyber investigators?
Firstly, cyber investigators must be authorized to conduct the investigation, as well as be competent to do so. A failure to gain authority to gather evidence could lead to offences under the Computer Misuse Act.
Cyber investigators must work ethically, ensuring they are impartial and that they do not impede the investigation subject’s right to a fair hearing.
They must ensure that the subject’s privacy rights are protected, and that evidence gathered is relevant to the issue that is under investigation.
As mentioned, a failure to gain appropriate authority could constitute an offence under the CMA. Failures to gather evidence lawfully could constitute offences under other legislation.
It is possible to take incorrect steps at any stage of an investigation, leading to the investigation becoming legally compromised.
A breach of the right to fair trial can result in the dismissal of all charges.
In the UK, various Police forces have fallen foul of issues around the disclosure of digital evidence, particularly evidence that could undermine the prosecution case.
This is not only a possible offence under the Criminal Procedure and Investigations Act, it can also lead to a breach of Article 6 of the Human Rights Act as the subject could not receive a fair trial.
Any breach of the legal requirements or administrative processes can render evidence inadmissible – this is often referred to as the “fruit of the poisoned tree” principle.
Organizations found not to be following investigative procedures can have their credibility, and the credibility of their prior investigations, called into question. The same applies to the individual investigator.
The Computer Misuse Act of 1990 is a great example of legislation being created to deal with a problem that had not been foreseen.
Hacking has been around since the dawn of mass communications, and became more of a problem from the 1960s onwards, as computers became more interconnected around the globe.
This greater spread of computer technologies and connectivity saw technically savvy individuals and groups deliberately setting out to break into computer systems for both the challenge and, in some cases, profit.
Prior to the CMA, there was no specific legislation in place under which UK-based hackers could be prosecuted. One of the first attempts to prosecute hackers in the UK saw two individuals charged under the Forgery and Counterfeiting Act 1981, for defrauding BT by manufacturing a ‘false instrument’. Whilst the pair were found guilty and fined, their subsequent appeal was successful and they were acquitted. This case led to the drafting of the CMA.
The CMA comprises four main offences:
Unauthorized access to computer material
This is the lowest level of offence and is one that many of us might be guilty of at some stage in our lives.
If you found or guessed a password belonging to someone else and used it to look at their files, you would be guilty of accessing material without authorization.
This offence carries the risk of being sentenced to six months in prison and/or a hefty fine.
Unauthorized Access with Intent to Commit a Crime
The difference here is that access is sought with the intent to commit a crime.
Phishing emails where someone seeks to obtain bank details to steal money would be covered by this part of the act.
Unauthorized Modification of Computer Material
This offence relates to the deletion of, or changes made to, files with the intent to cause damage to an individual or company.
This offence also covers purposely introducing viruses to other people's systems.
If you knowingly transmit a virus to others, you are guilty under this section of the Computer Misuse Act.
Making, Supplying or Obtaining Material
Making – This includes the writing or creation of computer viruses, worms, Trojans, malware, malicious scripts etc.
Supplying – It is an offence to supply or distribute these files to others
Obtaining – If you purposely obtain malicious files then you have committed an offence under the Computer Misuse Act.
The UK's third generation of data protection law received Royal Assent and its main provisions commenced on 25 May 2018, known as the General Data Protection Regulation, or GDPR. This new Act modernized data protection laws to ensure that they are future-proofed.
The UK's Data Protection Act (DPA) 2018 complements GDPR, and updates the 1998 DPA. It makes provisions about processing personal data and creates a complete data protection system.
As well as governing general data covered by GDPR, the DPA covers all other general data, law enforcement data and national security data.
Furthermore, the act exercises a number of agreed modifications to GDPR to make it work for the benefit of the UK, in areas such as academic research, financial services and child protection.
GDPR has direct effect across all EU member states and has already been passed. Organizations that are not based in the EU, but operate within it, must comply with it.
This means organizations still have to comply with this regulation and still have to look to GDPR for most legal obligations.
However, GDPR gives member states limited opportunities to make provisions for how it applies in their country.
The DPA 2018 updates data protection laws in the UK, supplementing General Data Protection Regulation (EU) 2016/679, and implementing the EU Law Enforcement Directive, as well as extending data protection laws to areas which are not covered by GDPR. It is intended to provide a comprehensive package to protect personal data.
The DPA 2018 has a section dealing with processing that does not fall within EU law. For example, where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context.
It also has a part that transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements GDPR, and Part 3 of the DPA 2018 sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’.
National security is also outside the scope of EU law. The Government has decided that it is important that intelligence services are required to comply with internationally recognized data protection standards, so there are provisions based on Council of Europe Data Protection Convention 108 that apply to them.
There are also separate parts to cover the Information Commissioner's Office's duties, functions and powers, along with enforcement provisions.
The Data Protection Act 1998 is being repealed, so the updated DPA makes the changes necessary to deal with the interaction between the DPA 2018 and other legislation, such as the Freedom of Information Act and the Environmental Information Regulations.
GDPR applies to all organizations that are Controllers or Processors of personal data and have an establishment within the EU. In order to ensure the rights of EU citizens are protected, the scope of the law extends to controllers or processors who reside outside the EU but process the personal data of EU citizens (the data subjects).
The requirement is to protect EU citizens’ fundamental right to have their personal data protected. The legislation sets out clear definitions of terms to ensure consistency in application across the EU, and provides legal certainty and accountability.
A data subject's rights are enhanced: for example, the right to object to personal data being processed, and the right to withdraw consent for an organization to process their data at any time.
The right to be forgotten (that is, the right to personal data being erased), is now a requirement and obligates controllers of data to stipulate a data retention policy or review policy and provide that information to the data subject.
The law provides for a right to restrict data processing and provides for a right to data portability.
GDPR sets out more clearly the obligations for data controllers and processors and where accountability and liabilities lie. The legislation was aimed to try and “future proof” the Regulation; it sets out the principles of personal data protection in that it should be “technologically neutral and should not depend on the techniques used” which ensures the principles apply however an organization intends to process personal data.
GDPR now clearly applies to online data which is collected by websites, including IP addresses. Organizations must review how their sites work in line with the principles and requirements of GDPR in order to ensure compliance with online privacy requirements and the regulations.
This diagram gives a high level overview of how GDPR works in practice.
GDPR defines Articles, which are mandatory requirements and laws, and Recitals, which are commentaries and guidelines showing how such Articles are likely to be interpreted.
The EDPB is the European Data Protection Board, formerly Working Party 29 (WP29). It oversees all Supervisory Authorities and is producing guidance on various key requirements.
The ICO is the Information Commissioner’s Office. It is the UK’s Supervisory Authority (SA) for Data Protection and GDPR from May 2018.
A DPO is a Data Protection Officer: the person within an organization who is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
The person about whom data has been stored is the Data Subject, and GDPR affords them Subject Rights in respect of their data. They are able to raise complaints with the ICO if they feel their Subject Rights have been breached.
The principles of GDPR are based on current existing data protection principles.
Controllers must show their processing is lawful, fair and transparent, with regard to the data subject’s rights.
Purpose limitation has been tightened in its definition in the law, where personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
Generic or blanket purpose statements will not be considered compatible with GDPR.
The requirement to collect only what is necessary remains unchanged, and the emphasis on correcting data means that controllers must ensure personal data is corrected “without undue delay”.
Data retention is also a key requirement to ensure that data is not kept longer than needed. However, there is a provision that data may be kept in archive for statistical purposes, but controllers must be able to demonstrate to the ICO that there is a need to keep the data, and that the data is not being used to support a “just in case we need it” approach.
There should be some clear requirement for the statistical purposes of the data and, once the statistics have been produced, the need to keep the original data should be reviewed.
Controllers should also be aware that keeping this data will mean it is subject to Subject Access Requests, or SARs.
GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
GDPR puts more emphasis on organizations to implement appropriate technical and organizational security measures.
Failure to implement such measures, or to demonstrate appropriate risk management and due diligence, may result in a significant fine from the ICO for a personal data breach.
GDPR also implements more equitable liability between controllers and processors than currently exists.
However, this does not absolve controllers from their overall liability; Article 5.2 states: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1”.
For organizations, explicit consent by the data subject is normally required in order for the personal data processing to be lawful.
Implicit consent is no longer compliant with the data protection and privacy legislation.
Processing of sensitive data is prohibited (Article 9), unless one of the conditions set out in the article is met.
Controllers therefore must ensure that there is a need to collect such personal data and that they have the data subjects’ consent when collecting such data.
Sensitive data that could be discriminatory should not be used in automated decision making processes.
If a controller cannot identify a data subject, the controller is not obligated to collect additional information in order to identify them. However, the controller cannot refuse additional information that the data subject chooses to provide when exercising their rights.
Organizations should ensure they have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not they need to notify the relevant supervisory authority and the affected individuals.
A personal data breach is defined in recital 85 as:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
Under GDPR, reporting data protection breaches is now mandatory. Organizations must report breaches to their Supervisory Authority within 72 hours of identifying a breach, even if the investigation is still ongoing. The ICO knows that an organization may not have completed its investigation or have a full idea of the scale or impact, so a phased reporting approach will be applied. Organizations which fail to report breaches within the 72 hours must demonstrate to the Supervisory Authority why they did not do so, and if the ICO deems the delay unjustified, a fine may be imposed.
A controller is not obligated to notify a data subject where measures are implemented such as “render[ing] the personal data unintelligible to any person who is not authorized to access it, such as encryption” or the risk is no longer likely to materialize based on subsequent measures taken by the controller as part of its incident management process. If communication to multiple data subjects would involve disproportionate effort, the Regulation requires a public communication or similar measure. Data controllers should therefore advise the organizational management of this requirement, as this can impact how they manage any reputational damage on the organization.
The law recognizes that early disclosure to subjects could hamper a law enforcement investigation. In such cases, if that results in a delay in notification, the delay has to be advised to the supervisory authority, which will require an assessment of the impact as well as of the measures that had been put in place. Notification to data subjects must be done without undue delay where there is a high risk to their rights and freedoms.
Safe Harbor is the name of an agreement between the United States Department of Commerce and the European Union that regulated the way that U.S. companies could export and handle the personal data of European citizens. It was introduced in 2000. The ECJ ruled it invalid in 2015, leading to the creation of Privacy Shield.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the U.S.
Article 45 of GDPR provides for the continuity of adequacy determinations made under the EU’s 1995 Data Protection Directive, one of which was the adequacy decision on the EU-U.S. Privacy Shield.
The Privacy Shield was also designed with an eye to GDPR, addressing both substantive and procedural elements.
For instance, the Privacy Shield includes an annual review, which was designed to address GDPR’s requirement for a mechanism for a periodic review, at least once every four years, of relevant developments.
It is important to note that Privacy Shield is not a GDPR compliance mechanism, but rather is a mechanism that enables participating companies to meet the EU requirements for transferring personal data to third countries, discussed in Chapter 5 of GDPR.
The National Police Chiefs Council (NPCC - previously the ACPO) Guidelines for Digital Evidence Capture were initially created in the 1990s, to give Police investigators guidance on how they should handle digital investigations.
Although they are a Police creation, the 4 principles can be applied equally to civil investigations, and they are often taken as being best practice for any cyber investigations.
Principle 1:
No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2:
In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3:
An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4:
The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
The chain of custody, or continuity of evidence, should provide accountability for an item of evidence from seizure through to production in court or civil proceedings.
It should account for the location and security of the evidence at all times – any gaps in the chain of custody could render the item inadmissible as an evidence source.
Although this may seem to be a concern solely for law enforcement, civil actions, such as employment tribunals, are equally as sensitive to failures in the chain of custody.
The chain of custody is usually kept using evidence bags, which are tamper proof bags with unique seal numbers.
The first bag used when seizing the item will be recorded in the seizing officer’s notebook and the property officer’s exhibit book.
It will usually be signed into the secure property office and any movement to the digital forensics lab subsequently recorded. The digital investigator will need to break the seal when imaging an exhibit – the date/time/location and reason for this should be recorded in the officer’s notebook.
The exhibit is resealed into a new evidence bag along with the original evidence bag on completion of the imaging. If the bag needs to be opened for any subsequent reason, each reseal should include the previous evidence bags. The details should be updated in the property register accordingly.
The reality of most prosecutions is that defence barristers will rarely question the evidence produced, which can be overwhelmingly against their client. They will invariably test the administrative procedures and the chain of custody, looking for weaknesses in the system.
Failures in documentation, or gaps in the chain of custody, are what they are looking for, so that the court will consider the evidence tainted.
For examinations of hard disks which find large quantities of illegal material, if the drive is excluded due to failures in administrative procedures and the chain of custody, then under the principle of “fruit of the poisoned tree”, everything from that drive is inadmissible.
One note of caution, which may not be immediately obvious when discussing the chain of custody: magnets or static electricity and computer forensics don’t mix! Always take appropriate precautions when handling digital devices, or your evidence could be destroyed before it has had a chance to be useful.
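The evidence-bag procedure described above (seal number recorded at seizure, movements logged, a competent examiner breaking the seal for a recorded reason, each reseal nesting the earlier bags) is a continuity record that a defence team will test for gaps. As an added example, not part of the course or of any police force's own system, the following register models that procedure and audits it for the kinds of gap the video lists; the SHA-256 of the forensic image is included so that an independent examiner can re-hash the image and obtain the same result (Principle 3). Exhibit ids, names, times and the image bytes are constructed sample data, and the class and method names are my own.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Event:
    when: str            # timestamp as written in the officer's notebook
    action: str          # "seize" | "transfer" | "unseal" | "reseal"
    custodian: str       # who holds the exhibit after this event
    location: str
    handed_by: str = ""  # previous holder (transfer only)
    seal: str = ""       # seal number applied (seize/reseal) or broken (unseal)
    reason: str = ""     # why the seal was broken (unseal only)


@dataclass
class ChainOfCustody:
    exhibit_id: str
    events: list = field(default_factory=list)
    bags: dict = field(default_factory=dict)  # seal number -> seals nested inside it
    image_sha256: str = ""

    def seize(self, when, officer, location, seal):
        self.bags[seal] = []
        self.events.append(Event(when, "seize", officer, location, seal=seal))

    def transfer(self, when, handed_by, to, location):
        self.events.append(Event(when, "transfer", to, location, handed_by=handed_by))

    def unseal(self, when, examiner, location, reason):
        self.events.append(Event(when, "unseal", examiner, location,
                                 seal=self._current_seal(), reason=reason))

    def reseal(self, when, examiner, location, new_seal):
        # The new bag contains the exhibit plus every bag it was sealed in before
        self.bags[new_seal] = list(self.bags)
        self.events.append(Event(when, "reseal", examiner, location, seal=new_seal))

    def record_image(self, image: bytes) -> str:
        """Hash the forensic image taken while the bag is open (Principle 3)."""
        self.image_sha256 = hashlib.sha256(image).hexdigest()
        return self.image_sha256

    def verify_image(self, image: bytes) -> bool:
        """An independent examiner re-hashes the image and must get the same value."""
        return hashlib.sha256(image).hexdigest() == self.image_sha256

    def _current_seal(self) -> str:
        for e in reversed(self.events):
            if e.action in ("seize", "reseal"):
                return e.seal
        return ""

    def audit(self) -> list:
        """Return every continuity problem in the record; an empty list means intact."""
        if not self.events or self.events[0].action != "seize":
            return ["no seizure record"]
        problems, holder, sealed = [], None, False
        seals = list(self.bags)  # insertion order is chronological order
        for e in self.events:
            if e.action == "seize":
                sealed = True
            elif e.action == "transfer":
                if e.handed_by != holder:
                    problems.append(f"{e.when}: handed over by {e.handed_by} "
                                    f"but last recorded holder was {holder}")
                if not sealed:
                    problems.append(f"{e.when}: exhibit moved while unsealed")
            elif e.action == "unseal":
                if e.custodian != holder:
                    problems.append(f"{e.when}: {e.custodian} broke seal {e.seal} "
                                    "without being the recorded holder")
                if not e.reason:
                    problems.append(f"{e.when}: seal {e.seal} broken without a reason")
                sealed = False
            elif e.action == "reseal":
                earlier = seals[:seals.index(e.seal)]
                if self.bags.get(e.seal) != earlier:
                    problems.append(f"{e.when}: bag {e.seal} does not nest earlier bags")
                sealed = True
            holder = e.custodian
        if not sealed:
            problems.append("exhibit is currently unsealed")
        return problems


def example_chain(image: bytes = b"constructed disk image bytes") -> ChainOfCustody:
    """A constructed, intact chain for a seized laptop (sample data, not a real case)."""
    c = ChainOfCustody("EXH/001")
    c.seize("2024-01-10T09:15", "PC Smith", "scene", seal="B0001")
    c.transfer("2024-01-10T14:00", "PC Smith", "Property Office", "property store")
    c.transfer("2024-01-12T08:30", "Property Office", "Examiner Jones", "DF lab")
    c.unseal("2024-01-12T08:45", "Examiner Jones", "DF lab", reason="imaging")
    c.record_image(image)
    c.reseal("2024-01-12T11:00", "Examiner Jones", "DF lab", new_seal="B0002")
    c.transfer("2024-01-12T16:00", "Examiner Jones", "Property Office", "property store")
    return c


if __name__ == "__main__":
    chain = example_chain()
    print("problems:", chain.audit() or "none")
    print("image verifies:", chain.verify_image(b"constructed disk image bytes"))
```

Adding an undocumented second opening to the intact chain (a seal broken by someone who is not the recorded holder, no reason given, then a hand-over from a different person while the bag is still open) makes `audit()` return one line for each of those failures, which is the list a defence barrister would want to read out.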
Whatever type of cyber-investigation you might be involved in; law enforcement, civil or simply responding to a cyber-security incident, you must make appropriate considerations from the beginning.
The start point for a cyber-security investigator will normally be ‘the crime scene’, whether that be a physical or virtual location.
When attending a physical scene, the very first thing that must be considered is the safety of the investigators. Will their evidence-collection place them at risk of harm? Has the suspect been removed from the scene, or at least rendered incapable of interfering with it?
Secondly, the investigator must be aware of the limitations of their authority to seize evidence. For law enforcement, what scope is afforded by the search warrant? If something falls outside that scope, can it be seized under other powers?
The investigator must then consider the state of the scene.
As a general rule, if a computer is on, leave it on until it can be dealt with by an appropriate person. If the computer is off, then leave it off.
If data encryption is likely to be an issue or you need to collect the contents of the RAM, then the only way to deal with this is by making changes to the device.
This is why principle 2 of the NPCC Guidelines was introduced: to provide support to investigators dealing with such issues.
Any action must be accurately recorded and any changes made have to be accounted for in court, hence the crucial requirement for the investigator to be appropriately trained and qualified.
If a device can be wiped remotely, then Faraday bags should be used to shield the device from electronic communications.
This step can cause its own complications, so the decision to do this should only be taken by a competent individual.
If secure-wipe programs are an issue (as they can be with SSDs), then you have to consider how to handle those devices.
If a RAID setup is being used, the examiner needs to understand how the drives are connected, and label them accordingly before being seized.
Reassembling the array can then be done in forensic software.
That’s the end of this video.
Paul began his career in digital forensics in 2001, joining the Kent Police Computer Crime Unit. In his time with the unit, he dealt with investigations covering the full range of criminality, from fraud to murder, preparing hundreds of expert witness reports and presenting his evidence at Magistrates, Family and Crown Courts. During his time with Kent, Paul gained an MSc in Forensic Computing and CyberCrime Investigation from University College Dublin.
On leaving Kent Police, Paul worked in the private sector, carrying on his digital forensics work but also expanding into eDiscovery work. He also worked for a company that developed forensic software, carrying out Research and Development work as well as training other forensic practitioners in web-browser forensics. Prior to joining QA, Paul worked at the Bank of England as a forensic investigator. Whilst with the Bank, Paul was trained in malware analysis, ethical hacking and incident response, and earned qualifications as a Certified Malware Investigator, Certified Security Testing Associate - Ethical Hacker and GIAC Certified Incident Handler. To assist with the team's malware analysis work, Paul learnt how to program in VB.Net and created a number of utilities to assist with the de-obfuscation and decoding of malware code.