Introduction

A selection of expert witness cases in digital forensics and computer evidence

This is a selection of the cases in which I have been instructed. In a number of instances, in order to meet the requirements of the Rehabilitation of Offenders Act 1974, I have had to carry out some anonymising.


On the whole the civil cases are less interesting than the criminal ones. Civil cases tend to be concerned with the provenance of emails and documents or disputes between computer companies and customers who complain about system failure. Too often I have been asked to opine on situations where the original computer systems are no longer in existence, having been extensively modified or completely discarded.

In all instances my role has been as an expert witness. The overriding duty of an expert witness is to the court that is hearing a case and not to whoever is paying the witness. Expert witnesses assist a court by explaining and analysing material and circumstances likely to be outside the regular experience and knowledge of judges and juries. Ultimately it is a decision for a judge to admit expert evidence and to adjudicate as to the scope of an individual’s expertise. Counsel can make submissions to influence a judge’s decision. Experts can express opinions on relevant matters within the scope of their expertise. Often an expert will be examining only one aspect of a wider case. They do not express opinions on a case’s “ultimate issue”, that is, on the guilt of an individual in a criminal case or the liability or blame in a civil case.

As with solicitors and barristers, the fact that an expert takes on a case does not imply sympathy with the lay client. Experts are employed by the prosecution to carry out specialist investigations, to verify and support the work of law enforcement investigators and to provide the court with explanations and descriptions of commercial, social, technical and scientific circumstances. Experts are instructed by defence lawyers to test specialist technical evidence, to see how far prosecution forensic evidence supports the claims being made for it and to test arguments and claims being made by defendants. Even when an accused decides to plead it will be important to sentencing to establish the exact level of criminality or offending. Experts in civil cases often have to reconstruct past events and attribute causation. They may also be asked to assist in assessing the extent of damage, which will have an impact on a court’s ultimate ruling.

Notable Cases

R v MJS Official Secrets (1993)

This was described by the Security Commission as the UK’s most important official secrets case involving scientific and technical espionage. It came my way because the accused claimed he thought he was dealing in commercial or industrial secrets whereas the prosecution said his contact was a KGB officer. I had written a book about industrial espionage. The bundle featured statements showing extensive surveillance of MJS but also from “Mrs C” (Stella Rimington, at the time a specialist in Russian espionage and later MI5’s first female director general) and Oleg Gordievsky, the KGB colonel turned British intelligence asset. MJS had come to attention because he had been identified by the Russian defector Viktor Oshchenko. My role was to comment on how far the alleged secrets were dual-use technologies (usable in commercial as well as military or diplomatic situations) and the extent to which “Moscow Rules” type tradecraft was used by industrial spies.

Rome Labs / Datastream Cowboy and Kuji hack (1996)

A major global hacking case with USAF and NASA among the targets, initially thought to have been perpetrated from North Korea and Latvia but which turned out to have been the work of two UK schoolboys. There were hearings in the US Senate at the beginning of the “Information Warfare / Electronic Pearl Harbour” scares. The UK case involved many novel issues of the handling of technical evidence, admissibility and the problems of evidence from US covert agencies. DataStream Cowboy blueboxed into a poorly secured telecommunications facility in Bogota, Colombia, giving him, in pre-broadband days, free Internet access. From there he used an ISP based in Seattle from where he mounted his explorations/attacks. He was identified as a result of an unwise chat interaction with someone he thought was a fellow hacker but who was in fact a USAF officer. The UK Met Police were able to mount a monitor on his home phone and saw that it was active whenever “DataStream Cowboy” was active from Seattle. DataStream Cowboy, at the time only 16, eventually pleaded to “lesser” charges. Kuji, who was seeking information about Area 51 and supposed alien aircraft, avoided charges as the CPS failed to lay them within due time. Later I was able to meet and compare notes with some of the USAF investigators.

National Crime Squad Operation Cathedral (1999-2001)

The first large UK internet paedophile ring, the W0nderland Club. Would-be members had to produce 10,000 indecent images of children for sharing. World-wide 104 suspects were arrested in 13 countries. There was a Trader’s Handbook to help members keep safe and to use their own secure communications channels based on a modified form of Internet Relay Chat. At the end of the trial penalties for the related offences were increased and POLIT, the precursor to CEOP, was set up. At a technical level there were significant issues of case management arising from the large numbers of computers that had to be examined. My task was due diligence on the prosecution case and required the setting up of viewing facilities at the Hendon Police College.

National Crime Squad Operation Ore (2003-2004)

This was the UK exploitation of an investigation commenced in the US of a subscription management service for paedophile websites called Landslide. It is now easy for individual websites to take funds direct from customers but 25 years ago recourse had to be made to third party specialist providers. Large numbers of websites offering commercial access to CSAM used Landslide as their technical intermediary.

As a result Landslide created a large database of CSAM customers and their credit cards. Landslide was investigated under US Operation Avalanche and the seized Landslide database was passed to the National Crime Squad. The database had to be converted into a form which NCS investigators could use. The credit card data was used to identify real people and their addresses. Data was passed to regional police forces to conduct further inquiries. A major problem was that news of the Operation leaked and as a result many UK subscribers decided to wipe their computers or at least their troves of CSAM. Often the subsequent police raids found nothing with which they could charge suspects of “possession” or “making”.

Prosecutors then decided to attempt charges of incitement – the individuals, by taking out subscriptions, were inciting the provision of illegal material. The weakness there was that the evidence pointed to the owner of a credit card and only by inference to someone who had sought CSAM. Some of the credit cards, it became apparent, had been used fraudulently, so that innocent individuals found themselves accused. Police learnt many lessons from their experiences, among them to keep secret any major intelligence source until after raids. My own role was to carry out due diligence on some aspects of the Operation.

R v R G (2000-2001)

R G was a 19-year-old hacker from South Wales who used the name Curador. He attacked a number of websites running Microsoft’s Internet Information Server and extracted customer and credit card data which he then posted publicly. He had no ulterior motive other than to show security weakness. He had seen no notices warning about unauthorised access. In early conferences with lawyers and his expert he wanted to be able to call Microsoft’s Bill Gates as a witness. In the end he was persuaded to plead to 6 charges of unauthorised access.

Godfrey v Demon Internet (2001)

An important Internet defamation case which helped define the extent of the “innocent dissemination” defence available to ISPs. Demon Internet was one of the first UK operations to offer Internet connectivity to the public. Lawrence Godfrey, a scientist, complained that Demon had hosted a forged message purporting to come from him which was defamatory.

Drink or Die (2002)

An international investigation into organised software piracy – “warez” groups – led to the charging of 6 UK individuals. The main aim appears to have been the demonstration of skills in breaking software protection as opposed to financial gain. Because of the large numbers of computers involved and the extent of complex evidence from overseas agencies, this was a further challenge in terms of case management as well as of basic investigation of the contents of computers. The UK case was one of the most expensive trials in recent years. Also known as National Crime Squad Operation Blossom.

Chohan family murders (2005)

A family was killed by a criminal in order to take over a transportation company which was then to be used for international narcotics trafficking. Some bodies were never found. A computer was located and seized which held deleted drafts of important documents. There was some dispute as to the actual originators of the documents. My task was to verify the work of prosecution experts.

“Red Mercury” terrorist case (2005)

This was an allegation by the News of the World’s “fake sheik” investigative reporter that material for a dirty bomb was being offered in the UK. Three men were put on trial; a number of computers had been seized and files were recovered using advanced forensic techniques. In the end the case was thrown out. “Red mercury”, the subject of an attempted purchase by the reporter, is a myth.

Operation Crevice (2005-2007)

Also known as the fertiliser bomb terrorist case. A group of Al-Qaida sympathisers, some of them linked to the 2005 7/7 London bombings, planned a series of further explosions throughout the UK including the large Bluewater shopping centre. They were monitored by MI5 and SO15 and the concern became more active when a purchase of 600kg of fertiliser was reported. Fertiliser, ammonium nitrate, is an important ingredient in making an explosive bomb but the quantity was suspicious – far too great for use in a domestic garden and not enough for agriculture. I was instructed for one of the defendants and one main issue was the possession of data relating to underground utility facilities – electricity and gas – targets for bombs. The overall trial lasted 14 months at the Old Bailey.

R v B and others (2006-2008)

One of the first detailed “phishing and laundering” cases. At the heart was a group of Russian criminals who used various methods to acquire banking and other financial details from victims, which they then exploited. Another set of methods was used to transfer – launder – the acquired money to Russia.

The main suspect fled the UK before he could be arrested, leaving his wife – Mrs B – and others to face complex charges of conspiracy to defraud and money laundering. The phishing methods included bogus websites which persuaded victims to give up their sign-on details. Other methods involved persuading innocent members of the public to enter business deals involving the handling of funds in return for a percentage. Two laundering methods were deployed: fake eBay transactions were used so as to create apparently legitimate sellers’ income, and “drop” individuals were sent to casinos in which chips were bought against a bank account but winnings were received as cash (the aim of the casino visit was not to win or lose money but to come out more-or-less even). Some funds were transferred by Western Union.

The police, in those days the National Hi-Tech Crime Unit and then the Serious and Organised Crime Agency, built their case from a variety of computer-based sources: seized computers containing documents, spreadsheets and records of chat via ICQ. There were other forms of evidence, including statements from victims and forged passports belonging to conspirators. This was Operation Euphroe.

I was instructed by solicitors for Mrs B and the task was mostly due diligence testing of the police computer-derived evidence for reliability and conclusions drawn and to explain the mechanisms of phishing. Mrs B found herself under considerable strain, said she was acting under duress and that some of the computer activity was wrongly attributed to her. In the end she was regarded as unfit to plead.

Sorrell v FullSix and others (2007)

This was an aggressively fought defamation action by the head of the advertising group WPP against Italian former colleagues suspected of publishing defamatory blogs. The authors had used anonymising facilities to conceal their activities. Some of the UK’s finest defamation lawyers were involved. The case tested the limits of the disclosure rules in relation to forensic artefacts and also posed significant technical challenges. In the end the case was settled halfway through the trial.

Operation Alpine (2009-2010)

One way in which CSAM material can be distributed is via the Internet Newsgroups. Most ISPs filter out and prevent the distribution of offending Newsgroups but others make a virtue of allowing “uncensored feeds”. Alpine was a large-scale investigation by CEOP and Lincolnshire Police which involved probing the distributors of newsgroups but also their customers. I was asked by CEOP to review the digital forensic aspects of the investigation and in particular the interactions between law enforcement officers and civilian external specialist contractors. The main organisers all pleaded guilty as did many of the identified customers.

R v L P & G C-H (2009-10)

Works by the street artist Banksy are much prized by collectors but are easily forged, as the main production method is stencil. The only official authentication comes from a body called the Pest Control Office. This has not stopped enthusiasts from trying to acquire prints on eBay and specialist forum websites. In this case would-be purchasers of prints with apparent official stamps were reassured by purported independent members of a web forum. Nearly all the prints were forgeries and the IP addresses of the sellers and the independent forum members overlapped. The recommenders were the sellers. I was instructed by the Met Police Art and Antiques Unit. eBay and a key specialist web forum provided access to IP data.

UEA-CRU Independent Climate Change Review (2010)

In November 2009 a number of emails relating to the work of the Climatic Research Unit at the University of East Anglia appeared on various websites and were subjected to hostile interpretation by those disputing the reality of climate change. A number of enquiries were instituted. This Review was commissioned by UEA and sought to investigate email traffic. In the end there was potentially 7.95 GB of material to be reviewed. The police had designated the material as “secret” which meant that various protocols, including the use of secure premises, had to be observed. In the end I had to ask the Review team whether the significant additional costs involved could be justified.

Y v Secretary of State for the Home Department (2013)

Y was, and perhaps still is, an Algerian under immigration bail. The bail conditions were very strict and tightly defined and included curfews, geographic restrictions and regular police reporting. He sought limited variations on his very restricted use of the Internet. The matter was heard before the Special Immigration Appeals Commission – SIAC. In SIAC proceedings an applicant is represented not by their regular lawyers but by special advocates who in turn get information from the regular lawyers. I was asked to prepare a report explaining how, at relatively modest capital and ongoing cost, it would be possible for the authorities to monitor Y’s Internet use to establish compliance and to do so, for the most part, remotely and without frequent visits to Y’s home.

Special Tribunal on the Lebanon (2012-2015)

The Special Tribunal on the Lebanon was set up by the United Nations to pursue charges against alleged Hezbollah supporters said to be concerned in the assassination in Beirut of Prime Minister Rafiq Hariri. The set-up of the court was similar to, but not the same as, the International Criminal Court and it was based in the Hague. A significant part of the charges rested on cellsite evidence, in effect to show the research, planning and movements of the accused. I was asked by the Tribunal to validate the methods used to examine the very extensive mobile phone communications data that the STL had managed to acquire.

R v Moazzam Begg (2014)

Begg is a British Pakistani in whom the authorities have had a persistent interest, suspecting him of links to Al-Qaida and other extremist groups. Between 2002 and 2005 he was held in extrajudicial detention by the US government at Guantanamo Bay and then released. In 2014 one of his UK arrests took place. He faced a seven-count indictment. Five of these counts referred to computer files, copies of which were found on an iPhone 5 and a computer, and in respect of which he was charged under s 57 Terrorism Act 2000. He denied knowledge of the presence of the files and said that they were likely to be the result of automated bulk backup and synchronisation, either to computers or to a remote Cloud-based service. I was instructed to test that account. However the trial was abandoned before it started when MI5 produced information persuading the Crown Prosecution Service that their charges no longer had a reasonable prospect of success.

Al-Sweady Inquiry (2014)

During the Iraq war in May 2004 an ambush took place on British soldiers. It was known as the Battle of Danny Boy. Subsequently it was alleged that 20 Iraqis had been captured and murdered. An initial internal MoD inquiry was deemed unsatisfactory and a judge-led inquiry was announced and set up. It reported in 2014. I was instructed to look at one aspect, the possibility that email messages by the soldiers most immediately involved might shed light on the overall circumstances. At the time much use was made by the military of Microsoft’s Exchange product; I was given a forensic image of the relevant computer to look for emails, extant and deleted and anything else that might be found. Because of the sensitivity of the circumstances, including how Army communications worked, I had to operate on MoD premises and use MoD-selected forensic tools; all extracts for a report had to be cleared with MoD.

Privacy International & others v GCHQ & SoS FCO (2015)

This was one of several cases brought by the NGO Privacy International and others before the Investigatory Powers Tribunal. The IPT is the body that can review the activities of the UK’s security and intelligence services. In this instance the concern was the operation of “computer network exploitation” and “equipment interference” powers, in other words, officially sanctioned hacking. There was a concern that GCHQ, the signals and electronic intelligence agency, would do what had happened on previous occasions and say that they could Neither Confirm Nor Deny what had been said about them. I was instructed to describe what was known. In 2013 Edward Snowden had revealed a large trove of documents from the National Security Agency. NSA was and is the close partner of GCHQ. I had acquired copies of most of those documents that had been publicly revealed by journalists, including those in the Guardian.

R v B, M and G (2016-2017)

This case was interesting in the way in which interpretations of technical evidence and the relevant legal provisions can be strongly intertwined. The defendants were police officers accused of conspiring to “fit up” a suspected criminal. Significant evidence included SMS text messages which had been retrieved by a police technician from a Blackberry Enterprise Server linked to a Microsoft Exchange Server owned by their police force. The applicable law was the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. There was an agreement that interception had taken place; if that had occurred on a public telecommunications network then s 17 RIPA would have rendered the material inadmissible, but the traffic would be admissible if interception had taken place on a private network.

Not the least of the practical problems was that the police communications network as it had existed in 2013, when the messages were sent, had subsequently been replaced and was not available for testing when I was instructed in 2016; what was available were the recollections of those who had roles in setting up the system. A further issue was that what had been retrieved by the police technician was a copy of the messages, not the original messages that passed through the server. Only one officer had been using a Blackberry phone; the other two had an iPhone and a Samsung smartphone; only the Blackberry connected to the police system. My role was to attempt to assist the court by analysing the ways in which the messages were passed between the alleged co-conspirators and the role of the police communications system. There was other evidence of the conspiracy and two of the three police officers were convicted.

TOEIC cases (2016-2025)

Students wishing to study in the United Kingdom are required to demonstrate a level of written and spoken English. The Home Office contracted with a U.S. company called ETS to provide some of the testing. In turn ETS contracted with a number of UK-based English language schools to provide local testing facilities. The tests were computer based and the results sent for assessment to the US. ETS then provided the results to the Home Office. It is common ground that a number of the English language schools acted corruptly and made arrangements for unqualified students to appear to pass the tests. But qualified students also attended the test centres and complained that the Home Office had nevertheless excluded them on the basis of fraudulent activity. In 2016 I was instructed on behalf of one such student and asked to investigate. I and other experts concluded that the data being used by the Home Office was of insufficient quality and reliability for the decisions officials were making. In 2019 the National Audit Office came to a similar conclusion. There were later cases and some are still ongoing.

R v D K (2018)

D K had had some setbacks in his personal life and started to offer his services as a hacker for hire. His weapon of choice, used in association with other hackers for hire, was a variation of the Mirai botnet. Botnets involve taking over and harnessing large numbers of otherwise innocent computers and getting them to send out multiple requests to targeted computers so that these become overwhelmed – a Distributed Denial of Service, DDoS. Mirai took over not conventional computers but Internet of Things devices, specifically Internet-connected webcams which contained a very stripped-down Linux operating system. The initial target was the website of a Liberian cellphone company, commissioned apparently by one of its rivals. An unexpected effect was that large numbers of modems in Germany were also taken over. It was claimed that at its height K’s code took over 1 million devices world-wide. A further interesting feature was where the offences were, for legal purposes, said to have occurred. He had attacked from Cyprus, the victims were in Liberia and Germany and he had dual UK and Israeli citizenship. In the end he was convicted both in Germany and in England.

AY v Facebook (2017-2018)

This was a case heard in Northern Ireland. AY, a girl, claimed she was suffering from “revenge porn”. The same naked and exploitative image of her had appeared on Facebook social media on at least 10 occasions and her legal representatives had informed Facebook, asking them to block repetition. My role was to say that blocking technology existed, essentially file hashes and the deployment of PhotoDNA, and to describe how it worked. Facebook initially said there were legal constraints on what it could do; there were also jurisdictional issues; these had to be challenged. They also resisted attempts at seeking disclosure of the technologies they actually had. In the end Facebook offered a settlement to AY, who was advised to accept.
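The blocking mechanism referred to above, as an added illustration that is not part of the original page: a byte-exact hash (here SHA-256) only catches identical re-uploads, whereas a perceptual hash also catches re-encoded or lightly edited copies, which is why a PhotoDNA-style hash matters for repeat-upload blocking. The average-hash below is a toy stand-in for PhotoDNA (whose algorithm is not reproduced here), the images are constructed grayscale arrays, and the blocklist format and the 6-bit match threshold are assumptions.

```python
import hashlib

# Toy image format for the demonstration: rows of 8-bit grayscale pixel values.
Image = list[list[int]]


def sha256_hex(img: Image) -> str:
    """Exact-match hash over the raw pixel bytes: any edit changes the digest."""
    raw = bytes(px for row in img for px in row)
    return hashlib.sha256(raw).hexdigest()


def average_hash(img: Image, size: int = 8) -> int:
    """Toy perceptual hash (stand-in for PhotoDNA, which is not implemented here).

    Downscale to size x size by block averaging, then emit one bit per cell,
    set when the cell is brighter than the overall mean. A uniform brightness
    change or a re-encode leaves the bit pattern intact.
    """
    h, w = len(img), len(img[0])
    bh, bw = h // size, w // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [img[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (1 if c > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two perceptual hashes."""
    return bin(a ^ b).count("1")


def is_blocked(img: Image, blocklist: list[dict], max_distance: int = 6) -> tuple[bool, str]:
    """Check an upload against a list of known images.

    The exact hash catches byte-identical re-uploads; the perceptual hash
    catches copies within max_distance bits (the threshold is an assumption).
    """
    sha = sha256_hex(img)
    ah = average_hash(img)
    for entry in blocklist:
        if sha == entry["sha256"]:
            return True, "exact match"
        d = hamming(ah, entry["ahash"])
        if d <= max_distance:
            return True, f"perceptual match (distance {d})"
    return False, "no match"


# Constructed sample images (16x16 gradients, not real image data).
ORIGINAL: Image = [[x * 15 + y for x in range(16)] for y in range(16)]
BRIGHTENED: Image = [[min(255, px + 5) for px in row] for row in ORIGINAL]  # re-encoded copy
INVERTED: Image = [[255 - px for px in row] for row in ORIGINAL]            # unrelated image

# Blocklist built from the one image the complainant reported (assumed format).
BLOCKLIST = [{"sha256": sha256_hex(ORIGINAL), "ahash": average_hash(ORIGINAL)}]


if __name__ == "__main__":
    for name, img in (("original", ORIGINAL), ("brightened", BRIGHTENED), ("inverted", INVERTED)):
        print(name, sha256_hex(img)[:12], is_blocked(img, BLOCKLIST))
```

The brightened copy defeats the SHA-256 check but sits at perceptual distance 0 from the reported image, while the unrelated image is 64 bits away and passes.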

EncroChat (2017-2025)

Please see the full article here.

Lapsus$ (2023)

Lapsus$ was, perhaps still is, a hacking group. Like many such it lacked a formal structure but consisted of individuals who often shared information and techniques. It appears to have started in Brazil but in 2022 a number of UK nationals were arrested, of whom two were charged. Both were teenagers, both with diagnosed autism, one of them so severe that he did not attend his trial; the other was too young for an adult trial. As a result the trial in 2023 dealt with the facts and did not make findings of guilt. None of the techniques involved were innovatory, though they were deployed with great persistence, determination and skill. Many but not all of the hacking attempts failed. Typical routes involved the use of social engineering, identifying contractors and other temporary staff at the targets and then phone-based masquerades asking system administrators for new passwords to replace “lost” ones. Targets included Revolut, Uber, Rockstar and Nvidia. Another series of stunts involved SIM swapping – taking over an innocent third party’s SIM and using it in the swapper’s own phone. One route was via social engineering of mobile phone company engineers; another involved more sophisticated hacking of mobile phone systems. Once a SIM had been acquired a full “restore” of the original owner’s phone was asked for – this provided user names and passwords to banking and other financial services and credentials for crypto currency wallets – all of which accounts were then looted. 2FA protection, normally quite effective, was overcome because the banks etc. could not distinguish the swapped SIM from one that was still with the original owner. I was instructed by the City of London Police and the CPS.

Autism and Hacking

This might be a suitable point at which to comment on the “Is Asperger’s a defence or excuse for hacking?” controversy. I ought to make completely clear that my speciality is digital forensics and not autism, Asperger’s or neurodiversity. But I have been instructed in a number of well-known cases in which that has been an issue. The first thing to say is that very often the technical digital element has tended to be unimportant. The techniques deployed were not unusual and were easy to establish. There have been several other instructions where the digital hacking techniques are insufficiently interesting to report. The focus of the defence is usually medical. Contrary to what is sometimes thought, the courts need to be fully persuaded of the strength of such arguments in each instance.

For what it is worth, some very brief observations: recreational hackers, as opposed to those that are state-sponsored or professional, tend to use well-known techniques but with great persistence. It is the willingness to persist in the face of frequent failure that may be one feature of the autism spectrum. Another is the ability to handle quantities of detail; this feature can make some candidates with an element of autism attractive to employers seeking coders and programmers. Yet another aspect of autism is supposed to be a detachment from normal social interactions, to the extent of not realising the consequences of one’s actions.