160 likes | 192 Views
Public Accountability Meeting 28/08/18. Digital Investigation & Intelligence. Superintendent Mark Khan Head of Function - Digital Services. “Protecting the vulnerable in our virtual neighbourhood”. Topics to be covered in this presentation will include;.
E N D
Public Accountability Meeting 28/08/18 Digital Investigation & Intelligence Superintendent Mark Khan Head of Function - Digital Services “Protecting the vulnerable in our virtual neighbourhood”
Topics to be covered in this presentation will include; • Cyber Dependent Crime and Cyber Enabled Crime – what is the difference? • What does our vulnerability look like in North Yorkshire? • How have things changed in the last few years in relation to cybercrime? • A case study – what do we consider a success? • How do our front line staff respond and investigate cybercrime? • How are we engaging with our communities to prevent cybercrime? • How does North Yorkshire fit in the regional and national picture? • Investment and expansion for Digital Services – what have we achieved? • What can our staff achieve outside of the digital laboratory? • What are the differences between frontline and specialist departments? • Given the rise of ‘devices’ in almost every crime – are costs rising? • What improvements can we make? • What are the plans for the future?
Cyber-dependent crimes can only be committed using computers, computer networks or other forms of information communication technology (ICT). They include the creation and spread of malware for financial gain, hacking to steal sensitive personal or industry data and denial of service attacks to cause reputational damage. Cyber-enabled crimes, such as fraud, the purchasing of illegal drugs and child sexual exploitation, can be conducted on or offline, but online may take place at unprecedented scale and speed. They are crimes that, traditionally, could still be committed without the use of a digital device, but may be more harmful using computers, networks or other form of ICT. Cyber crime activity is growing fast and evolving at pace, becoming both more aggressive and technically proficient. As such it is a major and growing threat to the UK. * National Crime Agency publication 709 “Cybercrime Assessment”.
Nationally – Oct – Mar 2018 North Yorkshire – Oct – Mar 2018
Then Now In 2006 iPhones didn’t exist, 3G was a thing of the future, YouTube was starting to catch on, Twitter was launched, Dropbox didn’t exist, iCloud was 5 years away, people still rented video games and films from Blockbuster, Netflix wasn’t in the UK and BT TV was just launched. • Cyber Crime has become an industry in it’s own right where offenders can enter a virtual marketplace and purchase ‘as-a-service’ software packages like; • Ransomware / DDos attacks • Exploit kits / Botnets • Spamming / Phishing • Money services / Bitcoin tumblers Cybercrime was generally committed by technically competent individuals for the kudos. Cybercrime offences accounted for £130 billion stolen from UK consumers in 2017.
A case study – what do we consider a success? • Following a disclosure from the National Crime Agency, a suspect in Scarborough was arrested for sharing indecent images of children, grooming and inciting others to offend online. He was convicted and imprisoned. • Examination of devices revealed hundreds of thousands of lines of chat room data, all of which required reading and grading by digital forensics staff. • A number of conversations were identified as high risk and one indicated an offender committing contact abuse offences against a child victim. • Using a number of non-disclosable covert techniques the offender was tracked to America and local law enforcement notified immediately. • Homeland Security and US Marshalls used the evidence supplied by North Yorkshire Police to arrest Joshua Benfey. • Their investigation revealed horrific offences committed by Benfey and his associates in relation to their victim who was unknown to all services. • In June 2018 Benfey was convicted of a string of sexual offences against his victim & sentenced to 25 years in the New Jersey State Penitentiary. • The victim has been safeguarded and now has the opportunity to rebuild their life. Benfey is not eligible for parole until 2043.
How do our front line staff respond and investigate cybercrime? • North Yorkshire Police have designated the following distance learning packages as mandatory for all operational staff: Cybercrime and Digital Policing, Part 1 – First Responder, Part 2 – Introduction, Part 3 – Investigation and Digital Communications, Social Media, Cybercrime and Policing v1.2. • 250 staff members have received a one week course from the College of Policing regarding Mainstream Cybercrime Investigation Techniques. • Our cybercrime team are on call 24/7 for Senior Investigating Officers who require their expertise on complex and serious live time crimes. • Digital Media Investigators scan reported crime and provide frontline staff with advice on investigation plans and suggested lines of enquiry. • We have made significant links with York St John University and use professors as critical friends to our Cybercrime Unit on very complex investigations. • Our cybercrime team provide an input into every student officer course to raise awareness of their capability in relation to investigating cybercrime. • Every attending officer at a cybercrime report has their investigation reviewed by a detective to ensure all lines of enquiry have been considered. • Harrogate, York, Scarborough and Northallerton police stations all have offices with Online Abuse detectives available to give guidance to frontline staff.
Internal publications are regularly used to inform frontline staff of changes in legislation and advancements in data capture techniques.
How are we engaging with our communities to prevent cybercrime? • We have recruited thirty three highly skilled Cybercrime Ambassadors from industry with over 80 events planned for delivery to targeted audiences. • We are training ‘Digital Police Community Support Officers’ who will have an online presence and can signpost potential victims to our experts for advice. • Nationally trained Youth Officers working within our Partnership Hub deliver inputs into every school within North Yorkshire and specifically target year 6 pupils with campaigns like “The Crucial Crew”. • Our Citizens in Policing team (made up of volunteers, Special Constables, Police Cadets etc.) regularly hold events in conjunction with our Cybercrime Unit including advice drop in centres at, for example, Stokesley show. • The Cybercrime Unit attend a number of public and private sector meetings to provide advice on how to protect against cybercrime, for example, The North Yorkshire Schools Network Managers meeting. • Online communication platforms like Twitter, Facebook and Instagram are used to push cybercrime prevention advice such as Stay Safe Online. • Awareness campaigns such as Take Five (how to recognise fraudulent activity) and Keep It To Your Selfie (the dangers of sharing images online) are used to highlight trending issues to targeted members of our community.
Events over recent years, such as the Wannacry ransomware attack on the NHS resulting in some 6000 appointments being cancelled and the Equifax security breach where 700,000 individuals had personal details stolen, highlighted a need for a more national based response to cyber attacks. • North Yorkshire Police are early adopters of the ‘Regionally Managed, Locally Delivered’ model for Cyber Dependent Crime. • All seven forces in the region have a capability to investigate cyber crime and are now regionally managed under an agreed Tasking and Coordination process. Permitting coordinated responses to local, regional & national issues. • Other advantages of this include; • A National Training Roadmap for investigators to ensure all are at the same level of expertise. • The development of an App for all frontline staff to upskill officers. • An enhanced capability to investigate the ‘Dark Web’. • National Performance Indicators to ensure; • 100% of Action Fraud referrals are investigated. • 100% of victims will get personal advice on preventing a repeat offence. • 100% of young people vulnerable to cybercrime will receive intervention.
In 2011: In 2018: • 4 digital investigators • 2 mobile phone examiners • 11 submissions per month (comps) • 100 submissions per month (phones) • One year backlog • 2 week turnaround for high risk • 15 month for standard priority • 12 digital investigators • 4 mobile phone examiners • 8 online abuse detectives • 3 digital media investigators • 4 cyber crime investigators • 4 detective sergeants • 3 intelligence officers • 2 technical assistants • 1 victim identification officer • 138 submissions per month (comps) • 209 submissions per month (phones) • No backlog • ‘while you wait’ turnaround for high risk • 40 day turnaround for standard submissions State of the art accredited laboratory to Home Office and Forensic Science Service Regulator Code of Practice and Conduct. Only 13% of forces have achieved this.
What can our staff achieve outside of the digital laboratory? • North Yorkshire Police has invested in the hardware, licences and training for staff to permit the examination of mobile phones at police stations across the force. • Online Abuse Teams, Cybercrime Officers and qualified search teams have the ability to triage devices at crime scenes reducing the number of exhibits seized. • Specialist software, equipment and training is given to a number of police staff used to identify and locate offenders sharing indecent images of children online. • We have invested in a number of router analysis and device detection tools, which enable staff to locate digital devices efficiently when searching premises. • Operation Mobile Working devices will have access to social media platforms such as Facebook, they will also have the National Cybercrime app to take staff through the necessary steps on capturing evidence in digital investigations.
What are the differences between frontline and specialist departments? • Frontline - a case study; • Officer is dispatched to report of a victim who has received a demand for Bitcoin payment to release ‘frozen’ files on his computer. • The attending officer is able to recognise a Ransomware incident and has training to do the following; • Isolate the message • Obtain the header (sent from) • Preserve a copy of the demand • Complete anti-virus scan • Advise victim on password change • Advise victim on Action Fraud report • Correctly flag on internal system • Inform Cyber Crime Unit on header details and Bitcoin account • Instructions are available to staff through Operation Mobile Working • Specialist – a case study; • Upon receipt of this report, the Cyber Crime Unit have the specialist capability to conduct the following investigations; • Resolve the IP address to a suspect • Resolve the Bitcoin account • Build an intelligence package • Work with the NCA and Europol on the type of Ransomware used • Arrest and interview the offender • Conduct specialist searches at premises to seize ‘volatile’ data such as RAM capture • Use the Proceeds of Crime Act to seize Bitcoin accounts • Build the case file to prosecute the offender • Provide expert evidence at trial
Given the rise of ‘devices’ in almost every crime – are costs rising? • This micro SD card holds 180,000 times more data than an old 3.5 inch floppy disk, so instead of 280 pages it will hold 50.4 million pages. • If it takes 1 minute to read 1 side of an A4 page, to spend 7 hours a day over an average working year of 260 days – it would take 19 years to read the SD card. • This means a more targeted response is required to reduce demand and explains why it is important to have the ability to triage devices prior to full examination. • The examination of one mobile phone which is pin locked costs £2,500. • A recent study in similar rural force took a snapshot of 24 hours crime recording and established 93% of all reported crime had a digital element to it. • Outsourcing to a third party is used as a last resort to meet demand, the cost of outsourcing alone in 2011 was £63,398 - in 2017 it was £149,446. Therefore, despite a 150% increase in equipment, software and training and a 300% increase in staff within the department over the last few years, demand has outstripped resources by over 135%.
What improvements can we make? • It is accepted there is a gap in the knowledge of some frontline staff. Officers have been receiving inputs at initial training for the last five years, however many officers must rely on the mandatory distance learning packages of which only 35% of staff have completed. Communications have gone out to improve the take up of these. • We understand that crimes such as Sextortion target (mainly) teenagers and males in their 20’s. A campaign targeting teenage use of chat roulette sites is under development, however we must do more to reach males in their 20’s. • Equally, isolated rural and farming communities need to be kept abreast of the trending scams and vulnerabilities in cybercrime. We submit articles in local publications for; NFU Mutual, Country Landowners Association, Countryside Alliance, both National Park Authorities and Young Farmers. • Private industry expend resources on “Horizon Scanning” looking for the next innovation in hardware and software, we are too reactive to developing trends. • We must be in a position to adapt faster to changing demands e.g. triage mobile laboratory, advance data recovery, the rise in the use of mobile phones. • We could be more ambitious with our collaboration and insourcing opportunities.
Increase the number of detectives in the Online Abuse Team in April 2019. • Work towards accreditation of crime scene examinations. • Train staff in advanced data recovery techniques - reducing outsourcing. • Digital Forensics server comes online in Sept 2018 – speeds up processing. • Remote access reduces cost of staff travelling to police HQ for analysis. • Dedicated PROTECT officers to educate small businesses and farms. • New mobile laboratory will produce immediate results for investigators. • Crime scene triage speeds the course of justice and safeguards children. Funding has been identified for a mobile crime scene triage lab. Perhaps moving away from a more traditional response to crime.