10. Memorandum submitted by the National
Technical Assistance Centre
NTAC is a Home Office unit in the Crime Reduction
and Community Safety group. Within NTAC the Forensic Computing
Team (Stored Data) are responsible for providing technical support
to UK law enforcement and intelligence agencies in order to assist
them gain access to protected data.
NTAC forensics staff work on a diverse case
load primarily associated with supporting the investigation of
serious and organised crime. Typical tasks involve accessing encrypted
files or password protected electronic devices.
Cases are submitted to NTAC via a Principle
Points of Contact network comprising individuals usually working
in the forensic computing or data recovery units of the respective
Referred cases are generally a minimum of several
weeks old by the time they are allocated to NTAC although casework
involving crimes of a terrorist nature usually arrive more quickly.
Delays occur for either or both of the following reasons:
Limited resources within LE forensic
teams This means that work is queued, sometimes for several months,
awaiting an initial review by heavily tasked officers. It is only
when this process takes place that encryption is recognised and
Large amounts of data seized. In
many serious investigations the sheer quantity of material needed
to be examined means that it may take several weeks for the investigator
to discover encrypted material.
On arrival at NTAC forensic case investigation
starts immediately; even when total caseload is heavy, work is
commenced on a new case within five working days.
An initial examination will reveal the extent
of the encryption and indicate the likelihood of success. This
process takes less than a week. The subsequent timing of the case
is wholly dependant on the type of encryption applied and the
nature of the forensic information recovered from the suspect
computer. For example NTAC have processed cases for over one year
and have still remained optimistic of obtaining a successful result.
Other cases have been completed in less than a week.
In general terms however it would be fair to
say that if resolution of a case had not been possible after a
reasonable period then the likelihood of a positive result diminishes
significantly. An exact value for the length of this period is
hard, if not impossible, to determine precisely due to the variety
of factors involved. Past experience has shown that two months
is usually adequate if a result is possible although this might
extend to three months where a substantial amount of data or a
large quantity of computers and media are involved. After these
timescales the case officer will, in most cases, have secured
a result; have identified indicators which pointed towards a positive
outcome with considerable further work or concluded that the chances
of success were limited or non existent.
26 January 2006