e crime strategy

Upload: venkatesh-hanumandla

Post on 06-Apr-2018


  • 8/3/2019 e Crime Strategy

    E-CRIME STRATEGY TO 2010

    ELECTRONIC CRIME STRATEGY TO 2010

    Policing With Confidence


    Contents

    Electronic Crime
      Definition
      Nature of Electronic Crime Problem
      Policing Challenges
    E-Crime Strategy
      Strategic Alignment
      Outcomes
      Principles
    Goals and Objectives
      Organisation
      Partnerships
      Capability
      Integrity
    Strategy Review and Governance
    Appendix A: National E-Crime Structure
    Appendix B: Summary of Actions

    Commissioner's Foreword

    New communication and computer based technologies offer benefits to New Zealand communities. They also present opportunities for criminals to commit crimes in new ways and provide opportunities to inflict harm and cause loss.

    The increasing uptake of technology by criminals means some types of crime can now be committed faster, against more victims, with anonymity and for greater gain. Crimes now occurring in the electronic environment include traditional offending, such as fraud and paedophilia, and emerging new crimes such as denial of service attacks and hacking. Of great concern is organised criminal use of information and communications technology to conceal their activities, reach a wide range of victims, and network with other criminal groups.

    Through this strategy, we will ensure that Police are positioned to address the use of technology by criminals and can respond to new types of electronic crime (e-crime).

    Since 2001, we have been collaborating with Australian Federal and State Police in our response to e-crime. These arrangements have worked well and we will continue to work closely with the new high-technology crime centre those agencies have established. However, over the past five years there have also been developments in New Zealand, which now make it appropriate for the New Zealand Police to articulate its own strategy.

    In recent years we have bolstered the size of our e-crime laboratory, responding to increasing demands for electronic forensic input into criminal investigations, and we have started to train staff about how to deal with electronic evidence.

    Among our partner agencies, a centre for critical infrastructure protection (CCIP) has been established to address threats to critical infrastructure and Government's digital strategies have led to a variety of other initiatives to enhance electronic security and address e-crime.

    This strategy places a great deal of focus on a combined agency response to e-crime. Police are only one interested party among Government, industry groups and others playing a role in the security and safety of the electronic environment. As well as endorsing collaborative approaches, this strategy will lead to further development and maintenance of our own internal capability.

    These strategies will ensure that crime reduction capabilities are maintained and complement the efforts of other organisations involved in keeping New Zealand's electronic systems and their users safe and secure.

    Howard Broad
    New Zealand Police Commissioner


    Electronic Crime

    Definition

    Police agencies worldwide have struggled to define their role in policing e-crime and to understand how to be effective in addressing the problem. This is partly because these types of crimes are extremely diverse. New Zealand Police consider electronic crime (e-crime) to cover:

    All offences where information and communications technology is:

    1. used as a tool in the commission of an offence
    2. the target of an offence
    3. a storage device in the commission of an offence.

    E-crime includes traditional offending facilitated by technology such as telephony, the Internet and encryption. It also involves computer attacks. However, it is important to recognise that the bulk of e-crime we currently see is not attributed to hackers. In New Zealand, e-crime mostly involves traditional offending with components having electronic means. This includes trading in illegal drugs, fraud, harassment, and many other types of criminal activity. Information technology has particularly influenced some traditional offending. Most notably, this includes:

    • fraud
    • identity theft
    • organised crime
    • paedophilia

    However, e-crime also includes new activity such as attacks on computers and new opportunities for crime enabled by electronic systems, such as services theft and software piracy. Worldwide these are significant and new problems.

    Nature of Electronic Crime Problem

    Criminals have exploited developments in information and communications technologies. It has provided them with new tools and facilitated new criminal activity, which can now target computing infrastructure. Criminals can also exploit the fact that offending can easily cross jurisdictional boundaries and large distances. Increasing bandwidth, as well as supporting growth in commerce, is also increasing opportunities for criminals. Potential victims are becoming increasingly available as more people use these technologies. Many of these new users represent easy targets because they lack online security awareness or skills.

    Measuring e-crime problems affecting New Zealand is hampered by a lack of data for offences involving electronic components. The recent successful transfer of Police operational computer systems to NIA (the National Intelligence Application) and a Police Crime Statistics Strategy provide an opportunity to improve e-crime recording. This should allow for the capture of e-crime connections to relevant offences.

    Local and Australian victimisation studies have collected some information about e-crime prevalence, though mainly about computer attacks. Most studies have not quantified growth in traditional crime facilitated by electronic means. However, Police have monitored the demand for forensic analysis of e-crime exhibits by the Electronic Crime Laboratory (ECL). The number of crimes involving electronic evidence has increased ten-fold over the past eight years. Electronic evidence is increasingly prominent in some types of offending such as fraud and sexual crime.

    e-crime isphisticated. It oten involvesties on the Internet such asng stolen property throughon sites, obtaining stolent card inormation romgroups and chat rooms,buting pirated intellectualerty, and dealing drugs

    gh email and websites.nternet has providedderable opportunity oroenders to extend

    supply and customerorks and exploit the reache medium just as it hasded the same advantagesitimate users. The use oology or these criminal

    oses causes challenges ore because o sometimesanding investigativerements and apparentcant growth in some crime.

    Identity crime is one of the fastest growing types of crime in the world, and is defined as any offence involving the misuse of a personal identity. The majority of identity crime is committed with the help of computers.

    Identity crime often involves criminals obtaining information from everyday transactions like:

    • bank and credit card numbers
    • names
    • addresses
    • driver's license details
    • log-on details for other services

    Criminals then use this information to commit fraud and theft. Opportunities in this area are increasing with the development of online auctions, gaming and other services.

    Computer users and businesses need to be vigilant to ensure that personal information is managed cautiously and with heightened security. This applies to the security of online transactions, paper waste containing sensitive information, personal details in wallets and purses and information on portable computers.

    Identity crime is a growing global problem: it knows no boundaries; victims and criminals can be on opposite sides of the world making it difficult for local law enforcement agencies to investigate the crime, catch the perpetrator, or help the victim.

    Proportion of Electronic Exhibits Processed by ECL

    Burglary & Theft 13%
    Homicide 8%
    Drugs 25%
    Sexual Indecency 20%
    Fraud 18%
    Threats 4%
    Telecommunications Act 4%
    Aggravated robbery 3%
    Receiving stolen goods 3%
    Assault 1%
    Kidnapping 1%
    Arson 1%


    Policing Challenges

    The attributes of e-crime pose challenges. These include anonymity, global reach, the speed by which crime can be committed against multiple victims, the potential for deliberate exploitation of sovereignty issues, and the volatility of evidence. These features create obstacles to detecting and tracking criminals. Techniques used by criminals range from false Internet accounts to the use of secure Internet and telephone communications. A particular risk is that the now widespread availability of encryption enables criminals to communicate with each other with minimal risk of discovery.

    Responding to these challenges requires expertise and resources beyond the current capability of mainstream Police. Perhaps the biggest problem is the pressure to keep pace with increasing technological sophistication. This includes maintaining the skills and resources required to provide advice on crime prevention, and the skills required to respond, investigate and prosecute offenders. The availability of these skilled resources within Police is limited. Most critically, we face a capability gap among generalist staff. With many traditional crimes now involving electronic devices, any lack of knowledge and skills has the potential to compromise investigative outcomes. Importantly though, investigating e-crime still requires many traditional policing methods that remain a strength of Police in New Zealand.

    As a result of the growth in e-crime our specialist forensic capabilities are continually stretched. There is an ongoing demand to grow forensic capabilities to keep pace with the increasing requirements for electronic evidence and to provide investigators with assistance required on other technical aspects of e-crime investigations.

    In addition to limited resources, Police face problems with a legislative framework largely based on physical world constructs. The current regulatory environment sometimes limits access to evidence, because of the dependence of Police on external organisations, such as Internet service providers, to enable access to information about criminal activity. Criminals also exploit the inter-jurisdictional difficulties in pursuing investigations.

    A public perception that Police or other government agencies are not equipped to respond to e-crime may result in the feeling that there is little benefit in reporting incidents. In the case of threats to electronic commerce or other business activities, the concerns of business are often continuity and reputation related. Business can be motivated not to report crime because publicity will harm business.

    E-Crime Strategy

    The e-crime strategy outlines the Police approach to combat e-crime over the next five years. The strategy aims to better position Police to deal with e-crime, moving forward the first steps toward establishing a much larger core of specialist forensic and investigative expertise.

    New e-crime prevention and problem-solving approaches are required to protect potential victims and environments. To facilitate these approaches it is necessary to align intelligence systems, tools, investigative requirements and laws to address e-crime issues.

    This strategy provides a framework for future planning and will give certainty to partner organisations about the directions being followed to prevent and respond to e-crime.

    Strategic Alignment

    The strategy demonstrates commitment to Police's high-level outcomes of confident, safe and secure communities, less actual crime and road trauma, fewer victims, and a world class Police service.

    Outcomes

    The desired outcomes include:

    • a safe online environment by reducing e-crime offending and minimising the harm caused to people and organisations in New Zealand, and
    • improved e-crime investigative and forensic capability leading to increased crime resolution

    Principles

    The following principles guide this e-crime strategy:

    • Police will adopt a collaborative approach using multi-agency methods and networks.
    • Police will not duplicate services or capabilities offered by other agencies.
    • Police will adopt knowledge and intelligence-based approaches to the deployment of preventive and detective activities and resources.
    • Police will engage internationally to monitor and respond to emerging risks and opportunities.

    nvolvement o organisednals in e-crime is a concernlice.

    nised criminals exploiteign states that supportmate Internet connections.

    e locations oer saens rom external authoritiesave limited restrictions

    tivities such as tradingography, money laundering,mid selling, and otherties that would be illegal inother jurisdictions.

    hreat o organised crimel. Unortunately it is veryult to assess the size andct o organised crimeps. This is because by itsnature organised criminalding is usually hidden.

    ncrease in organisednals use o securemunications technology, thential or global reach and theection o organised criminalorks internationally, arecant concerns to Police.

    worrying is the growthportunities or organisednal exploitation o electronicmerce and the new vehiclesre available or laundering

    ey and goods that areated by the Internet.

    r jurisdictions already reportcant organised crime

    vement in the Internet and

    se o other technologiesas secure mobile

    hony) by these groups.cular evidence exists orvolvement o organised in credit card raud, moneyering and identiy thet.

    The Government is targeting information and computing technology growth and innovation to grow an inclusive, innovative economy for the benefit of all. Achieving this goal depends on growing New Zealanders' confidence in using new technologies safely. A safe and secure digital environment is essential to the success of the Government's digital strategies.

    One strategy is e-government. This has been developed as a vision to enable all New Zealanders to access government information and services using the Internet, telephones and other technologies.

    The e-government unit is focused on building electronic security through initiatives such as online authentication to provide a means for people and government agencies to verify their authenticity when making electronic transactions.


    Goals and Objectives

    Police will actively support government goals and initiatives enabling information, communications, and technology (ICT) in New Zealand and furthering international commitments to enhance New Zealand's cyber security and cyber crime defences.

    Police will build the capability and credibility to effectively investigate and resolve e-crime.

    Police will target the following objectives in keeping with overall strategic goals of community reassurance, policing with confidence, and organisational development.

    Key initiatives of Partnerships, Organisation, Capability, and Integrity contribute to achieving the objectives.

    Organisation

    Police will demonstrate their commitment and understanding of the significance and priority surrounding e-crime by establishing the National Cyber Crime Centre (NC3) and aligning the Electronic Crime Laboratories (ECL) under a single national structure.

    A nationally focussed unit will improve Police's coordination with Government and key industry groups within New Zealand and other international groups and jurisdictions both at strategic and operational levels.

    National Cyber Crime Centre (NC3)

    The National Cyber Crime Centre (NC3) is a specialist e-crime response and investigation group that will:

    • provide a single reporting point for e-crime able to be accessed through traditional telephone reporting channels and through enhanced Internet contact points, enabling the collection and investigation of complaints
    • coordinate Police's response to e-crime reported in New Zealand
    • coordinate Police's response to trans-national e-crime in which there can be any combination of New Zealand or overseas victims, offenders, and technologies involved in the commission of an offence
    • proactively target and electronically patrol places where crime occurs, focusing on high priority areas such as organised crime, violence, and online child exploitation

    The NC3 will be a national facility with a central base and core team of dedicated specialists located in Wellington, working closely with the specialist capability already existing within the ECL. The central Wellington location aligns with key partner organisational structures and response units, eg Centre for Critical Infrastructure Protection (CCIP), Interpol, Customs, and the Department of Internal Affairs (DIA).

    The NC3 will complement traditional investigations, assisting initial high-level e-crime investigations to determine criminal activity, and providing specialist assistance where criminal activities enter the electronic world.

    The principles and protocols surrounding how the NC3 will operate need to be identified and agreed, and this will be cognisant of similar centres established by other jurisdictions (and their lessons learnt), and any wider sector initiatives that might arise to establish a New Zealand based computer emergency response team (NZCERT).

    Appendix A contains a high-level diagram of the e-crime structure.

    e Strategic Plan to 2010,egic Goals:

    munity Reassurance:

    ovide opportunity orrticipation

    t local priorities

    ork in partnership

    ovide protection

    ng with Condence:

    dence based proactivelicing

    mely and eective responsecalls or service

    orough investigations

    ective resolutions

    nisational Development:

    adership and people inlicing

    egrity and accountability

    chnology and innovation

    Australasian Police agencies have established the Australian High Technology Crime Centre (AHTCC). Its role is to provide a nationally coordinated approach to combating serious, complex and multi-jurisdictional high tech crimes (especially those beyond the capability of single jurisdictions); to assist in improving the capacity of all jurisdictions to deal with high tech crime; and to support efforts to protect the National Information Infrastructure.

    The United Kingdom set up a national high-technology crime unit in the year 2000, following recommendations of a computer crime working group of the Association of Police Officers. The unit has since been transferred into the Serious Organised Crime Agency.

    The unit provides e-crime investigative capability and maintains a national capability to address e-crime threats. The unit also supports investigations, intelligence, technical support, and forensic retrieval of digital evidence.

    The Royal Canadian Mounted Police have formed a distributed network of computer crime response units under the banner of a Technological Crime Program. The group research and develop computer forensic tools and provide forensic assistance to domestic and international accredited agencies and Police services.

    Community Reassurance

    Partnerships: Form significant e-crime prevention and detection partnerships through collaboration with other Government, international, and industry groups.

    Partnerships

    Policing With Confidence

    Responsiveness: Respond to offending by investing in capability to effectively detect and apprehend criminals where electronic media is used for, or associated with, the commission of crime.

    Organisation

    Organisational Development

    Intelligence: Adopt an intelligence-based approach to analysing e-crime problems, producing quality information to support the deployment of resources.

    Investigations: Improve front-line investigative capability, response, and understanding of e-crime through enhanced skills and tools.

    Integrity

    Capability

    Forensics: Meet increasing forensic specialist and inter-jurisdictional demands, by focussing the ECL with the capacity, tools and skills to meet international laboratory standards.


    ECL and E-Crime Structure

    A review of the ECL recommended ways to address issues with the ECL staff turnover rates, training and career structures, and workloads. Several of the recommendations made have already been implemented. Those remaining include moving to a revised national structure, which is incorporated into a proposed overall e-crime structure as shown below.

    The drivers for restructuring the ECL include:

    • raising the profile of the ECL to reflect national rather than District based response (ECL will continue to work with their local Districts for established local priorities)
    • increasing the focus on strategy and development of key partnerships
    • maximise the time ECL specialists spend on specialist forensic work, by providing operational management and administrative support roles
    • prepare the ECL for international accreditation (see Integrity section, page 16) which requires a single authority responsible for assigning responsibilities, accountability, unity of command, and performance
    • alignment of the ECL with the proposed NC3
    • simplified reporting and line management
    • improved consistency of processes across ECL locations

    Partnerships

    Police cannot effectively address e-crime issues alone. This is because of its size, complexity, the technical resources required to respond, and the limited amount of reporting to Police that occurs. These factors mean Police are dependent on other organisations. The challenge is to enhance cross-agency and public-private sector cooperative approaches. This includes combining complementary specialist expertise, intelligence and other resources.

    Police continue to encourage organisations that enhance security of the electronic environment. The wider government sector is already showing leadership on these issues through its digital strategy and e-Government initiatives. Police will continue to contribute enforcement perspectives to these initiatives.

    From Police's perspective, the objectives of these partnerships are to promote security policies, private sector leadership (including self-regulation), and government regulation where required. Police wish to ensure that significant crimes are prevented and that the electronic environment retains the community's trust and confidence.

    Government

    The Centre for Critical Infrastructure Protection (CCIP) is the main government agency focused on protecting public and private organisations that supply services such as power, telecommunications and health care from computer misuse and hacking. Police will coordinate with the CCIP in responding to e-crime incidents affecting critical services, formalising requirements to collect evidence and meet other criminal investigative obligations.

    The other operational agencies involved with Police in responding to reports of e-crime are the Customs Service, Security and Defence agencies, and the Department of Internal Affairs. Police will continue relationships with these agencies, building protocols for effective coordination through mechanisms such as Combined Law Agency Groups, the Departmental Committee on Computer Security (which sets and reviews national computer security policies) and the Officials Committee for Domestic and External Security.

    The Information Technology and Telecommunications Policy Group in the Ministry of Economic Development, the ICT branch in the State Services Commission, and CCIP all initiate activities that require Police support. Police will support and contribute law enforcement perspectives to these initiatives.

    CL evolved in the early to990s, and subsequentlythe necessity or Policetigators to have computersic skills in Districts.

    olice Executive approvedurrent ECL structure inber 2000, and the ECL nowates with a sta o 18, over

    locations.

    blishment o the ECLn line with best practiceels under development byustralian Centre or Policearch (ACPR). Structured,evel coordination at anal and Australasian level,he development o policebility and capacity were the guiding principles

    ained in the Electronice Strategy o the Policemissioners Conerence inh 2001.

    CL was intended tode the New Zealand Policea ormalised, nationalsic computing capability.

    In the case of business or government infrastructure, it is important that any systems compromised in a computer attack are restored as quickly as possible.

    Owners of New Zealand's critical infrastructure are provided with government support to protect and restore critical services. The Centre for Critical Infrastructure Protection (CCIP) provides this support.

    New Zealand Police work closely with the CCIP to ensure that alongside any need to re-establish critical services, requirements for evidence are fulfilled in the event that this may be required in a criminal investigation.

    The CCIP is a unit of the Government Communications Security Bureau. It has a website at www.ccip.govt.nz

    The ICT group of the State Services Commission (SSC) has proposed a Computer Emergency Response Team (CERT) in response to various international commitments under OECD, APEC and the ASEAN Regional Forum, aimed at promoting trust and confidence in information technologies in New Zealand. A CERT closely aligns with the CCIP functions, but provides cover beyond critical infrastructure, for key societal and commercial sectors as well as the public.

    [Figure: proposed e-crime structure (organisation chart). Unit labels: National Manager: Crime Services; National E-Crime Group; National Electronic Crime Labs; NC3; Research and Development; Policy and Strategy; ECL North; ECL Central; ECL South. Position labels: Manager; Manager: Operations (1); Manager R&D (1); Forensic Architects (4); Det Sen Sgt (1); Det Sgt (1); Detectives (2); Supv Analyst (1) at each of ECL North, ECL Central and ECL South; Analysts (3), (3) and (5); Signal Proc (2); Sys Admin (1); Admin Officer (1); Admin Asst (1), shown three times. Function labels: Research & Development, Strategy/new initiatives, National procurement, National training, National standards; lab operations (regional and national), standards and quality, implementation (accreditation); National Investigations, Intelligence, Public response, NZCERT/CCIP liaison. Legend: ECL positions; E-Crime NC3 positions.]



    Industry

    The Security Research Group (SRG) of the University of Otago in partnership with the Computer Security Institute (CSI), the CCIP and Police, produced the 2005 New Zealand Computer Crime and Security Survey of New Zealand businesses. The 2005 survey found 60% of respondent organisations had experienced electronic attacks originating outside the organisation, showing a steady growth over the past five years. Average annual losses were estimated at $43,000 per organisation.

    Prevention of e-crime relies on industry organisations and public awareness. Having an effective regulatory environment helps to ensure that organisations take measures to protect consumers. Police will support groups such as the Internet Safety Group, who assist in heightening community awareness and provide policy responses to e-crime issues.

    Specialist ICT sector input is required for an effective response to many types of e-crime. Police will work with Internet service and telecommunication providers to enable access to records of traffic information to assist the investigation of crime (pursuant to search warrants).

    It is essential to keep abreast of technology trends and changes in commonly used technology. Police will continue to establish and maintain relationships with major technology stakeholders, eg Microsoft and Cisco.

    International

    International partners include the G8 sub-group on High Tech Crime, Interpol, and the US Federal Bureau of Investigation. The South Pacific Chiefs of Police forum and the Australasian Police Ministers Council (APMC) are forums to coordinate regional response capability. Police will work with the APMC to improve the regular sharing of information, skills and response capability among e-crime managers.

    Inter-jurisdictional responses to e-crime are reliant on solid relationships and cooperation with international law enforcement organisations. Police will work with the United Nations Convention against Trans-National Organised Crime to address issues hindering Police ability to deal with international jurisdictions, including provision of mutual legal assistance, extradition, law-enforcement cooperation and technical assistance.

    Capability

    Enhancing the skills to gather and assess electronic evidence is required to deal with information and communication technology issues that now confront many investigations. Equipping detectives and other staff with the skills to recognise and deal with electronic evidence will ensure that skills are available to conduct most Police investigations.

    Police maintain the ECL to provide forensic support to investigations and prosecutions. These serve Police and other law enforcement agencies. The ECL currently comprises 18 staff located in Auckland, Wellington and Dunedin. Their capabilities include signal processing, computer examination, forensic software development, and the search and seizure of electronic evidence. The group also maintains partnerships with computer crime agencies and links to Internet and telecommunications providers.

    For the past five years, the ECL has experienced significant growth in demand. During 2003, requests were received for the analysis of 16,300 items of forensic evidence.1 This demand outstrips the ability of the laboratory to service the majority of investigations involving electronic evidence.

    1 Comparable statistics indicating the investigative demand for recovering e-crime exhibits are not available from 2004 onwards. This is because submission processes were changed during 2004 to relieve pressure on the ECL by restricting submissions to high priority exhibits, as determined by District Crime Managers.

    Crimes Amendment Actcame into eect onober 2003 and created

    distinct new computers.

    cessing a computerstem or a dishonestrpose.

    amaging or interering with amputer system.

    aking, selling, distributingpossessing sotware ormmitting crimes.

    cessing a computerstem without authorisation.

    egislation now gives strongprotection against hackers.

    elecommunicationsception Capability) Actcame into orce onil 2004. That Act allowse to eectively carryhe lawul interception oommunications under aneption warrant obtained in

    circumstances such as where there are grounds for believing there is an organised criminal enterprise, serious violent offence, or drug dealing offence.

    A network operator must ensure they provide an interception capability (although there is a five-year lead-in time for existing network operators to provide the necessary interception capability). This law brings New Zealand into line with other countries that allow law enforcement agencies similar access.

    The availability of computer evidence is increasingly providing Police investigations with powerful evidence.

    Criminals use computer devices for record keeping, as communication tools to plan crimes, as devices to execute fraud, to transmit pirated software, and a host of other illegal activities. In some cases, computers may simply serve as a silent witness to a crime by storing information relating to the offending.

    A criminal's computer often contains incriminating evidence that might never have been accessible 20 years ago. For example, criminals using the Internet leave behind a trail of evidence that Police and other law enforcement agencies can use to identify them and their offending.

    [Figure: Number of Exhibits Presented to ECL (axes: Year, Exhibits)]

    Essentially, the identification and recovery of electronic evidence can be grouped into three levels of complexity:

    Level 1: Identification of directly visible evidence

    Level 2: More intensive searching of contents and recovery of data (eg deleted files) to identify less obvious or latent evidence using specialist equipment and tools

    Level 3: External specialist expertise required, eg from hardware vendors.


    When the ECL was first established, specialist skills and equipment were needed to perform Level 1 analysis, requiring that all jobs relating to electronic evidence be submitted to the ECL for full analysis and evidence recovery.

    Technology has since moved on, and more tools are now available, making it easier for non-specialist staff to perform Level 1 analysis (with assistance from the ECL). This development has yet to be reflected in the workload of the ECL, with most jobs still submitted for full analysis.

    The proposed development of additional tools will simplify some Level 2 analysis, enabling more identification of evidence by staff outside the ECL, and reduction in the overall ECL workload.

    Improving Frontline Capability

    The high ECL workload is resulting in delays in processing electronic items, which can compromise investigative outcomes. Moving Level 1 activities from the specialist ECL to frontline staff (supported by the ECL) will enable a faster turnaround time and reduce the ECL workload.

    Preview clinics take the ECL specialist capability out to each District on a regular basis, with ECL staff working alongside investigators to securely (without endangering the exhibit or potential evidence) view the contents of seized computers or disks and identify items of interest. Such Level 1 type analysis will often identify all that is needed for the investigation, although subsequent Level 2 type analysis can be initiated if required. This approach enables a focussed investigation of disk contents, and avoids specialist effort on misdirected analysis and unnecessary reporting.

    Preview clinics are already held each month in Christchurch, and although the number of items previewed each month may vary, there is a consistently high success rate (refer sidebar).

    Police will extend the use of preview clinics to each District.

    Recovery of evidence from mobile phones is another growth area for the ECL. The extraction of photos or other information contained on a mobile phone in an evidentially safe manner requires some specialist tools that can be made available to frontline staff.

    Mobile phone booths have already been established in some Districts, enabling local staff to obtain information (eg, photos, messages, contacts, or complete SIM dump) directly from seized mobile phones, without intervention from ECL staff.

    Police will implement mobile phone booths in each District with appropriate support and guidance for District staff.

    District Liaison

    Improved communications to frontline staff will aid their understanding of e-crime, electronic evidence, and the services available through the ECL. Introduction of the above initiatives will also require assistance from Districts to provide local liaison points, contacts for scheduling preview sessions, and to generally act as a local champion for the ECL.

    E-Crime Liaison Officers are proposed for each District, either as a dedicated staff member or in conjunction with other duties (depending on each District's size and requirements).

    Police will appoint E-Crime Liaison Officers for each District to facilitate local ECL activities and communications.

    Research

    Police wish to build an accurate picture of e-crime offending and continue to encourage all victims to report offences. We need this picture because crime reduction relies on understanding the criminal environment as a critical first step in effective problem solving. The intelligence picture will be used to influence public and private sector organisations and individuals who can impact on electronic security.

    Police will encourage the sponsorship of research to clarify the extent, scope, and impact of e-crime in the New Zealand setting.

    Police will collect and analyse e-crime data, providing intelligence and direction to investigations, and strategies to address e-crime.

    Dunedin-based ECL staff have been operating preview clinics one week of each month, in Christchurch.

    The clinic provides an opportunity to preview seized electronic equipment and identify obvious evidence.

    o the cases previewed clinic might otherwise notbeen submitted to the ECL.

    e clinic alone, o thems previewed:

    contained evidence of child abuse or objectionable material

    provided leads to aid in associated investigations

    contained evidence of money laundering or fraud

    items identified suspects in receiving or burglary cases

    contained evidence relating to a drugs investigation

    was submitted for further specialist analysis and recovery at the ECL

    An E-Crime Liaison Officer in each District can:

    liaise with the ECL over case submissions and priorities

    assist investigators in using provided tools to identify evidence

    assist ECL staff in scheduling preview clinics and sessions

    prepare exhibits for preview sessions

    provide guidance for District staff in seizing electronic exhibits

    provide onsite support for mobile phone booths, assisting staff and maintaining equipment

    coordinate the introduction of ECL initiatives (eg Project EVE)


    Environment for Virtualised Evidence (EVE)

    Current inability to process the high volume of electronic exhibits seized during police investigations has prompted the need to develop a more effective system to conduct these types of specialist investigations.

    Project EVE involves the development of a virtual forensic evidence recovery environment that will move the ability for general investigative interrogation to front line investigators via specifically targeted search tools. This approach will save resources within the specialist ECL being used to conduct a host of more mundane queries and move this functionality directly to the investigator and/or Scene of Crime Officers (SOCOs).

    EVE will improve investigative capability, better positioning Police to manage both current demand and the expected increase in electronic-related crime.

    Police will implement EVE nationwide, including:

    a targeted training programme for ECL staff and frontline investigators

    a mobile EVE for use in court or for investigation at crime scenes or remote areas

    Once proven, there is potential to make EVE available to other enforcement groups and jurisdictions, providing benefits beyond Police.

    E-SOCO

    Ensuring appropriate seizure and preservation of computer items for forensic examination is essential to obtaining electronic evidence. EVE simplifies some of these tasks, reducing the reliance on ECL specialists.

    Providing trained e-SOCOs to carry out this work will ensure integrity of evidence is maintained, while reducing the lead time in making such evidence available to frontline investigators. This will also further reduce the ECL workload, enabling more focus on specialist evidence recovery.

    Police will establish the role of e-SOCO, with appropriate training and procedures, enabling the seizure and transformation of electronic evidence into EVE, without involvement being required from the ECL.

    ently any evidence obtainedthe examination oronic equipment by ECLs stored on individualdrives that are held withines and need to be loadedally or each case to beined.

    EVE, when a computer

    zed and provided to thesta will create a virtuale rom the physical

    puter then run specialistsis and indexing tools toe the search capability. Thel copy is then placed on age Area Network (SAN) and

    e available to the rontlinetigator via the Policeprise network.

    When an investigator accesses the virtual copy it is loaded as a virtual machine and they can see the computer in the same way the suspect sees it. Using simple search tools the investigator can quickly search through the data on the computer to identify anything relevant to the investigation.

    The introduction of EVE is expected to reduce lead times for obtaining electronic evidence from months down to days, significantly increasing the throughput of the ECL and the investigative capability of the investigators.

    The Council of Europe is made up of 46 member states.

    The European Convention on Cyber Crime is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception.

    The Convention is the product of four years of work by Council of Europe experts, but also by the United States, Canada, Japan and other countries which are not members of the organisation.

    An additional protocol supplementing the Convention makes any publication of racist and xenophobic propaganda via computer networks a criminal offence.

    Non-European states who have signed up to the Convention include:

    United States

    Canada

    Japan

    South Africa

    European Convention on Cyber Crime

    The European Convention on Cyber Crime came into force in November 2001, recognising the urgent need to pursue a common criminal policy aimed at the protection of society against cyber-crime especially, by adopting appropriate legislation and fostering cooperation between countries and private industry in combating cyber crime.

    Countries signing up to the convention are required to meet legislative standards guiding the definition and response to cyber crime. New Zealand legislation appears to align with the convention's requirements; however these need to be reviewed in detail.

    As well as aligning legislation with e-crime internationally, the core benefit for Police is the ability to progress cyber-based investigations across borders with other participating countries, extending the reach and speed of investigations.

    Police will drive any legislative changes required and progress New Zealand's adoption of the European Convention on Cyber Crime.


    The Crime Laboratory Accreditation Program of the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) is a voluntary program in which any crime laboratory may participate to demonstrate that its management, operations, personnel, procedures, equipment, physical plant, security, and health and safety procedures meet established standards.

    Accreditation is granted for a period of five years provided that a laboratory continues to meet ASCLD/LAB standards.

    Laboratories in New Zealand with current ASCLD/LAB accreditation are:

    SR

    Police Document Examination Service

    Implementation of the E-Crime Strategy to 2010 involves several key initiatives.

    Additional capability will need to be acquired or reallocated by Police, to fund the key initiatives and the ongoing development and participation in key partnerships and forums.

    The next steps in progressing the E-Crime Strategy include:

    prioritise initiatives and assign ownership

    agree a programme of work and associated resourcing requirements

    incorporate initiatives into annual business plans / prepare business cases as required

    Integrity

    The growth in e-crime places increased reliance on electronic (or digital) evidence. The integrity of digital evidence and the process by which it is obtained is essential in successfully prosecuting e-crime.

    Laboratory accreditation provides Police, Courts, New Zealand enforcement agencies and their international counterparts with assurance as to the standard of forensics examination. This is particularly important in international investigations where evidence recovered by the ECL is presented in courts overseas.

    ECL Accreditation

    Accreditation shows that the ECL meets international standards for forensic examination of digital evidence. Accreditation forms part of a laboratory's quality assurance programme, which also includes proficiency-testing, continuing education, and other programmes to help the laboratory give better overall service to the criminal justice system.

    The American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) is an internationally recognised accreditation programme, based on the ISO 17025 standard.

    Preparation for accreditation can be a lengthy process, ensuring that identified standards and processes are in use for:

    administration and resourcing (including budget, management information systems, job descriptions, performance reviews)

    organisational structure and delegation of authority (see also ECL and E-Crime Structure, page 8)

    evidence control and quality management

    personnel qualifications and proficiency testing

    physical layout and lab conditions (including security, design, health and safety)

    Police will implement formalised standard operating procedures, high-quality exhibit management, appropriate lab conditions, and other national practices required to achieve ASCLD/LAB international accreditation.

    Strategy Review and Governance

    The governance of this e-crime strategy and the measures arising from it reach across many areas of policing. These include operational responses to e-crime prevention and investigation and the development of Police capabilities through training, research and resource development.

    E-crime also reaches across traditional crime areas and criminal groups as well as some having new features that have emerged with the growth of the electronic environment.

    The strategies in this document also affect a wide variety of Police staff and domestic and international partner agencies.

    Because of the diversity of measures required to address e-crime, it is appropriate that the Commissioners govern this strategy. Key roles include:

    Executive Sponsor: Deputy Commissioner, Operations

    Business Owner: National Manager, Crime Services

    Performance Management and Review: Assistant Commissioner, Strategy, Policy, and Performance

    The key elements of governance include:

    an annual progress report to the Police Executive of the strategy and its impact

    incorporation of actions into the performance management framework

    a review of the strategy to be completed by 30 September 2009

    Risks and issues associated with this strategy will be identified as part of the business unit planning process and in consultation with the Risk Advisor and the Organisational Performance Group. The planning will cover strategic and operational risks in relation to services, capability, and change.


    Appendix A: National E-Crime Structure

    [Figure: National E-Crime Structure. Diagram labels: Police Executive; Strategy/Governance; National Operations; Management; National Cyber Crime Centre (Wellington); Investigative/Intelligence; Electronic Crime Laboratory; Forensics/R&D; Investigations (NZ and International); E-SOCO (Districts); Relationships; Interpol; Public; Government; Industry; Centre for Critical Infrastructure Protection (CCIP); Computer Emergency Response Team (CERT); Industry (Telecom, Internet Service Providers); Courts (NZ and International); Netsafe, etc; International Agencies, Groups, and Forums]

    Appendix B: Summary of Actions

    E-Crime Initiative / Actions / Timing / Owner / Success Indicators

    Organisation

    1. Develop, agree, and implement the national e-crime structure for the Electronic Crime Laboratory (ECL).

    Timing: 2007. Owner: Electronic Crime Laboratory.

    Success indicators:

    national service provision with single line reporting

    the ECL is responsive to District workload pressures

    there is consistency of operation across all ECL facilities

    2. Develop, agree, and implement the national e-crime structure for the National Cyber Crime Centre (NC3).

    Timing: 2008. Owner: Crime Service Centre.

    Success indicators:

    Police are responsive to requests for assistance in investigating cyber crime

    Capability

    3. Police will extend the use of preview clinics to each District.

    Timing: 2007. Owner: Electronic Crime Laboratory.

    Success indicators:

    preview clinics and mobile phone booths provide investigators with results in a short timeframe

    ECL staff are focussed on specialist analysis and evidence recovery, with reduced delays for investigations

    Investigators are using EVE with success in resolving crimes

    improved understanding of e-crime and electronic evidence throughout Police

    4. Police will implement mobile phone booths in each District with appropriate support and guidance for District staff.

    Timing: 2007. Owner: Electronic Crime Laboratory.

    5. Police will appoint E-Crime Liaison Officers for each District to facilitate local ECL activities and communications.

    Timing: 2007. Owner: Districts.

    6. Develop and implement the Environment for Virtualised Evidence (EVE), including:

    a targeted training programme for ECL staff and frontline investigators

    a mobile EVE

    Timing: 2008. Owner: Electronic Crime Laboratory.

    7. Establish the role of e-SOCO, appoint and train e-SOCOs in the identification and preservation of electronic evidence, including transformation of evidence into EVE.

    Timing: 2009. Owner: Electronic Crime Laboratory.

    Success indicators:

    improved identification and seizure of electronic items for evidence recovery

    short lead times for Investigators to access electronic evidence

    8. Review legislation alignment with European Convention on Cyber Crime, driving any changes required and progressing New Zealand's adoption of the convention.

    Timing: 2009. Owner: Electronic Crime Laboratory.

    Success indicators:

    progress in ratifying the convention

    9. Encourage the sponsorship of research to clarify the extent, scope, and impact of e-crime in the New Zealand setting.

    Timing: ongoing. Owner: Electronic Crime Laboratory.

    Success indicators:

    Police have a clear understanding of the extent, scope, and impact of cyber crime in New Zealand

    10. Police will collect and analyse e-crime data, providing intelligence and direction to investigations, and strategies to address e-crime.

    Timing: 2009. Owner: Electronic Crime Laboratory.


    Integrity

    11. Obtain international accreditation of the ECL, based on the ASCLD/LAB International accreditation programme for Digital Evidence.

    Timing: 2009. Owner: Electronic Crime Laboratory.

    Success indicators:

    the ECL is a world class and internationally accredited forensic laboratory

    consistency of practices and standards across all ECL facilities

    12. Review of the e-crime strategic plan.

    Timing: 2009. Owner: Crime Service Centre.

    Success indicators:

    initiatives on target to achieve desired outcomes

    Partnerships

    Government:

    13. Coordinate with the CCIP in responding to e-crime incidents affecting critical services, formalising requirements to collect evidence and meet other criminal investigative obligations.

    14. Build protocols for effective coordination between the Customs Service, Security and Defence agencies, and the Department of Internal Affairs, through mechanisms such as Combined Law Agency Groups, the Departmental Committee on Computer Security and the Officials Committee for Domestic and External Security, Officials Committee for Review of Internet Security.

    15. Support and contribute law enforcement perspectives to initiatives arising out of the work of the Information Technology and Telecommunications Policy Group in the Ministry of Economic Development, the ICT branch in the State Services Commission, and the CCIP.

    Timing: ongoing. Owner: Electronic Crime Laboratory.

    Success indicators:

    Police working proactively with stakeholders

    Police are responsive to requests for assistance in investigating cyber crime

    Memorandum of Understanding in place with local agencies facilitating the sharing of information and resources

    Industry:

    16. Support the Internet Safety Group, which heightens community awareness and provides policy responses to e-crime issues.

    17. Work with Internet service and telecommunication providers to enable access to records of traffic information to assist the investigation of crime (pursuant to search warrants).

    18. Establish and maintain relationships with major technology stakeholders, eg Microsoft and Cisco.

    Timing: ongoing. Owner: Electronic Crime Laboratory.

    Success indicators:

    community have trust and confidence in Police

    Police working proactively with stakeholders

    International:

    19. Work with the Australasian Police Ministers Council (APMC) to improve the regular sharing of information, skills and response capability among e-crime managers.

    20. Work with the United Nations Convention against Trans-National Organised Crime to address issues hindering Police ability to deal with international jurisdictions, including provision of mutual legal assistance, extradition, law-enforcement cooperation and technical assistance.

    Timing: ongoing. Owner: Electronic Crime Laboratory.

    Success indicators:

    Police working proactively in partnerships with international stakeholders

    Memorandums of Agreement in place to facilitate the sharing of information and resources


    Published by New Zealand Police, PO Box 3017, Wellington

    ISBN 978-0-477-10059-5 (paperback), ISBN 978-0-477-10060-1 (pdf)

    www.police.govt.nz