ELECTRONIC CRIME STRATEGY to 2010 Policing with Confidence

ELECTRONIC CRIME STRATEGY TO 2010 Policing With Confidence

E-CRIME STRATEGY TO 2010 1 Commissioner’s Contents Foreword Electronic Crime 2 Definition 2 New communication and computer based technologies offer benefits to New Zealand communities. They also present opportunities for criminals to commit Nature of Electronic Crime Problem 3 crimes in new ways and provide opportunities to inflict harm and cause loss. Policing Challenges 4 The increasing uptake of technology by criminals means some types of crime can now be committed faster, against more victims, with anonymity and for E-Crime Strategy 5 greater gain. Crimes now occurring in the electronic environment include Strategic Alignment 5 traditional offending, such as fraud and paedophilia, and emerging new crimes such as denial of service attacks and hacking. Of great concern is Outcomes 5 organised criminal use of information and communications technology to Principles 5 conceal their activities, reach a wide range of victims, and network with other criminal groups. Goals and Objectives 6 Through this strategy, we will ensure that Police are positioned to address the Organisation 7 use of technology by criminals and can respond to new types of electronic crime (e-crime). Partnerships 9 Since 2001, we have been collaborating with Australian Federal and State Police Capability 11 in our response to e-crime. These arrangements have worked well and we Integrity 16 will continue to work closely with the new high-technology crime centre those agencies have established. However, over the past five years there have also Strategy Review and Governance 17 been developments in New Zealand, which now make it appropriate for the Appendix A: National E-Crime Structure 18 New Zealand Police to articulate its own strategy. In recent years we have bolstered the size of our e-crime laboratory, responding Appendix B: Summary of Actions 19 to increasing demands for electronic forensic input into criminal investigations, and we have started to train staff about how to deal with electronic evidence. Among our partner agencies, a centre for critical infrastructure protection (CCIP) has been established to address threats to critical infrastructure and Government’s digital strategies have led to a variety of other initiatives to enhance electronic security and address e-crime. This strategy places a great deal of focus on a combined agency response to e-crime. Police are only one interested party among Government, industry groups and others playing a role in the security and safety of the electronic environment. As well as endorsing collaborative approaches, this strategy will lead to further development and maintenance of our own internal capability. These strategies will ensure that crime reduction capabilities are maintained and complement the efforts of other organisations involved in keeping New Zealand’s electronic systems and their users safe and secure.

Howard Broad New Zealand Police Commissioner

2 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 1 Nature of Electronic Crime Problem Electronic Crime Criminals have exploited developments in information and communications technologies. It has provided them with new tools and facilitated new criminal activity, which can now target computing infrastructure. Criminals can also exploit Definition the fact that offending can easily cross jurisdictional boundaries and large distances. Police agencies worldwide have struggled to define their role in policing e-crime and Increasing bandwidth, as well as supporting growth in commerce, is also increasing Much e-crime is to understand how to be effective in addressing the problem. This is partly because opportunities for criminals. Potential victims are becoming increasingly available Identity crime is one of the unsophisticated. It often involves as more people use these technologies. Many of these new users represent easy fastest growing types of crime in activities on the Internet such as these types of crimes are extremely diverse. New Zealand Police consider electronic the world, and is defined as any trading stolen property through crime (e-crime) to cover: targets because they lack online security awareness or skills. offence involving the misuse of a auction sites, obtaining stolen personal identity. The majority of All offences where information and communications technology is: Measuring e-crime problems affecting New Zealand is hampered by a lack of credit card information from data for offences involving electronic components. The recent successful transfer identity crime is committed with newsgroups and chat rooms, 1. used as a tool in the commission of an offence the help of computers. distributing pirated intellectual of Police operational computer systems to NIA (the National Intelligence Application) Identity crime often involves property, and dealing drugs 2. the target of an offence and a Police Crime Statistics Strategy provide an opportunity to improve through email and websites. e-crime recording. This should allow for the capture of e-crime connections to criminals obtaining information 3. a storage device in the commission of an offence. from everyday transactions like: The Internet has provided relevant offences. • bank and credit card numbers considerable opportunity for E-crime includes traditional offending facilitated by technology such as telephony, the Local and Australian victimisation studies have collected some information about many offenders to extend Internet and encryption. It also involves computer attacks. However, it is important to e-crime prevalence, though mainly about computer attacks. Most studies have not • names their supply and customer recognise that the bulk of e-crime we currently see is not attributed to hackers. networks and exploit the reach quantified growth in traditional crime facilitated by electronic means. However, Police • addresses In New Zealand, e-crime mostly involves traditional offending with components of the medium – just as it has have monitored the demand for forensic analysis of e-crime exhibits by the Electronic • driver’s license details provided the same advantages having electronic means. This includes trading in illegal drugs, fraud, harassment, Crime Laboratory (ECL). The number of crimes involving electronic evidence has to legitimate users. The use of and many other types of criminal activity. Information technology has particularly increased ten-fold over the past eight years. Electronic evidence is increasingly • log-on details for other technology for these criminal influenced some traditional offending. Most notably, this includes: services purposes causes challenges for prominent in some types of offending such as fraud and sexual crime. Criminals then use this Police because of sometimes • fraud information to commit fraud demanding investigative Proportion of Electronic Exhibits Processed by ECL and theft. Opportunities in this requirements and apparent • identity theft area are increasing with the significant growth in some crime. • organised crime development of online auctions, Burglary & Theft 13% gaming and other services. • paedophilia Fraud 18% Computer users and businesses However, e-crime also includes new activity such as attacks on computers and new need to be vigilant to ensure that opportunities for crime enabled by electronic systems, such as services theft and Homicide 8% personal information is managed software piracy. Worldwide these are significant and new problems. cautiously and with heightened security. This applies to the Threats 4% security of online transactions, paper waste containing Telecommunications Act 4% sensitive information, personal Sexual – Indecency 20% details in wallets and purses and information on portable Aggravated robbery 3% computers. Receiving stolen goods 3% Identity crime is a growing Assault 1% global problem – it knows Kidnapping 1% no boundaries; victims and Arson 1% Drugs 25% criminals can be on opposite sides of the world making it difficult for local law enforcement agencies to investigate the crime, catch the perpetrator, or help the victim.

2 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 3 Policing Challenges The attributes of e-crime pose challenges. These include anonymity, global reach, E-Crime Strategy the speed by which crime can be committed against multiple victims, the potential for deliberate exploitation of sovereignty issues, and the volatility of evidence. The e-crime strategy outlines the Police approach to combat e-crime over the next These features create obstacles to detecting and tracking criminals. Techniques five years. The strategy aims to better position Police to deal with e-crime moving used by criminals range from false Internet accounts to the use of secure Internet forward – the first steps toward establishing a much larger core of specialist forensic The involvement of organised and telephone communications. A particular risk is that the now widespread and investigative expertise. The Government is targeting criminals in e-crime is a concern availability of encryption enables criminals to communicate with each other with information and computing to Police. technology growth and minimal risk of discovery. New e-crime prevention and problem-solving approaches are required to protect potential victims and environments. To facilitate these approaches it is necessary innovation to “grow an inclusive, Organised criminals exploit innovative economy for the sovereign states that support Responding to these challenges requires expertise and resources beyond the to align intelligence systems, tools, investigative requirements and laws to address current capability of mainstream Police. Perhaps the biggest problem is the pressure benefit of all”. Achieving this illegitimate Internet connections. e-crime issues. goal depends on growing New These locations offer safe to keep pace with increasing technological sophistication. This includes maintaining Zealanders’ confidence in using havens from external authorities the skills and resources required to provide advice on crime prevention, and the This strategy provides a framework for future planning and will give certainty to new technologies safely. A safe and have limited restrictions skills required to respond, investigate and prosecute offenders. The availability of partner organisations about the directions being followed to prevent and respond and secure digital environment on activities such as trading these skilled resources within Police is limited. Most critically, we face a capability to e-crime. is essential to the success of the pornography, money laundering, Government’s digital strategies. pyramid selling, and other gap among generalist staff. With many traditional crimes now involving electronic activities that would be illegal in devices, any lack of knowledge and skills has the potential to compromise Strategic Alignment One strategy is e-government. many other jurisdictions. investigative outcomes. Importantly though, investigating e-crime still requires many The strategy demonstrates commitment to Police’s high-level outcomes of confident, This has been developed traditional policing methods that remain a strength of Police in New Zealand. as a vision to enable all The threat of organised crime safe and secure communities, less actual crime and road trauma, fewer victims, and New Zealanders to access is real. Unfortunately it is very a world class Police service. government information and difficult to assess the size and As a result of the growth in e-crime our specialist forensic capabilities are continually stretched. There is an ongoing demand to grow forensic capabilities to keep pace services using the Internet, impact of organised crime Outcomes telephones and other groups. This is because by its with the increasing requirements for electronic evidence and to provide investigators technologies. very nature organised criminal with assistance required on other technical aspects of e-crime investigations. The desired outcomes include: offending is usually hidden. The e-government unit is In addition to limited resources, Police face problems with a legislative framework focused on building electronic The increase in organised • a safe online environment by reducing e-crime offending and minimising largely based on physical world constructs. The current regulatory environment the harm caused to people and organisations in New Zealand, and security through initiatives such criminals’ use of secure as online authentication to communications technology, the sometimes limits access to evidence, because of the dependence of Police on • improved e-crime investigative and forensic capability leading to provide a means for people and potential for global reach and the external organisations, such as Internet service providers, to enable access to increased crime resolution government agencies to verify connection of organised criminal information about criminal activity. Criminals also exploit the inter-jurisdictional their authenticity when making networks internationally, are difficulties in pursuing investigations. electronic transactions. significant concerns to Police. Principles Also worrying is the growth A public perception that Police or other government agencies are not equipped to in opportunities for organised respond to e-crime may result in the feeling that there is little benefit in reporting The following principles guide this e-crime strategy: criminal exploitation of electronic incidents. In the case of threats to electronic commerce or other business activities, commerce and the new vehicles • Police will adopt a collaborative approach using multi-agency methods that are available for laundering the concerns of business are often continuity and reputation related. Business can and networks. money and goods that are be motivated not to report crime because publicity will harm business. facilitated by the Internet. • Police will not duplicate services or capabilities offered by other agencies. Other jurisdictions already report significant organised crime • Police will adopt knowledge and intelligence-based approaches to the involvement in the Internet and deployment of preventive and detective activities and resources. the use of other technologies (such as secure mobile • Police will engage internationally to monitor and respond to emerging telephony) by these groups. risks and opportunities. Particular evidence exists for the involvement of organised crime in credit card fraud, money laundering and identify theft.

4 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 5 Organisation Goals and Objectives Police will demonstrate their commitment and understanding of the significance and priority surrounding e-crime by establishing the National Cyber Crime Centre Police will actively support government goals and initiatives enabling information, (NC3) and aligning the Electronic Crime Laboratories (ECL) under a single national communications, and technology (ICT) in New Zealand and furthering international structure. commitments to enhance New Zealand’s cyber security and cyber crime defences. Police Strategic Plan to 2010, A nationally focussed unit will improve Police’s coordination with Government Australasian Police agencies Strategic Goals: Police will build the capability and credibility to effectively investigate and and key industry groups within New Zealand and other international groups and have established the Australian resolve e-crime. jurisdictions – both at strategic and operational levels. High Technology Crime Centre Community Reassurance: (AHTCC). Its role is to provide a • provide opportunity for Police will target the following objectives in keeping with overall strategic goals of National Cyber Crime Centre (NC3) nationally coordinated approach participation community reassurance, policing with confidence, and organisational development. The National Cyber Crime Centre (NC3) is a specialist e-crime response and to combating serious, complex and multi-jurisdictional high • set local priorities Key initiatives of Partnerships, Organisation, Capability, and Integrity contribute to investigation group that will: tech crimes (especially those • work in partnership achieving the objectives. • provide a single reporting point for e-crime able to be accessed through beyond the capability of single jurisdictions); to assist in • provide protection traditional telephone reporting channels and through enhanced Internet improving the capacity of all contact points, enabling the collection and investigation of complaints jurisdictions to deal with high Policing with Confidence: Partnerships Form significant e-crime prevention and detection tech crime; and to support partnerships through collaboration with other • coordinate Police’s response to e-crime reported in New Zealand • evidence based proactive Government, international, and industry groups. efforts to protect the National policing • coordinate Police’s response to trans-national e-crime – in which there Information Infrastructure. • timely and effective response can be any combination of New Zealand or overseas victims, offenders, The United Kingdom set up to calls for service and technologies involved in the commission of an offence a national high-technology Responsiveness Respond to offending by investing in capability crime unit in the year 2000, • thorough investigations to effectively detect and apprehend criminals • proactively target and electronically patrol places where crime occurs, following recommendations of a where electronic media is used for, or • effective resolutions focusing on high priority areas such as organised crime, violence, and computer crime working group associated with, the commission of crime. online child exploitation of the Association of Police

Organisational Development: Community Reassurance Partnerships Officers. The unit has since been transferred into the Serious • leadership and people in The NC3 will be a national facility with a central base and core team of dedicated Organised Crime Agency. policing specialists located in Wellington, working closely with the specialist capability already

Intelligence Organisation Adopt an intelligence-based approach to existing within the ECL. The central Wellington location aligns with key partner The unit provides e-crime • integrity and accountability analysing e-crime problems, producing quality investigative capability and information to support the deployment of organisational structures and response units eg Centre for Critical Infrastructure maintains a national capability • technology and innovation resources. Protection (CCIP), Interpol, Customs, and the Department of Internal Affairs (DIA). to address e-crime threats. The unit also supports investigations,

Policing With Confidence The NC3 will complement traditional investigations, assisting initial high-level e-crime intelligence, technical support, Investigations Improve front-line investigative capability, investigations to determine criminal activity, and providing specialist assistance and forensic retrieval of digital response, and understanding of e-crime evidence. through enhanced skills and tools. where criminal activities enter the electronic world. The principles and protocols surrounding how the NC3 will operate need to be The Royal Canadian Mounted Forensics Meet increasing forensic specialist and inter- identified and agreed, and this will be cognisant of similar centres established by Police have formed a distributed Integrity network of computer crime jurisdictional demands, by focussing the ECL Capability other jurisdictions (and their lessons learnt), and any wider sector initiatives that response units under the Organisational Development with the capacity, tools and skills to meet might arise to establish a New Zealand based computer emergency response international laboratory standards. banner of a Technological Crime team (NZCERT). Program. The group research and develop computer forensic Appendix A contains a high-level diagram of the e-crime structure. tools and provide forensic assistance to domestic and international accredited agencies and Police services.

6 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 7 ECL and E-Crime Structure Partnerships A review of the ECL recommended ways to address issues with the ECL staff Police cannot effectively address e-crime issues alone. This is because of its size, turnover rates, training and career structures, and workloads. Several of the complexity, the technical resources required to respond, and the limited amount recommendations made have already been implemented. Those remaining include of reporting to Police that occurs. These factors mean Police are dependent on moving to a revised national structure, which is incorporated into a proposed overall other organisations. The challenge is to enhance cross-agency and public-private e-crime structure as shown below. sector cooperative approaches. This includes combining complementary specialist The ECL evolved in the early to The drivers for restructuring the ECL include: expertise, intelligence and other resources. In the case of business or mid 1990s, and subsequently government infrastructure, it from the necessity for Police • raising the profile of the ECL to reflect national rather than District Police continue to encourage organisations that enhance security of the electronic is important that any systems investigators to have computer based response (ECL will continue to work with their local Districts for environment. The wider government sector is already showing leadership on these compromised in a computer forensic skills in Districts. issues through its digital strategy and e-Government initiatives. Police will continue to attack are restored as quickly established local priorities) as possible. The Police Executive approved contribute enforcement perspectives to these initiatives. the current ECL structure in • increasing the focus on strategy and development of key partnerships Owners of New Zealand’s critical From Police’s perspective, the objectives of these partnerships is to promote October 2000, and the ECL now • maximise the time ECL specialists spend on specialist forensic work, infrastructure are provided with operates with a staff of 18, over security policies, private sector leadership (including self-regulation), and government government support to protect three locations. by providing operational management and administrative support roles regulation where required. Police wish to ensure that significant crimes are prevented and restore critical services. • prepare the ECL for international accreditation (see Integrity section, and that the electronic environment retains the community’s trust and confidence. The Centre for Critical Establishment of the ECL Infrastructure Protection (CCIP) was in line with best practice page 16) which requires a single ‘authority’ responsible for assigning Government provides this support. models under development by responsibilities, accountability, unity of command, and performance the Australian Centre for Police The Centre for Critical Infrastructure Protection (CCIP) is the main government New Zealand Police work Research (ACPR). Structured, • alignment of the ECL with the proposed NC3 agency focused on protecting public and private organisations that supply services closely with the CCIP to high-level coordination at a ensure that alongside any national and Australasian level, • simplified reporting and line management such as power, telecommunications and health care from computer misuse and need to re-establish critical and the development of police hacking. Police will coordinate with the CCIP in responding to e-crime incidents services, requirements for capability and capacity were • improved consistency of processes across ECL locations affecting critical services, formalising requirements to collect evidence and meet evidence are fulfilled in the two of the guiding principles other criminal investigative obligations. event that this may be required contained in the Electronic in a criminal investigation. Crime Strategy of the Police The other operational agencies involved with Police in responding to reports NATIONAL MANAGER: CRIME SERVICES The CCIP is a unit of the Commissioners Conference in of e-crime are the Customs Service, Security and Defence agencies, and the March 2001. Government Communications Department of Internal Affairs. Police will continue relationships with these agencies, Security Bureau. It has a web The ECL was intended to building protocols for effective coordination through mechanisms such as Combined site at www.ccip.govt.nz provide the New Zealand Police Law Agency Groups, the Departmental Committee on Computer Security (which MANAGER The ICT group of the State with a formalised, national sets and reviews national computer security policies) and the Officials’ Committee for forensic computing capability. NATIONAL E-CRIME GROUP Services Commission (SSC) Domestic and External Security. has proposed a Computer ECL Positions Emergency Response Team The Information Technology and Telecommunications Policy Group in the Ministry (CERT) in response to various Admin Officer (1) E-Crime NC3 positions of Economic Development, the ICT branch in the State Services Commission, international commitments under and CCIP all initiate activities that require Police support. Police will support and OECD, APEC and the ASEAN contribute law enforcement perspectives to these initiatives. Regional Forum, aimed at Manager R&D (1) promoting trust and confidence Manager: Operations (1) Det Sen Sgt (1) RESEARCH and DEVELOPMENT in information technologies in NATIONAL ELECTRONIC CRIME LABS NC3 POLICY and STRATEGY New Zealand. A CERT closely aligns with the CCIP functions, – Research & Development – lab operations (regional and national) – National Investigations – Strategy/new initiatives – standards and quality implementation (accreditation) – Intelligence but provides cover beyond – National procurement – Public response critical infrastructure, for key – National training – NZCERT/CCIP liaison societal and commercial sectors – National standards as well as the public.

ECL South ECL Central ECL North Forensic Supv Analyst (1) Supv Analyst (1) Supv Analyst (1) Architects (4) Det Sgt (1)

Sys Admin (1) Signal Proc (2) Analysts (3) Analysts (3) Analysts (5) Detectives (2)

Admin Asst (1) Admin Asst (1) Admin Asst (1)

8 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 9 Industry Capability The Security Research Group (SRG) of the University of Otago in partnership with Enhancing the skills to gather and assess electronic evidence is required to deal the Computer Security Institute (CSI), the CCIP and Police, produced the 2005 New with information and communication technology issues that now confront many Zealand Computer Crime and Security Survey of New Zealand businesses. The investigations. Equipping detectives and other staff with the skills to recognise and 2005 survey found 60% of respondent organisations had experienced electronic deal with electronic evidence will ensure that skills are available to conduct most attacks originating outside the organisation, showing a steady growth over the past Police investigations. The Crimes Amendment Act five years. Average annual losses were estimated at $43,000 per organisation. The availability of computer 2003 came into effect on Police maintain the ECL to provide forensic support to investigations and evidence is increasingly 1 October 2003 and created Prevention of e-crime relies on industry organisations and public awareness. Having prosecutions. These serve Police and other law enforcement agencies. The ECL providing Police investigations four distinct new computer an effective regulatory environment helps to ensure that organisations take measures currently comprises 18 staff located in Auckland, Wellington and Dunedin. Their with powerful evidence. crimes. to protect consumers. Police will support groups such as the Internet Safety Group, capabilities include signal processing, computer examination, forensic software Criminals use computer 1. Accessing a computer who assist in heightening community awareness and provide policy responses to development, and the search and seizure of electronic evidence. The group also devices for record keeping, as system for a dishonest e-crime issues. maintains partnerships with computer crime agencies and links to Internet and communication tools to plan purpose. Specialist ICT sector input is required for an effective response to many types of telecommunications providers. crimes, as devices to execute fraud, to transmit pirated 2. Damaging or interfering with a e-crime. Police will work with Internet service and telecommunication providers to For the past five years, the ECL has experienced significant growth in demand. software, and a host of other computer system. enable access to records of traffic information to assist the investigation of crime During 2003, requests were received for the analysis of 16,300 items of forensic illegal activities. In some cases, 3. Making, selling, distributing (pursuant to search warrants). evidence.1 This demand outstrips the ability of the laboratory to service the majority computers may simply serve as a silent “witness” to a crime by or possessing software for of investigations involving electronic evidence. committing crimes. It is essential to keep abreast of technology trends and changes in commonly used storing information relating to technology. Police will continue to establish and maintain relationships with major the offending. 4. Accessing a computer technology stakeholders, eg Microsoft and Cisco. system without authorisation. Number of Exhibits Presented to ECL A criminal’s computer often International contains incriminating evidence This legislation now gives strong that might never have been new protection against hackers. International partners include the G8 sub-group on High Tech Crime, Interpol, and 18000 accessible 20 years ago. For example, criminals using The Telecommunications the US Federal Bureau of Investigation. The South Pacific Chiefs of Police forum and 16000 (Interception Capability) Act the Internet leave behind a trail the Australasian Police Ministers Council (APMC) are forums to coordinate regional of evidence that Police and 2004 came into force on response capability. Police will work with the APMC to improve the regular sharing of 14000 5 April 2004. That Act allows other law enforcement agencies Police to effectively carry information, skills and response capability among e-crime managers. 12000 can use to identify them and their offending. out the lawful interception of Inter-jurisdictional responses to e-crime are reliant on solid relationships and telecommunications under an 10000 cooperation with international law enforcement organisations. Police will work with interception warrant obtained in 8000 circumstances such as where the United Nations Convention against Trans-National Organised Crime to address Exhibits there are grounds for believing issues hindering Police ability to deal with international jurisdictions, including 6000 there is an organised criminal provision of mutual legal assistance, extradition, law-enforcement cooperation and enterprise, serious violent technical assistance. 4000 offence, or drug dealing offence. 2000 A network operator must ensure that they provide an interception 0 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 capability (although there is up to a five-year lead-in time Year for existing network operators to provide the necessary interception capability). This law Essentially, the identification and recovery of electronic evidence can be grouped into brings New Zealand into line three levels of complexity: with other countries that allow their law enforcement agencies Level 1: Identification of directly visible evidence similar access. Level 2: More intensive searching of contents and recovery of data (eg deleted files) to identify less obvious or latent evidence using specialist equipment and tools Level 3: External specialist expertise required, eg from hardware vendors.

1 Comparable statistics indicating the investigative demand for recovering e-crime exhibits are not available from 2004 onwards. This is because submission processes were changed during 2004 to relieve pressure on the ECL by restricting submissions to high priority exhibits, as determined by District Crime Managers.

10 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 11 When the ECL was first established, specialist skills and equipment were needed District Liaison to perform Level 1 analysis, requiring that all jobs relating to electronic evidence be Improved communications to frontline staff will aid their understanding of e-crime, submitted to the ECL for full analysis and evidence recovery. electronic evidence, and the services available through the ECL. Introduction of the Technology has since moved on, and more tools are now available, making it easier above initiatives will also require assistance from Districts to provide local liaison for non-specialist staff to perform Level 1 analysis (with assistance from the ECL). points, contacts for scheduling preview sessions, and to generally act as a local This development has yet to be reflected in the workload of the ECLs with most jobs champion for the ECL. still submitted for full analysis. Dunedin-based ECL staff have E-Crime Liaison Officers are proposed for each District – either as a dedicated staff An E-Crime Liaison Officer in been operating preview clinics each District can: for one week of each month, in The proposed development of additional tools will simplify some Level 2 analysis member or in conjunction with other duties (depending on each District’s size and Christchurch. enabling more identification of evidence by staff outside the ECL, and reduction in requirements). • liaise with the ECL over case the overall ECL workload. submissions and priorities The clinic provides an Police will appoint E-Crime Liaison Officers for each District to facilitate local ECL • assist investigators in using opportunity to preview seized Improving Frontline Capability activities and communications. electronic equipment and identify provided tools to identify any obvious evidence. The high ECL workload is resulting in delays in processing electronic items, which Research evidence can compromise investigative outcomes. Moving Level 1 activities from the specialist Many of the cases previewed Police wish to build an accurate picture of e-crime offending and continue to • assist ECL staff in scheduling ECL to frontline staff (supported by the ECL) will enable a faster turnaround time and preview clinics and sessions at the clinic might otherwise not encourage all victims to report offences. We need this picture because crime reduce the ECL workload. have been submitted to the ECL. reduction relies on understanding the criminal environment as a critical first step in • prepare exhibits for preview In one clinic alone, of the Preview clinics take the ECL specialist capability out to each District on a effective problem solving. The intelligence picture will be used to influence public and sessions 36 items previewed: regular basis, with ECL staff working alongside investigators to securely (without private sector organisations and individuals who can impact on electronic security. • provide guidance for District endangering the exhibit or potential evidence) view the contents of seized computers staff in seizing electronic • 5 contained evidence of Police will encourage the sponsorship of research to clarify the extent, scope, and child abuse or objectionable or disks and identify items of interest. Such Level 1 type analysis will often identify exhibits impact of e-crime in the New Zealand setting. material all that is needed for the investigation, although subsequent Level 2 type analysis • provide onsite support • 10 provided leads to aid in can be initiated if required. This approach enables a focussed investigation of Police will collect and analyse e-crime data, providing intelligence and direction to for mobile phone booths, associated investigations disk contents, and avoids specialist effort on misdirected analysis and investigations, and strategies to address e-crime. assisting staff and maintaining equipment • 3 contained evidence of unneccessary reporting. money laundering or fraud • coordinate the Preview clinics are already held each month in Christchurch, and although the introduction of ECL initiatives • 8 items identified suspects in number of items previewed each month may vary, there is a consistently high (eg Project EVE) receiving or burglary cases success rate (refer sidebar). • 1 contained evidence relating Police will extend the use of preview clinics to each District. to a drugs investigation • 1 was submitted for further Recovery of evidence from mobile phones is another growth area for the ECL. specialist analysis and The extraction of photos or other information contained on a mobile phone in an recovery at the ECL evidentially safe manner requires some specialist tools that can be made available to frontline staff. Mobile phone booths have already been established in some Districts enabling local staff to obtain information (eg, photos, messages, contacts, or complete SIM dump) directly from seized mobile phones, without intervention from ECL staff. Police will implement mobile phone booths in each District with appropriate support and guidance for District staff.

12 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 13 Environment for Virtualised Evidence (EVE) European Convention on Cyber Crime Current inability to process the high volume of electronic exhibits seized during police The European Convention on Cyber Crime came into force in November 2001, investigations has prompted the need to develop a more effective system to conduct recognising the urgent need to pursue a common criminal policy aimed at the these types of specialist investigations. protection of society against cyber-crime especially, by adopting appropriate legislation and fostering cooperation between countries and private industry in Project EVE involves the development of a virtual forensic evidence recovery combating cyber crime. environment that will move the ability for general investigative interrogation to front Currently any evidence obtained line investigators via specifically targeted search tools. This approach will save Countries signing up to the convention are required to meet legislative standards The Council of Europe is made from the examination of up of 46 member states. electronic equipment by ECL resources within the specialist ECL being used to conduct a host of more mundane guiding the definition and response to cyber crime. New Zealand legislation staff is stored on individual queries and move this functionality directly to the investigator and/or Scene of Crime appears to align with the convention’s requirements; however these need to be The European Convention hard drives that are held within Officers (SOCOs). reviewed in detail. on Cyber Crime is the first caddies and need to be loaded international treaty on crimes manually for each case to be EVE will improve investigative capability, better positioning Police to manage both As well as aligning legislation with e-crime internationally, the core benefit for Police committed via the Internet examined. current demand and the expected increase in electronic-related crime. is the ability to progress cyber-based investigations across borders with other and other computer networks, participating countries, extending the reach and speed of investigations. dealing particularly with With EVE, when a computer Police will implement EVE nationwide, including: infringements of copyright, is seized and provided to the Police will drive any legislative changes required and progress New Zealand’s computer-related fraud, child • a targeted training programme for ECL staff and frontline investigators ECL, staff will create a virtual adoption of the European Convention on Cyber Crime. pornography and violations ‘image’ from the physical of network security. It also computer then run specialist • a mobile EVE for use in court or for investigation at crime scenes or contains a series of powers and analysis and indexing tools to remote areas procedures such as the search enable the search capability. The of computer networks and virtual copy is then placed on a Once proven, there is potential to make EVE available to other enforcement groups interception. Storage Area Network (SAN) and and jurisdictions, providing benefits beyond Police. made available to the frontline The Convention is the product investigator via the Police E-SOCO of four years of work by Council enterprise network. of Europe experts, but also by Ensuring appropriate seizure and preservation of computer items for forensic the United States, Canada, When an investigator accesses examination is essential to obtaining electronic evidence. EVE simplifies some of Japan and other countries the virtual copy it is loaded as these tasks, reducing the reliance on ECL specialists. which are not members of the a virtual machine and they can organisation. then see the computer in the Providing trained e-SOCOs to carry out this work will ensure integrity of evidence An additional protocol same way the suspect sees is maintained, while reducing the lead time in making such evidence available to it. Using simple search tools supplementing the Convention frontline investigators. This will also further reduce the ECL workload, enabling more makes any publication of racist the investigator can quickly focus on specialist evidence recovery. search through the data on the and xenophobic propaganda via computer to identify anything computer networks a criminal Police will establish the role of e-SOCO, with appropriate training and procedures, offence. relevant to the investigation. enabling the seizure and transformation of electronic evidence into EVE, without The introduction of EVE is involvement being required from the ECL. Non-European states who have expected to reduce lead times signed up to the Convention in obtaining electronic evidence include: from months down to days, • United States significantly increasing the throughput of the ECL and the • Canada investigative capability of the • Japan investigators. • South Africa

14 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 15 Integrity The growth in e-crime places increased reliance on electronic (or digital) evidence. Strategy Review The integrity of digital evidence and the process by which it is obtained is essential in successfully prosecuting e-crime. and Governance Laboratory accreditation provides Police, Courts, New Zealand enforcement agencies and their international counterparts with assurance as to the standard of The Crime Laboratory The governance of this e-crime strategy and the measures arising from it reach Implementation of the E-Crime forensics examination. This is particularly important in international investigations Accreditation Program of the across many areas of policing. These include operational responses to e-crime Strategy to 2010 involves several American Society of Crime where evidence recovered by the ECL is presented in courts overseas. key initiatives. Laboratory Directors/Laboratory prevention and investigation and the development of Police capabilities through Accreditation Board (ASCLD/ ECL Accreditation training, research and resource development. Additional capability will need to be acquired or reallocated by LAB) is a voluntary program in Accreditation shows that the ECL meets international standards for forensic which any crime laboratory may E-crime also reaches across traditional crime areas and criminal groups as well Police, to fund the key initiatives participate to demonstrate that examination of digital evidence. Accreditation forms part of a laboratory’s quality as some having new features that have emerged with the growth of the electronic and the ongoing development its management, operations, assurance programme, which also includes proficiency-testing, continuing environment. and participation in key personnel, procedures, education, and other programmes to help the laboratory give better overall service to partnerships and forums. The strategies in this document also affect a wide variety of Police staff and equipment, physical plant, the criminal justice system. The next steps in progressing security, and health and safety domestic and international partner agencies. the E-Crime Strategy include: procedures meet established The American Society of Crime Laboratory Directors/Laboratory Accreditation Board Because of the diversity of measures required to address e-crime, it is appropriate standards. (ASCLD/LAB) is an internationally recognised accreditation programme, based on • prioritise initiatives and assign that the Commissioners govern this strategy. Key roles include: ownership Accreditation is granted for a the ISO 17025 standard. period of five years provided that • Executive Sponsor: Deputy Commissioner, Operations • agree a programme of work a laboratory continues to meet Preparation for accreditation can be a lengthy process, ensuring that identified and associated resourcing ASCLD/LAB standards. standards and processes are in use for: • Business Owner: National Manager, Crime Services requirements Laboratories in New Zealand • administration and resourcing (including budget, management • Performance Management and Review: Assistant Commissioner, • incorporate initiatives into with current ASCLD/LAB information systems, job descriptions, performance reviews) Strategy, Policy, and Performance annual business plans / accreditation are: prepare business cases as • organisational structure and delegation of authority (see also ECL and The key elements of governance include: required • ESR E-Crime Structure, page 8) • Police Document Examination • an annual progress report to the Police Executive of the strategy and its Service • evidence control and quality management impact • personnel qualifications and proficiency testing • incorporation of actions into the performance management framework • physical layout and lab conditions (including security, design, health • a review of the strategy to be completed by 30 September 2009 and safety) Risks and issues associated with this strategy will be identified as part of the Police will implement formalised standard operating procedures, high-quality exhibit business unit planning process and in consultation with the Risk Advisor and the management, appropriate lab conditions, and other national practices required to Organisational Performance Group. The planning will cover strategic and operational achieve ASCLD/LAB international accreditation. risks in relation to services, capability, and change.

16 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 17 Appendix A: Appendix B: National E-Crime Structure Summary of Actions

E-Crime Initiative Actions Timing Owner Success Indicators

Government Police Executive International Organisation 1. Develop, agree, and implement the 2007 Electronic Crime • national service provision with Industry Agencies, Groups, Strategy/Governance national e-crime structure for the Laboratory single line reporting Netsafe, etc and Forums Electronic Crime Laboratory (ECL). • the ECL is responsive to District Relationships workload pressures • there is consistency of operation Management across all ECL facilities

National Operations 2. Develop, agree, and implement the 2008 Crime Service • Police are responsive to Investigative/Intelligence Forensics/R&D national e-crime structure for the National Centre requests for assistance in Cyber Crime Centre (NC3). investigating cyber crime

Capability 3. Police will extend the use of preview 2007 Electronic Crime • preview clinics and mobile clinics to each District. Laboratory phone booths provide investigators with results in a short timeframe 4. Police will implement mobile phone 2007 Electronic Crime booths in each District with appropriate Laboratory • ECL staff are focussed on National Electronic support and guidance for District staff. specialist analysis and evidence Interpol recovery, with reduced delays Public Cyber Crime 5. Police will appoint E-Crime Liaison 2007 Districts for investigations Centre for Critical Infrastructure Crime Laboratory Courts Protection (CCIP) (NZ and International) Officers for each District to facilitate local • Investigators are using EVE with Computer Emergency Response Centre (Wellington) ECL activities and communications. Team (CERT) success in resolving crimes Industry (Telecom, Internet Service Providers) • improved understanding of 6. Develop and implement the Environment 2008 Electronic Crime e-crime and electronic evidence for Virtualised Evidence (EVE), including: Laboratory throughout Police – a targeted training programme for ECL staff and frontline investigators – a mobile EVE

7. Establish the role of e-SOCO, appoint 2009 Electronic Crime • improved identification and and train e-SOCOs in the identification Laboratory seizure of electronic items for Investigations E-SOCO and preservation of electronic evidence, evidence recovery (NZ and International) (Districts) including transformation of evidence into EVE. • short lead times for Investigators to access electronic evidence

8. Review legislation alignment with 2009 Electronic Crime • progress in ratifying the European Convention on Cyber Crime, Laboratory convention driving any changes required and progressing New Zealand’s adoption of the convention.

9. Encourage the sponsorship of research ongoing Electronic Crime • Police have a clear to clarify the extent, scope, and impact of Laboratory understanding of the extent, e-crime in the New Zealand setting. scope, and impact of cyber crime in New Zealand 10. Police will collect and analyse e-crime 2009 Electronic Crime data, providing intelligence and direction Laboratory to investigations, and strategies to address e-crime.

18 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 19 E-Crime Initiative Actions Timing Owner Success Indicators

Integrity 11. Obtain international accreditation of 2009 Electronic Crime • the ECL is a world class and the ECL, based on the ASCLD/LAB Laboratory internationally accredited International accreditation programme for forensic laboratory Digital Evidence. • consistency of practices and standards across all ECL facilities

12. Review of the e-crime strategic plan. 2009 Crime Service • initiatives on target to achieve Centre desired outcomes

Partnerships Government: ongoing Electronic Crime • Police working proactively with Laboratory stakeholders 13. Coordinate with the CCIP in responding to e-crime incidents affecting critical • Police are responsive to services, formalising requirements to requests for assistance in collect evidence and meet other criminal investigating cyber crime investigative obligations. • Memorandum of Understanding 14. Build protocols for effective coordination in place with local agencies between the Customs Service, Security facilitating the sharing of and Defence agencies, and the information and resources Department of Internal Affairs, through mechanisms such as Combined Law Agency Groups, the Departmental Committee on Computer Security and the Officials’ Committee for Domestic and External Security, Officials’ Committee for Review of Internet Security. 15. Support and contribute law enforcement perspectives to initiatives arising out of the work of the Information Technology and Telecommunications Policy Group in the Ministry of Economic Development, the ICT branch in the State Services Commission, and the CCIP.

Industry: ongoing Electronic Crime • community have trust and Laboratory confidence in Police 16. Support the Internet Safety Group, which heightens community awareness and • Police working proactively with provides policy responses to e-crime stakeholders issues. 17. Work with Internet service and telecommunication providers to enable access to records of traffic information to assist the investigation of crime (pursuant to search warrants). 18. Establish and maintain relationships with major technology stakeholders, eg Microsoft and Cisco.

International: ongoing Electronic Crime • Police working proactively in Laboratory partnerships with international 19. Work with the Australasian Police stakeholders Ministers Council (APMC) to improve the regular sharing of information, skills • Memorandums of Agreement in and response capability among e-crime place to facilitate the sharing of managers. information and resources 20. Work with the United Nations Convention against Trans-National Organised Crime to address issues hindering Police ability to deal with international jurisdictions, including provision of mutual legal assistance, extradition, law-enforcement cooperation and technical assistance.

20 E-CRIME STRATEGY TO 2010 E-CRIME STRATEGY TO 2010 21 Published by New Zealand Police PO Box 3017, Wellington ISBN 978-0-477-10059-5 (paperback) ISBN 978-0-477-10060-1 (pdf) www.police.govt.nz

22 E-CRIME STRATEGY TO 2010