4.1. Receive report
- Any report or allegation of the presence of illegal material on a University system must be immediately recorded in writing and passed to the Authorizer responsible for that system. Only they can authorise further action. The written record must include how the presence of the material was detected: in particular, staff must never proactively seek out illegal material.
- Do not start an investigation without authorisation from the Authorizer. Authorisation will be given in writing. In particular, do not investigate an allegation on your own.
- The Authorizer will contact University Personnel in the Central Offices (or the college equivalent) if a staff member is involved, or the Proctors if a student is involved, to inform them of the action being undertaken.
- Normally, the Authorizer will report the matter to the police and be guided by them in all further activities. If the Authorizer is not available, call the police and inform the Authorizer as soon as possible.
- Reports of material elsewhere on the Internet, for example on public websites, should normally be passed to the Internet Watch Foundation.
4.2. Obtain written authorisation (MoU principle 1)
The only situation involving illegal material that need not be immediately reported to the police is where there has been an unverified allegation that a member of the organisation has been accessing such material. Unfortunately there have been cases where such allegations have been made falsely and maliciously. If there is real doubt over the accuracy of a report, the Authorizer may need to authorise appropriately skilled members of staff to perform the minimum checks necessary to confirm the presence of such material on University systems or elsewhere.
If you are authorised to deal with an allegation, you will be informed in writing by the Authorizer. The authorisation should identify you, and the authorising manager, by name and job title. All actions to deal with the allegation must always be performed by two authorised staff working together.
As soon as it seems likely that illegal material is present, this must be reported to the Authorizer for them to contact the police. No further investigation may be done unless authorised by the police, and then only by following their instructions to the letter. Staff must not attempt to identify how material came to be on the system, or which users may have accessed it, as doing so is almost certain to damage the credibility of evidence that may need to be presented in court.
4.3. Perform minimum checks needed to confirm the presence of material (MoU principles 3 and 4)
The purpose of the organisation's actions is only to confirm whether illegal material is likely to be present on a computer. This should involve the least possible handling of computer files and disks, both to reduce the risk of exposing staff to harmful material and to do the least possible damage to evidence.
Every action taken must be recorded in writing (ink, not electronic), with every mouse click, command or URL recorded. Where a complex command needs to be recorded, it may be printed out in addition to being written down, but the printout must be signed and dated immediately and inserted into the written record.
Two staff must be present at all times. Both must sign and date every sheet of the record. If possible they should also initial each entry in the record.
If possible, these checks should be performed with the computer disconnected from all networks, to prevent external interference.
Often, checking a list of filenames or URLs visited will be sufficient to confirm suspicions: viewing files or visiting websites should be regarded as an absolute last resort. If it is necessary to visit a suspect website then this should be done with a text-only browser, or at least with all image downloads turned off (ensure you know how to do this before starting the investigation). The text or filenames of a site will often indicate the nature of the content.
As soon as evidence of the presence or absence of illegal material is found, stop any further actions and report to the Authorizer who gave the original authorisation.
4.4. Protect evidence (MoU principles 3 and 4)
The most effective way to protect evidence is to remove power from the computer on which the illegal material is stored (pull the power lead out of the back of the computer, not the mains socket: do not perform a shutdown as this may overwrite evidence).
If, however, the computer cannot be taken out of service for an indefinite period then a backup copy of at least some of the illegal material must be taken before making it inaccessible to users. Ideally this should be a forensic-quality copy of the disk using, for example, the UNIX® 'dd' command or a recognised commercial forensic package. If this is not possible for reasons of space or skill, then a directory listing and a selection of files should be copied to a secure medium, e.g. CD-ROM. Such copying should be the minimum necessary to indicate the scale and nature of the illegal material.
In either case the evidence - computer, disk or backup copies - must be sealed, labelled, signed and dated, and placed in a secure, locked location until it can be handed to the police. Details of the location and its security measures must be recorded in writing. All those with access to the location must be identified and any actual entry into the location recorded and signed.
The incident must not be discussed with colleagues. The material must not be shown to anyone other than, if absolutely necessary, those authorising and performing the investigation. Doing so may compromise the individual and jeopardise any subsequent police investigation.
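An illustration of the forensic-quality 'dd' copy mentioned in 4.4, added here as an example and not part of the University's own procedure: a shell function that images a source, compares SHA-256 hashes of source and copy without opening any file content, and writes a log that can be printed, signed and dated for the written record. The function name, the log format and the use of sha256sum (GNU coreutils) are assumptions of this example.

```shell
#!/bin/sh
# Added example: bit-for-bit copy with dd, verified by hash comparison.
# Assumptions: sha256sum is installed; SRC is a device or file that is
# attached read-only; DEST is on separate, secure media.

image_and_verify() {
    src=$1
    dest=$2
    log="$dest.log"

    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }
    # Never overwrite an existing image: it may already be evidence.
    [ ! -e "$dest" ] || { echo "refusing to overwrite: $dest" >&2; return 3; }

    # Record the exact command and start time for the written record.
    {
        echo "started: $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        echo "command: dd if=$src of=$dest bs=65536"
    } > "$log"

    # Plain dd stops on a read error instead of padding the output,
    # so a successful run can be compared hash-for-hash with the source.
    dd if="$src" of="$dest" bs=65536 2>> "$log" || return 4

    # Hash both sides; only the digests are inspected, never the content.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum < "$dest" | cut -d' ' -f1)
    echo "source sha256: $src_hash" >> "$log"
    echo "image  sha256: $img_hash" >> "$log"

    # Make the image and its log read-only before they are sealed.
    chmod 0444 "$dest" "$log"

    # Exit status 0 only if the copy is identical to the source.
    [ "$src_hash" = "$img_hash" ]
}
```

A non-zero return means the image must not be relied on; the log still records what was run and should be kept with the written record.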
4.5. Make minimum change to prevent access (MoU principle 3)
If the computer containing the material is not taken out of service, then action must be taken to prevent deliberate or accidental access to the material. Such action must make the least possible change to any remaining evidence; advice should normally be taken from the police on appropriate measures. These may include changing the permissions on directories or files to make them inaccessible, or deleting them.
4.6. Report to police (MoU principle 2)
When the authorised actions are completed, the results must be reported to the Authorizer who authorised them. If the presence of illegal material was confirmed or seems likely, this must be reported immediately to the police.