During December five men from the UK received sentences totaling 17 years after leaking thousands of movies onto the Internet. In an earlier article we revealed how the men were tracked down. Today we'll look more closely at what police and the Federation Against Copyright Theft were looking for when the men were raided.

Following a three year investigation by Hollywood-backed anti-piracy group the Federation Against Copyright Theft (FACT), in December five of the UK’s most prolific movie pirates were sentenced to more than 17 years.

The men, who were behind several interrelated movie release groups including RemixHD, 26K, UNiQUE, DTRG and HOPE/RESISTANCE, were tracked down with techniques detailed in our earlier article but when FACT and the police came knocking, what were they looking for?

TorrentFreak has obtained documents which reveal FACT’s “forensic strategy” in the case and details how the anti-piracy group sought to link the suspects with data gathered in the early stages of the operation.

A check-list shared with police underlined the need to corroborate existing intelligence and, if that was not possible, to determine whether suspects were involved in similar activities.

Find evidence of a conspiracy

As highlighted previously, FACT had long since abandoned attempting to prosecute defendants on copyright infringement grounds, largely since the maximum penalty in the UK for online offenses is ‘just’ two years. Working instead towards charges of Conspiracy to Defraud, officers were instructed to find evidence which would show that the defendants worked in concert (conspired) to defraud.

Since the case was about movies there is little surprise that evidence sought included information linking the defendants to the capturing or camming of movies or anything which indicated copyrighted video had been encoded.

The most obvious items to be searched for included the movies themselves but FACT and the police also searched for video encoding and conversion software plus anything that suggested the defendants were involved in counterfeit DVD production.

On the conspiracy side, it’s clear that securing evidence of communications was crucial. Those carrying out the raid were keen to secure not only emails, but Internet chat logs plus any other related documents such as spreadsheets.

Evidence of uploading infringing content to the Internet plus any discussion of doing so was desired. It was hoped that in part this could be achieved by finding logs from FTP software used to upload videos to servers operated by some members of the release groups.

Logs, logs, software – and more logs

While garage mechanics have their own unique tools to fix an engine or change some oil, Internet pirates’ tools largely exist in the digital domain. However, while the use of a wrench can be forgotten as soon as it’s been placed back in the box, pieces of software tend to have longer memories.

As a result, finding software on the machines of suspected pirates is a top priority since not only do these paint a picture of their owner, but they also carry detailed logs that can incriminate others.

On the machine of Sahil Rafiq police found lots of software designed to manipulate video and audio alongside ripping, encoding and torrent software. A copy of the DRM-busting software DVD Fab was also used in evidence.

At the time of the raid Rafiq’s machine was actually encoding a film but an inspection showed that the machine had been used for encoding before. Server logins, usernames and other passwords also provided useful pointers to previously monitored online behavior.

Also in apparent abundance were logs retained by chat software. The logs detailed links with groups releasing movies on the Internet and revealed discussions with Rafiq’s co-defendants alongside general comments indicating activity in the piracy business.

As is usually the case, FACT took an interest in Rafiq’s cellphone. According to evidence collated by the anti-piracy outfit, this device contained several messages from torrent sites which offered thanks for uploaded torrents.

Reece Baker’s machine had actually been wiped clean and a new operating system installed around two weeks before the raid. While that might have been a good start, when FACT arrived the machine was encoding the movie Gangster Squad which Baker had obtained from a Chinese torrent site.

The presence of the software VirtualDub was also viewed as a negative, as were logins which revealed Baker’s connection to the pirate group DEYA and a dozen uploads to ExtraTorrent.

In common with the others, Baker’s computer also carried lots of chat logs which detailed encoding and uploading of movies. Discussion surrounding the “de-dotting” of cams were seen as a negative as were incriminating comments made over Skype.

Baker’s phone was also seized – that contained a reminder for Rafiq’s birthday.

Like the others, Graeme Reid’s computer contained encoding and ripping software. It also had logins to a server used by the group and chat logs indicating that Reid was the leader of release group RemixHD and involved in another called UNiQUE.

A batch of emails showed how Reid had collaborated with others to source, encode and release movies. In total 1,725 torrent files were found plus DVD copying software.

Ben Cooper’s computer was also found to contain software for encoding and editing movies and carried chat logs confirming that he operated a server used to store films encoded by the groups.

With Scott Hemming it was a similar story. Evidence of encoding, incriminating chat logs with his co-defendants, and logins for a seedbox.

Conclusion

While FACT had built a pretty strong case against all of the defendants during its preliminary investigation, it’s very tempting to conclude that without the troves of information found on their computers, things would have turned out very differently indeed.

Quite how many of the 17 years sentenced could have been avoided will never be known, but it’s not beyond the realm of possibility that the case would have faltered before ever reaching a court room.