12 August 2015
On the anniversary of this infamous crime, we ask - how would it be investigated if it happened in 2015?
52 years ago, on a quiet piece of track somewhere in Buckinghamshire, a Royal Mail train was held up by a gang of 15 men, who robbed it of the large quantity of cash it was hauling to London. After a successful raid they made off with £2.6 million (equivalent to £50m today) and although most of the gang were eventually arrested and imprisoned, it required one of the largest criminal investigations in UK history. As such, we’ve decided to have a look at how the robbers might have been caught by electronic or computer-based evidence if the crime had been attempted in 2015.
The first thing to acknowledge is that whilst there is valuable cargo still transported on the UK’s train network, it’s not likely that such large sums of cash are moved like they were in 1963. It’s also been many years since the Royal Mail sorted letters on its Travelling Post Office (TPO) and we know that advances in crime scene investigation would also yield more clues, so please forgive the licence we granted ourselves in this article.
In order to look at how a robbery like this might be investigated today we’ve broken it down into a number of elements. In each one we describe how the robbers may have operated today and as such how they may have been found and caught after the fact. Whilst it would still be the job of the police to run the investigation it’s likely that it would involve the co-operation of a number of private companies. In fact the way these companies might be investigated is very similar to how we perform incident response work for our clients on a day-to-day basis.
If you are interested in the story of the Great Train Robbery then there are plenty of places to go and learn about it. We’ll not repeat the whole story here, but for those who are familiar with it we’ll hopefully have some fun on our journey through the planning, execution and aftermath of one of the UK’s most infamous crimes.
During the robbery, the gang were provided with intelligence by someone dubbed “The Ulsterman”. They were later discovered to be a postal worker with some inside knowledge of Royal Mail operations and in particular the mail trains. A particularly careless robber in today’s world may pass on similar intelligence via social media or send it by email. In either situation a forensic analysis of any suspect’s personal computer and smartphone may reveal these conversations.
Additionally, if they had used corporate systems to send the information to the gang then investigating those systems and performing computer forensics on them would be a profitable exercise. That assumes there is sufficient logging enabled in that environment, something that isn’t often the case! Actively monitoring for sensitive data being leaked from the environment is another possibility, but it is only likely to have worked if the exfiltration of data was blatant and the informant was not sufficiently skilled to avoid detection.
So stopping the robbers by intercepting the data passed by the informant would be tough but finding them after the fact may be possible.
Whilst the information provided by the informant was useful it would not be enough to plan the operation. That would require gathering more intelligence about the train timetable, the location where the train would be stopped and getaway routes. The police spotting all of this before the robbery took place would again be a tough ask without some form of tip-off. However, after the fact there are places you could go and look for clues.
The robbers may now use online resources to gather information, potentially searching for planned train movements and using online maps rather than paper ones in their planning. Operating in this way would reduce the risk of having to visit locations beforehand. Reviewing the log files generated by online resources such as mapping sites and timetable databases, looking for queries about the location of the robbery and the train itself, would be a valuable exercise. Correlating these and then mapping them back to source IP addresses may also produce results, especially if the robbers had not taken steps to hide their electronic tracks. If their laptops were seized then any cached files on their computers or image fragments from their searches could also be revealed.
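As an added illustration of the log correlation described above (example code written for this article, not part of MWR’s tooling), the snippet below parses two constructed Apache-style access logs, one from a hypothetical mapping site and one from a hypothetical timetable site, and reports client IPs that looked up both the robbery location and the mail-train service within a few days of each other. The log lines, site paths and search terms are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache-style access logs from two hypothetical sites, not real data.
MAP_LOG = """\
203.0.113.7 - - [01/Aug/2015:22:14:03 +0100] "GET /map?q=Example+Bridge+Bucks HTTP/1.1" 200 512
198.51.100.23 - - [02/Aug/2015:09:01:10 +0100] "GET /map?q=Wembley HTTP/1.1" 200 512
203.0.113.7 - - [03/Aug/2015:23:40:51 +0100] "GET /map?q=Example+Crossing HTTP/1.1" 200 512
this line is corrupt and must be skipped by the parser
"""
TIMETABLE_LOG = """\
198.51.100.23 - - [02/Aug/2015:09:05:00 +0100] "GET /timetable?service=Commuter HTTP/1.1" 200 300
203.0.113.7 - - [04/Aug/2015:00:02:17 +0100] "GET /timetable?service=Mail+TPO HTTP/1.1" 200 300
"""

# Client IP, bracketed timestamp, request path and status code from a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def parse(log):
    """Yield (ip, timestamp, path) for each well-formed line; skip junk lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group(1), ts, m.group(3).lower()

def correlate(map_log, timetable_log, place_terms, train_terms, window_days=7):
    """Return {ip: [paths]} for client IPs that looked up the robbery location on the
    mapping site AND the mail-train service on the timetable site within window_days."""
    place_hits = defaultdict(list)
    for ip, ts, path in parse(map_log):
        if any(t in path for t in place_terms):
            place_hits[ip].append((ts, path))
    window = timedelta(days=window_days)
    matches = defaultdict(list)
    for ip, ts, path in parse(timetable_log):
        if not any(t in path for t in train_terms):
            continue
        for place_ts, place_path in place_hits.get(ip, []):
            if abs(ts - place_ts) <= window:
                matches[ip].extend([place_path, path])
    return {ip: sorted(set(paths)) for ip, paths in matches.items()}
```

In practice the hard part is obtaining the logs from the site operators and handling the volume; the join itself is this simple.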
In this instance it would be difficult to prevent the robbery but the investigation may have generated some leads for the investigating officers.
Stopping the Train
In the near future our trains and signalling systems will be linked by more sophisticated electronic systems and computer networks. As such you might think that stopping the mail train at a red signal today would involve a hi-tech cyber-attack. However, given the complexity of performing such an attack compared to the methods used by the train robbers, it’s unlikely it would be used, even today. Covering up a green light and introducing a red one is theoretically easy to do; stopping the driver from using their mobile phone to call the signalman is the more complex part.
So assuming that they were able to stop the train using their original techniques, tracking down the robbers would probably involve the same kind of detective work used in the 1960s. Tracing the equipment that was used, some of which was left at the crime scene, back to the shops that sold it to them might be one option. Where we might have more luck these days is if the robbers paid for the equipment with credit cards or other electronic means. If they did that and didn’t hide their tracks well enough then the trail might lead back to them, as would purchases made on auction sites such as eBay. Obtaining log files from Internet Service Providers (ISPs) to identify searches for techniques to stop a train would also be another option if the data were available.
So in summary, stopping a train and then keeping it stationary long enough without anyone noticing would be much more difficult today purely because of better communications technology. Investigating the electronic footprint left by researching may also yield results after the fact.
The Getaway Car
Once the robbers had removed the bags of cash from the train they needed to move them by road to a safe house. With no knowledge of the vehicles in use it would be difficult to find them. However, with the Automatic Number Plate Recognition (ANPR) capabilities in modern police cars and roadside cameras, if the vehicles in use were known then detection would be easier. If ANPR capabilities could be centrally linked by the police, the fact that the robbers used two vehicles with the same plates could potentially be flagged as an anomaly in the system. This may then result in the police having another lead to follow, especially if the licence plates had been seen by an eyewitness.
We also know that the gang avoided the police by listening to their broadcasts on a VHF radio. Listening in to police communications is not as easy as it was in those days so that advantage could potentially be nullified. Additionally, once the getaway cars had been found by the police the computer systems within them would be open to investigation. The robbers may have even used the SatNav to find their way, potentially leaving vital evidence of the car’s role in the plot. Maybe the robber would have been careless enough to have driven the car to their house before the robbery and had flagged it in the system as “Home”.
So the electronics in the getaway cars may also have provided vital clues for the investigation and sped up the rate at which a picture of the crime could be constructed by the police.
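The “two vehicles with the same plates” anomaly from the ANPR discussion above can be caught by an impossible-travel check: if one plate is read by two cameras so far apart, so close together in time, that no single car could have covered the distance, the plate is either cloned or the cameras are misreading. The example below is written for this article (it is not code from MWR or any ANPR system) and uses constructed sightings, camera identifiers and coordinates; the 180 km/h ceiling is an assumed threshold.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed ANPR sightings: (plate, camera_id, lat, lon, timestamp). Not real data.
SIGHTINGS = [
    ("AB12 CDE", "CAM-A40-01", 51.90, -0.70, "2015-08-08 03:05:00"),
    ("AB12 CDE", "CAM-M1-17",  51.90, -0.10, "2015-08-08 03:10:00"),  # 5 min later, ~41 km away
    ("XY99 ZZZ", "CAM-A40-01", 51.90, -0.70, "2015-08-08 03:06:00"),
    ("XY99 ZZZ", "CAM-M1-17",  51.90, -0.10, "2015-08-08 04:00:00"),  # 54 min later: plausible
    ("XY99 ZZZ", "CAM-M1-17",  51.90, -0.10, "2015-08-08 04:00:30"),  # same camera, re-read: ignored
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))

def find_cloned_plates(sightings, max_kmh=180.0):
    """Return {plate: [(camera_from, camera_to, implied_kmh), ...]} for plates whose
    consecutive sightings at different cameras imply a speed above max_kmh."""
    by_plate = defaultdict(list)
    for plate, cam, lat, lon, ts in sightings:
        by_plate[plate].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cam, lat, lon))
    anomalies = defaultdict(list)
    for plate, hits in by_plate.items():
        hits.sort()  # chronological order per plate
        for (t1, cam1, la1, lo1), (t2, cam2, la2, lo2) in zip(hits, hits[1:]):
            if cam1 == cam2:
                continue  # repeated read at one camera says nothing about travel
            distance = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two cameras at the same instant means infinite implied speed.
            implied_kmh = distance / hours if hours > 0 else float("inf")
            if implied_kmh > max_kmh:
                anomalies[plate].append((cam1, cam2, round(implied_kmh, 1)))
    return dict(anomalies)
```

A real deployment would also need camera-clock skew and known misread patterns (0/O, 1/I) factored in before raising a lead for an officer.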
The robbers went to ground for a few days after the robbery and were holed up in a farmhouse about 30 miles from the scene of the crime. They had bought the farmhouse a few weeks beforehand after searching for suitable locations. However, if this were to occur today the owner may initially have used an online property site to advertise it for sale. As such the robbers could have identified it from the comfort of their living room, once again avoiding the risk of being spotted there. Additionally, the police would also be able to look for likely hideouts using the same sites, especially if the owner hadn’t removed it from the site. Analysis of web logs would also be possible once the hideout had been identified, to link the location with whoever had found it in an online search.
We also need to consider what the robbers would do if they needed to lie low for a few days. Rather than enjoying games of Monopoly using their ill-gotten gains as in-game currency, they would probably feel the need to browse the net and keep tabs on the media reports of the ongoing investigation. Who knows, one of the robbers may have been daft enough to brag on social media, something like “Hiding out after pulling off a big job @theflyingsquad on our tail #greattrainrobbery”. It wouldn’t be the first time a criminal had been tripped up by their communications.
Well OK, maybe they wouldn’t be that misguided but 48 hours without electronic devices is a long time for some people these days and that may have been something the police could have used to track them down.
So whilst the Great Train Robbery isn’t likely to be repeated over 50 years later, it’s been an interesting process to look at how it might be investigated if it were to occur in the modern world. One thing we do observe is that the investigative techniques described in this article, once used solely by the police, are now used in the investigation of cyber-attacks on a daily basis. We can also see that the systems and technologies we use in our daily lives do leave a footprint, and that this can help the investigation of crimes after the fact.
Whether we can and should use data like this to proactively prevent crime is another story and something for another article. So whilst the legacy of the Great Train Robbery lives on, it will clearly remain as a crime of its time. In today’s connected digital world maybe the next big crime that captures the imagination of the public, like The Great Train Robbery did, will be something conducted entirely in “cyber space”. Then we’ll need all of these skills and many more to catch the robbers.
About Martyn Ruks
Martyn Ruks is the Group Technical Director at MWR InfoSecurity, a leading global provider of information security services. He has worked inside the industry as a consultant and researcher for nearly 15 years. He has presented research findings at some of the world's largest security conferences, including Defcon and Black Hat. In recent years he has also jointly authored white papers on Mobile Device Security, Data Exfiltration and Threat Intelligence that have all been published in conjunction with CPNI. In his current role he works closely with organisations with sophisticated security requirements, enabling them to conduct business effectively whilst ensuring their critical assets are secure.