Tools and Techniques
Outline
• General Introduction NFI
• Department for Digital Technology
• Working Groups within DT
• Future developments
• Communication
National Situation
7 Computer crime units
26 Basic law enforcement
National
NFI and KLPD
superregional
regional
Digital Technology
• From 1985 till 1995 part of Hand and Machine Writing department
• 1992 : 2
• 1994 : 5
• 1997 : 23
• 1998 : 23
• 2002 : 34
3 Core Activities
• Forensic Investigations
• Research & Development
• Centre of Expertise
Organisation
NFI Digital Technology
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing & Biometrics
Outline
• Introduction
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing and Biometrics
• Future developments
Activities of Open Systems group
• Media analysis: disks, tapes
• Crack passwords and security
• Reverse engineering
• Find hidden data
• Data Interception
• Investigation of Hacking
Media Analysis
• Different kinds of media: disc, tape, hard disc, zip, MO, chipcards, …
• File System Analysis: FAT16, FAT32, NTFS, Mac, Unix, Linux, VAX/VMS, ..
• Large hard disks / RAIDS
Tape, chip, MO, CD formats
“Imaging” and analysis
• Do not change the data !!!!
• Compute a unique hash value for comparison
• Own development (VAMP) stopped due to other developments e.g.:
– Ilook
– Encase
– Forensic Toolkit
Quality assurance
• Validation of commercial products is often not possible, since source code is not available
• Resulted in own version of dd – rdd that handles bad blocks more properly
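An added sketch of the two imaging rules above (do not change the data; compute a hash for comparison) combined with bad-block handling. It is not NFI's rdd or code from this presentation; zero-filling unreadable blocks, the 512-byte block size, SHA-256 and the names FlakySource, image_medium and verify_image are assumptions of the example.

```python
import hashlib
import io

BLOCK = 512  # assumed block size for this sketch


class FlakySource(io.BytesIO):
    """Constructed stand-in for a damaged medium: reads at bad offsets fail."""

    def __init__(self, data, bad_offsets):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, size=-1):
        if self.tell() in self.bad_offsets:
            raise OSError("simulated unreadable block")
        return super().read(size)


def image_medium(src, dst, total_size, block=BLOCK):
    """Copy src to dst block by block; return (sha256 hex, bad block offsets).

    src is only ever read. An unreadable or short block is zero-filled in
    the image and its offset recorded, so later offsets stay aligned.
    """
    digest = hashlib.sha256()
    bad = []
    for offset in range(0, total_size, block):
        want = min(block, total_size - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)
        except OSError:
            chunk = b""
        if len(chunk) != want:
            bad.append(offset)
            chunk = b"\x00" * want
        dst.write(chunk)
        digest.update(chunk)
    return digest.hexdigest(), bad


def verify_image(image_bytes, expected_hex):
    """Re-hash a stored image and compare it with the acquisition hash."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_hex


def demo():
    data = bytes(range(256)) * 8  # constructed 2048-byte "medium"
    src, dst = FlakySource(data, bad_offsets=[1024]), io.BytesIO()
    digest, bad = image_medium(src, dst, len(data))
    return digest, bad, dst.getvalue(), data
```

The list of bad offsets belongs in the case notes next to the hash, because the hash describes the image as acquired, not the unreadable parts of the original medium.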
Crack passwords and security
• Reverse engineering
Applications of Reverse Engineering
• Crack passwords and security
• Check working of software for media access
• Reconstruct working of suspect software: virus, fraud, etc.
Encryption
• Crack passwords from Word datafiles etc.
• Commercial Software cracking packages - Accessdata
• Own developments of cracking passwords
• e.g. DES / https
www.hippiesfromhell.org/ linz.asp
Stego
• Also in other traffic – audio-files / ip-traffic / word-files etc.
• The number of tools for stego is growing rapidly : now over 150 on the Internet
• For detection knowledge of statistics is needed
• Often combined with other crypto-products
Data Communication
• Internet (ADSL, cable etc.)
• (Voice) Networks
• Wireless Nets (WAP, IEEE-802.11b, Bluetooth)
New Protocols / equipment
Hacking
• Defacing
• Steal Data (credit card numbers)
• Disrupt services
Forensic Evidence needed
• Log files
• Files that have been transferred
• Problem : who was behind the keyboard, and was someone behind it ?
Outline
• Introduction
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing and Biometrics
• Future developments
Data Analysis
• Filtering of relevant data
• History of data, log file analysis
• Patterns in large amounts of data
Filter data
• Standard files of Operating Systems
• Search for relevant data (keywords)
• Search for known images (e.g. child pornography) by hash or image comparison
• Development of own search procedures
Data Analysis
• Search for patterns in large amounts of data
• Statistical Techniques
• Find relations between data which were not known before
Outline
• Introduction
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing and Biometrics
• Future developments
Camera Identification
• Has a certain picture been taken by a camera ?
• CCD-defects
Pattern recognition
Biometrics
• Biometrics is the automatic identification or recognition of people based on behavioral or physiological characteristics.
• Definition from International Biometric Group in New York
Examples
• Iris scan Schiphol
• Face recognition in airports
Biometric features for identification
• DNA
• Finger print
• Handwriting
• Voice recording
• Face
• Ear print
• Voice
• Iris, retina
• Hand scan
• The way someone enters a password in the computer
Obscure ways of biometrics
• Ear channel
Life detection
• Patent information :
• Heart beat
• Blood pressure
• 3D-shape
• Example influence pupil – light
• Resistance
Gait
Forging biometrics
• Finger Print - silicon cast
• Hand Palm - latex model
• Voice - digital or analog recording
• Face - photograph or mask on face
• Keyboard strokes - recording
• Iris – image of an iris
FearID: earprints as evidence ?
Future case ?
• Who was behind a computer with finger-scan access control at a given time ?
– Low False Acceptance Rate ?
– Keyboard bug ?
Future developments
• More open source developments for software that can be used in court
• Crypto and stego-detection tools
• New protocols for interception
• Data-analysis techniques
• Proper preselection techniques
• Wireless communication – who was sitting behind the computer ?
Security 2010
• Software and hardware devices smaller and faster - more complex
• Detection of security problems is based on a number of statistical techniques
• People live with the feeling that it is possible to have security troubles, like they once were used to regular burglaries
Mobile Devices
• Smaller, integrated in watch, keys, ring or hands in glove
• Access devices (keys) hidden
• Electronic paper
• More tracking options
• Small sensors for blood pressure, temperature and health condition
• Electronic tags
Communication with our customers
• Newsletter
• Meetings with the computer crime teams
• Requests for information and advice
• 200 cases each year handled
International Co-operation
• International Organisation on Computer Evidence (IOCE)
• Interpol (European Working Party on Information technology and crime)
• Lathe Gambit (NATO)
• ENFSI - European Network of Forensic Science Institutes
• Contacts with many labs
• We also accept cases from foreign Forensic institutes (law enforcement)