Tools and Techniques

Upload: yasirsalfi

Post on 05-May-2017


Page 1: Tools and Techniques

Tools and Techniques

Page 2: Tools and Techniques

Outline

• General Introduction NFI

• Department for Digital Technology

• Working Groups within DT

• Future developments

• Communication

Page 3: Tools and Techniques

National Situation

7 Computer crime units

26 Basic law enforcement

National: NFI and KLPD

superregional

regional

Page 4: Tools and Techniques

Digital Technology

• From 1985 till 1995 part of Hand and Machine Writing department
• 1992 : 2
• 1994 : 5
• 1997 : 23
• 1998 : 23
• 2002 : 34

Page 5: Tools and Techniques

3 Core Activities

• Forensic Investigations

• Research & Development

• Centre of Expertise

Page 6: Tools and Techniques

Organisation

NFI Digital Technology

• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing & Biometrics

Page 7: Tools and Techniques

Outline

• Introduction
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing and Biometrics
• Future developments

Page 8: Tools and Techniques

Activities of Open Systems group

• Media analysis: disks, tapes
• Crack passwords and security
• Reverse engineering
• Find hidden data
• Data Interception
• Investigation of Hacking

Page 9: Tools and Techniques

Media Analysis

• Different kinds of media: disc, tape, hard disc, zip, MO, chipcards, …
• File System Analysis: FAT16, FAT32, NTFS, Mac, Unix, Linux, VAX/VMS, …
• Large hard disks / RAIDs

Page 10: Tools and Techniques

Tape, chip, MO, CD formats

Page 11: Tools and Techniques

“Imaging” and analysis

• Do not change the data!!!!
• Compute a unique hash value for comparison
• Own development (VAMP) stopped due to other developments, e.g.:
  – ILook
  – EnCase
  – Forensic Toolkit

Page 12: Tools and Techniques

Quality assurance

• Validation of commercial products is often not possible, since source code is not available
• Resulted in own version of dd (rdd) that handles bad blocks more properly
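An added example, not taken from the slides and not rdd's implementation: one way an imaging loop can combine the two requirements above, hashing what is acquired and handling bad blocks without losing offsets. The names `FlakyDisk`, `read_exact`, `image` and `demo`, the 512-byte sector size, the choice of SHA-256 and the sample medium are all assumptions constructed for illustration.

```python
import hashlib
import io
BLOCK = 512  # sector size assumed for this example

class FlakyDisk(io.BytesIO):
    """Constructed damaged medium: reads touching a bad sector raise OSError."""
    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad = set(bad_sectors)
    def read(self, size=-1):  # only called with positive sizes here
        first, last = self.tell() // BLOCK, (self.tell() + size - 1) // BLOCK
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError("simulated medium error")
        return super().read(size)

def read_exact(src, offset, n):
    src.seek(offset)
    buf = src.read(n)
    if len(buf) != n:  # a short read counts as a failure
        raise OSError("short read")
    return buf

def image(src, dst, total, chunk=8 * BLOCK):
    """Copy total bytes, hashing what is written. A failed chunk is retried
    per sector; unreadable sectors are zero-filled and recorded."""
    digest, bad = hashlib.sha256(), []
    for pos in range(0, total, chunk):
        n = min(chunk, total - pos)
        try:
            buf = read_exact(src, pos, n)
        except OSError:
            buf = b""
            for off in range(pos, pos + n, BLOCK):
                m = min(BLOCK, pos + n - off)
                try:
                    buf += read_exact(src, off, m)
                except OSError:
                    buf += b"\x00" * m  # keeps image offsets aligned
                    bad.append(off // BLOCK)
        dst.write(buf)
        digest.update(buf)
    return digest.hexdigest(), bad

def demo():
    data = bytes(range(256)) * 64  # constructed 16 KiB medium, 32 sectors
    out = io.BytesIO()
    acquired, bad = image(FlakyDisk(data, [5, 20]), out, len(data))
    verified = hashlib.sha256(out.getvalue()).hexdigest()  # re-hash the copy
    return acquired, verified, bad, out.getvalue(), data
```

The recorded bad-sector list belongs in the case notes next to the hash, since the hash covers the zero-filled image rather than the original medium.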

Page 13: Tools and Techniques

Crack passwords and security

• Reverse engineering

Page 14: Tools and Techniques

Applications of Reverse Engineering

• Crack passwords and security
• Check working of software for media access
• Reconstruct working of suspect software: virus, fraud, etc.

Page 15: Tools and Techniques

Encryption

• Crack passwords from Word datafiles etc.
• Commercial Software cracking packages - AccessData
• Own developments of cracking passwords
• e.g. DES / https

www.hippiesfromhell.org/ linz.asp

Page 16: Tools and Techniques

Stego

• Also in other traffic – audio-files / IP-traffic / word-files etc.
• The number of tools for stego is growing rapidly: now over 150 on the Internet
• For detection, knowledge of statistics is needed

• Often combined with other crypto-products

Page 17: Tools and Techniques

Data Communication

• Internet (ADSL, cable etc.)
• (Voice) Networks
• Wireless Nets (WAP, IEEE-802.11b, Bluetooth)

Page 18: Tools and Techniques

New Protocols / equipment

Page 19: Tools and Techniques

Hacking

Defacing

Steal Data (credit card numbers)

Disrupt services

Page 20: Tools and Techniques

Forensic Evidence needed

• Log files
• Files that have been transferred
• Problem: who was behind the keyboard, and was someone behind it?

Page 21: Tools and Techniques

Outline

• Introduction
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing and Biometrics
• Future developments

Page 22: Tools and Techniques

Data Analysis

• Filtering of relevant data

• History of data, log file analysis

• Patterns in large amounts of data

Page 23: Tools and Techniques

Filter data

• Standard files of Operating Systems
• Search for relevant data (keywords)
• Search for known images (e.g. child pornography) by hash or image comparison

• Development of own search procedures

Page 24: Tools and Techniques

Data Analysis

• Search for patterns in large amounts of data
• Statistical Techniques
• Find relations between data which were not known before

Page 25: Tools and Techniques

Outline

• Introduction
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing and Biometrics
• Future developments

Page 26: Tools and Techniques

Camera Identification

• Has a certain picture been taken by a camera?
• CCD-defects

Page 27: Tools and Techniques

Pattern recognition

Page 28: Tools and Techniques

Biometrics

• Biometrics is the automatic identification or recognition of people based on behavioral or physiological characteristics.

• Definition from International Biometric Group in New York

Page 29: Tools and Techniques

Examples

• Iris scan Schiphol
• Face recognition in airports

Page 30: Tools and Techniques

Biometric features for identification

• DNA
• Fingerprint
• Handwriting
• Voice recording
• Face
• Ear print
• Voice
• Iris, retina
• Hand scan
• The way someone enters a password in the computer

Page 31: Tools and Techniques

Obscure ways of biometrics

• Ear channel

Page 32: Tools and Techniques

Life detection

• Patent information:
• Heartbeat
• Blood pressure
• 3D-shape
• Example influence pupil – light
• Resistance

Page 33: Tools and Techniques

Gait

Page 34: Tools and Techniques

Forging biometrics

• Fingerprint - silicon cast
• Hand Palm - latex model
• Voice - digital or analog recording
• Face - photograph or mask on face
• Keyboard strokes - recording
• Iris - image of an iris

Page 35: Tools and Techniques

FearID: earprints as evidence?

Page 36: Tools and Techniques

Future case?

• Who was behind a computer with finger-scan access control at a given time?
  – Low False Acceptance Rate?
  – Keyboard bug?

Page 37: Tools and Techniques

Future developments

• More open source developments for software that can be used in court
• Crypto and stego-detection tools
• New protocols for interception
• Data-analysis techniques
• Proper preselection techniques
• Wireless communication – who was sitting behind the computer?

Page 38: Tools and Techniques

Security 2010

• Software and hardware devices smaller and faster - more complex
• Detection of security problems is based on a number of statistical techniques
• People live with the feeling that it is possible to have security troubles, like they once were used to regular burglaries

Page 39: Tools and Techniques

Mobile Devices

• Smaller, integrated in watch, keys, ring or hands in glove
• Access devices (keys) hidden
• Electronic paper
• More tracking options
• Small sensors for blood pressure, temperature and health condition
• Electronic tags

Page 40: Tools and Techniques

Communication with our customers

• Newsletter
• Meetings with the computer crime teams
• Requests for information and advice
• 200 cases each year handled

Page 41: Tools and Techniques

International Co-operation

• International Organisation on Computer Evidence (IOCE)
• Interpol (European Working Party on Information Technology and Crime)
• Lathe Gambit (NATO)
• ENFSI - European Network of Forensic Science Institutes
• Contacts with many labs
• We also accept cases from foreign forensic institutes (law enforcement)