Tools and Techniques

1
Tools and Techniques
2
Outline

• General Introduction NFI
• Department for Digital Technology
• Working Groups within DT
• Future developments
• Communication

3
National Situation
7 Computer crime units
regional
26 Basic law enforcement
4
Digital Technology

• From 1985 till 1995 part of Hand and Machine
  Writing department
• 1992 2
• 1994 5
• 1997 23
• 1998 23
• 2002 34

5
3 Core Activities

• Forensic Investigations
• Research Development
• Centre of Expertise

6
Organisation
7
Outline

• Introduction
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing and Biometrics
• future developments

8
Activities of Open Systems group

• Media analysis disks, tapes
• Crack passwords and security
• Reverse engineering
• Find hidden data
• Data Interception
• Investigation of Hacking

9
Media Analysis

• Different kinds of media
• disc, tape, hard disc, zip, MO, chipcards,.
• File System Analysis
• FAT16, FAT32, NTFS, Mac, Unix, Linux, VAX/VMS,
  ..
• Large hard disks / RAIDS

10
Tape, chip, MO, CD formats
11
Imaging and analysis

• Do not change the data !!!!
• Compute a unique hash value for comparison
• Own development (VAMP) stopped due to other
  developments e.g.
• Ilook
• Encase
• Forensic Toolkit

12
Quality assurance

• Validation of commercial products is often not
  possible, since source code is not available
• Resulted in own version of dd rdd that handles
  bad blocks more properly

13
Crack passwords and security

• Reverse engineering

14
Applications of Reverse Engineering

• Crack passwords and security
• Check working of software for media access
• Reconstruct working of suspect software virus,
  fraude, etc.

15
Encryption

• Crack passwords from Word datafiles etc.
• Commercial Software cracking packages -
  Accessdata
• Own developments of cracking passwords
• e.g. DES / https

www.hippiesfromhell.org/ linz.asp
16
Stego

• Also in other traffic audio-files / ip-traffic
  / word-files etc.
• The number of tools for stego is growing rapidly
  now over 150 on the Internet
• For detection knowledge of statistics is needed
• Often combined with other crypto-products

17
Data Communication

• Internet (ADSL, cable etc.)
• (Voice) Networks
• Wireless Nets (WAP, IEEE-802.11b, Bluetooth)

18
New Protocols / equipment
19
Hacking
Defacing Steal Data (credit card
numbers) Disrupt services
20
Forensic Evidence needed

• Log files
• Files that have been transferred
• Problem who was behind the keyboard, and was
  someone behind it ?

21
Outline

• Introduction
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing and Biometrics
• Future developments

22
Data Analysis

• Filtering of relevant data
• History of data, log file analysis
• Patterns in large amounts of data

23
Filter data

• Standard files of Operating Systems
• Search for relevant data (keywords)
• Search for known images (e.g. child pornography)
  by hash or image comparison
• Development of own search procedures

24
Data Analysis

• Search for patterns in large amounts of data
• Statistical Techniques
• Find relations between data which were not known
  before

25
Outline

• Introduction
• Embedded Systems
• Open Systems
• Data Analysis
• Image Processing and Biometrics
• Future developments

26
Camera Identification

• Has a certain picture been taken by a camera ?
• CCD-defects

27
Pattern recognition
28
Biometrics

• Biometrics is the automatic identification or
  recognition of people based on behavioral or
  physiological characteristics.
• Definition from International Biometric Group in
  New York

29
Examples

• Irisscan Schiphol
• Face recognition in
• airports

30
Biometric features for identification

• DNA
• Finger print
• Handwriting
• Voice recording
• Face
• ear print
• Voice
• Iris, retina
• Hand scan
• The way someone enters a password in the computer

31
Obscure ways of biometrics

• Ear channel

32
Life detection

• Patent information
• Hart beat
• Blood pressure
• 3D-shape
• Example influence pupil light
• Resistance

33
Gait
34
Forging biometrics

• Finger Print - silicon cast
• Hand Palm - latex model
• Voice - digital or analog recording
• Face - photograph or mask on face
• Keyboard strokes - recording
• Iris image of an iris

35
FearID earprints as evidence ?
36
Future case ?

• Who was behind a computer with finger-scan access
  control at a given time ?
• Low False Acceptance Rate ?
• Keyboard bug ?

37
Future developments

• More open source developments for software that
  can be used in court
• Crypto and stego-detection tools
• New protocols for interception
• Data-analysis techniques
• Proper preselection techniques
• Wireless communication who was sitting behind
  the computer ?

38
Security 2010

• Software and hardware devices smaller and faster
  - more complex
• Detection of security problems is based on a
  number of statistical techniques
• People live with the feeling that it it is
  possible to have security troubles, like they
  once where used to regular burglaries

39
Mobile Devices

• Smaller, integrated in watch, keys, ring or hands
  in glove
• Access devices (keys) hidden
• Electronic paper
• More tracking options
• Small sensors for blood pressure, temperature and
  health condition
• Electronic tags

40
Communication with our customers

• Newsletter
• Meetings with the computer crime teams
• requests for information and advice
• 200 cases each year handled

41
International Co-operation

• International Organisation on Computer Evidence
  (IOCE )
• Interpol (European Working Party on Information
  technology and crime )
• Lathe Gambit (NATO)
• ENFSI - European Network of Forensic Science
  Institutes
• Contacts with many labs
• We also accept cases from foreign Forensic
  institutes (law enforcement)