Senior Threat Researcher
François Paget is a senior threat research engineer and one of the founding members of McAfee Labs, where he conducts a ...
This week in Troyes, France, the University of Technology hosted the fourth French-Speaking Days on Digital Investigations, designed for investigators, prosecuting attorneys, and legal experts in charge of fighting cybercrimes. All the participants in the congress were members of the AFSIN, the Francophone Association for Digital Investigation.
In addition to the usual presentations on improving the administration of these fields, various talks covered juvenile protection and the tools used to unmask pedophiles and prove their guilt.
(Source: Police Headquarters, Paris)
Investigating alleged cybercriminals is difficult work that often must be completed in 48 hours, the time that police can hold a suspect. The main problem is the amount of data that police must analyze.
On average, each suspect owns:
When searching a home or office, finding USB drives is always a challenge. They can be concealed in a pen, a lighter, or many other hard-to-examine locations.
The records for a single business are sometimes staggering:
Only a well-organized methodology, automation, and devotion to the cause can produce results. For security reasons, I cannot describe the characteristics of the police’s child-abuse image scanners, but I was impressed by the technology they use, which not only searches for precalculated hashes of known clean and “illegal” images but also, based on similarities, analyzes images and videos to find and group child sexual-abuse elements. With 200 legal actions in 2009 and 70 police arrests, these computers run 24 hours a day.
Another talk discussed Facebook investigations. They can run on three fronts:
With GraphAPI, it is also possible to extract several photos’ metadata information that is not included in the tables. This is a very valuable feature for analyzing users or groups that store illegal photos.
I gave a talk on criminal searches using open sources, and recapped the methods McAfee used to investigate the business Innovative Marketing Ukraine.
We frequently read of the immense gap in cybersavvy between police forces and cybercriminals. The bad guys are way ahead of any attempt to stop them, some say. In Troyes, however, we saw that police investigations have changed and are much more sophisticated than in the past. Despite restricted budgets, law enforcement uses all possible modern equipment and works hand in hand with the security industry and the courts.