This week in Troyes, France, the University of Technology hosted the fourth French-Speaking Days on Digital Investigations, designed for investigators, prosecuting attorneys, and legal experts in charge of fighting cybercrimes. All the participants in the congress were members of the AFSIN, the Francophone Association for Digital Investigation.
In addition to the usual presentations on the administration of these fields, several talks covered juvenile protection and the tools used to unmask pedophiles and prove their guilt.
(Source: Police Headquarters, Paris)
Investigating alleged cybercriminals is difficult work that often must be completed in 48 hours, the time that police can hold a suspect. The main problem is the amount of data that police must analyze.
On average, each suspect owns:
- 5 hard disks
- 140 CDs or DVDs
- 17 floppy disks
- 4 memory cards and USB sticks
When searching a home or office, finding USB drives is always a challenge. They can be concealed in a pen, a lighter, or many other hard-to-examine locations.
The figures for a single business case are sometimes staggering:
- Up to 31 hard disks
- 14 terabytes of data
- 2.5 million pictures
- 11,000 MSN Messenger contacts to investigate
Only a well-organized methodology, automation, and devotion to the cause can produce results. For security reasons, I cannot describe the characteristics of the police's child-abuse image scanners, but I was impressed by the technology they use. It not only searches for precalculated hashes of known clean and "illegal" images but also analyzes images and videos for visual similarity, finding and grouping child sexual-abuse material. These computers run 24 hours a day; in 2009 their output supported 200 legal actions and 70 arrests.
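The two stages described above, an exact-hash lookup followed by a similarity search, can be illustrated with a generic technique. The following is an added example and is not the police software discussed at the congress (whose internals the talk did not disclose): it pairs a SHA-256 hash set, which matches only byte-identical files, with a difference hash (dHash), a simple perceptual hash that survives re-encoding, brightness changes and light noise because it records only the sign of the gradient between neighbouring pixels. The images are constructed 18x16 grayscale arrays, the threshold of 10 bits is an assumption, and no image library is needed.

```python
"""Two-stage image matching: exact hash set, then perceptual (dHash) similarity.
Added example; not the software described in the post. Images are constructed."""
import hashlib
import random

W, H = 18, 16              # toy image size: shrinks exactly (2x2 blocks) to the 9x8 dHash thumbnail
THUMB_W, THUMB_H = 9, 8


def exact_hash(img):
    """SHA-256 over the raw pixel bytes: matches only a byte-identical image."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def shrink(img, tw=THUMB_W, th=THUMB_H):
    """Area-average a grayscale image (list of rows of 0..255 ints) down to tw x th."""
    h, w = len(img), len(img[0])
    bw, bh = w // tw, h // th
    out = []
    for ty in range(th):
        row = []
        for tx in range(tw):
            block = [img[y][x]
                     for y in range(ty * bh, (ty + 1) * bh)
                     for x in range(tx * bw, (tx + 1) * bw)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img):
    """Difference hash: 64 bits, one per horizontally adjacent pair in the 9x8 thumbnail.
    Only the sign of the difference is kept, so uniform brightness shifts leave it unchanged."""
    t = shrink(img)
    bits = 0
    for y in range(THUMB_H):
        for x in range(THUMB_W - 1):
            bits = (bits << 1) | (1 if t[y][x] > t[y][x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def classify(img, known_exact, known_phash, threshold=10):
    """Stage 1: exact hash lookup. Stage 2: nearest perceptual hash within `threshold` bits."""
    if exact_hash(img) in known_exact:
        return "exact-match"
    best = min(hamming(dhash(img), h) for h in known_phash)
    return "similar" if best <= threshold else "unknown"


# ---- constructed test images (synthetic patterns, not real data) ----
def pattern_image(offset=0):
    """A wrapping diagonal ramp; `offset` simulates a brightness change (max 199 + offset)."""
    return [[(x * 13 + y * 7) % 200 + offset for x in range(W)] for y in range(H)]


def noisy_copy(img, seed=1, amp=3):
    """The same picture after lossy re-encoding, simulated as small seeded per-pixel noise."""
    rng = random.Random(seed)
    return [[max(0, min(255, v + rng.randint(-amp, amp))) for v in row] for row in img]


def random_image(seed=2):
    """An unrelated picture: seeded random pixels."""
    rng = random.Random(seed)
    return [[rng.randint(0, 255) for _ in range(W)] for _ in range(H)]


def demo():
    """Register one 'known' image, then classify four candidates against it."""
    original = pattern_image()
    known_exact = {exact_hash(original)}
    known_phash = {dhash(original)}
    return {
        "identical": classify(original, known_exact, known_phash),
        "brightened": classify(pattern_image(offset=12), known_exact, known_phash),
        "noisy": classify(noisy_copy(original), known_exact, known_phash),
        "unrelated": classify(random_image(), known_exact, known_phash),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>10}: {verdict}")
```

The brightened and re-encoded copies are what an exact hash set misses and a perceptual hash catches; the unrelated image stays far away in Hamming distance. Production systems use stronger perceptual hashes and tuned thresholds, but the decision structure is the same.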
Another talk discussed Facebook investigations. They can run on three fronts:
- By analyzing the data stored locally on the user's computer (cookies, browser cache and other traces), which can be recovered with standard forensic techniques for Internet artifacts.
- By requesting that Facebook provide data stored on its servers, with or without the user's knowledge (for example, the IP address at account creation, the IP addresses of subsequent logins, contacts, etc.). Requests sent to subpoena[@]facebook.com have received positive responses on some occasions. Although Facebook's Law Enforcement Guidelines document is confidential, many versions of it circulate on the Internet.
- By querying data the user deliberately left behind. This information is visible in the public area of the profile, but above all it is accessible through a set of APIs and tools that include Facebook Query Language (FQL), the Graph API, and the legacy REST API. With scripting languages, these searches can be automated.
With the Graph API it is also possible to extract photo metadata that is not exposed in the FQL tables. This is a very valuable feature for analyzing users or groups that store illegal photos.
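To show what "automating the searches" looks like in practice, here is an added example (not code from the talk or from Facebook) that walks a paginated Graph-API-style photo feed and aggregates the metadata an investigator cares about: who uploaded each photo, where it was tagged, and in what order. The response shape (a `data` array plus `paging.next`) and the photo fields (`id`, `from`, `created_time`, `place`) are modelled on the 2010-era Graph API; the group identifier, the URLs and the two response pages are constructed so the script runs offline. Against the live service the `fetch` argument would be replaced by an HTTP call carrying a valid access token.

```python
"""Collect photo metadata from a Graph-API-style paginated JSON feed.
Added example; response shape modelled on the 2010-era Graph API, sample data constructed."""
from collections import Counter
from datetime import datetime

# Constructed identifiers and pages (not real users, groups or URLs).
FIRST_URL = "https://graph.facebook.com/GROUP_ID/photos?limit=2"
SECOND_URL = "https://graph.facebook.com/GROUP_ID/photos?limit=2&offset=2"

SAMPLE_PAGES = {
    FIRST_URL: {
        "data": [
            {"id": "101", "from": {"name": "Alice Example", "id": "1"},
             "created_time": "2010-09-20T14:03:10+0000",
             "place": {"name": "Troyes"}},
            {"id": "102", "from": {"name": "Bob Example", "id": "2"},
             "created_time": "2010-09-18T09:00:00+0000"},
        ],
        "paging": {"next": SECOND_URL},
    },
    SECOND_URL: {
        "data": [
            {"id": "103", "from": {"name": "Alice Example", "id": "1"},
             "created_time": "2010-09-21T08:15:00+0000",
             "place": {"name": "Troyes"}},
        ],
        "paging": {},          # no "next": last page
    },
}


def offline_fetch(url):
    """Stand-in for an HTTP GET; returns the already-decoded JSON page."""
    return SAMPLE_PAGES[url]


def iter_items(first_url, fetch):
    """Yield every item across all pages, following paging.next until it disappears.
    The `seen` set guards against a feed that links back to an earlier page."""
    url, seen = first_url, set()
    while url and url not in seen:
        seen.add(url)
        page = fetch(url)
        for item in page.get("data", []):
            yield item
        url = page.get("paging", {}).get("next")


def collect_photo_metadata(first_url=FIRST_URL, fetch=offline_fetch):
    """Aggregate uploader counts, tagged places and a chronological timeline of photos."""
    uploaders, places, timeline = Counter(), Counter(), []
    for photo in iter_items(first_url, fetch):
        who = photo.get("from", {}).get("name", "<unknown>")
        uploaders[who] += 1
        place = photo.get("place", {}).get("name")
        if place:
            places[place] += 1
        # Graph API timestamps look like 2010-09-20T14:03:10+0000; %z parses the offset.
        ts = datetime.strptime(photo["created_time"], "%Y-%m-%dT%H:%M:%S%z")
        timeline.append((ts, photo["id"], who))
    timeline.sort()
    return {"uploaders": uploaders, "places": places, "timeline": timeline}


if __name__ == "__main__":
    report = collect_photo_metadata()
    print("uploaders:", dict(report["uploaders"]))
    print("places:   ", dict(report["places"]))
    for ts, pid, who in report["timeline"]:
        print(ts.isoformat(), pid, who)
```

The same loop works for any paginated endpoint (albums, comments, group members); only the fields pulled from each item change. Because the script never trusts that a `next` link terminates, a malformed or looping feed cannot hang the collection.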
I gave a talk on criminal searches using open sources, and recapped the methods McAfee used to investigate the business Innovative Marketing Ukraine.
We frequently read of the immense gap in cybersavvy between police forces and cybercriminals. The bad guys are way ahead of any attempt to stop them, some say. In Troyes, however, we saw that police investigations have changed and are much more sophisticated than in the past. Despite restricted budgets, law enforcement uses all possible modern equipment and works hand in hand with the security industry and the courts.