Forensic Focus attended the Forensics Europe Expo at Kensington Olympia on the 29th & 30th of April. This article is a recap of some of the main highlights and over the next few weeks we will also be bringing you a number of interviews recorded at the expo.
The Digital Forensics part of the Expo brought together speakers and exhibitors from law enforcement, software development, academia and elsewhere to provide an overview of the unique challenges around forensics in the computer technology sphere.
There was a strong focus on the investigation of crimes organised through the internet; Charlie McMurdie, the former Head of eCrime for the Metropolitan Police, discussed the unique challenges associated with online marketplaces such as Ghost Market and Silk Road, where consumers can buy anything from illegal drugs to cybercrime tutorials.
McMurdie emphasised that cyber criminals do not need state-of-the-art equipment to conduct their nefarious business; targeting high-profile organisations has become “a step up from playing World of Warcraft; a way for young cyber criminals to validate their hacker capabilities”.
Andrew Beckett from Airbus discussed the rise in cybercrime weapons, beginning with first-generation cyber weapon Stuxnet, which, Beckett explained, was flawed because it was tactical rather than strategic. We have not yet seen second-generation cyber weapons, but Beckett predicts that these will also be tactical in focus, and will probably be short-lived. He highlighted the importance of building in a self-destruct element to any future state-sponsored cyber weapons, in order to prevent them from falling into the wrong hands.
In Beckett’s opinion, cybercrime is changing the state of international relations. Whilst of course there have always been crimes committed across borders, or with international implications, the popularity of the internet in today’s world has made it possible for even fairly simple criminal actions to have international relevance. For example, a criminal organisation based in any given country can easily segregate its data, using servers around the world to make tracing and prosecution more difficult than with “traditional” offline crimes.
Authentication of data was another focal point of the conference; Martino Jerian from Amped talked about the difficulties of validating images for use in criminal cases. Identifying whether an image is an original file can be challenging, but the main issue is with the authenticity of the image’s contents. Three of the main things that Amped look out for in image validation are recapture, staging and misrepresented content; once they are sure that none of these are problematic, they analyse the image itself for signs of modification. Even a relatively simple technique such as cropping or editing the colour saturation can have a strong effect on the perceived meaning of a picture.
Social media based evidence was a central focus of the conference, with several speakers mentioning it as an evolving area to be used in criminal investigations. Neil Smith, an investigative researcher and open source intelligence trainer, provided an overview of the ways in which freeware and social media can be used in this way. There are several commercial databases available which provide sufficient information to gather evidence, particularly concerning individuals’ identities and movements, and many such databases are free to use and easy to access.
Microsystemation XRY’s Paul Baxter discussed the investigation of data on mobile devices, pointing out that there are now more mobile devices than there are people on the planet. The largest growth in recent years has been in Samsung and ‘Other’ devices, such as those with Chinese chip sets. The extreme proliferation of mobile devices has meant that keeping up to date with the investigative tools needed to examine the software is a significant challenge for investigative organisations.
Yuval Ben Moshe from Cellebrite elaborated on this theme, emphasising that in some cases there are backlogs of up to six months for processing mobile devices. He encouraged the decentralisation of forensic capabilities to speed up investigations, for example placing forensic extraction devices in police squad cars to allow data to be analysed “on the job”, as it were.
Cloud storage forensics, a relatively new discipline, was explored by Marco Scarito from RN System Solutions. He discussed ways to find the usernames and passwords in cleartext in Dropbox, Google Drive and SkyDrive. The latter in particular has a relatively simple way of uncovering user data: if the ‘web access’ option has been enabled, it is possible to remotely access a user’s PC, which can be very useful in criminal investigations.
The penultimate talk of the second day was by Richard Leary from Forensic Pathways, who discussed how digital forensic evidence can be managed and standardised. He highlighted three areas that currently present challenges for digital investigators in court, perhaps the strongest of which was the ‘black box’ problem: producers of technology often do not want to explain in detail how they collate data in forensic investigations, largely due to concerns about competition within the industry. Leary advocated a mixture of ACPO and Daubert guidelines to set an overriding standard for interpretation of technical data.
The conference was brought to its conclusion by Professor David Last, who discussed how to maximise the potential of GPS evidence, making reference to his Forensic Focus article of the same name. He stressed the importance of understanding the level of exactness of GPS devices; city centres in particular present an issue here, as satellite signals can be blocked and reflected by buildings, giving a large margin for error.
There were several exhibitors showcasing their investigative technologies at the conference; Forensic Focus caught up with some of them over the course of the Expo, and their interviews will be available soon in the Interviews section.
Some of the forensic tools being presented included the TD3 Forensic Duplicator from Guidance Software, a Tableau device developed for the FBI in the US which in its latest incarnation includes a TDS2 SATA Drive enclosure.
ALI’s laser imaging technology, showcased at their exhibition stand, aims to address some of the challenges associated with the use of CCTV in criminal convictions. Rather than focusing on a single “line of sight”, as it were, the technology allows users to access a 360° laser image of a crime scene.
Other exhibitors included Paraben Software with their range of mobile and computer forensics tools; Magnet Forensics with Internet Evidence Finder (IEF); AccessData with FTK and MPE+; and Belkasoft’s Evidence Center.
The next Forensics Europe Expo will take place on the 21st – 22nd April 2015. Anyone interested in speaking or exhibiting should contact Rob Lozowski via the contact details here.