This article is a recap of some of the main highlights of the Digital Forensics Research Workshop (DFRWS) held in Amsterdam from the 7th – 9th of May; over the next few weeks we will also be bringing you a number of interviews and research updates from the conference.
DFRWS brought together academics and digital forensics practitioners from all over the world to provide an overview of current research and future challenges in the field of computer technology.
There was a large amount of research into helping law enforcement officers on the ground; the lack of specialised digital skills within forensics units was a strong talking point throughout the conference. Peter Zinn, the Senior Cybercrime Advisor for the Dutch National High Tech Crime Unit, spoke about how the pace of change within digital forensics makes it difficult for law enforcement agents to keep up to date. He highlighted the difficulty with preventing criminals who are predominantly active online, citing two of the main problems as being the general availability of internet access and the concept of the internet having “no borders”, making it difficult for cases to be built against web-savvy criminals who work across international borders.
Zinn suggested that law enforcement agents could make better use of publicly available or easily accessible data, pointing out that constant web monitoring is expensive and relatively ineffective, and breaking encryption puts everybody at greater risk. However, the amount of data that can be scraped from the open web is not to be underestimated and could probably be used more effectively in criminal investigations.
Christian Winter and York Yannikos discussed robust image hashing, specifically the automation of detection of indecent images of children. Whilst several options are currently available, the error rates are too high to allow them to run unattended, meaning that a high level of human interaction is still necessary and the backlog continues to grow. Semi-automated processes such as the prioritisation of images tend to be more effective, and the next step would be working out whether an image is already known. Block hashing is one way of doing this, and this is the team’s focus at present. The improvement of approximate matching efficiency was put forward as an open research concept, along with the question of whether approximate matching could be used to detect variations of known malware.
Interagency communication was another focus of the conference, with several candidates positing this as a way to ease the backlog in criminal investigations. This was one of the main take-aways from the panel discussion on backlogs, which took place on the first day. The volume of digital evidence is constantly expanding and is no longer solely relevant to online crimes. With higher connectivity generally and the proliferation of mobile devices, low-tech and “offline” crimes are increasingly requiring a digital component during the investigation.
The amount of data is growing exponentially; the number of experts isn’t.
Several panel members brought up the difference in backlog between law enforcement and the private sector; often the latter have a far shorter backlog in investigation. It was suggested that this may be because private sector companies can turn cases down more easily, whereas police are required to respond to a call for assistance.
Triage is one of the main areas that needs to be addressed, as well as up-to-date training for digital forensics experts who are employed by law enforcement agencies. Traditional training structures do not generally apply when it comes to digital investigation, but law enforcement employers are not used to constantly updating their employees’ training and may be reluctant to do so due to the time and financial outlay required.
Frans Kolkman from the Dutch National Police expressed the problem succinctly: “If you are a company which is drilling holes and selling drills, then your world is probably not what you think. The customer wants holes, he doesn’t care about drills. We’re all talking about digital forensics, but the people we’re working for want to find stuff, they don’t care about forensics. We have nice tools and expensive equipment, but at the end of the day they don’t care.” Kolkman championed the idea of connecting ‘real life’ with digital forensics; connecting the police databases with the systems used by digital forensics professionals to extract useful and relevant data, rather than allowing some information to lie dormant.
It is often difficult to explain to non-experts how digital evidence is forensically extracted, and how it can back up certain elements of a case. Christiaan Alberdingk Thijm from Bureau Brandijs discussed this problem, adding that it is important to be able to demonstrate that extrapolated data backs up facts rather than theories. Proprietary technology not only makes it more difficult for forensic examiners to extract data, but also for them to explain what the technology is and how it works to a jury made up of members of the general public.
Thomas Gloe of Dence Germany discussed the forensic analysis of digital video formats, specifically semantic interpretation, source/author data and whether a video is original or has been altered. Statistical analysis can help to detect traces of manipulation or post-processing, but there are so many video formats available that determining where a file originated and precisely how it has been altered can be very difficult.
Europol’s Mikael Lindstroem gave an overview of EC3, the European Cyber Crime Center, and how it is structured. Agencies like Europol can be especially helpful in international investigations where certain countries do not want to send data directly to other places; Europol can comply with each territory’s security requirements whilst building an international case.
There are a number of challenges that are specific to international cases; for example, Lindstroem spoke about a case in which two law enforcement agents from separate countries were accidentally “grooming” each other online; the fact that everyone involved was an agent was not uncovered until the investigation reached a critical point. An international database of current criminal investigations and who the investigators are was posited, but the suggestion was struck down due to the likelihood that it would be hacked.
Recent privacy laws across Europe have also hampered some investigations; for example, Europol now do not keep logs of data extracted from paedophile networks due to the questionable ethics of housing and utilising such data.
The third day of the conference involved several workshops in which participants were split up into groups and asked to conduct investigations. Kelvin Wong from Hong Kong Police led a ‘Real Network Forensics Kungfu’ workshop which tackled questions of counterespionage and Skype forensics.
The next DFRWS conference will take place in Denver, Colorado from the 3rd – 6th of August 2014. Anyone interested in attending should consult the official website for further details.