The High Tech Crimes Section of the RIS of Rome has national competence in giving technical support to the territorial Arm against crimes involving high technology. This work briefly describes the main fields of forensic examination of digital systems that the Section has faced in recent years, presenting statistics, tools, the methods employed, and some of the new and fundamental problems from a technical and legal point of view.
1. Introduction
The High Tech Crimes Section of the RIS (Reparto Investigazioni Scientifiche, Scientific Investigations Department) of Rome has a peculiar position among the RIS, which are located in Rome, Parma, Messina and Cagliari. This peculiarity has given the High Tech Crimes Section (HTC Section) competence over the whole national territory for investigative activities concerning computer science, data transmission and, in general, digital electronic systems. In this work we refer to this broad subject with the specific term High Tech Crimes, as established by the G8 Group for High Technology Crimes.
2. Technical investigations
The HTC Section of the RIS of Rome usually analyzes digital systems at the request of the investigators, of the Magistrates and, very rarely, of other police forces. The investigators generally seize the digital systems at the crime scene and send them to the Section's laboratories. An alternative practice lets the Section's technical staff take part directly in the seizure at the crime scene, as support, when the operation becomes too difficult from a technical point of view. Exceptions to these procedures obviously arise when the criminal act takes place in a virtual environment (the Internet). It may happen that the Section itself detects the presence of an illegal act and then promptly alerts the investigators, so that the normal investigative flow resumes. Alternatively, an ordinary user notices the criminal act on the Internet and reports it to the investigators (a common situation). Finally, the investigators may identify the crime on the Internet and start examinations, asking the HTC Section and/or external specialists (when the magistracy so decides) for the necessary support.
In conclusion, technical investigations always arise after, or in parallel with, the traditional investigations and remain a support to them, never becoming a self-sufficient element.
3. Areas of study
The areas of forensic scientific study of the HTC Section have widened considerably in the last 5 years, moving from the more traditional study of mass memories (still today one of the most important fields, Internet cases included) to sophisticated and specialized electronic systems. The following categories are experience-based and follow the directives and international publications in the field.
3.1 Forensic analysis of storage units
This is the field often referred to by the term Forensic Computing (FC), of which different definitions have been given. We consider two definitions that together collect all the fundamental concepts: "... the process of Identification, Preservation, Analysis and Presentation of 'digital evidence' in court, guaranteeing its admissibility" [3] and "... the collection and analysis of data following a practice that guarantees freedom from distortions and prejudgments, trying to reconstruct data and facts that happened in the past inside a computer system" [4]. In any case, since FC activities aim to obtain elements that testify to a fact that happened in, or by means of, a computer system, their main characteristic is that they always start after the fact has happened. Note that the two definitions complete and explain each other, because the admissibility mentioned in [3] is, from a legal point of view, precisely the "freedom from voluntary/involuntary distortions and prejudgments (of analysis)" of [4].
The term mass memories covers digital storage units of any nature and working principle, from electronic to magnetic to optical ones. FC must therefore take into account the physical peculiarities of each of these supports, to guarantee an accurate, complete and repeatable analysis (one that does not alter the content in any way). To this end, the predominant factors in the laboratory procedure are the initial copy and the instruments used to analyze the copy.
In [5] it is emphasized that "... the special nature of digital evidence demands additional considerations and some changes with respect to physical evidence", in particular the fact that the information stored in a memory is, by its own nature, independent of the digital system. In practice, without the necessary external (physical) characterization, digital evidence cannot be linked to an apparatus or to a moment in time. A fundamental consequence is that, when working on digital memories and in the absence of specific directives from the operator, distinguishing the copy from the original item is impossible. This indistinguishability principle has led to the preservation of useful data (also called data recovery) and to the equivalent activity on the copy, held on particularly reliable storage supports (optical and/or magnetic tapes with "armor plating").
The copies are characterized by including in them some auxiliary information: date and time of the copy, ID of the operator, comments, etc. These elements are hashed together with the useful data, and the computed values are stored on supports auxiliary to the final supports of the copy. For this purpose FC employs some standard hash functions, such as DIVA [6] (proprietary to the company Computer Forensics Ltd) or MD5 [7] (an open standard widely used by various FC products such as EnCase, ILook, etc.). The hash values computed during the copy are useful to guarantee two essential facts:
- since the hash can be computed both on the original data and on the copied data, and because of the uniqueness property of the algorithms implementing the hash function, it is possible to verify the "absolute" correspondence of the copy to the original data during the cloning process, using this method as a computationally heavy but rigorous error-control system;
- after the copy, the availability of the hash value or values makes it possible to establish whether the copy is still valid and whether there have been alterations (voluntary and/or involuntary).
A very important point concerns the kind of data copy made of a mass storage unit or digital device. At least three levels of copy can be distinguished:
a. Low level physical copy, or bitstream copy: the content of the physical unit is read bit by bit (the sequence being established by the physical address, usually managed by the controller of the storage unit), loading each time the minimal addressable amount of storage (for example the physical sector in a hard disk, the byte in a ROM, etc.) and then recording the same sequence in ordinary binary files (physical image of the unit);
b. Low level file system copy, or cluster copy: the content of a logical partition (structured by a formatting operation for a specific file system) is read bit by bit, loading each time the minimal amount of memory that the file system allows addressing (e.g. the cluster in FATxx), and then recording the same sequence in an ordinary binary file (low level image of the file system);
c. File system copy: part or all of the high level content of a logical partition (structured by a formatting operation for a specific file system), meaning the contents of visible (not deleted) files and directories, is backed up to a file (backup file) in a format particular to the tool employed.
The classic dd function of Unix-like operating systems can, for example, carry out the copies described in a. and b., while the Ghost software tool carries out copies as in c. Thanks to its simplicity of use and the availability of its source code (e.g. in Linux), dd has become a point of reference also for dumping other digital systems, for example smart cards. Unfortunately it gives no forensic guarantee: it performs no correspondence checks, no hash computations, etc. Finally, it must be emphasized that the levels of copy mentioned are not at all equivalent when the aim is to characterize probative elements of a forensic kind. In [10] it is stated that "the persistence of data is enormous. Contrary to what one might think, it is very difficult to remove data from a mass storage unit, even when we want to... we used a hard disk to install first a copy of Windows, then one of Solaris and finally one of Linux, and the result was that with suitable forensic software the files of the two previous installations were easily recoverable...". The search for deleted data (generally very rich in information on the activity carried out) is a fundamental element from the legal point of view, and the three kinds of copy discussed above do not support it to the same degree. In particular, the physical copy in a. keeps all the possible information, including that on the partitions (for example, the co-existence of several operating systems); the copy in b. contains both the deleted files and the visible ones, but includes only one partition and no information about the partition layout; finally, the copy in c. keeps only the content of visible files and directories. Obviously the choice of the type of copy is also tied to the speed of making the copy, which increases from a. to c. The choice of one or another type of copy therefore depends heavily on the type of digital evidence we want to obtain and on the available time.
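As an added example (not code from the original paper nor from the HTC Section), the following Python script shows how an acquisition can combine the block-by-block bitstream copy of level a. with the hash characterization described earlier in this section, which a plain dd does not provide: the source is hashed while it is read, the copy on disk is re-hashed and compared (the correspondence check), and the auxiliary information (date and time, operator ID, comments) is stored in a sidecar record that is itself hashed, so that a later alteration of either the image or the record is detectable. The device file, the operator ID and the 512-byte block size are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Read unit for the copy; 512 bytes stands in for a physical sector
# (a constructed choice for this demonstration).
BLOCK_SIZE = 512


def hash_file(path, algo):
    """Hash a file block by block, so large images need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path, operator_id, comments=""):
    """Bitstream-copy source_path into image_path (what dd does), hashing the
    source data as it is read, then write a sidecar record with the auxiliary
    information (date/time, operator ID, comments) and the data hashes."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    # Correspondence check: the copy on disk must hash to the same value as
    # the source stream; otherwise the acquisition is rejected.
    if hash_file(image_path, "md5") != md5.hexdigest():
        raise IOError("copy does not match source data")
    record = {
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "bytes": total,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "operator_id": operator_id,
        "comments": comments,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }
    # The auxiliary information is hashed together with the data hashes, so a
    # later edit of the record (date, operator, hash value) is detectable too.
    record["record_sha256"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    with open(image_path + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path):
    """Re-hash the image and compare it with the stored record.
    Returns (image_matches, record_intact)."""
    with open(image_path + ".json") as f:
        record = json.load(f)
    stored = record.pop("record_sha256")
    record_intact = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest() == stored
    image_matches = (hash_file(image_path, "md5") == record["md5"]
                     and hash_file(image_path, "sha256") == record["sha256"])
    return image_matches, record_intact


def demo():
    """Constructed scenario: a fake 2560-byte 'device', its acquisition, a
    verification, then a one-byte alteration of the image and a re-check."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "device.bin")
    image = os.path.join(workdir, "device.dd")
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 10)  # constructed content
    record = acquire_image(device, image, operator_id="OP-01",
                           comments="constructed test")
    before = verify_image(image)
    with open(image, "r+b") as f:  # simulate an involuntary alteration of the copy
        f.seek(100)
        f.write(b"\x00")
    after = verify_image(image)
    return record["bytes"], before, after


if __name__ == "__main__":
    print(demo())  # (2560, (True, True), (False, True))
```

The record hash covers the data hashes as well as the date and operator fields, which is the point of hashing the auxiliary information together with the useful data: an image that still matches its MD5 but whose record has been edited is reported as (True, False), and the opposite case as (False, True).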
3.2 Forensic analysis of wireless communication systems
In this field the most important forensic analysis is that of mobile telephones using the various protocols currently in use: ETACS, GSM, GPRS, UMTS. The analysis is carried out by exploring the hardware content of the handset, SIM excluded, and then by analyzing the chip storage units contained in the SIM. While in FC the consolidated experience of thousands of cases allows validated procedures and tools to be selected, the same does not happen in the world of mobile telephones, where methods and instruments vary depending on the technical studies and on the guarantees that the forensic laboratory assures.
As a practice, the HTC Section aims to guarantee minimal alteration of the content of mobile telephone memories, avoiding connection to the network and so working in the absence of radio signals.
Unfortunately there are exceptions to this nearly ideal approach, especially when protections (PIN) of the SIM must be overcome. From the legal point of view the problem is solved by a specific disposition of the magistracy, but from the technical point of view entering the PUK, for example, to bypass the PIN causes an irreversible alteration of the SIM memory.
Other "wireless" systems studied by forensic analysis are wireless LANs, in which various kinds of resources are shared by radio. This sub-field is not only important but also new from the forensic point of view, and we are studying specific solutions by means of experimental systems built by the HTC Section.
Alongside the forensic study of mobile telephones, the HTC Section has been dealing with the world of interceptions and radiolocation and has become the technical referee on national regulatory matters.
3.3 Forensic analysis of computer networks
The HTC Section also carries out investigations into crimes perpetrated through computer networks or exclusively in the virtual world of the Internet. The Internet does not only represent a new instrument in aid of crime: it has also generated new categories of crime for which it is sometimes difficult to find a correct legal framing (sometimes none exists). In addition, the Internet is becoming a new mass medium and an instrument of coordination among common and organized crime.
The HTC Section offers itself as an instrument of support to the Territorial Units of the Carabinieri Arm in this delicate field, supplying continuous collaboration that helps the investigators respond to situations for which technical preparation is required.
Investigative cases may be handled both with the instruments of the RIS laboratory and through actions at Internet service providers (ISPs) directed by the Section's staff. The cases mainly concern: paedophilia, defamation, industrial espionage, terrorism, fraud, etc. In what follows we give some general references to the examination activities carried out by the HTC Section in this field:
3.3.1 Remote control
The increasingly frequent and massive use of e-mail has led to the study of software systems able to spread by e-mail viruses, trojans and remote control software onto the addressee, who is then no longer able to control data leaking from the receiving machine.
Remote control was originally conceived to control and test business networks and to allow the administrator to work on a computer connected to the Internet or an Intranet without being physically present. Remote control can however serve important criminal aims, for example industrial espionage and intrusion.
3.3.2 Intrusion & Cracking
By "intrusion" we mean access to computer resources denied to the requesting user. The protection of resources is entrusted to authorization mechanisms that take various elements into account:
- Password: a private keyword known to the user and sometimes to the system administrator, which allows the actions of the user to be identified;
- Priority and levels: the user may or may not be qualified to use some categories of resources as a consequence of his hierarchical and functional position inside the organization he belongs to. The organization also establishes position levels and the priority of each user on a given resource;
- Times: some computer resources must be available only in specific periods of time (for example the typical office hours, 8:00-16:00), because the organization's rules do not allow using them at other times;
- Physical access: if some resources must not be visible to a class of users, they can be made physically invisible (no connecting cable), but this option has become more and more remote because of the flexibility of use of a totally connected system.
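As an added example (not code from the paper), the following Python function combines the first three elements above into a single authorization decision: the password is checked against a salted PBKDF2 hash in constant time, the user's level is compared with the minimum level of the resource, and the time window is evaluated against the server's own clock rather than any time supplied by the requester. The user table, the resource table, the office-hours window (8:00-16:00 as in the text) and the fixed clock helper are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime, time

PBKDF2_ROUNDS = 100_000


def make_password_record(password, salt=None):
    """Store a salted PBKDF2-SHA256 digest instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def check_password(record, password):
    """Constant-time comparison of the candidate digest with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])


# Constructed user table: credentials plus a hierarchical level.
USERS = {
    "alice": {**make_password_record("correct horse"), "level": 3},
    "bob": {**make_password_record("hunter2"), "level": 1},
}
# Digest checked for unknown users, so a failed lookup costs the same time
# as a wrong password and does not reveal which usernames exist.
_DUMMY = make_password_record("dummy")

# Constructed resource table: minimum level and the time window in which the
# resource may be used (office hours 8:00-16:00 for payroll).
RESOURCES = {
    "payroll": {"min_level": 3, "window": (time(8, 0), time(16, 0))},
    "wiki": {"min_level": 1, "window": (time(0, 0), time(23, 59, 59))},
}


def authorize(user, password, resource, now=None):
    """Return (allowed, reason). `now` is the server clock; it is a parameter
    only to make the check testable and is never taken from the requester."""
    now = now or datetime.now()
    record = USERS.get(user)
    # Always run the password check, even for unknown users.
    ok = check_password(record if record else _DUMMY, password) and record is not None
    if not ok:
        return False, "authentication failed"
    res = RESOURCES.get(resource)
    if res is None:
        return False, "unknown resource"
    if record["level"] < res["min_level"]:
        return False, "insufficient level"
    start, end = res["window"]
    if not (start <= now.time() <= end):
        return False, "outside time window"
    return True, "ok"


def office_clock(hour, minute=0):
    """Constructed fixed server clock for the demonstration."""
    return datetime(2004, 4, 19, hour, minute)


if __name__ == "__main__":
    print(authorize("alice", "correct horse", "payroll", now=office_clock(12)))  # (True, 'ok')
    print(authorize("alice", "correct horse", "payroll", now=office_clock(18)))  # outside time window
    print(authorize("bob", "hunter2", "payroll", now=office_clock(12)))          # insufficient level
```

Keeping the clock on the server side is what defeats the clock-manipulation trick mentioned in the next paragraph, and the salted, constant-time password check removes the most obvious value of a sniffed or guessed digest.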
From such protection constraints arise studies on how to deceive systems: for example, modifying the reference clock of the machine protecting the resources, or assuming the identity of a qualified user after having "listened to" identification messages on the network (sniffing), or tricking the administrator by fax or telephone into handing over identification data by pretending to be the legitimate owner, etc.
Intrusion into a protected computer system is in any case a violation of a private area, because internationally a computer resource is considered private if the organization has provided every suitable instrument to protect its system. We note that in Italy private but unprotected information is nonetheless protected by a very restrictive privacy law, whereas in the rest of the world this is not so common.
In intrusion operations a fundamental role is played by "cracking", that is, the hardware/software procedure used to violate a password-based protection mechanism, or to identify a password, and so obtain protected resources without authorization.
3.3.3 Illegal communications
First of all, the Internet remains a powerful and flexible multimedia mass medium, and therefore the majority of the crimes currently found on the network of networks is illegal communication. In what follows we examine the reference categories of this class of crime:
- paedophilia and pornography on computer networks: a subject of great interest at the moment in Italy and in the rest of the world, which has made the Internet almost a demonic mass medium. The possibility of anonymously sending material about paedophilia (photos, documents, contacts, etc.) is well known to the criminal organizations operating in this field, which sometimes also create reference web sites where they set out the reasons for their exchange activity and the principles of freedom on which such exchanges are supposedly based;
- defamation and threats: usually by e-mail;
- e-mail bombing: e-mails from one user to another pass through a mail server, a computer equipped with a large storage unit and with software able to hold and route e-mail messages. There are techniques, derived from the e-mail communication protocol, that make a great number of messages arrive at the same mail server from different directions until they saturate the server's capacity;
- e-commerce fraud: the communications on which the economic transactions of electronic commerce are based must be extremely secure if errors during transactions are to be avoided. Frauds in this field are varied and very sophisticated: they involve sniffing (listening on the network) and identity theft, by which, for example, credit card numbers can be obtained or transactions charged to other users' cards.
3.3.4 Hacker & Hacking
According to statistics supplied by CERT-it (the Italian CERT), the most common attack techniques are:
- sniffing: capture of data while travelling on the network;
- spoofing: counterfeiting of data;
- denial of service: preventing a computer system from providing its services;
- backdoor: a secret entrance into a computer system that the hacker is able to create for himself;
- e-mail bombing: bombarding a server with thousands of e-mail messages, causing it to crash (a critical malfunction).
3.4 Forensic analysis of electronic systems
The HTC Section of the RIS of Rome also analyzes a great variety of digital electronic systems not properly included in the previous categories. They are often modules that are difficult to analyze, for which the procedural knowledge has to be worked out empirically or obtained through external collaborations (specialized universities, companies, etc.).
Some examples:
- magnetic card cloning systems: micro-cameras, microphones, short/intermediate range transmission systems, magnetic stripe readers, etc. The main problem is demonstrating that these devices are operational, showing their operating range and, where possible, giving the names and data of the defrauded customers. The variety of possible frauds is very wide, but the most common in Italy is skimming, that is, reading and reproducing magnetic credit cards to obtain clones to be used abroad;
- smartcard cloning systems: smartcards, that is, plastic cards equipped with a microprocessor (a digital chip able to store and process information), constitute a new frontier in money and data movement in a technologically advanced society. As an ever-growing investigative field, the category of "smartcard frauds" contains all the possible frauds carried out with smart cards (smartcards are very widespread in those countries where criminality has made great steps forward in recent years). The area of study is very wide and is also connected to credit card frauds on the Internet;
- electronic organizers: an area of study similar to forensic computing, whose only difference is the particular hardware usually analyzed. Such systems have electronic protections, and their overall complexity is lower than that of personal computers. In this sense, the analysis and the overcoming of the protections (removal of the protection password) can be carried out systematically by particular hardware/software instruments that are the exclusive property of the scientific police;
- video surveillance systems: the recording systems used for surveillance in banks and other public places are by now nearly all digital, and therefore store digital video sequences on hard disk instead of analog VHS or other video standards. From this point of view such systems can be considered special-purpose (specialized) computers, and therefore must be analyzed by criteria similar to those of forensic computing;
- priming and weapon control systems: digital systems, often remotely controlled, that allow activating primers, explosive mechanisms, etc.;
- Other…
This field, often referred to as electronic forensics, has a limited volume of technical analyses in quantity but not in importance or in the engagement of the laboratory operators, because every technical examination seems different from the others and it is difficult to bring these analyses together in one category.
3.5 Forensic analysis of software
The activities of the HTC Section in this particular and extended field involve:
- detection of pirated software;
- analysis of video games at the programming and firmware level;
- analysis of protection software to unlock its defence mechanisms;
- use of EEPROM programmers to alter the memories of smartcards.
4. Statistics
The HTC Section uses a database devoted to the handling of the documents relating to technical examinations and all the attributes that characterize them. This electronic archive allows interesting statistics to be drawn: as depicted in figure 1, the volume of cases in the HTC Section has increased.

Figure 1. INVESTIGATIVE CASES DURING THE PREVIOUS YEARS

  Year         2000   2001   2002   2003   2004
  Nr. cases      37     70    119    160    202

This increase brings a remarkable problem of modernization of the staff and of the technical-forensic tools employed for laboratory analysis, especially considering the enormous speed of change and progress of information and telematic systems.
Figure 2 shows, very interestingly, how the cases have been distributed among the several categories of forensic analysis. As shown in figure 2, technical examinations on the Internet, though limited since the Section was born mainly for forensic computing (until today the main field of investigation), have increased from 2000 until today, while analyses of special electronic systems, even if very important in some national cases, have been decreasing in number.
It has to be taken into account that more than 40% of all technical examinations concern child pornography. This percentage too has been rising steadily since 2000, with remarkable repercussions on the technical staff who, beyond having a limited preparation in the specific field of paedophilia, operate in a subject of difficult human approach that, according to some psychological studies, could produce alterations in personality, which have to be checked periodically by tests, interviews, etc.
5. Forensic tools
The HTC Section carries out its forensic analysis activities with some of the most widespread and consolidated tools at national and European level:
- DIBS (Disk Image Backup System): one of the first systems for recovery and analysis of data in forensic computing, now in disuse because of the enormous growth of mass memories;
- EnCase: software for data recovery and analysis in forensic computing, employed for several years by the majority of police forces in the world;
- Linux: a Unix-like operating system whose openness at source level makes it easy to customize, even for forensic purposes (as already done with the "dd" function for dumping mass memories);
- a series of software tools for cracking, decryption, sniffing, tracing, etc., often home-made or obtained by modifying software freely available even at source level. These last are very important for some activities, especially in Internet investigations, but they are generally neither certified nor backed by long experience of use.
6. Technical-investigative problems
Technical investigations in the high technology field hide various problems, both technical and legal. In what follows we give a short overview of some of the most common ones, going from very simple to more complicated questions. The aim is to emphasize the importance of establishing a standard, at least at the European level.
First, because of the mentioned speed of evolution of the field, there is a need for continuous updating of:
- the tools employed;
- the knowledge of the people involved.
Beyond these aspects of guarantee, the optimal legal methodologies should be established that allow an effective investigation, at least at European level, of crimes such as those on the Internet, whose obvious transnational nature has long prevented a considerable number of investigative activities from being continued.
Then there are technical problems, e.g. the increasing storage capacity of mass memories. The filtering process that the operator has to apply depends on his investigative acumen, but the possibility of missing important traces during the analysis of more than 10000 files (a common number on a normal PC) becomes considerable. This is especially true considering that the type of a file can be altered to show a content that does not correspond to the truth, or the file can be subjected to encryption, steganography, etc., which, even when not particularly sophisticated, can prevent the data from being read.
Another technical problem particularly felt by the operators is their ability to correctly evaluate the material under examination. For example, simply establishing whether a pornographic digital image involves a minor or not is something that cannot be delegated to a computer forensic technician, who lacks the knowledge to evaluate such a fact (it is not his specific competence). This problem obviously extends to many other fields of criminality in which the operator is wrongly asked to select the files/data of interest even though he lacks the specific competence.
The last problem, common to many forensic "high tech" laboratories in Europe and all over the world, is the psychological influence that activities on child pornography have on the operators. In recent years a considerable alarm has been raised, leading various scientific Departments to impose periodic checks of the staff involving written tests, interviews, etc.
6.1 Common problems
In order to give guarantees to both parties in court, the procedure of technical analysis of computer or telematic systems has to meet a total quality standard, and in particular it is important to obtain certification and accreditation of:
- the tools of analysis;
- the procedures for the use of the tools;
- the operator who leads the analysis;
- the tools for editing the Technical Reports (reporting);
- the head of the laboratory responsible for the reports.
6.2 Specific technical problems
The HTC Section has met a great variety of specific technical problems during the analyses carried out in the last 5 years. Among them we report some that are important as a basis for further studies and as a term of comparison with other European realities.
Decryption: often examinations that should be solved in a few days last for weeks because of problems in opening archives and/or documents protected by encryption mechanisms. Decryption times vary as a function of the encryption algorithm employed, of the amount of information in the archives subjected to the "breaking" procedure and of the available computing power.
The compressed .zip format employs, for example, a relatively weak algorithm and is susceptible to every kind of attack: brute force, dictionary, mask, known plain text, or attacks aiming to recover the encryption keys directly, regardless of the password. Any of these methods gives access to the archives in reasonable times with a success rate of approximately 95%.
The .rar or .ace formats present greater difficulties: the encryption algorithm they employ is clearly heavier than the previous one, and their intrinsic nature allows only brute force or dictionary attacks, i.e. the attempt to insert in turn passwords recovered from a suitably prepared text file (dictionary) or generated by progressive combination of alphanumeric strings. This method obviously depends on the size of the archives and on the number of files present, since every password generated or read from the dictionary is tried against each of the files in the archive. Decryption speed is therefore inversely proportional to the number of files and reaches, in some cases, a value of 8-10 passwords per second on a computer based on a Pentium 4 at 3 GHz, a value that implies unreasonable computation times for recovering the access keys. In such cases it therefore becomes necessary to exploit greater computing power, offered for example by tools that support distributed decryption over a cluster of computers or, better still, over an entire network of computers.
We note in this regard that the use of networks of PCs for decryption is an emerging reality in Europe, as emphasized by the report of the Cyber Crime conference held in The Hague (L'Aja) on 19th April 2004, and it involves several European High Tech Crime units. In that meeting it was in fact proposed to lay the foundations for a virtual private network, managed at European level by Europol (EU HTC VPN, already active and at least in part operational), that could become an aid to forensic technical investigators for the decryption of files.
Filtering information: the increment of the mass
memories' storing capacity has become a critic problem that until
some years ago was solvable by the technician forensic with a
minimum of wit and experience. It's about the way of filtering the
information of interest in order to recovery data from a digital
mass memory.
There are at least two levels of problems in filtering, but it
could be possible to find a lot more. In particular:
- Choice of evident informations: also admitting
that all the contained information in a storage unit are obvious
(what at all discounted), the burden to select have become them
always greater in the last years because in the first place the
selection is not brutally technical but it must be based on various
factors not informed to us which: the personality and the
technical abilities to the customer, the type of crime, etc. For
example when the High Tech operator has to select some
child-pornographic images among many pornographic images to give
them to the magistracy, he carries out an activity of medical or
psychological nature but surely he is not involved in his
informatic competence.
In this direction there are new studies in the field of criminology
pointing out, for example, the Internet customer's profiling. Such
fascinating field of psychological nature would have to be placed
side by side to the forensic computing during the analysis, aiming
to realize correct selections and, above all, useful to the
indictment and/or the continue the surveyings.
As a practical example, one of the most recurrent technical
assessments is the search of the storage unit of a seized PC for
documents of interest, namely child-pornographic photos that can be
traced back to criminal activity in the field of paedophilia.
In this context the technical assessment, carried out with a
forensic product such as EnCase, allows all the files containing
photos to be analyzed in order to reveal documents of interest for
the investigation. However, the enormous quantity of images usually
found makes the preliminary location of the potentially interesting
files extremely long and tedious. This is all the more true given
that most files containing images (graphics or photographs) consist
of the graphics of the operating system and of the various packages
installed by the user.
The experience acquired in the course of the numerous technical
assessments carried out so far has allowed us to define criteria
that considerably reduce the number of files to analyze.
A first criterion is based on comparing the MD5 hash values of the
files recovered from the storage unit with the hash libraries
available to the technician. In this way it is possible to establish
that specific files belong to specific software packages, whether of
the operating system or of certain applications, which allows a more
or less significant part of the files to be excluded from the
subsequent analysis. The same criterion also allows the immediate
identification of any files containing photos of a
child-pornographic nature, if the MD5 hash values of such files
match those available in appropriate libraries. Building up a rich
library of MD5 hashes generated during previous technical
assessments can therefore be extremely useful.
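A worked version of the first criterion, added here as an example and not the Section's own tooling: the two hash libraries are constructed stand-ins, and three sample files are written to a temporary directory so that the triage runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed hash libraries standing in for the technician's real hash sets.
# KNOWN_GOOD: files shipped with the OS or application packages (excluded).
# KNOWN_ILLEGAL: digests recorded during previous assessments (flagged).
KNOWN_GOOD = {hashlib.md5(b"os-package-icon-bytes").hexdigest()}
KNOWN_ILLEGAL = {hashlib.md5(b"catalogued-in-prior-case").hexdigest()}

def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so large evidence files never load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(paths):
    """Split files into excluded / flagged / review by hash-library membership.

    The known-illegal set is checked first so a file is never silently
    excluded because its digest also appears in a known-good set. MD5
    collisions are practical today, so a flagged match is a lead for the
    examiner to confirm (e.g. with a second hash), not a conclusion.
    """
    result = {"excluded": [], "flagged": [], "review": []}
    for p in paths:
        digest = md5_of_file(p)
        if digest in KNOWN_ILLEGAL:
            result["flagged"].append((Path(p).name, digest))
        elif digest in KNOWN_GOOD:
            result["excluded"].append((Path(p).name, digest))
        else:
            result["review"].append((Path(p).name, digest))
    return result

def run_demo():
    """Write a constructed three-file 'storage unit' to a temp dir and triage it."""
    root = Path(tempfile.mkdtemp(prefix="htc_demo_"))
    samples = {
        "icon.bmp": b"os-package-icon-bytes",       # matches KNOWN_GOOD
        "img0042.jpg": b"catalogued-in-prior-case", # matches KNOWN_ILLEGAL
        "holiday.jpg": b"never-seen-before-bytes",  # unknown: manual review
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
    return triage(sorted(root.iterdir()))
```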
A second selection criterion is based on the identification and
subsequent evaluation of each graphical image, paying particular
attention to JPEG files, the format commonly used for storing
photographs. Evaluating the resolution of each image allows all the
"too small" images to be discarded from the subsequent analysis,
since because of their size they are of no objective interest for
the investigation. This criterion has been put into practice with an
appropriate script for EnCase (versions 3 and 4) that lets the user
specify the minimum resolution of the JPEG images to search for.
The selected files are then marked with a bookmark and, if required,
extracted into an appropriate folder. Two distinct versions of the
script have been developed: the first considers the JPEG files
recovered by EnCase from allocated space and therefore shown in the
table; the second searches for JPEG files throughout the unallocated
space of the storage units under examination. On average, both
versions of the script achieve a 60% reduction in the total number
of JPEG files to analyze.
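Added example, not the EnCase script the Section developed: a Python reading of the second criterion that takes width and height from the JPEG frame header without decoding the image, and applies the same minimum-resolution threshold while scanning a raw byte buffer for JPEG signatures, as the unallocated-space version of the script does. The JPEG headers and the "unallocated area" are constructed inline.

```python
import struct

# JPEG markers: SOI opens an image, SOFn segments carry height/width, SOS
# starts the scan; C4 (DHT), C8 (JPG) and CC (DAC) are not frame headers.
SOI = b"\xff\xd8\xff"
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = set(range(0xD0, 0xD9)) | {0x01}   # markers with no length field

def jpeg_dimensions(data):
    """(width, height) from the first SOFn segment, or None if not a JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                  # lost marker sync: corrupt header
        marker = data[pos + 1]
        if marker == 0xFF or marker in STANDALONE:
            pos += 1 if marker == 0xFF else 2   # fill byte / no-length marker
            continue
        if marker in (0xD9, 0xDA):       # EOI or SOS reached before any SOF
            return None
        if marker in SOF_MARKERS and pos + 9 <= len(data):
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]   # skip segment
    return None

def carve_jpegs(unallocated, min_width, min_height, window=65536):
    """Scan raw unallocated bytes for SOI signatures (like the second script
    version) and keep offsets whose SOF dimensions meet the threshold."""
    hits, start = [], unallocated.find(SOI)
    while start != -1:
        dims = jpeg_dimensions(unallocated[start:start + window])
        if dims and dims[0] >= min_width and dims[1] >= min_height:
            hits.append((start, dims))
        start = unallocated.find(SOI, start + 1)
    return hits

def make_jpeg_header(width, height):
    """Constructed minimal JPEG prefix: SOI, JFIF APP0, SOF0, SOS marker."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, height, width, 3)
    return b"\xff\xd8" + app0 + sof0 + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda"

def sample_unallocated():
    """Constructed unallocated area: a 1600x1200 photo, a 32x32 thumbnail, a cut-off signature."""
    return (b"\x00" * 100 + make_jpeg_header(1600, 1200) + b"junk"
            + make_jpeg_header(32, 32) + b"\x00" * 50 + b"\xff\xd8\xff")
```

A real carver would also locate the EOI marker to bound each candidate; this block stops at the dimension test the page's criterion needs.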
- Choice of non-evident information: there are many methods for
hiding information, from encryption to changing the file extension,
to mixing small files into a large folder such as those of the
operating system. Some of these methods are very simple.
Consider, for example, an investigator looking for digital photos on
a hard disk. First of all he will try to isolate all the files that
could contain such images. His detection will be based essentially
on the analysis of the file extension, focusing on the specific
formats (jpg, bmp, tif, png...) that commonly contain images. In
this way, however, he excludes the files whose extension the suspect
may have modified precisely to divert the investigator's attention
from that particularly sensitive content.
To avoid this, the investigator can use software that compares each
file's extension with its header and reports any anomalies. The
header of a file is a sequence of particular values (byte strings)
placed at the beginning of the file that identifies (unambiguously,
but not always) the type of data it contains. With this technique
the chance that particular files escape the forensic investigator's
attention is considerably reduced; however, files in which an
anomalous header, compatible with the newly assigned extension, has
been deliberately inserted may still be missed.
At present the investigator has no valid analysis tools capable of
revealing files altered this deeply. For this reason it is necessary
to move towards other methodologies for analyzing the content of
storage units that do not depend on examining the file extension
and header, such as statistical scanning.
Faced with this problem, the HTC Section has developed a Windows
program called "FileScanner", with which it is possible to display
graphically some statistical properties that can usefully be taken
into account to characterize the format of files automatically,
avoiding binary analysis.
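Added example, not the Section's FileScanner, combining the two ideas above: the extension-versus-header comparison, and a statistical check (entropy and printable-byte fraction) that depends on neither the extension nor the header and therefore still reacts to a forged header. The signature table, the thresholds and the sample files are all constructed for the example.

```python
import math
import random
from collections import Counter

# Constructed signature table: extension -> accepted leading bytes ("magic").
MAGIC = {"jpg": [b"\xff\xd8\xff"], "png": [b"\x89PNG\r\n\x1a\n"],
         "gif": [b"GIF87a", b"GIF89a"]}

def header_matches(ext, data):
    """True/False if the extension has a known signature, None if unknown."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    return any(data.startswith(s) for s in sigs)

def byte_stats(data):
    """Statistical properties of the whole file: Shannon entropy in bits/byte
    and the fraction of printable ASCII (plus tab/CR/LF)."""
    n = len(data)
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    printable = sum(c for b, c in counts.items()
                    if 32 <= b < 127 or b in (9, 10, 13)) / n
    return entropy, printable

def classify(name, data):
    """Header check first; then statistics catch a forged header, since a
    compressed image body is high-entropy and mostly non-printable."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if header_matches(ext, data) is False:
        return "header-mismatch"
    entropy, printable = byte_stats(data)
    if ext in MAGIC and (printable > 0.9 or entropy < 3.0):
        return "header-ok-but-stats-anomalous"   # forged magic over a text-like body
    if ext == "txt" and printable < 0.7:
        return "stats-anomalous"                 # binary body hiding behind .txt
    return "consistent"

def sample_files():
    """Constructed test set; bodies are a few KB because tiny files give noisy stats."""
    rng = random.Random(7)
    jpeg_body = b"\xff\xd8\xff\xe0" + bytes(rng.getrandbits(8) for _ in range(4000))
    text = b"Minutes of the meeting, 19 April 2004. Items discussed: " * 40
    return {
        "holiday.jpg": jpeg_body,             # real signature, real high-entropy body
        "notes.txt": text,                    # plain text where plain text is expected
        "report.txt": jpeg_body,              # JPEG renamed to .txt to hide it
        "photo.jpg": b"\xff\xd8\xff" + text,  # forged header pasted over a text body
        "scan.jpg": b"%PDF-1.4\n" + text,     # signature does not fit the extension
    }
```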
In conclusion, it is important to emphasize that information
filtering is relevant not only in forensic computing but also, and
especially, in the monitoring of data channels (e.g. the monitoring
of network backbones). In this case information filtering uses
various techniques borrowed from the established field of data
mining (or text mining), which is concerned with "automatically
extracting valid and useful information from great data sources to
employ them in taking decisions" [16].
- Virtual images: there are at least two kinds of digital images
that can be relevant to investigations into child pornography and
that currently cannot be considered illegal. The first includes
images obtained by distorting real photos or by composing parts of
them. The second includes pictures, generally produced with
software, that evoke child-pornographic and erotic situations.
Italian law today does not clearly treat such material as
paedophilia. Such representations, which currently tend to bypass
the law, nonetheless feed an ever-growing child-pornography market,
assembling pieces of real bodies with drawn parts or pieces of comic
strips or cartoons. Handling such material carries a lighter
sentence; in particular, the penalty reduction is one third of the
penalty for images of real minors. That is why, according to the
data available to this Section, the phenomenon is constantly
growing: there is a large market in comic strips or cartoons
containing such material (for example Manga) and in modifications
of existing, innocent comic strips in which the protagonists (often
idols for children) are represented in sexual acts (for example the
Simpsons, Pokemon, etc.). On 7th November 2003 the Italian
Government approved a bill to confront the worrying phenomenon of
child pornography and the sexual exploitation of minors. The
proposal, the work of the Interdepartmental Coordination Committee
for the fight against Paedophilia (CICLOPE), is divided into 19
articles organized in two Chapters, "Provisions on the fight against
the sexual exploitation of children and child pornography" and
"Rules against child pornography carried out via the Internet", and
answers at least two requirements: (1) quickly overcoming the
serious gaps in the legal framework established by law number 269
of 1998, entitled "Rules against the exploitation of prostitution,
pornography and sexual tourism to the detriment of minors, as new
forms of reduction to slavery", in the light of the new computer
technologies and of the wide diffusion and commercialization of
child-pornographic material (see, for example, file-sharing
programs, the use of newsgroups with binary content, etc.); (2)
substantially adapting the procedural rules to the content of
Decision 2004/68/GAI of the European Council, which requires member
States, among other things, to prosecute "apparent" child
pornography as well (even if nothing is explicitly said about
pornographic comic strips);
- New digital media and new investigative aspects: the HTC Section
continually meets new problems in the analysis of new digital
devices. A typical example is wireless devices. (1) There are
products commonly available on the market that make a hard disk, and
the information it contains, accessible wirelessly. See for example
the product that Asus is selling to broaden its range of WLAN
solutions, the new WL-HDD, a compact storage unit; this solution was
created to meet data storage and sharing requirements even over a
wireless connection based on the IEEE 802.11g protocol and
compatible with the 802.11b standard. The problems are both
technical and legal: (a) managing to physically find the devices
during the intervention on the crime scene, (b) having the
corresponding formal authorization of the magistrates to carry out
the seizure (e.g. a WL-HDD may be located in a domicile adjacent to,
but nonetheless different from, the one where the intervention takes
place). (2) With the evolution of mobile communication protocols,
such as UMTS, which guarantee a data flow comparable to that of
common wired services, portable devices such as mobile phones are
becoming small workstations. Palmtops and smartphones, once used
exclusively as organizers, now integrate communication systems
ranging from Bluetooth to Wi-Fi, from WAP/GSM/GPRS to UMTS, and use
storage units exceeding a gigabyte. In this way it is possible not
only to view images but also to play audio and video files, and to
capture or upload to the network large amounts of data without
necessarily using a desktop or a notebook. With the same devices it
is possible to take photographs or short clips, using the integrated
CCD cameras, and transmit them over the network or through new
services such as MMS, video-MMS or e-mail. All this leads to: (a)
difficulty in monitoring the data flow between these systems, which
can also set up encrypted channels, and (b) difficulty in recovering
the multimedia data they contain.
7. Conclusions
In this project, the aims of the RaCIS (Raggruppamento Carabinieri
Investigazioni Scientifiche) are as follows:
Cap. M. Mattiucci, Ten. D. Tricca, Mar. Ord. R. Olivieri, Mar. Ord.
A. Natale, Mar. Ord. G. Finizia, Mar. Ord. A. Turco, Car. Sc. L.
Giampieri, Car. Sc. S. G. Monfreda, RIS Rome - High Tech Crime
Section.
Bibliography
- [1] Broucek, V., Turner, P. (2001), "Forensic Computing: Developing
a Conceptual Approach in the Era of Information Warfare", School of
Information Systems, University of Tasmania, Australia, Journal of
Information Warfare.
- [2] Broucek, V., Turner, P. (2001), "Forensic Computing: Developing
a Conceptual Approach for an Emerging Academic Discipline", School of
Information Systems, University of Tasmania, Australia, 5th
Australian Security Research Symposium.
- [3] McKemmish, R. (1999), "What is Forensic Computing?", Trends and
Issues in Crime and Criminal Justice (118), Australian Institute of
Criminology.
- [4] Farmer, D., Venema, W. (2000), "Forensic Computer Analysis: an
Introduction. Reconstructing Past Events", Dr. Dobb's Journal, 29,
70-75.
- [5] Bates, J. (1997), "Fundamentals of Computer Forensics",
International Journal of Forensic Computing.
- [6] Bates, J. (2001), "DIVA Computer Evidence (Digital Integrity
Verification and Authentication)", International Journal of Forensic
Computing, 26 March 2001.
- [7] Rivest, R. (1992), RFC 1321, "The MD5 Message-Digest Algorithm",
MIT Laboratory for Computer Science and RSA Data Security, Inc.,
April 1992.
- [8] Broucek, V., Turner, P. (2002), "E-mail and WWW Browsers: a
Forensic Computing Perspective on the Need for Improved User
Education for Information Systems Security Management", School of
Information Systems, University of Tasmania, Australia.
- [9] Hosmer, C. (1998), "Time-lining Computer Evidence", WetStone
Technologies Inc.
- [10] Farmer, D. (2001), "Bring Out Your Dead. The Ins and Outs of
Data Recovery", Dr. Dobb's Journal, 30(1).
- [11] ACPO (2000), "Good Practice Guide for Computer Based Electronic
Evidence", The Association of Chief Police Officers (ACPO) Computer
Crime Group.
- [12] Sammes, T., Jenkinson, B. (2000), "Forensic Computing: a
Practitioner's Guide", Springer Publications.
- [13] Marcella, A. J., Greenfield, R. S. (2002), "Cyber Forensics: a
Field Manual for Collecting, Examining and Preserving Evidence of
Computer Crimes", Auerbach Publications.
- [14] Ferraro, M. M., Casey, E. (2005), "Investigating Child
Exploitation and Pornography", Elsevier Academic Press.
- [15] Casey, E. (2004), "Digital Evidence & Computer Crime", 2nd
edition, Elsevier Academic Press.
- [16] Cabena, P., Hadjinian, P., Stadler, R., Verhees, J., Zanasi,
A. (1997), "Discovering Data Mining: from Concept to
Implementation", IBM Redbooks, Prentice Hall.