
Captain CC Marco Mattiucci

Technical Investigations: tools and problems

The High Tech Crimes Section of the RIS of Rome has national competence in providing technical support to the territorial Arm against crimes involving high technology. This work briefly describes the main forensic fields of investigation on digital systems that the Section has faced in recent years, highlighting statistics, tools, methods employed, and some of the new and fundamental problems from a technical/legal point of view.


The High Tech Crimes Section of the RIS (Reparto Investigazioni Scientifiche, Scientific Investigations Department) of Rome holds a special position among the RIS, which are located in Rome, Parma, Messina and Cagliari. This special position has given the High Tech Crimes Section (HTC Section) competence over the entire national territory for investigative activities on computer science, data transmission and digital electronic systems in general. In this work, we refer to this broad subject with the specific term High Tech Crimes, as established by the Group for High Technology Crimes of the G8.

2. Technical Investigations

The HTC Section of the RIS of Rome usually analyzes digital systems at the request of investigators, Magistrates and, very rarely, other police forces. The investigation experts generally seize the digital systems at the crime scene and send them to the laboratories of the Section. An alternative practice has the technical staff of the Section take part directly in the recovery activities at the crime scene as support, when this operation becomes too difficult from the technical point of view. Some exceptions to these procedures obviously arise if the crime takes place in a virtual environment (the Internet). It may happen that the Section itself verifies the presence of an illegal fact and then promptly calls in the investigators, so that the normal investigative flow is restored. Alternatively, an ordinary user may notice the crime on the Internet and report it to the investigators (this is a common situation). Finally, the investigators themselves may identify the crime on the Internet and start inquiries, asking the HTC Section and/or external specialists (when the magistracy so decides) for the necessary support.
In conclusion, technical investigations always arise after or in parallel with traditional investigations and remain a support, never becoming a self-sufficient element.

3. Areas of study

The areas of forensic scientific study of the HTC Section have widened considerably in the last 5 years, moving from the more traditional study of mass memories (until now one of the most important fields in Internet) to sophisticated and particular electronic systems. The following categories are experience-based and follow the directives and international publications in the field.

3.1 Forensic analysis of storage units
This is the field often referred to as Forensic Computing (FC), for which different definitions have been given. We can consider these two definitions, which surely collect all the fundamental concepts: "... the process of: Identification, Preservation, Analysis and Presentation of 'digital evidence' in the court guaranteeing the admissibility" [ ] and/or "... the collection and the analysis of data following a praxis that guarantees to avoid distortions and prejudgments trying to reconstruct data and facts, that happened in the past inside a computer science system" [ 4 ]. In any case, since FC activities aim to obtain elements that testify to a fact that happened in, or by means of, a computer system, their main characteristic is that they always start after the fact has happened. Note that the two definitions tend to complete and explain each other, because the admissibility mentioned in [ 3 ] is usually, from a legal point of view, precisely the "freedom from voluntary/involuntary distortions and prejudgments (of analysis)" stated in [ 4 ].
The term mass memories covers digital storage units of any nature and principle, from electronic to magnetic to optical ones. FC must therefore take into account the physical peculiarities of each of these digital media in order to guarantee an accurate, complete and repeatable analysis (one that does not alter the content in any way). To this end, the predominant factors in the laboratory procedure are the initial copy and the instruments used to analyze the copy.
In [ 5 ] it is emphasized that "... the special nature of the digital tests demands additional considerations and some changes in respect to the real tests" and in particular the fact that the information stored in a are by their own nature independent of the digital system. In practice, without the necessary and forced external (physical) characterization, digital evidence cannot be linked to an apparatus or a moment in time. This determines the fundamental fact that, when working on digital memories and in the absence of specific directives from the operator, it is impossible to differentiate between the copy and the original item. There is therefore an indistinguishability principle, which has led to the preservation of useful data (also called data recovery) and to an equivalent activity on the copy, on particularly reliable storage media (optical and/or magnetic tapes with "armor plating").
The characterization of the copies is achieved by including in them some auxiliary information such as: date and time at which the copy is made, ID of the operator, comments, etc. These elements are hashed together with the useful data, and the calculated values are stored on media auxiliary to the final media of the copy. For this purpose, FC employs standard hash functions such as DIVA [6] (proprietary to the company Computer Forensics Ltd) or MD5 [7] (an open standard widely employed by various FC products such as EnCase, ILook, etc.). The hash values calculated during the copy are useful to guarantee two essential facts:

  • because the hash can be calculated both on the original data and on the copied data, and because of the uniqueness property of the algorithms that implement the hash function, it is possible to verify the "absolute" adherence of the copy to the original data during the cloning process, using this method as a computationally heavy and rigorous error control system;
  • after the copy, the availability of the hash value or values makes it possible to establish whether the copy is still valid or whether there have been alterations (voluntary and/or involuntary).

A very important point must then be taken into account regarding the kind of data copy made of a mass storage unit or a digital device. In fact we can distinguish at least three levels of copy:

a. Low level physical copy: or bitstream copy, in which the content of the physical unit is read bit by bit (the sequence is established by the physical address, usually managed by the controller of the storage unit), loading each time the minimal addressable amount of the storage unit (for example in a hard disk the physical , in a ROM the byte, etc.) and then recording the same sequence in common binary files (physical image of the unit);

b. Low level file system copy: or cluster-copy, in which the content of a logical partition (structured as a result of a formatting operation tied to a precise file system) is read bit by bit, loading each time the minimal amount of memory that the file system can address (e.g. the cluster in FATxx) and then recording the same sequence in a common binary file (low level image of the file system);

c. File system copy: in which part or all of the high level content of a logical partition (structured as a result of a formatting operation tied to a precise file system), meaning the contents of the visible (not deleted) files and directories, is backed up to a file (backup file) in a particular format (used by the tool employed).

The classic dd function of Unix-like operating systems can, for example, carry out the copies described in both a. and b., while the Ghost software tool carries out copies as described in c. Because of its simplicity of use and the availability of its source code (e.g. in Linux), dd has also become a point of reference for dumping digital systems, for example smart cards. Unfortunately it does not supply forensic guarantees: it does not carry out adherence checks, hash function calculations, etc. Finally, it is emphasized that the levels of copy mentioned above are not at all equivalent if the aim is to identify probative elements of a forensic kind. In [10] it is stated that "the persistence of data is enormous. Differently as it could be thought, it is very difficult to remove data from a mass storage units, even if we want... we have employed a hard disk in order to install before a copy of Windows, the one of Solaris and finally one of Linux and the result has been that with an opportune forensic software the files of the two previous installations were easily recoverable...". The search for deleted data (generally very rich in information on the activity carried out) is a fundamental element from the legal point of view, and the three copies discussed above do not equally allow this analysis. In particular, the physical copy in a. keeps all the possible information, including that on the partitions (for example, the co-existence of several operating systems, etc.); the one in b. contains both the deleted files and the visible ones, but not the information about the partitions, since it includes just one of them; finally, the copy in c. keeps just the content of the visible files and directories. Obviously the choice of the type of copy is connected to the speed at which the copy is made, which increases from the copy in a. to the one in c.
Therefore the choice of one type of copy or another depends a great deal on the type of digital evidence we want to obtain and on the available time.
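The following Python sketch is an added example, not code from the HTC Section or from any tool named above. It shows the checks this section says dd lacks: the source is hashed while it is copied, the image is read back and compared, and the auxiliary information (date, operator ID, comment) is hashed together with the data hash. The record layout, the function names and the use of an ordinary file as the "device" are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # bytes per read; a real imager would align this to the sector size


def hash_file(path, algo="md5"):
    """Hash a file in chunks so that large images never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def seal(record, algo):
    """Hash the auxiliary information together with the data hash (hypothetical layout)."""
    body = {k: v for k, v in record.items() if k != "seal"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.new(algo, canonical.encode("utf-8")).hexdigest()


def acquire(source, image, operator_id, comment, algo="md5", when=None):
    """Bitstream-copy source to image, then read the image back and compare hashes."""
    src_hash = hashlib.new(algo)
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)      # hash exactly what was read from the original
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    image_digest = hash_file(image, algo)  # independent read of what was written
    if image_digest != src_hash.hexdigest():
        raise IOError("image does not match source: the copy must be repeated")
    record = {
        "algorithm": algo,
        "data_hash": image_digest,
        "size_bytes": size,
        "acquired_utc": (when or datetime.now(timezone.utc)).isoformat(),
        "operator_id": operator_id,
        "comment": comment,
    }
    record["seal"] = seal(record, algo)
    return record  # to be stored on a medium separate from the image itself


def verify(image, record):
    """Later check: is the copy still valid, and is its characterization intact?"""
    algo = record["algorithm"]
    if seal(record, algo) != record.get("seal"):
        return "record altered"
    if os.path.getsize(image) != record["size_bytes"]:
        return "size changed"
    if hash_file(image, algo) != record["data_hash"]:
        return "data altered"
    return "valid"


def demo():
    """Acquire a constructed 1 MiB 'device', then simulate two kinds of alteration."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "evidence.bin")
        image = os.path.join(d, "evidence.img")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # constructed sample data
        record = acquire(source, image, "OP-001", "constructed demo",
                         when=datetime(2004, 1, 1, tzinfo=timezone.utc))
        results = [verify(image, record)]
        with open(image, "r+b") as f:          # flip one bit inside the image
            f.seek(12345)
            original = f.read(1)[0]
            f.seek(12345)
            f.write(bytes([original ^ 0x01]))
        results.append(verify(image, record))
        forged = dict(record, operator_id="OP-999")  # tamper with the metadata
        results.append(verify(image, forged))
        return results


if __name__ == "__main__":
    print(demo())
```
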

3.2   Forensic analysis of wireless communication systems
In this field, the most important forensic analysis is that of mobile telephones across the various protocols currently in use: ETACS, GSM, GPRS, UMTS. Such analysis is conducted by exploring the hardware content of the mobile, excluding the SIM, and then by analyzing the memory chips contained in the SIM. While in FC consolidated experience makes it possible to select procedures and tools validated in thousands of cases, the same does not happen in the world of mobile telephones, in which methods and instruments vary depending on the technical studies and the guarantees that the forensic laboratory assures.
The HTC Section aims, as a practice, to guarantee minimal alteration of the content of mobile telephone memories, avoiding connection to the network and thus working in the absence of radio signals.
Unfortunately, there are exceptions to this nearly ideal approach, especially when the protections (PIN) of the SIM have to be overcome. From the legal point of view this problem can be solved by a specific order of the magistracy, but from a technical point of view entering the PUK, for example, to get past the PIN gives rise to an irreversible alteration of the SIM memory.
Other "wireless" systems subject to forensic analysis include wireless LANs, in which different kinds of resources are shared through radio signals. This sub-field is not only important but also new from the forensic point of view, and we are studying specific solutions by means of experimental systems built by the HTC Section.
Together with the forensic study of mobile telephones, the HTC Section has been dealing with the world of interception and radiolocalization and has become the technical reference point on national regulatory matters.

3.3    Forensic analysis of computer networks
The HTC Section also leads investigations into crimes perpetrated through computer networks or exclusively in the virtual world of the Internet. The Internet not only represents a new instrument that aids crime, but it has also generated new categories of crimes for which it is sometimes difficult to find a correct legal classification (sometimes none exists). In addition, the Internet is becoming a new mass medium and a coordination instrument for both common and organized crime.
The HTC Section serves as an aid to the Territorial Units of the Carabinieri Arm in this delicate field, supplying continuous collaboration that helps investigators respond to situations requiring technical preparation.
Investigative cases may be handled both with the instruments of the RIS laboratory and through actions of Internet providers (ISP) directed by the staff of the Section. The cases mainly deal with: pedophilia, defamation, industrial espionage, terrorism, fraud, etc. In what follows we report some generic references to the investigative activities in this field led by the HTC Section:

3.3.1 Remote control
The increasingly frequent and massive use of e-mail has led to the study of software systems able to deliver viruses, trojans and remote control software through e-mail to an addressee who is no longer able to filter the data received.
In particular, remote control was originally designed to control and test business networks and to allow the administrator to work on a computer connected to the Internet or an intranet without being physically present. Remote control can serve significant criminal aims such as, for example, industrial espionage and intrusion.

3.3.2 Intrusion & Cracking
By the term "intrusion" we mean access to computer resources that are denied to the requesting user. The resources are protected by authorization mechanisms that take various elements into account:

  • Password: a private keyword known to the user, and sometimes to the system administrator, that allows the user's actions to be identified;
  • Priority and levels: the user may or may not be authorized to use some categories of resources as a consequence of their hierarchical and functional position inside the organization they belong to. The organization also establishes position levels and the priority of each user on each resource;
  • Times: some computer resources have to be available only in specific periods of time (for example during typical office hours, 8,00-16,00) because the organization's rules do not allow them to be used at other times;
  • Physical access: if some resources must not be visible to a class of users, it is possible to make them physically invisible (no connecting cable), but this option has become increasingly remote because of the flexibility of use of a totally connected system.

These protection constraints give rise to studies on how to trick systems: for example, by modifying the reference clock of the machine protecting the resources, by impersonating an authorized user after having "listened to" identification messages on the network (sniffing), or by tricking the administrator via fax or telephone into handing over identification data by pretending to be the legitimate owner, etc.
Intrusion operations on a protected computer system are in any case a violation of a private area, because internationally a computer resource is considered private if the organization has provided every suitable instrument to protect its computer system. We note that in Italy private but unprotected information is nevertheless protected by a very restrictive privacy law, whereas in the rest of the world that is not so common.
In intrusion operations a fundamental role is played by the procedure of "cracking", that is the hardware/software system used to violate a protection mechanism based on a password, or to identify a password and thereby gain access to protected resources that are not permitted.

3.3.3 Illegal communications
First of all, the Internet remains a powerful and flexible multimedia mass medium, and therefore the majority of the crimes we currently find on the network of networks are illegal communications. In what follows we examine the reference categories of this class of crimes:

  • pedophilia and pornography on computer networks: a subject of great interest at the moment in Italy and in the rest of the world, which has made the Internet appear as an almost demonic mass medium. The possibility of anonymously sending information related to pedophilia, such as photos, documents, contacts, etc., is well known to the criminal organizations operating in this area, which sometimes also create reference web sites in which they set out the reasons for their exchange activity and the principles of freedom on which such exchanges are based;
  • defamation and threats: usually by e-mail;
  • e-mail bombing: e-mails from one user to another pass through a mail server, a computer equipped with a large storage unit and software able to store and route e-mail messages. There are techniques, developed from the e-mail communication protocol, that make a great amount of messages arrive at the same mail server from different directions until they saturate the server's handling capacity;
  • e-commerce fraud: the communications on which the economic transactions of electronic commerce are based have to be extremely secure if errors during transactions are to be avoided. The frauds in this field are various and very sophisticated: they involve sniffing (listening on the network) and identity theft. In this way the perpetrators can, for example, obtain credit card numbers or charge their transactions to other customers' cards.

3.3.4 Hacker & Hacking
According to statistics supplied by CERT-it (Italian CERT), the most common attack techniques are:

  • sniffing: capture of data while traveling on the network;
  • spoofing: counterfeiting of data;
  • denial of service: preventing a computer system from providing services;
  • backdoor: a secret entrance into a computer system that the hacker is able to create himself;
  • e-mail bombing: the action of bombarding a server with thousands of e-mail messages, causing it to crash (a critical malfunction).

3.4    Forensic analysis of electronic systems
The HTC Section of the RIS of Rome also analyzes a great variety of digital electronic systems that do not properly fall into the previous categories. They are often modules that are difficult to analyze, for which the procedural knowledge has to be studied empirically or found through external collaborations (specialized universities, companies, etc.).
Here we can give some examples:

  • magnetic card cloning systems: microcameras, microphones, short/intermediate-range transmission systems, magnetic stripe readers, etc. The main problem is demonstrating that these devices are operational, showing their operating range and, where possible, providing the names and data of the defrauded customers. The variety of possible frauds is very wide, but the most common in Italy is skimming, that is the reading and reproduction of magnetic credit cards to obtain clones to use in foreign countries;
  • smartcard cloning systems: smartcards, that is plastic cards equipped with a microprocessor (a digital chip able to store and process information), constitute a new frontier in the movement of money and data in a technologically advanced society. As a steadily growing investigative field, the category of "smartcard frauds" contains all the possible frauds using smartcards (smartcards are very widespread in those countries where crime has made great strides in recent years). The area of study is very wide and it is also connected to credit card frauds on the Internet;
  • electronic organizers: an area of study similar to forensic computing, whose only difference is the particular hardware that is usually analyzed. Such systems have electronic protections, and their overall complexity is lower than that of personal computers. In this sense, the analysis and the overcoming of the protections (removal of the protection password) can be carried out systematically through particular hardware/software instruments, which are the exclusive property of the scientific police;
  • video surveillance systems: the recording systems devoted to surveillance in banks and in other public places are by now nearly all digital, and therefore they store digital video sequences on hard disk instead of analog VHS or other video standards. From this point of view such systems can be considered special-purpose (specialized) computers, and therefore they must be analyzed by criteria similar to those of forensic computing;
  • priming and weapon control systems: digital systems, often remote controlled, that allow activating crews, explosive mechanisms, etc.
  • Other…

This field, often referred to as electronic forensics, has a limited volume of technical analyses in terms of quantity, but not in terms of importance and of the laboratory operators' commitment, because each technical examination appears different from the others and it is difficult to group these analyses into the same category.

3.5     Forensic analysis of software
The activities of the HTC Section in this particular and extended field involve:

  • locating pirated software;
  • analysis of video games at programming and firmware level;
  • analysis of protection software to unlock the defense mechanism;
  • use of EEPROM programmers to alter the memories of smartcards.

4. Statistics

The HTC Section uses a database devoted to handling the documents related to technical investigations and all the attributes that characterize them. This electronic archive makes it possible to produce interesting statistics, such as the increase in the case volume of the HTC Section depicted in figure 1.


[Figure 1: number of cases (Nr. casi) handled by the HTC Section]

This increase brings with it a remarkable problem of updating the staff and the technical-forensic tools employed for laboratory analysis, especially considering the enormous speed of change and progress of information and telematic systems.


In figure 2, it is very interesting to see how the cases are distributed across the several categories of forensic analysis. As shown in figure 2, technical investigations on the Internet, even though limited since the Section was created mainly for forensic computing (until today the main field of investigation), have increased from 2000 until today, while the analyses of special electronic systems, even if very important in some national cases, have been decreasing numerically.
It must be taken into account that more than 40% of all technical investigations concern child pornography. This percentage has also been rising steadily from 2000 until today, with remarkable repercussions on the technical staff who, besides having limited preparation in the specific field of pedophilia, have operated in a subject that is humanly difficult to approach and that, according to some psychological studies, could produce alterations in personality, which have to be checked periodically through tests, interviews, etc.

5. Forensic tools
The HTC Section carries out its forensic analysis activities using some of the most widespread and consolidated tools at national and European level:

  • DIBS: (Disk Image Backup System) one of the first systems for data recovery and analysis in forensic computing, now in disuse because of the enormous development of mass memories;
  • EnCase: software for data recovery and analysis in the field of forensic computing, employed for several years by the majority of police forces in the world;
  • Linux: Unix-like operating system whose openness at source level makes it easy to customize even at forensic level (as already done with the "dd" function for dumping mass memories);
  • A series of software tools devoted to cracking, decryption, sniffing, tracing, etc., often home-made or obtained by altering software freely available even at source level. These are very important for some activities, especially in Internet investigations, but they are generally neither certified nor backed by long experience of use.

6. Technical-investigative problems
Technical investigations in the high technology field hide various problems of both a technical and a legal nature. In what follows, we give a short overview of some of the most common problems, starting from very simple and moving to more complicated questions. The aim is to emphasize the importance of creating a standard at least at the European level.

Then, because of the speed of evolution of the field mentioned above, there is a need for continuous updating of:

  • employed tools;
  • knowledge of the people involved.

Beyond these aspects of guarantee, the optimal legal methodology should then be established to allow effective investigation, at least at European level, of crimes such as those on the Internet, whose obvious transnational nature has for a long time been preventing a considerable number of investigative activities from continuing.
Then there are technical problems, e.g. the increasing storage capacity of mass memories. The filtering process that the operator has to apply depends on their investigative acumen, but the possibility of missing important traces during the analysis of more than 10000 files (a common number in a normal PC) becomes significant. This is especially true considering that the file type can be altered so as to show a content that does not correspond to the truth, or the file can be subjected to encryption, steganography, etc., which can prevent the data from being read by means of mechanisms that are sometimes not even particularly sophisticated.
Another technical problem particularly felt by the operators is their ability to correctly assess the material under examination. As an example, the simple fact of establishing whether or not a minor is involved in a pornographic digital image is something that cannot be delegated to a computer forensic technician, who does not have the knowledge to assess such a fact (it is not their specific competence). This problem obviously extends to many other fields of crime in which the operator is wrongly asked to select the files/data of interest even though they do not have the specific competence.
The last problem, common to many forensic "high tech" laboratories in Europe and all over the world, is the psychological influence that activities on child pornography have on the operators. In recent years considerable alarm has been raised, moving various scientific Departments to impose a periodic check of the staff involving written tests, interviews, etc.

6.1    Common problems

In order to give guarantees to both parties in court, the procedures for the technical analysis of computer or telematic systems have to meet a total quality standard, and in particular it is important to obtain certification and accreditation of:

  • tools of analysis;
  • procedures for the employment of tools;
  • the operator who leads the analysis;
  • tools for editing the Technical Reports (reporting);
  • the head director of the laboratory for reporting.

6.2    Specific technical problems

The HTC Section has met a great variety of specific technical problems during the analyses carried out in the last 5 years. Among them we report some that are important as a basis for future studies and as a yardstick for comparison with other European realities.

Decryption: investigations that should be solved in a few days often last for weeks because of problems in opening archives and/or documents protected by encryption mechanisms. Decryption times vary as a function of the coding algorithm employed, of the amount of information in the archives subjected to the "breaking through" procedure, and of the available processing power.

The compressed format .zip, for example, employs a relatively weak algorithm and is susceptible to every kind of attack, i.e. brute force attacks, attacks based on a dictionary, on a mask or on plain text, or attacks aimed at recovering the encryption keys directly, irrespective of the password. Any of these methods allows access to the archives in reasonable time, with a success rate of approximately 95%.
The formats .rar or .ace present greater difficulties: the coding algorithm they employ is clearly heavier than the previous one, and their intrinsic nature allows only attacks based on brute force or on a dictionary, that is the attempt to enter selectively passwords taken from a suitably prepared text file (dictionary) or generated by a progressive combination of alphanumeric strings. This method obviously depends on the size of the archive and on the number of files it contains, since every password generated or read from the dictionary is tried on each of the files in the archive. The decryption speed is therefore inversely proportional to the number of files and reaches, in some cases, a value of 8-10 passwords per second using a computer based on a Pentium 4 at 3 GHz, a value that leads to unreasonable processing times for recovering the access keys. In such cases it therefore becomes necessary to draw on greater computing power, offered for example by tools that support distributed decryption using a cluster of computers or, better still, an entire network of computers.
We note in this regard that the use of networks of PCs for decryption is an emerging reality in Europe, as emphasized by the report on the conference on Cyber Crime held in The Hague (L'Aja) on 19th April 2004, and it involves several European High Tech Crimes units. At that meeting it was in fact proposed to lay the foundations for a virtual private network, managed at European level by Europol (EU HTC VPN - already active and, at least in part, operative), that could help forensic technical investigators with the decryption of files.

Filtering information: the increase in the storage capacity of mass memories has become a critical problem, one that until some years ago the forensic technician could solve with a minimum of wit and experience. It concerns the way of filtering the information of interest when recovering data from a digital mass memory.
There are at least two levels of problems in filtering, but many more could be found. In particular:

  • Choice of evident information: even assuming that all the information contained in a storage unit is evident (which is by no means a given), the burden of selecting it has grown steadily in recent years, first of all because the selection is not purely technical but must be based on various factors that are not known to us, such as the personality and technical abilities of the user, the type of crime, etc.  For example, when the High Tech operator has to select child-pornographic images from among many pornographic images in order to hand them to the magistracy, he carries out an activity of a medical or psychological nature that certainly lies outside his computing competence.
    In this direction there are new studies in the field of criminology addressing, for example, the profiling of Internet users.  This fascinating field of a psychological nature should be placed side by side with forensic computing during the analysis, with the aim of making selections that are correct and, above all, useful for the indictment and/or the continuation of the investigations.
    As a practical example, one of the most recurrent technical assessments is the search, in the storage unit of a seized PC, for documents of interest, such as child-pornographic photos that can therefore be traced back to criminal activity related to pedophilia.
    In such a context, a technical assessment conducted with a forensic product such as EnCase makes it possible to analyze all the files containing photos in order to highlight documents of interest to the investigations.  However, the enormous volume of images usually found makes the preliminary location of possibly interesting files extremely long and tedious.  This is all the more true considering that the majority of files containing images (graphics or photographs) consists of graphics belonging to the operating system and to the various packages installed by the user.
    The experience gained over numerous technical assessments has made it possible to identify criteria that considerably reduce the number of files to analyze.
    A first criterion is based on comparing the MD5 hash values of the files recovered from the storage unit with the hash libraries available to the technician.  In this way it is possible to show that specific files belong to specific software packages, whether of the operating system or of applications.  A more or less significant share of the files can therefore be excluded from further analysis.  The same criterion also allows the immediate identification of any files containing child-pornographic photos, if the MD5 hash values of such files match those available in appropriate libraries.  Building a rich library of MD5 hashes generated during previous technical assessments can therefore be extremely useful.
    A second selection criterion is based on the identification and subsequent evaluation of each graphical image, with particular attention to JPEG files, which are commonly used to store photographic images.  Evaluating the resolution of each image makes it possible to discard from further analysis all the "too small" images, which because of their size are of no objective interest to the investigations.  This criterion has been put into practice by a dedicated script for EnCase (versions 3 and 4) that lets the user specify the minimum resolution of the JPEG images to search for.
    The selected files are then marked with a bookmark and, if required, extracted to a dedicated folder.  Two distinct versions of the script have been developed: the first considers the JPEG files recovered by EnCase in the allocated area and therefore shown in the table; the second instead searches for JPEG files in the entire unallocated area of the storage units under examination.  Both versions of the script yield, on average, a 60% reduction in the total number of JPEG files to analyze.
  • Choice of non-evident information: there are many methods for hiding information, from encryption to changing the file extension so that small files blend into large folders, for example those of the operating system.  Some of these methods are very simple.
    Consider, for example, an investigator looking for digital photos on a hard disk.  First of all, he will try to isolate all the files that could contain such images.  His search will rely fundamentally on the file extension, focusing on the specific formats (jpg, bmp, tif, png...) that commonly contain images.  In this way, however, he excludes the files whose extension the suspect may have changed precisely to divert the investigator's attention from their content.
    To avoid this, the investigator can use software that compares the extension with the header of each file and highlights any anomalies.  The header of a file is a sequence of particular values (byte strings) placed at the beginning of the file that identifies (uniquely, but not always) the type of data it contains.  This technique remarkably reduces the chance that particular files escape the forensic investigator; however, files into which an anomalous header, compatible with the newly assigned extension, has been purposely inserted could still be excluded.
    At this point the investigator currently has no valid analysis tools capable of revealing such deeply altered files.  For this reason it is necessary to push towards other methods of analysing the content of storage units that are independent of the file extension and the header, such as statistical scanning.
    To address this problem, the HTC Section has developed a software tool called "FileScanner", running on Windows, which graphically displays some statistical properties that can usefully be taken into account to characterize the format of files automatically, avoiding binary analysis.
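
The two selection criteria described under "Choice of evident information" (comparison against hash libraries, then a minimum JPEG resolution) can be sketched as follows. This is an added example, not the Section's EnCase script; the verdict names, the 320x240 threshold and all sample files and hash sets are constructed for illustration.

```python
import hashlib
import struct

SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}   # SOFn, minus DHT/JPG/DAC

def jpeg_dimensions(data):
    """Return (width, height) from the first SOF segment, or None if unparsable."""
    pos = 2
    while data[:2] == b"\xff\xd8" and pos + 4 <= len(data):
        marker = data[pos + 1]
        if data[pos] != 0xFF or marker in (0xD9, 0xDA):
            return None                  # lost sync, or EOI/scan data before any SOF
        if marker in (0xFF, 0x01) or 0xD0 <= marker <= 0xD8:
            pos += 1 if marker == 0xFF else 2   # fill byte, or marker with no length
        elif marker in SOF_MARKERS and pos + 9 <= len(data):
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        else:                            # skip any other segment via its length field
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    return None

def triage(files, ignorable_md5, notable_md5, min_width, min_height):
    """Apply the hash criterion first, then the resolution criterion, to each file."""
    verdicts = {}
    for name, data in files.items():
        digest = hashlib.md5(data).hexdigest()   # MD5 as on the page: a lookup key only
        dims = jpeg_dimensions(data)
        if digest in notable_md5:
            verdicts[name] = "flag"
        elif digest in ignorable_md5:
            verdicts[name] = "skip-known"
        elif dims and (dims[0] < min_width or dims[1] < min_height):
            verdicts[name] = "skip-small"
        else:                                    # big enough, or unparsable: a person looks
            verdicts[name] = "review"
    return verdicts

def make_jpeg(width, height):
    """Constructed sample: SOI + APP0 + SOF0 + EOI, a valid header but no picture data."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    return b"\xff\xd8" + app0 + sof0 + b"\xff\xd9"

SAMPLES = {"os/icon.jpg": make_jpeg(32, 32), "app/splash.jpg": make_jpeg(800, 600),
           "user/thumb.jpg": make_jpeg(96, 64), "user/p1.jpg": make_jpeg(1600, 1200),
           "user/p2.jpg": make_jpeg(1024, 768), "user/cut.jpg": make_jpeg(640, 480)[:10]}
IGNORABLE = {hashlib.md5(SAMPLES[n]).hexdigest() for n in ("os/icon.jpg", "app/splash.jpg")}
NOTABLE = {hashlib.md5(SAMPLES["user/p2.jpg"]).hexdigest()}
RESULT = triage(SAMPLES, IGNORABLE, NOTABLE, min_width=320, min_height=240)
```

A truncated file such as `user/cut.jpg` yields no dimensions and is kept for review instead of being discarded, which matters for fragments carved from unallocated space.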
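
The extension/header comparison described under "Choice of non-evident information", followed by a statistical check for files whose header was forged to agree with the extension, can be sketched as follows. This is an added example and not the FileScanner tool, whose statistics the page does not describe: Shannon entropy of the file body is used here as an assumed stand-in, and the entropy ceilings and sample files are constructed.

```python
import hashlib
import math
from collections import Counter

# Leading byte signatures of a few formats, mapped to a canonical extension.
SIGNATURES = [(b"\xff\xd8\xff", "jpg"), (b"\x89PNG\r\n\x1a\n", "png"), (b"BM", "bmp"),
              (b"II*\x00", "tif"), (b"MM\x00*", "tif"), (b"MZ", "exe")]
ALIASES = {"jpeg": "jpg", "tiff": "tif", "dll": "exe"}
# ASSUMPTION: entropy ceilings (bits/byte) for formats that normally hold uncompressed data.
MAX_ENTROPY = {"bmp": 7.5, "txt": 6.0}

def header_type(data):
    """Return the canonical type announced by the leading bytes, or None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None

def body_entropy(data, skip=64):
    """Shannon entropy in bits per byte, ignoring the first `skip` bytes (header area)."""
    body = data[skip:] or data
    counts = Counter(body)
    return -sum(c / len(body) * math.log2(c / len(body)) for c in counts.values())

def classify(name, data):
    """Compare extension with header, then header with content statistics."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    found = header_type(data)
    expects_magic = any(kind == ext for _, kind in SIGNATURES)
    if found != ext and (found is not None or expects_magic):
        return "header-mismatch"          # extension changed, header left untouched
    if ext in MAX_ENTROPY and body_entropy(data) > MAX_ENTROPY[ext]:
        return "statistical-anomaly"      # header agrees, content does not fit the format
    return "consistent"

# Constructed samples: NOISE stands in for compressed data, FLAT for a simple bitmap.
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
FLAT = bytes((i // 512) * 16 for i in range(8192))
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + NOISE,
    "kernel32.dll": b"\xff\xd8\xff\xe0" + NOISE,      # image stored under a system-file name
    "wallpaper.bmp": b"BM" + bytes(52) + FLAT,
    "notes.bmp": b"BM" + bytes(52) + NOISE,           # matching header, compressed body
    "readme.txt": b"Installation notes for the printer driver.\n" * 40,
}
RESULT = {name: classify(name, data) for name, data in SAMPLES.items()}
```

The entropy check is a heuristic: it ranks files for examination and does not identify the true format.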

In conclusion, it is important to emphasize that information filtering is relevant not only in forensic computing but also, and especially, in the supervision of data channels (e.g. the monitoring of backbones).  Information filtering, in this case, uses various techniques borrowed from the consolidated field of data mining (or text mining), which is concerned with "automatically extracting valid and useful information from great data sources to employ them in taking decisions" [16].

  • virtual images: there are at least two kinds of digital images that can be relevant to investigations into child pornography and that currently cannot be considered illegal.  The first comprises images obtained by distorting real photos or by composing parts of them.  The second comprises pictures, generally produced by software, that evoke child-pornographic and erotic situations.  Italian law today does not clearly treat such material as pedophilia.  Such representations, which currently tend to bypass the law, nevertheless feed an ever-growing child-pornography market, assembling pieces of real bodies with drawn parts or pieces of comic strips or cartoons.  The handling of such material carries a lighter sentence; in particular, the penalty reduction is one third of the penalty for images of real minors.  That is why this is steadily increasing, according to the data available to this Section: there is a big market involving comic strips or cartoons containing such material (for example Manga) and modifications of existing, innocent comic strips, in which the protagonists (often idols for children) are represented in sexual acts (for example Simpson, Pokemon etc.).  On 7th November 2003 the Italian Government approved a bill to confront the worrying phenomenon of child pornography and the sexual exploitation of minors.
The proposal, the work of the Interdepartmental Committee of Coordination for the fight against Pedophilia (CICLOPE), is divided into 19 articles organized in two Chapters, "Dispositions in matter of fight against the sexual exploitation of the children and the child-pornography" and "Norms against the child-pornography realized by Internet", and responds to at least two requirements: (1) quickly overcoming the serious gaps in the regulatory framework established by law number 269 of 1998, entitled "Norms against the exploitation of the prostitution, the pornography, the sexual tourism in damage of minors, as new kind of reduction in slavery", in the light of the new computer technologies and of the wide diffusion and commercialization of child-pornographic material (see, for example, file-sharing programs, the use of newsgroups with binary content, etc.); (2) substantially adapting the procedural rules to the content of Decision 2004/68/GAI of the European Council, which induces the Member States, among other things, to prosecute "apparent" child pornography as well (even if nothing is explicitly said about pornographic comic strips);
  • new digital media and new investigative aspects: the HTC Section continually meets new problems in the analysis of new digital devices.  A typical example is wireless devices.  (1) There are products, commonly available on the market, that make a hard disk and the information it contains accessible wirelessly.  See for example the product that Asus is selling to widen its range of WLAN solutions, the new WL-HDD, a compact storage device.  This new solution was created to meet data storage and sharing requirements over a wireless connection based on the IEEE 802.11g protocol and compatible with the 802.11b standard.  The problems are both legal and technical: (a) physically finding the devices during the intervention on the crime scene, (b) having the corresponding formal authorization of the magistrates to carry out the seizure (e.g. a WL-HDD can be located at an adjacent address, different from the one where the intervention takes place).  (2) Due to the evolution of mobile communication protocols such as UMTS, which guarantee a data flow comparable to that of common wired services, portable devices such as mobile phones are becoming small workstations.  Palmtops and smartphones, which used to serve exclusively as organizers, now integrate communication systems that range from BT to Wi-Fi, from wap-gsm-gprs up to UMTS, and use storage units that exceed one Gigabyte.
In this way it is possible, beyond viewing images, to play audio and video files and to download or upload large amounts of data without necessarily using a desktop or a notebook.  With the same devices it is possible to create photographs or short clips, using the integrated CCD cameras, and to transmit them over the network or through new services such as MMS, video-MMS or email.  All this leads to: (a) difficulty in monitoring the data flow between these systems, which can also create encrypted channels, and (b) difficulty in recovering the multimedia data they contain.

In this project, the aims of the RaCIS (Raggruppamento Carabinieri Investigazioni Scientifiche) are the following:

  • to update and align knowledge about investigations on the Internet in the specific field of pedo-pornography;

  • to encourage, in high-technology crime investigations, the use of standard methods and tools for technical investigations in order to produce reports that are clearly understandable by the magistrates, and to make the competent authorities aware of the importance of creating a standard for forensic analysis in High Tech Crimes in Europe;
  • to facilitate the procedures of international cooperation through an in-depth examination of the law and direct personal acquaintance among the civil servants working in the field of child pornography in the other countries involved in the project, proposing useful related modifications to the European directives in this field;
  • to obtain valid documentation to submit to the attention of all the conference participants and of the departments of the Arm directly involved in combating the phenomenon of child pornography on the Internet;
  • from the technical/legal point of view, the HTC Section has contributed by highlighting the operational organization, technical instruments, statistics on investigations and related problems that have been faced, or will have to be faced in the next few years, in order to continue the fight against High Technology Crimes.

Cap. M. Mattiucci, Ten. D. Tricca, Mar.Ord. R. Olivieri, Mar. Ord. A. Natale, Mar. Ord. G. Finizia, Mar. Ord. A. Turco, Car. Sc. L. Giampieri, Car. Sc. S. G. Monfreda RIS Rome - High Tech Crime Section.


  • [1] Vlasti Broucek, Paul Turner (2001), “Forensic Computing: Developing a Conceptual Approach in the Era of Information Warfare”, School of Information Systems, University of Tasmania, Australia, Journal of Information Warfare.
  • [2] Vlasti Broucek, Paul Turner (2001), “Forensic Computing: Developing a Conceptual Approach for an emerging Academic Discipline”, School of Information Systems, University of Tasmania, Australia, 5th Australian Security Research Symposium.
  • [3] Mc Kemmish, R. (1999), “What is Forensic Computing”, Trends and Issues in Crime and Criminal Justice (118), Australian Institute of Criminology.
  • [4] Farmer D., Venema W. (2000), “Forensic Computer Analysis: an Introduction. Reconstructing past Events.”, Dr Dobb’s Journal, 29, 70-75.
  • [5] Bates, J. (1997), “Fundamentals of computer forensics”, International Journal of Forensic Computing.
  • [6] Bates, J. (2001). “DIVA Computer Evidence (Digital Integrity Verification and Authentication)”, International Journal of Forensic Computing, 26 March 2001.
  • [7] R.Rivest (1992), RFC 1321 - “The MD5 message digest algorithm”, MIT laboratory for computer science and RSA Data Security, Inc., April 1992.
  • [8] Vlasti Broucek, Paul Turner (2002), “E-mail and WWW browsers: a forensic computing perspective on the need for improved user education for information systems security management”, School of Information Systems, University of Tasmania, Australia.
  • [9] Chet Hosmer (1998), “Time-lining Computer Evidence”, WetStone Technologies Inc.
  • [10] Farmer D. (2001), “Bring out your dead. The Ins and Out of Data recovery”, Dr Dobb’s Journal, 30(1).
  • [11] ACPO (2000), “Good Practice Guide for Computer Based Electronic Evidence”, The Association of Chief Police Officers (ACPO) Computer Crime Group.
  • [12] T. Sammes, B. Jenkinson (2000), “Forensic computing: a Practitioner’s guide”, Springer Publications.
  • [13] A.J. Marcella, R.S.Greenfield (2002), “Cyber Forensics: a field manual for collecting, examining and preserving evidence of computer crimes”, Auerbach Publications.
  • [14] M.M. Ferraro, E. Casey (2005), “Investigating Child Exploitation and Pornography”, Elsevier Academic Press.
  • [15] E. Casey (2004), “Digital Evidence & Computer Crime”, 2nd edition, Elsevier Academic Press.
  • [16] P. Cabena, P. Hadjinian, R. Stadler, J. Verhess, A. Zanasi (1997), “Discovering data mining: from concept to implementation” IBM Redbooks, Prentice Hall.