Entries Tagged "forensics"

Computer Forensics Case Study

This is a report on the presentation of computer forensic evidence in a UK trial.

There are three things that concern me here:

  1. The computer was operated by a police officer prior to forensic examination.
  2. The forensic examiner gave an opinion on what files constituted “radical Islamic politics.”
  3. The presence of documents in the “Windows Options” folders was construed as evidence that someone wanted to hide those documents.

In general, computer forensics is rather ad hoc. Traditional rules of evidence are broken all the time. But this seems like a pretty egregious example.

Posted on August 31, 2007 at 6:13 AM

More on Smell Samples

Earlier this month, I blogged about a library of people’s smells kept by the former East German police. Seems that the current German police is still doing it:

The Stasi secret police used scent gathering in Communist East Germany, collecting smells in empty jam jars and storing them. The method has reminded Germans of that failed regime of snoopers, and was highlighted in the recent Oscar-winning film “The Lives of Others” about a Stasi surveillance officer.

The domestic policy spokesman for the Social Democrat Party, Dieter Wiefelspütz, finds the new weapon “pretty bizarre.” But he knows that unappetising though it may be, the method has been employed by German investigators for a long time.

In legal terms, recording someone’s body odour is no different than taking their fingerprints. It’s covered by the criminal statute book. The scent contains a person’s identity just like the lines of his fingertips or his DNA.

Taking someone’s DNA is subject to strict conditions but the law permits fingerprinting and scent recording whenever police deem it necessary as part of a criminal investigation—which means virtually always. Erhard Denninger, an expert on Germany’s justice system, has no problem with scent analysis. “It’s harmless by comparison with sledgehammer plans like searching people’s computers,” he said.

Suspects are told to hold several 10 centimeter steel pipes in succession for several minutes each.

There are strict rules governing this procedure. The interior minister of the state of North Rhine-Westphalia has decreed that “persons must contaminate the metal tubes through their hands”, and that the aromatic traces thereby recorded “be secured in glass containers in dry condition.”

It sounds harmless. But a number of defence lawyers, Düsseldorf-based Udo Vetter among them, advise their clients not to agree to scent recording. If the state sniffs the sweat of its citizens, it amounts to a “considerable intrusion into one’s intimate sphere,” he says.

The complexity of collecting someone’s scent is the theme of Patrick Süskind’s novel “Perfume”, recently made into a movie, in which an 18th century murderer wraps beautiful women in cloths which he later boils. Unlike in real life, the perfume specialist chose to kill his victims before taking their scent.

Posted on August 1, 2007 at 2:05 PM

Faking Hardware Memory Access

Interesting:

[Joanna] Rutkowska will show how an attacker could prevent forensics investigators from getting a real image of the memory where the malware resides. “Even if they somehow find out that the system is compromised, they will be unable to get the real image of memory containing the malware, and consequently, they will be unable to analyze it,” says Rutkowska, senior security researcher for COSEINC.

Posted on March 1, 2007 at 1:33 PM

Complexity and Terrorism Investigations

Good article on how complexity greatly limits the effectiveness of terror investigations. The stories of wasted resources are all from the UK, but the morals are universal.

The Committee’s report accepts that the increasing number of investigations, together with their increasing complexity, will make longer detention inevitable in the future. The core calculation is essentially the one put forward by the police and accepted by the Government – technology has been an enabler for international terrorism, with email, the Internet and mobile telephony producing wide, diffuse, international networks. The data on hard drives and mobile phones needs to be examined, contacts need to be investigated and their data examined, and in the case of an incident, vast amounts of CCTV records need to be gone through. As more and more of this needs to be done, the time taken to do it will obviously climb, and as it’s ‘necessary’ to detain the new breed of terrorist early in the investigation before he can strike, more time will be needed between arrest and charge in order to build a case.

All of which is, as far as it goes, logical. But take it a little further and the inherent futility of the route becomes apparent – ultimately, probably quite soon, the volume of data overwhelms the investigators and infinite time is needed to analyse all of it. And the less developed the plot is at the time the suspects are pulled in, the greater the number of possible outcomes (things they ‘might’ be planning) that will need to be chased-up. Short of the tech industry making the breakthrough into machine intelligence that will effectively do the analysis for them (which is a breakthrough the snake-oil salesmen suggest, and dopes in Government believe, has been achieved already), the approach itself is doomed. Essentially, as far as data is concerned police try to ‘collar the lot’ and then through analysis, attempt to build the most complete picture of a case that is possible. Use of initiative, experience and acting on probabilities will tend to be pressured out of such systems, and as the data volumes grow the result will tend to be teams of disempowered machine minders chained to a system that has ground to a halt. This effect is manifesting itself visibly across UK Government systems in general, we humbly submit. But how long will it take them to figure this out?

[…]

There is clearly a major problem for the security services in distinguishing disaffected talk from serious planning, and in deciding when an identified group constitutes a real threat. But the current technology-heavy approach to the threat doesn’t make a great deal of sense, because it produces very large numbers of suspects who are not and never will be a serious threat. Quantities of these suspects will nevertheless be found to be guilty of something, and along the way large amounts of investigative resource will have been expended to no useful purpose, aside from filling up 90 days. Overreaction to suggestions of CBRN threats is similarly counter-productive, because it makes it more likely that nascent groups will, just like the police, misunderstand the capabilities of the weapons, and start trying to research and build them. Mischaracterising the threat by inflating early, inexpert efforts as ‘major plots’ meanwhile fosters a climate of fear and ultimately undermines public confidence in the security services.

The oft-used construct, “the public would never forgive us if…” is a cop-out. It’s a spurious justification for taking the ‘collar the lot’ approach, throwing resources at it, ducking out of responsibility and failing to manage. Getting back to basics, taking ownership and telling the public the truth is more honest, and has some merit. A serious terror attack needs intent, attainable target and capability, the latter being the hard bit amateurs have trouble achieving without getting spotted along the way. Buying large bags of fertiliser if you’re not known to the vendor and you don’t look in the slightest bit like a farmer is going to put you onto MI5’s radar, and despite what it says on a lot of web sites, making your own explosives if you don’t know what you’re doing is a good way of blowing yourself up before you intended to. If disaffected youth had a more serious grasp of these realities, and had heard considerably more sense about the practicalities, then it’s quite possible that fewer of them would persist with their terror studies. Similarly, if the general public had better knowledge it would be better placed to spot signs of bomb factories. Bleached hair, dead plants, large numbers of peroxide containers? It could surely have been obvious.

Posted on July 14, 2006 at 7:25 AM

Digital Cameras Have Unique Fingerprints

Interesting research:

Fridrich’s technique is rooted in the discovery by her research group of this simple fact: Every original digital picture is overlaid by a weak noise-like pattern of pixel-to-pixel non-uniformity.

Although these patterns are invisible to the human eye, the unique reference pattern or “fingerprint” of any camera can be electronically extracted by analyzing a number of images taken by a single camera.

That means that as long as examiners have either the camera that took the image or multiple images they know were taken by the same camera, an algorithm developed by Fridrich and her co-inventors to extract and define the camera’s unique pattern of pixel-to-pixel non-uniformity can be used to provide important information about the origins and authenticity of a single image.

The limitation of the technique is that it requires either the camera or multiple images taken by the same camera, and isn’t informative if only a single image is available for analysis.

Like actual fingerprints, the digital “noise” in original images is stochastic in nature, that is, it contains random variables, which are inevitably created during the manufacturing process of the camera and its sensors. This virtually ensures that the noise imposed on the digital images from any particular camera will be consistent from one image to the next, even while it is distinctly different.

In preliminary tests, Fridrich’s lab analyzed 2,700 pictures taken by nine digital cameras and with 100 percent accuracy linked individual images with the camera that took them.

There’s one important aspect of this fingerprint that the article did not talk about: how easy is it to forge? Can someone analyze 100 images from a given camera, and then doctor a pre-existing picture so that it appeared to come from that camera?

My guess is that it can be done relatively easily.
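The method the article describes (estimate a sensor’s fixed pixel-to-pixel non-uniformity, usually called PRNU, from several images known to come from that camera, then test whether a questioned image’s noise residual correlates with it) and the forgery question above, worked through as an added example. This is not Fridrich’s code: the two “cameras”, their scenes and their photos are all synthetic and constructed inline, the denoiser is a 3×3 mean filter standing in for the wavelet denoiser of the real method (an assumption that only works because the constructed scenes are smooth), and the fingerprint estimate is the weighted residual average ΣW·I/ΣI² that the group’s later papers use. The last function does what the question asks: it takes a photo from the other camera and stamps camera A’s estimated pattern onto it.

```python
"""Toy PRNU camera-fingerprint demo (pure Python, no third-party packages)."""
import math
import random

H = W = 32  # constructed image size in pixels (tiny, to keep pure Python fast)


def make_camera(rng, strength=0.03):
    """Fixed per-pixel sensitivity error (PRNU) of one simulated sensor."""
    return [[rng.gauss(0.0, strength) for _ in range(W)] for _ in range(H)]


def shoot(rng, prnu, read_noise=2.0):
    """Simulate one 8-bit photo: smooth random scene * (1 + PRNU) + read noise."""
    a, b, c = rng.uniform(0, 6.28), rng.uniform(0, 6.28), rng.uniform(-30, 30)
    img = []
    for i in range(H):
        row = []
        for j in range(W):
            scene = 128 + c + 40 * math.sin(i / 8 + a) * math.cos(j / 8 + b)
            val = scene * (1 + prnu[i][j]) + rng.gauss(0.0, read_noise)
            row.append(max(0, min(255, round(val))))
        img.append(row)
    return img


def residual(img):
    """Noise residual = image minus its 3x3 mean-filtered version (interior only)."""
    res = [[0.0] * W for _ in range(H)]
    for i in range(1, H - 1):
        for j in range(1, W - 1):
            local = sum(img[i + di][j + dj] for di in (-1, 0, 1) for dj in (-1, 0, 1)) / 9.0
            res[i][j] = img[i][j] - local
    return res


def estimate_fingerprint(images):
    """Reference pattern K_hat = sum(W_k * I_k) / sum(I_k^2) over known images."""
    num = [[0.0] * W for _ in range(H)]
    den = [[0.0] * W for _ in range(H)]
    for img in images:
        res = residual(img)
        for i in range(H):
            for j in range(W):
                num[i][j] += res[i][j] * img[i][j]
                den[i][j] += img[i][j] ** 2
    return [[num[i][j] / den[i][j] if den[i][j] else 0.0 for j in range(W)]
            for i in range(H)]


def correlation(img, fingerprint):
    """Normalised correlation between the image's residual and I * K_hat."""
    xs, ys = [], []
    res = residual(img)
    for i in range(1, H - 1):
        for j in range(1, W - 1):
            xs.append(res[i][j])
            ys.append(img[i][j] * fingerprint[i][j])
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def forge(img, fingerprint, gain=1.0):
    """Anti-forensic step: multiply a foreign image by (1 + gain * K_hat)."""
    return [[max(0, min(255, round(img[i][j] * (1 + gain * fingerprint[i][j]))))
             for j in range(W)] for i in range(H)]


def run_demo(seed=1, training_shots=20):
    """Train on camera A, then test a real A shot, a B shot, and a forged B shot."""
    rng = random.Random(seed)
    cam_a, cam_b = make_camera(rng), make_camera(rng)
    k_a = estimate_fingerprint([shoot(rng, cam_a) for _ in range(training_shots)])
    test_a, test_b = shoot(rng, cam_a), shoot(rng, cam_b)
    return {
        "a_vs_a": correlation(test_a, k_a),          # genuine: high
        "b_vs_a": correlation(test_b, k_a),          # other camera: near zero
        "forged_b_vs_a": correlation(forge(test_b, k_a), k_a),  # forged: high again
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:+.3f}")
```

The forged image still carries camera B’s own pattern, so a second examiner holding B’s reference would also match it; a more careful forger would suppress that first. The practical caveat for examiners is the one implied by the question: anyone who can obtain enough of a camera’s output can estimate the same reference pattern the examiner uses, so a match says the pattern is present, not who put it there.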

Posted on April 25, 2006 at 2:09 PM

MySpace Used as Forensics Tool

From CNN:

Detectives used profiles posted on the MySpace social networking Web site to identify six suspects in a rape and robbery….

[…]

She knew only their first names but their pictures were posted on MySpace.

“Primarily, we pulled up her friends list. It helped us identify some of the players,” said Bartley.

Posted on March 28, 2006 at 1:19 PM

Secret Forensic Codes in Color Laser Printers

Many color laser printers embed secret information in every page they print, basically to identify you by. Here, the EFF has cracked the code of the Xerox DocuColor series of printers.

The DocuColor series prints a rectangular grid of 15 by 8 minuscule yellow dots on every color page. The same grid is printed repeatedly over the entire page, but the repetitions of the grid are offset slightly from one another so that each grid is separated from the others. The grid is printed parallel to the edges of the page, and the offset of the grid from the edges of the page seems to vary. These dots encode up to 14 7-bit bytes of tracking information, plus row and column parity for error correction. Typically, about four of these bytes were unused (depending on printer model), giving 10 bytes of useful data. Below, we explain how to extract serial number, date, and time from these dots. Following the explanation, we implement the decoding process in an interactive computer program.

Because of their limited contrast with the background, the forensic dots are not usually visible to the naked eye under white light. They can be made visible by magnification (using a magnifying glass or microscope), or by illuminating the page with blue instead of white light. Pure blue light causes the yellow dots to appear black. It can be helpful to use magnification together with illumination under blue light, although most individuals with good vision will be able to see the dots distinctly using either technique by itself.

EDITED TO ADD: News story here.

EDITED TO ADD: And another.
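The grid geometry quoted above (15 columns by 8 rows, 14 seven-bit values, one parity row and one parity column) is enough to show why the parity dots give error correction rather than mere detection: a single misread dot fails exactly one row check and one column check, and their intersection is the dot to flip. The decoder below is an added example, not the EFF’s program, and its layout is assumed: column 0 holds row parity, row 0 holds column parity, data column c carries one value with its most significant bit in row 1, and every row and column is padded to an odd dot count. The page does not say which of the 14 values hold the serial number, date and time, so the decoder returns the raw values and the payload below is constructed, not real printer data.

```python
"""Parity decoder for a 15x8 printer tracking-dot grid (toy layout, see lead-in)."""
ROWS, COLS = 8, 15          # 8 dot rows x 15 dot columns, as the EFF describes
DATA_COLS = COLS - 1        # 14 seven-bit values, one per column (assumed layout)


def encode_grid(values, odd=True):
    """Build a grid (list of rows, 1 = dot present) from 14 values in 0..127."""
    if len(values) != DATA_COLS or any(not 0 <= v < 128 for v in values):
        raise ValueError("need exactly 14 values in the range 0..127")
    grid = [[0] * COLS for _ in range(ROWS)]
    for c, value in enumerate(values, start=1):
        for r in range(1, ROWS):               # row 1 = MSB ... row 7 = LSB
            grid[r][c] = (value >> (ROWS - 1 - r)) & 1
    pad = 1 if odd else 0
    for r in range(1, ROWS):                   # column 0: parity of each data row
        grid[r][0] = (sum(grid[r][1:]) + pad) & 1
    for c in range(COLS):                      # row 0: parity of each column
        grid[0][c] = (sum(grid[r][c] for r in range(1, ROWS)) + pad) & 1
    return grid


def parity_failures(grid, odd=True):
    """Return (bad_rows, bad_cols): indices whose dot count has the wrong parity."""
    want = 1 if odd else 0
    bad_rows = [r for r in range(1, ROWS) if sum(grid[r]) & 1 != want]
    bad_cols = [c for c in range(COLS)
                if sum(grid[r][c] for r in range(ROWS)) & 1 != want]
    return bad_rows, bad_cols


def decode_grid(grid, odd=True):
    """Return (values, repaired_cell); fixes one wrong dot, rejects anything worse."""
    grid = [row[:] for row in grid]
    bad_rows, bad_cols = parity_failures(grid, odd)
    repaired = None
    if bad_rows or bad_cols:
        # A single bad dot at (r, c) fails row r and column c; a bad dot in the
        # parity row itself fails only its column, so default the row to 0.
        if len(bad_cols) == 1 and len(bad_rows) <= 1:
            r = bad_rows[0] if bad_rows else 0
            c = bad_cols[0]
            grid[r][c] ^= 1
            repaired = (r, c)
        else:
            raise ValueError(f"uncorrectable: rows {bad_rows}, columns {bad_cols}")
    values = []
    for c in range(1, COLS):
        v = 0
        for r in range(1, ROWS):
            v = (v << 1) | grid[r][c]
        values.append(v)
    return values, repaired


def render(grid):
    """ASCII rendering of the grid: 'o' = yellow dot present, '.' = absent."""
    return "\n".join("".join("o" if d else "." for d in row) for row in grid)


def demo():
    """Constructed 14-value payload (hypothetical, not from any real printer)."""
    payload = [3, 0, 45, 9, 17, 22, 77, 5, 100, 0, 0, 12, 64, 127]
    grid = encode_grid(payload)
    damaged = [row[:] for row in grid]
    damaged[4][7] ^= 1                         # one dot lost to a smudge or scan error
    values, fixed = decode_grid(damaged)
    return grid, values, fixed


if __name__ == "__main__":
    grid, values, fixed = demo()
    print(render(grid))
    print("decoded:", values, "repaired dot:", fixed)
```

Two misread dots in different rows and columns fail two row checks and two column checks, and the decoder refuses to guess which of the four candidate cells are wrong; that is the limit of a single parity row plus a single parity column, and it is why the EFF’s decoding depends on the grid being printed repeatedly across the page.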

Posted on October 19, 2005 at 8:12 AM
