Gallery: Tools for CSI cybercrime
Image 1 of 11
The digital forensics unit (DFU) of the Australia Serious Fraud Office sniffs out incriminating evidence from crime scenes with ZDNet Australia on hand collecting clues.
rnArmed with laptops and suitcases containing specialist forensic tools the 21-strong team can swiftly capture information from nearly any device, from laptops to mobile phones and PCs to games consoles.rn
rnThis Logicube CellDEK forensic tool can pull data from more than 1,100 of the most popular mobile phones and PDAs, capturing information using a plug-in connector, infrared or Bluetooth.rn
rnThe team aims to capture nearly all the data it needs on scene during a police search, storing a complete image of each device on its 300TB of dedicated storage–where it will help solve anything from multi-billion pound corporate price fixing investigations to murders.rn
rnPicking apart the information is a painstaking process as the team first strips out the hundreds of thousands of duplicate, system or application files; most photos; attachments; and malware, to produce a clean set of data.rn
rnCracking encryption is the second major hurdle, with the team employing the brute force of its 100 quad-core PCs to break low-grade encryption, such as password protected files.rn
rnThe team does not attempt to crack high-grade encryption, relying instead on the threat of a prison sentence for individuals refusing to hand over passwords or decrypted files.rn
rnPhoto credit: Nick Heath
One of the biggest challenges faced by the unit is the sheer size and scale of the fast evolving mobile phone market.rn
rnNew forensic tools are constantly being devised to detect emerging devices and the team must carry around scores of connectors for nearly every mobile phone produced, a small selection of which are seen here.rn
rnKeith Foggon, head of the DFU has overseen a revamp of the unit earlier in the summer.rn
rnHe said: “The PC architecture it is usually stable. But with mobile devices they change daily and consumers buy, throw away and upgrade their mobile phones, with new models coming out very, very regularly.rn
rn”That is an area where we are almost playing catch-up, we are never ahead of the mobile device forensic market.”rn
rnPhoto credit: Nick Heath
When forensic tools are unable to capture data from an obscure or new mobile phone it can mean reverting to a painstaking manual process of photographing each screen.rn
rnThis fixed digital camera is used to capture screens from phones, a time-consuming process that can run to hundreds of images but is necessary to produce screenshots to show in court, in the event of a dispute over an issue such as SIM card references.rn
rnPhoto credit: Nick Heath
A small selection of the hundreds of mobile phones that are analysed by the DFU on a regular basis.rn
rnThe unit also probes phones for the City of London Police to allow it to develop tools and resources to tackle the variety of phones on the market.rn
rnFoggon says the DFU can cope with all of the major brands but still comes across handsets that leave it stumped, such as an Amoi phone that initially had it baffled.rn
rnThe DFU has two attached officers from the City of London Police, soon to be increased to four, and provides evidence for a wide range of cases such as people trafficking.rn
rnPhoto credit: Nick Heath
These servers are devoted solely to the 130TB of information, including half-a-billion emails, amassed during the seven-year Operation Holbein investigation into pharmaceutical price fixing.rn
rnThe DFU uses about 60 per cent of its 300TB storage, which is spread over two floors of the Serious Fraud Office (SFO) headquarters.rn
rnThe alleged price-rigging of generic drugs such as penicillin is estimated to have cost the National Health Service as much as two billion pounds.
rnrnPhoto credit: Nick Heath
This degausser generates a magnetic field to wipe clean any hard discs and other storage devices.rn
rnIf a drive or memory stick holds government protected data the unit will first degauss it several times using several different polarities of magnetism and then pulverise them.rn
rnThe degausser comes with a remote control that looks like a car central locking keyring to allow it to be used from a safe distance.rn
rnFoggon warns: “You need to stand back two metres otherwise it degausses you as well. It can be dangerous if you have a pace maker and it can’t be used too close to other equipment because it resets a lot of the machines, it killed our microwave.”rn
rnPhoto credit: Nick Heath
This is the workspace in which the SFO tests out new tools for forensic analysis on emerging hardware, such as solid state hard drives.rn
rnPhoto credit: Nick Heath
These innocuous looking pictures may look identical to the naked eye but the one on the right contains data hidden within almost imperceptible color differences.rn
rnFoggon is concerned that the unit’s job could start becoming far more difficult as criminals embrace stenography as a way of hiding information.rn
rnThe subterfuge only becomes apparent when comparing the number of colours in both pictures, with 46,270 colours in the one of the left and 44,311 on the right.rn
rnPhoto credit: Nick Heath
Here the pictures are filtered through a specialized viewer and magnified to reveal the tiny differences in their make-up. The area of the picture that has been altered to hide the data has been circled.rn
rnFoggon says it would make uncovering evidence far more difficult if its use starts to become more widespread.rn
rnHe said: “We have tools to help us analyze it but it’s a long process to help us do that, it’s not an easy job at all.”rn
rnPhoto credit: Nick Heath
Here are some of the variety of tape drives that the DFU uses to process the back-up tapes seized on searches.rn
rnPhoto credit: Nick Heath
These are the Rainbow Tables that contain lists of password hashes for common applications, such as those made by Microsoft and Adobe, to allow the DFU to quickly crack password protected files relating to this software.rn
rnPhoto credit: Nick Heath