Presentation given in the Belgian Senate on 14 03 2014.
Comparison of classical police investigation methods with the new cyber investigation methods.
Problems and proposals for better cyber investigations
20140314 Belgian Senate Judicial action of police on social media
1. Belgian Senate
Brussels, 14 March 2014
Luc Beirens
Federal Computer Crime Unit
2. Give input for reflections
on judicial action on social media
Why we need new solutions
Even in an era of NSA ...
(c) 2014 Luc Beirens - Federal Computer Crime Unit
3. Judicial actions
Basic principles of police interventions
Pre digital era methods
Footprint & digital footprint
Digital era impact on police methods
Problems
Solutions
4. Detect & stop crime
Gather evidence
Identify and arrest criminal(s)
Bring him to court
Execute court decisions
5. To maintain law and order in cyberspace
Detect crime in cyberspace ?
=> patrolling => Privacy intrusion ?
Identify users (criminals, victims) in cyberspace
Locate communications geographically and in time
Identify correspondents => contact network
Gather and analyse electronic evidence
Protect ourselves and methods
Enforce court decisions also in cyberspace
6. Legality
• Police action must be based on legal provisions
(general law / police specific law)
Loyalty
• Whenever in action :
give proof of your quality as policeman
except when legally allowed not to do so
7. Goals of criminals: Money, Power / influence
Banks / money transport
Merchants / politicians
Activities
- Meeting crime partners
- Search victims
- Reconnaissance
- Perpetrate crime
- Hide criminal proceeds
- Wipe out traces ??
Traces
- seen with victim
- present on crime scene
- paper traces
- material traces
Police methods
- Interrogate witnesses
- Use informants
- House searches
- Forensic analysis of traces
Location of the crime: Physically present in our jurisdiction
We were territorially competent
8. Made by himself
Not intentionally created
Unique
Proof of presence
Non intentional safeguarding
Non intentional erasure
9. House search and closed door
=> proportionate force allowed
to open the door
=> use locksmith or special forces
Telecom interceptions with help of operator
Special investigative measures
• Observation / infiltration / informants
• Use of fictive identity : only
For serious crime and if serious indications available
after very strict evaluation procedure
10. Nearly everyone
• has a computer
• has a mobile phone
• has a digital camera
• is internet connected
Every company is present on the net
• is connecting more and more internal networks
Wireless connections become dominant
11. Text spreadsheet
Presentations
E-mails
Music
Pictures
Movies
E-Banking
Social networking
Instant messaging
Blogging
Twittering
13. Cloud computing & virtualization
• Data and applications in the cloud for enterprises and enduser
• Security depends on cloud provider (too often still user id & pw)
Social media : integrators and identity providers
• bring access to all your internet services together
Geolocated services
• Based on location – user or device based signal
• Buddy list information
• Commercial links
Instant broadcasting of information
Internet of things: everything connected
16. Very dynamic digital footprint (based on user actions)
Dispersed over different systems (internet)
Often very easily searchable and accessible
A lot of people give an awful lot of private information
free on the internet in different formats
(identity, education, contact, family, social life)
Information storage is moving towards internet accounts
Who are these service providers ?
Do they want to help end users ?
How do they take care (or not) of your data ?
17. They are so much like everyone else
• Communication with friends / colleagues
• Show off their wealth (voyages / parties ...)
Search for & communication with victims
Getting personal data of victim
Creation of false profiles
Hacking & abuse of existing profiles
Vector for infection with malware
Abuse of a profile's purchasing possibilities
18. Encryption tools
• Storage / Communication end to end
• Inability for police / authorities
to make effective legal intercept
to get to the content of stored information
Peer 2 peer applications
• No more central provider
• Hiding / escaping from responsibility
Strong authentication procedures
19. Goals of criminals: Money, Power / influence
Banks / money transport
Merchants / politicians
Activities
- Meeting crime partners
- Search victims
- Reconnaissance
- Perpetrate crime
- Hide criminal proceeds
- Wipe out traces ??
Traces
- not seen with victim
- not present on crime scene
- no paper traces
- no material traces
- Only digital traces
Police methods
- Interrogate witnesses ?
- Use informants
- House searches
- Forensic analysis of traces
Location of the crime: Not physically present in our jurisdiction
Are we territorially competent?
20. EU directive 54 / 2002
• obligation to delete / anonymize traces of electronic
communications after end of comm.
• except if there is a national law that obliges it
EU directive 24/2006
• tries to harmonize EU national laws
• general data retention for traffic data for all users
• between 6 and 24 months
• Carrier / internet access / IP telephony & e-mail
• Not about content
• Resistance in implementation
• Invalidated laws by constitutional courts in DE and RO
• BE implementation since 2013 => 12 months
21. EU Directive
• 2006 : for technology of 2005 (pre social media)
• Only for EU member states
• Not for social media
• Didn’t regulate organizational aspects
(exchange formats / time frames / technical)
Very strict legal limitations to obtain
• Prosecutor / Investigating judge
• Serious crime ?
• => slowing down identification process
23. Data freeze :
keep available data from moment of request
Data preservation
start storing comm. data from moment of request
These instruments are needed but not sufficient
• no proof – no traces of criminal activity
if “one time attack” e.g. terrorism
• does not show links with crimes that happened in the past
(links with places where crimes happened)
• does not show networks if actor is arrested
Network investigations (art 88 ter BE Crim Proc C)
• No hacking allowed ? (opening doors ?)
24. Intelligence purposes
• Look and find criminals’ “digital identity”
• Verify content of social media profile
Often need for “own” profile to use service
Using our own “real” identity (?) => risk for private life
Fictive identity (?) => based on which law
Gathering evidence
• Publicly available content / request IP-addresses
25. RCCU => specialized ICT forensics
Are social media “specialized” ?
Via FCCU : identity data and historical
connection data to international ISPs
Microsoft, Facebook, Google,...
On a voluntary basis => no obligation
No content / no complete answers
Risks, cf. Twitter
But every case officer should know
National security plan => training
26. The old investigation methods are not
so effective anymore
Social media : international (USA) providers
Sometimes difficult to contact / get cooperation
Ineffective in removing content from social
media even when there is a court decision
(no international directive => voluntary)
27. Necessity for new laws ?
• Extended data retention => legal obligation
• “Infiltration” light / use of fictive identity to patrol
• Legal hacking
Opening the digital locker
Get access to be able to intercept before encryption
• Obligations to remove / block content for social media
International legal framework
Organizational matters
• Collaboration with internet service providers
to automate exchange (national & international)
=> faster / improved transparency