The National Gendarmerie now systematically exploits the digital traces it can find at crime scenes. The task is far from simple, given the great variety of connected objects.
Forensic science may be on the cusp of a new revolution, comparable to the exploitation of DNA traces. Connected objects are proliferating in our personal and professional environments, and the digital traces they leave can, in some cases, help reconstruct the chronology of events in a criminal case. This is not just theory.
Several cases have made headlines in recent years. In 2017, US law enforcement asked Amazon for records and audio recordings from an Echo speaker in a suspected murder in Arkansas and a domestic abuse case in New Mexico. In 2018, heart data from a FitBit wristband aided the conviction of a killer in San Jose. And in 2019, geolocation data from a Garmin watch helped identify a killer in Merseyside, Britain.
Connected objects can be especially valuable witnesses in solving crimes, because they are full of antennas and sensors – movements, photos/videos, light, temperature, geolocation, etc. In addition, the data they generate is timestamped, which is very practical for reconstructing events. But investigators still have to find and understand this data, which is often the result of interactions between many networked objects and can be stored in very different ways.
Being able to locate the relevant data
For example, a home security system like Amazon Ring can rely on motion sensors, surveillance cameras, and a command center, itself linked to the internet service provider's modem-router. The data is captured at the edge, travels over the local network and ends up stored centrally on Amazon servers. The investigator therefore has several options. They can analyze the memory of the sensor, which is technically difficult. They can extract logs from the modem-router, which is easy but reveals little about the content that was sent. They can also query Amazon, which involves a third party that is not necessarily very cooperative or trustworthy.
The art of IoT forensic investigation is to weigh the pros and cons of these different access options and prioritize to best resolve the issue at hand. Which is easier said than done given the ever-increasing number of connected objects and the resulting complexity in data processing.
That is why the thoughtful leaders of the Gendarmerie are working to develop a complete methodology. It is based in particular on the research of Captain François Bouchaud, Head of the Cyber Operations Coordination Department, who has just written a dissertation on the topic. "Many connected objects are known and analyzed individually, such as connected smartphones or speakers. But when you are part of connected environments, there is a lot of work to be done to figure out who is interacting with whom and at what time and to transmit data," the researcher explains.
SDR Equipment for Environmental Scanning
The first thing the investigator must do on arriving in the field is identify the connected objects that are present. This can be done visually, but that is not always enough, since some devices can be hidden. That is why the gendarmerie deploys software-defined radio (SDR) equipment to capture and analyze potential electromagnetic emissions. Connected objects generally communicate over wireless links – WiFi, Bluetooth, ZigBee, UWB, infrared, etc.
Depending on the situation, the capture may use a single sensor moved through the environment, or several sensors distributed in space. From the strength of the signals received at the different measurement sites, it is possible to infer the location of the connected objects. The longer the capture runs, the higher the chance of discovering connected objects, because some only communicate at certain times of the day or week. The goal is to eventually obtain a complete map of the connected objects that are present.
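The signal-strength localization described above, sketched as an added example that is not from the article or the gendarmerie's tooling. It assumes a log-distance path-loss model with hypothetical calibration values (P0_DBM, PATH_LOSS_N) and uses constructed readings from four measurement sites.

```python
import math

# Assumed propagation parameters (not from the article): RSSI at 1 m and the
# path-loss exponent of the environment. Both must be calibrated on site.
P0_DBM = -40.0
PATH_LOSS_N = 2.5

# Constructed sample: (x_m, y_m, rssi_dbm) for one emitter heard at four sites.
CONSTRUCTED_READINGS = [(0, 0, -57), (10, 0, -63), (0, 10, -61), (10, 10, -64)]

def rssi_to_distance(rssi_dbm, p0=P0_DBM, n=PATH_LOSS_N):
    """Invert the log-distance model RSSI = p0 - 10*n*log10(d); d in metres."""
    return 10 ** ((p0 - rssi_dbm) / (10 * n))

def locate(measurements, p0=P0_DBM, n=PATH_LOSS_N):
    """Estimate the (x, y) position of an emitter from [(x, y, rssi_dbm), ...].

    Each reading defines a circle around its measurement site. Subtracting the
    first circle equation from the others gives a linear system a*x + b*y = c,
    solved by least squares through the 2x2 normal equations.
    """
    if len(measurements) < 3:
        raise ValueError("need at least three measurement sites")
    x0, y0, r0 = measurements[0]
    d0 = rssi_to_distance(r0, p0, n)
    saa = sab = sbb = sac = sbc = 0.0
    for x, y, r in measurements[1:]:
        d = rssi_to_distance(r, p0, n)
        a, b = 2 * (x - x0), 2 * (y - y0)
        c = d0**2 - d**2 + x**2 - x0**2 + y**2 - y0**2
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("measurement sites are collinear; position is ambiguous")
    return ((sac * sbb - sbc * sab) / det, (saa * sbc - sab * sac) / det)

if __name__ == "__main__":
    x, y = locate(CONSTRUCTED_READINGS)
    print(f"estimated emitter position: ({x:.2f} m, {y:.2f} m)")
```

The constructed readings are the whole-dBm values an emitter at (3, 4) would produce under the assumed model, so the residual error in the estimate shows how much 1 dB of quantization alone shifts the result.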
These SDR tools have already been used by the gendarmerie for several years. François Bouchaud analyzed the results of the last 400 publications, between November 2015 and November 2019. The number of connected items found is highly variable and can range from 0 to 80. On average, it was about ten, and it continues to grow. In current surveys, the average is several dozen connected objects.
Once objects are identified, the investigator must decide which equipment to target first. Since it is impossible to know the details of every model of connected object found in the field, the gendarmes have a central knowledge base that can be accessed from a web portal, as well as a hotline. This allows them to quickly find out what types of data are stored in which objects and how to access the data while preserving its integrity. If necessary, experts from the National Electronic Assistance Center (Cnac) can be sent to the site to perform the analysis. If the extraction proves too complex, the object is seized and sent to the National Center for Digital Experience (Cnenum), which has a clean room and specialized equipment.
The gendarmerie clearly does not wait for a crime to practice this type of investigation. Not only do they train on theoretical scenarios, they also have a full-scale training space at Cergy-Pontoise where they can experiment with surveying and analysis tools.
But has the analysis of connected objects really solved a criminal investigation in France? "Should," François Bouchaud answers. "But what must be understood is that digital traces allow, in the same way as DNA or other elements of the investigation, to verify or unverify hypotheses and give new directions to the investigation. The point is that we can finally come together in a story that reveals past events." In short, we won't know more at this point. What is certain, however, is that in a connected world like ours, criminals will find it increasingly difficult to conceal their actions.