
Okay, first, thank you for having me today. As you said, I am a tech guy; I started programming when I was 15, and that was in '95 or something... no, no, '90, something like that. All right. I am about to talk about cyber crime fighting, but from a tech point of view. I would like to hopefully give you some new insights into what our capabilities are today. I will try to give you a glimpse of what we did 20 years ago and what we do to stay relevant.

So, my background: I am head of the digital forensic section at the National Cyber Crime Center. We have our headquarters here in Oslo. We are part of the National Criminal Investigation Service, that's NCIS. What we do is we assist the... all right, hang on, that's it. Okay, sorry about that.

This is our headquarters, based in Oslo, a brand new building, quite nice actually. We started building and expanded a few weeks ago, and in two years we will move the rest of the NCIS into this building. My section is on the sixth floor, and when you see some photos of what kind of equipment we have in that laboratory, you will wonder why we built such a laboratory on the sixth floor when the building is swaying. Well, I won't answer that; it was not my decision.

All right, the NCIS, the National Criminal Investigation Service, that's investigation, not intelligence. We are a special agency for fighting organized and serious crime. Just to give you a broad picture of what we do: we are 750 people; half are police officers, half are engineers and other kinds of non-police professions; half are men, half are women. We are expanding: when I started back in 2002 we were like 200, now 750. My experience is that all kinds of public services for security and investigation are expanding rapidly. For the Norwegian police we are the national point of contact for international cooperation and police work, and we assist all the police districts with the kinds of crime that need special competence, equipment and stuff like that.

NC3, which is one part of the NCIS, has been given a mission. Our mission is to be the national capacity to combat cyber crime, big words, I know, and online child sexual abuse; in the European Cybercrime Centre's definition of cyber crime, child sexual abuse is within that definition. We should, and will, contribute to increased awareness and knowledge about the causes of crime in a digital society, and, where I come from, the capacity to preserve digital evidence. Therefore we have this laboratory, which has become quite advanced.

Well, we are six sections. It's not necessary to dive into the organization, but the digital forensic section is one of the six. Well, digital forensics, what would you... well, copy data as evidence, analyze, prepare a report, give it to the investigation team, done. Well, digital forensics as a discipline comes from the forensic science discipline. You also have digital investigation, and sometimes the tech people do some kind of investigation task and sometimes the police officers do the forensic tasks, so these days it has been a mix.

For us it is very important to follow a few principles. Order of volatility: are you going to dump the RAM before you turn off the computer? You should. The credentials are still... or not still, but today it's very important to get the credentials before you leave the crime scene. Chain of custody: everything we do is supposed to be trackable, reproducible. For all kinds of tasks we do, it is important for us to ensure the data integrity. Well, you can think, if you come to a live crime scene, there are a lot of computers; maybe it's some cyber crime attack, you will do some incident response, but at the same time our task is also to preserve the data, because our exam is the trial court. All right, so we need to know what did we do, how did we do it, and ensure that everything was done as forensically sound as possible. That's very important for us.

So, fancy animation: copy the stored data, easy; dump volatile data, easy, maybe. Often the volatile data is the step into the cloud, to decrypt the data. Nothing new.

Well, I jump to mobile phone acquisition. That's where we have been very... how do I put it... we have succeeded a lot, because, having the national capacity for data acquisition, it's not only in the cyber crime cases, it's in the murder cases, in robberies and all that kind of serious crime. Different levels of phone acquisition today: manual extraction, logical, well, that's easy; hex dumping, JTAG, other kinds of interfaces, we look at the PCBs or external, whatever exposed interface; chip-off is not used very often anymore. What is chip-off? Well, do some desoldering, heat the PCB up and the chip will come off, and you can then... but hey, it's many vendors, many interfaces, many protocols, but yes, we do a lot of them. But chip-off, well, today, as you know, hardware encryption is turned on by default, and you also have encryption on all levels of software, stuff like that, so you have to be better. Micro read: all right, you can use some special equipment going deep into the ones and zeros. And level six, what is that? I will try to give you a glimpse of what it can be and how we work to develop and innovate at those levels.

All right, fancy animation. Often we have to dig inside; often we get damaged or broken devices, so we have become experts at fixing broken glass and all that kind of stuff. Well, extract the data, that's also easy, or... yes, they are random components, only for the animation. So when we have the data we reverse it. What do we use? Well, IDA Pro, all those kinds of free tools out there, maybe some of our own tools. Well, you know this, I guess. How many of you have done reversing of firmware from modern smartphones? Or... right, you didn't know, okay, or you won't tell me, okay. But today it's like finding the hole, jumping through it, jumping over the fence, because there are security measures all over the place.

Okay, as I said, live forensics, I mean computer forensics. Today at the crime scene it's a balancing of doing live forensics and incident response. You cannot turn off the computer, you cannot shut it down, because then the opened drives, which are encrypted... well, you lose the passwords, the session keys, you lose your access into the data. What we are able to do as police: we have by law different police methods for evidence gathering. We can ask companies to give us the data, we can... well, all kinds of stuff we can do. Lawful interception, what is that? Well, we can tap the phone, we can tap the internet wire if it's very, very serious crime. Also, a few years ago the Norwegian police got the ability to do what is called some kind of surveillance at the device itself, because if you tap in the middle or outside the tunnel you won't get the raw data. So what we are able to do is, well, hack the phone, hack the computer, some kind of software in there, then read the data. Is it easy? No, it's not. Can we do it? Yes, we can do it, but I won't tell you any more about that. My point here is that the forensic tools themselves are not enough to get the access; you need to have all kinds of police methods. And the main point here is that if police are meant to have the ability to fight crime, you also need the tools or methods to do so. But of course you have to guarantee privacy and all that kind of stuff, which is also very important, so balancing privacy and police methods is of course important.
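The chain-of-custody and data-integrity principles set out above (everything trackable and reproducible, the acquired data verifiably unchanged) can be made concrete with a small hash-chained custody log. This is an added example, not the speaker's or NC3's tooling; the examiner names, timestamps and the 1 KiB stand-in "image" are constructed sample data.

```python
"""Hash-chained chain-of-custody log for an acquired evidence image.

Added illustration, not tooling from the talk. Each custody event records who did
what, when, and the SHA-256 of the evidence at that moment, and also commits to
the previous entry's hash. Editing, deleting or reordering an entry, or altering
the image, then fails verification. All names, timestamps and the stand-in image
below are constructed sample data.
"""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # prev_entry_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: Dict[str, object]) -> str:
    """Digest over every field except the entry's own hash, using canonical JSON
    so the same entry always hashes identically on re-verification."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CustodyLog:
    """Append-only record of who handled an evidence image, and when."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def record(self, timestamp: str, actor: str, action: str, evidence: bytes) -> Dict[str, object]:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry: Dict[str, object] = {
            "seq": len(self.entries),
            "timestamp": timestamp,   # ISO 8601, as written by the examiner
            "actor": actor,           # person or role handling the evidence
            "action": action,         # acquired / transferred / verified ...
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": prev,  # link to the previous entry
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry


def verify_log(entries: List[Dict[str, object]], evidence: bytes) -> List[str]:
    """Re-check the custody chain and the evidence against it.
    Returns the problems found; an empty list means everything is consistent."""
    problems: List[str] = []
    expected_prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence number {e['seq']} out of order")
        if e["prev_entry_hash"] != expected_prev:
            problems.append(f"entry {i}: broken chain link")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: entry contents were altered")
        expected_prev = str(e["entry_hash"])
    if entries:
        acquisition_hash = entries[0]["evidence_sha256"]
        if any(e["evidence_sha256"] != acquisition_hash for e in entries):
            problems.append("evidence hash changed between custody events")
        if sha256_hex(evidence) != acquisition_hash:
            problems.append("evidence image does not match acquisition hash")
    return problems


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Run a clean chain and three tampering scenarios; return the four verdicts."""
    # Constructed stand-in for an acquired disk image (real ones are gigabytes).
    image = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504
    log = CustodyLog()
    log.record("2023-05-02T23:40:00+02:00", "examiner A", "acquired at scene", image)
    log.record("2023-05-03T08:05:00+02:00", "examiner A", "transferred to lab", image)
    log.record("2023-05-03T09:30:00+02:00", "examiner B", "verified before analysis", image)
    clean = verify_log(log.entries, image)

    # 1. Someone rewrites who handled the evidence at step 1.
    edited = [dict(e) for e in log.entries]
    edited[1]["actor"] = "examiner C"
    edited_verdict = verify_log(edited, image)

    # 2. The transfer entry is removed from the log entirely.
    deleted = [dict(e) for e in log.entries if e["seq"] != 1]
    deleted_verdict = verify_log(deleted, image)

    # 3. One bit flips in the image itself (bit rot or tampering).
    flipped = bytearray(image)
    flipped[600] ^= 0x01
    flipped_verdict = verify_log(log.entries, bytes(flipped))
    return clean, edited_verdict, deleted_verdict, flipped_verdict


if __name__ == "__main__":
    for name, verdict in zip(("clean", "edited", "deleted", "flipped"), demo()):
        print(f"{name:8s} -> {verdict or ['ok']}")
```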
Well, back 20 years ago it was kind of a bunch of tech people who did a lot of stuff. Windows 95, well, that's kind of easy; FAT32, kind of easy; and each investigator or tech person could handle a lot of different exhibits or devices. There were Nokia, Ericsson and stuff like that, or vendors of phones. What we are experiencing now is that they are so specialized that we need a team: one person fixing the software, the firmware; maybe the only interface is the JTAG, and it's so advanced it needs to be updated; one person needs to fix the device before we open it, and stuff like that; and we need a coordinator to coordinate it all. So we have changed our way of working. Well, nothing new, but still it's a challenge for an organization to adapt.

All right, a lot of fancy animations; how does it look for real? Okay, we have a laboratory on the sixth floor, as I told you. It's about 800 to 900 square meters, something like that. It's ESD all over the place. We have shielded the different functions of our workflow. In this picture we have a special room for handling dirty stuff, I mean, we get exhibits, devices, from all over, from different crime scenes; DNA, fingerprints, we should preserve them as well. That's another department, but still. In this picture we see a simple SD card, but it is from a bad accident and the police believed there were some photos in there describing what happened. All right, well, we use some acids to remove the plastic, we are soldering thin, thin wires directly to the storage component. But it's easy, well, this is easy because it's so large. What we will see hereon is that things are becoming quite small, miniaturized, and we are talking about micrometers, nanometers and stuff like that.

Okay, so it's kind of a laboratory put together with all kinds of equipment, not for forensic tasks but for production, for reversing, for failure analysis and stuff like that. Right here we have a phone; we took everything out, I mean the PCB, the main board, and we had to remove broken components and do some hot swapping, or not hot actually, but cold swapping, resoldering, in order to make it work again so we could read out the data. Well, as you see, sometimes modern chips today are multi-layered. What if the data is stored inside the middle layer and the wires are not exposed outside the chip? Well, we need to get inside. We can do some in-circuit data read, as I showed in the fancy animation, quite easy, but of course, as you understand, it's very challenging to have the tech people constantly updated on all the standards. It's not easy to get the standards' details as well, because, well, we have good relationships and cooperation with a lot of private companies, but still they protect, also because this is company confidential stuff, so that's a challenge too.

When things are really bad it could look like this. Are we able, is it possible, to read data from heavily burned stuff? Sometimes. We have a motto that we never give up; it's possible. We cannot say up front it's impossible. All right, a broken device from another accident, a boat with a navigation problem. Interesting challenge: what happens when electronic components are exposed to salt water and air, oxygen? Well, it will start to change, so you have to be quick, you have to do it in the proper way. It's good advice to transport all the components in the same environment, stuff like the water; take a big bag, or not a bag but a box, with the same environment, and bring it, and when you expose it to air, then clean it. Well, I won't go into that further.

This is more... okay, a bunch of devices. Well, an example: what is this? Some sport watch, you know, tracking health data, GPS. The question here was, a murder case, all right, when did the heart stop beating? Well, then we had to reverse this one. We took the hardware apart, the firmware, software and everything, just to reverse the data formats in order to try to find out a specific timestamp for when the heartbeat seemed to stop. Okay, why is that important in an investigation? Well, if you are not sure when the time of death occurred, it's important to narrow down the period of time for other kinds of evidence gathering. So if you are thinking like, well, reducing months to days or minutes, that's important; you can focus and narrow down the investigation. Actually this was, well, it looks like everybody can do this, except that there are a lot of protection mechanisms from the vendor side, so this is actually a quite advanced glitch attack we did. Please don't tell the vendors. But of course we protect how we do it, and the question, if we find some kind of vulnerabilities, we find a way in, do we tell the vendors? No, I don't think so, but we are obliged to do it if there is severe, serious stuff; if there are systems that are critical for some reason, of course we tell, that's important. This kind of stuff, nobody will... we don't expose our ways of doing what we actually did; that's not the point. We can tell the vendor; the vendor can also... we can just say, well, we got stumped, can you help us please, or we will reverse it anyway, can you please help us? Well, yes, we can. So often they do, not always, sometimes they don't.

All right, I won't tell you about the glitch, though, but we needed a Faraday room certified for 40 to 50 GHz. We had an interesting setup for the side-channel attack and the glitching. Actually, the Faraday room, we bought it for doing live forensics on equipment that is functioning, all right, so that the signals, the online communication, are not possible. But what we found was that when we are doing some very low-level signaling it was... what is it... it was cancelled, or it was polluted with signals from the railway, from the subway and everything, so we are doing a lot of stuff inside the Faraday room now, the opposite use. But okay.

What I'm actually talking about, well, today it's about, for us, getting access to the data from the technical point of view. So you can, of course, through the internet, get evidence; you can get it through software, through hardware, okay, nothing new. But forensics to us, and data acquisition, is about finding vulnerabilities. All right, then the digital forensic discipline is starting to mix a lot with other kinds of disciplines, like cyber security in general, because we need to develop new methods to defeat or bypass the security protection mechanisms in order to do the data acquisition and follow the traces online. We thought ten years ago: is device hardware forensics very important, because everything is in the cloud? Yes, as a stepping stone, or as an entrance to online data, it's still very much of high value.

So can we do all this kind of stuff alone? Oh, I don't think we should. Public and private cooperation and collaboration is very important. I saw that many nice companies are paying for hosting and for the sponsors, and I also saw in the mnemonic bag I got for my kid, I got this reflector, I thank you for that; NC3, the National Cyber Crime Center, and mnemonic have an agreement, we are cooperating, because we see that you cannot fight cyber crime alone, of course. What I will go into now is not a private-public collaboration and partnership, but with more academic, nonprofit organizations. How, where do we get the money from, okay, except from the tax money? Well, we identified the European R&D programs for funding. Have you heard about those? Horizon Europe, 95 billion euros, that is a lot of money. We found out that if we go together with our equivalents, our similar cyber crime centers throughout Europe, we could apply for, or ask for, money if we had a good reason, a good challenge that we need to solve. There's also another fund we identified, which will contribute to reaching a high level of security in Europe, in particular by preventing and combating terrorism, radicalization, serious and organized crime, and cyber crime. All right, that's a lot of money too.

So what we did: we got together a bunch, a mix of law enforcement agencies, academics and three private companies. Our aim in this project is to develop new forensic models and methods for accessing data by bypassing security features in modern mobile phones: non-invasive, semi-invasive and fully invasive. Ten to fifteen years ago we wouldn't even tell anyone about this; there's something going on, a change. This is wide open. Our project is soon to be completed, this October; we have done it for three years, and all the results are downloadable. You should probably visit this website, read the papers, a lot of very good stuff, and it's probably state of the art in this field which is publicly available. So this has been an interesting trip for us. It's also interesting to see what the focus points are at the other organizations as well. EXFILES: all cool projects need a very nice name, you know, so "Extract Forensic Information for Law Enforcement Agencies from Encrypted Smartphones". X-Files, trust no one, Fox Mulder, that's the TV series, right? Okay.

The second project, we are in the middle of that. That's also not the device itself; it's to combat the encrypted communication platforms used in organized crime and give police investigations access to the decrypted data. That's a simple abstract. Four law enforcement agencies, non-private, non-academic. We haven't published anything so far, but that's also kind of interesting; that's more into the cloud, you know, so that's interesting. And the third, that's forensic reverse engineering of silicon chips. Norway is one of the most digitized countries in the world; we see a lot of modern devices as exhibits in use by the criminals. We cannot have a low ambition. Our ambition is to be able to extract data from whatever comes onto our table. So the aim is: we are to perform fully invasive operations on leading-edge semiconductor devices, develop the necessary tools and methods to attack the hardware chips, or the chain of trust, and advance the capability of extracting user data from highly integrated devices. Okay, and we are going to publish a lot of stuff there too, so I'm wondering how the industry will react to this. It's kind of interesting that the EU is funding projects like ours, and at the same time they are funding projects that will protect and build better security. Of course, and that's important, but it's a cat and mouse kind of game. But, well, that's interesting, and we just started this last week, so we look forward to it.

But how can we deal with it? What kind of equipment do we have to support this kind of project? Well, we established a nano lab. We bought a scanning electron microscope with a focused ion beam, lapping machines, ultrasonic cleaners; we had a lot of stuff from back in the days, and now they are all coming together to work on a very small physical scale. All right, we built a room, it's anti-vibration, anti-noise, anti-everything, because we are on the sixth floor, not my idea. So, example: well, we have some kind of electronic device, there's a chip, we need to get inside. We use micro-abrasion, acids, whatever, to remove the... or get physical access. We could put it in the X-ray, the 3D scanner, and we could dive into it. So we have the equipment, but the competence: how is it possible to reverse this kind of very advanced technology? Well, we need a good plan and a framework for innovation, and that's what I talked about; then we found this funding and the projects. Okay, so other kinds of equipment: the Faraday room I showed you, the micro mill, CNC routers, 3D scanners, and this is only a few, so it's become quite advanced. Twenty years ago we had one IDE and one SCSI cable, that's it; now we are here, very advanced.

Okay, one case I'm allowed to tell you about, but not very detailed, just to give you a short glimpse, because now I put a lot of focus into physical devices, and in this case a lot of people, or other sections, have of course worked on this. Well, the cyber attack on Norsk Hydro, have you heard about it? Did we believe it could happen? No. Did it? Yes, it did. 18th of March 2019, late night, the ransomware LockerGoga was detected. All right, the attack affected production worldwide; almost all factories and production lines had to be isolated and put on manual control. Imagine being ICT personnel or a manager or whatever in such a situation. Well, we got notified quite fast, the same evening and morning, and received information; very, very good cooperation. They have 35,000 employees, they have factories in 40 countries on every continent, and so on. Here, in fighting cyber crime, it's borderless; you have to have the international cooperation. Europol and Interpol are information hubs; Europol also has its cyber crime center facility in The Hague, and we organized the cooperation there. Yeah, of course a very big case in very few slides, but still the main focus is to collect information through the hardware acquisition, through online acquisition, and also cooperation, data from others too. There were a lot of command and control servers; live forensics, you cannot shut it down; what about the network forensics? All disciplines at once, at not only one crime scene but systems all over the world. So cooperation between technical people and the police officers, investigators. The money trail: ransomware money, how do you track the money? If it's encrypted... it was easy back then, but now with crypto money it's a more difficult task, but still. We identified that Ukraine was a hot spot for the bad guys, so we have a very close and very good cooperation with the Ukrainian police, even if, as you all know, they are in a very difficult situation, but still they are heavily cooperating, and in this operation as well. We actually caught the bad guys here. There was a big targeted operation in Ukraine and one other country; we participated, and we found a lot of stuff, and during the investigation we also found the keys to the LockerGoga and MegaCortex ransomware. We derived the decryption key from the software found on the bad guys' computer systems, and we put together a script, drove over to their headquarters: hey, here's the software, decrypt, here we are. And they did, and it was a success, but the company lost 800 million Norwegian kroner; that's what it cost them. But very early in this stage they said we are going to fight, we are not going to pay the ransom money.

So our experience from this investigation is that cyber crime is very time consuming, but someone has to do the investigation. If you are doing incident response and clean it up and fix it and just go further, then someone has to do the investigation, so therefore we exist. We also do a lot of prevention; you cannot arrest all the bad guys in the world anymore, you have to do a lot of prevention. All right, in this case in specific, we know how it happened, who did it, we have the individuals in custody and we are still seeking... the trial is soon to come, and we found the decryption keys. It has cost a few years of investigation, a lot of money, and almost half of our people, one case. In the meantime, from 2019, there have been several almost similar attacks, but they were prevented: during this investigation we found a lot of details about other attacks ongoing and we provided and shared all the information, for prevention purposes of course.

Another international investigation, I won't say a lot about that, but there's a big ransomware case, where ransomware is becoming a service. It's a big case, the FBI is the main lead, we have assisted because there are Norwegian companies hit by this one, and we are assisting the local police and doing the analysis, or investigation and analysis, of the seized infrastructure and data. So probably more to come, but still very interesting. I won't mention what companies or public services.

Okay, from 10 to 15 years of fighting cyber crime and murder cases and all kinds of stuff, what have we learned? Well, these are some lessons or observations, so take them for what they are; it's kind of experience-based, non-academic, but I hope you will get some insights into what we do and why we do it, in this final chapter, in no particular order.

All right. Balance innovation and production: rapid development of new techniques is impossible if the same group of people has to manage these techniques. The ability to simultaneously explore and exploit enables us to adapt over time. Me, as the head of the section, I need to balance when we should produce, I mean help in the cases, and when we should do innovation and competence or training; it's a two-sided dilemma. Case production uses known techniques; innovation finds new techniques for tomorrow's case production. There are a lot of companies in history who didn't understand this one, because they did a lot of production and forgot the innovation.

Number two: you're only as relevant as your latest discovery. New techniques are like fresh produce: at some point they will go bad and become irrelevant. Sharing new information is the key to obtaining new information; you have to bring something to the table to get something from the table.

Number three: it's good to have friends. When everyone is working to solve the same challenges, a joint international effort is the only sensible solution. Fighting cyber crime often means fighting high-tech organized criminal activity across borders with unequal legislation, resources and regulation.

Number four: big data is here to stay. The amount of data to be acquired, filtered, analyzed and transferred will only increase. We have experience using the transformer technology, you know, the ChatGPT stuff, for training a large language model in the Norwegian language and putting a lot of case documents inside it. That's kind of interesting and powerful technology, not intelligent, I know, but it's a very nice way of searching, or quickly finding the needle in the haystack.

Okay, so number five: the technological evolution will determine your focus areas. Therefore we are focusing on all the hard stuff that is hitting us through the cases. In order to stay ahead in the game of cyber crime you have to continuously research and develop new methods, techniques and knowledge. Yeah, this is known stuff, but anyway.

Number six: encryption is mostly bad for law enforcement. Encryption makes data harder to obtain; however, once decrypted, the data may prove extremely valuable. We have seen in many cases that criminals talk openly on encrypted platforms and consider them very safe, but it's very expensive to defeat security mechanisms.

Number seven: zero-days, all days, are hard currency. Finding vulnerabilities, finding an exploit and weaponizing an exploit will provide you with an extremely useful and attractive solution. Commercial tools are not always up to date, it's like a sawtooth function, if you... yeah, okay, and many are quite expensive.

So, number eight: the best defense is a good defense. Researching and reverse engineering a system to find vulnerabilities could prove to be time and money well spent. Disruptive actions become a valid policy of police strategy; too many criminals to fit in jail, like I said, prevention is here to stay too.

Number nine: burn bridges in the right order. In digital forensics it's the order of volatility, but here there's usually more than one way to solve a problem. Make sure you don't close the door on one approach before considering potential consequences. Stay true to long-term goals, don't be too short-sighted; in these times of difficulties it's easy to say a good long-term strategy is to be short-term, but again, think about what you are doing. Going in for landing.

Number ten: don't ignore outreach and prevention. Sometimes a non-technical solution is the best solution in a cost-benefit perspective; outreach and prevention activity, too many criminals to jail, again.

Number eleven: invest in bright minds, that's you guys. Provide a work environment where creativity can prosper. Advanced digital forensics and digital investigations require skills which are few in supply and high in demand.

Number twelve: respect the value of your own data. Algorithms are fed with data in the data-driven world; respect and understand and protect your data. Don't underestimate the consequences of data compromise.

And number thirteen, I know, the buzzword, AI. AI is also here to stay. The reward is a function of regulation and legislation, understanding and actual application. Kind of deep, but still: new possibilities for law enforcement, new possibilities for criminals. The Matrix is one step closer; my kid said, dad, you're stuck in The Matrix. No, I'm not. And that's it. [Applause]