
We have public sector representation here at BSides as well, and I'd like to introduce Stefan Torkerson, who is a tech guy from the 90s and head of the digital forensics section at the National Cyber Crime Center, with 25 years of experience. And the SANS CTF is starting downstairs on the small stage during the first break. All right, let's go.

Thank you, thank you. Okay, first, thank you for having me today. As you said, a tech guy: I started programming when I was 15, and that was in '95 or something, 90-something like that. I'm about to talk about cyber crime fighting, but from a tech point of view. I would like to give you, hopefully, some new insights into what our capabilities are today. I will try to give you a glimpse of what we did 20 years ago and what we do to keep relevant. So, what's up?

My background: I'm the head of the digital forensics section at the National Cyber Crime Center. We have our headquarters here in Oslo. We are part of the National Criminal Investigation Service, that's NCIS. What we do is we assist the... all right, hang on, that's it. Okay, sorry about that.

This is our headquarters, based in Oslo, a brand new building, quite nice actually. We started building and expanded a few weeks ago, and in two years we will move the rest of the NCIS into this building. My unit, the section, is on the sixth floor, and when you see some pictures, photos, of what kind of equipment we've got in that laboratory, you will wonder: why did you build such a laboratory on the sixth floor when the building is waving? Well, I want to answer it: it was not me who decided.

All right, the NCIS, the National Criminal Investigation Service, that's investigation, not intelligence. We are a special agency for fighting organized and serious crime. Just to give you a broad picture of what we do: we are 750 people. Half are police officers, half are engineers and other kinds of non-police positions. Half are men, half
are women. All right, we are expanding. When I started back in 2002 we were like 200; now 750. My experience is that all kinds of public services for security and, I guess, investigation and such are expanding rapidly. For the Norwegian police we are the national point of contact for international cooperation and police work. We assist all the police districts with the kind of crime that needs special competence, equipment and stuff like that.

NC3, which is one fifth of the NCIS, has been given a mission. Our mission is to be the national capacity to combat cyber crime, buzzwords, I know, and online sexual abuse. You know, Europol, the European Cybercrime Centre, in their definition of cyber crime, online sexual abuse is within that definition. We should and will contribute to the increased awareness and knowledge about the cause of crime in a digital society, and, where I come from, the capacity to preserve digital evidence. So therefore we have this laboratory, which has become quite advanced. We are six sections; it's not necessary to dig or dive into the organization, but the digital forensics section is one of the six.

Well, digital forensics, what would you... well, copy data as evidence, analyze, prepare a report, give it to the investigation team, done. Well, digital forensics as a discipline comes from the forensic science discipline. You've also got digital investigation, and sometimes the tech people do some kind of investigation task and sometimes the police officers do the forensic tasks, so these days it's been a mix. For us it's very important to follow a few principles. Order of volatility: are you going to dump the RAM before you turn off the computer? You should. The credentials are still very... or not still, but today it's very important to get the credentials before you leave the crime scene. Chain of custody: everything we do is supposed to be trackable, reproducible. We should,
for all kinds of tasks we do, it's important for us to ensure data integrity. Well, you can think: if you come to a crime scene, a live crime scene, there are a lot of computers; maybe it's some cyber crime attack and you will do some incident response, but at the same time our task is also to preserve the data, because our exam is the trial court. All right, so we need to know what did we do, how did we do it, and ensure that everything was done as forensically sound as possible. That's very important for us.

So, fancy animation: copy the stored data, easy; dump volatile data, easy, maybe. Often the volatile data is the step into the cloud, to decrypt the data. Nothing new.

Well, I'll jump to mobile phone acquisition. That's where we have been very... how do I put it... we have succeeded a lot, because having the national capacity for data acquisition is not only for the cyber crime cases; it's in the murder cases, in robberies, and all that kind of serious crime. Different levels of phone acquisition today: manual extraction, logical, well, the CC, hex dumping, JTAG, other kinds of interfaces. We look at the PCBs for external, whatever, exposed interfaces. Chip-off is not used very often anymore. What is chip-off? Well, do some desoldering, heat the PCB up and the chip will come off. You can then... but hey, it's many vendors, many interfaces, many protocols, but yes, we do a lot of them. But chip-off, well, today, as you know, hardware encryption is turned on by default. Also you've got encryption at all levels of software and stuff like that, so you've got to be better. Micro read: all right, you can use some special equipment going deep into the ones and zeros. And level six, what is that? I will try to give you a glimpse of what it can be and how we work to develop and innovate those levels.

All right, fancy animation. Often we have to dig inside; often we get damaged or broken devices, so we have become experts at fixing things.
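The chain-of-custody and data-integrity principles mentioned above (trackable, reproducible, forensically sound), as an added example that is not from the talk: a hash-chained custody log in Python where each record commits to the previous record and to the SHA-256 of the acquired image, so a later edit to the log or to the image is detectable. Handler names, timestamps and the evidence bytes are constructed for the example.

```python
import hashlib
import json
from copy import deepcopy

GENESIS = "0" * 64  # prev_hash of the first custody record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash the record without its own digest, in canonical key order
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_entry(log: list, when: str, handler: str, action: str, image: bytes) -> dict:
    """Append a custody record bound to the previous record and to the image hash."""
    entry = {
        "seq": len(log),
        "time": when,  # ISO 8601 string supplied by the caller, so the log is reproducible
        "handler": handler,
        "action": action,
        "image_sha256": sha256_hex(image),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log: list, image: bytes) -> list:
    """Return the integrity problems found; an empty list means log and image are intact."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence gap or reordering")
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: link to previous entry broken")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: contents modified after being recorded")
        if e["image_sha256"] != log[0]["image_sha256"]:
            problems.append(f"entry {i}: image hash differs from acquisition hash")
        prev = e["entry_hash"]
    if log and sha256_hex(image) != log[0]["image_sha256"]:
        problems.append("image on disk does not match acquisition hash")
    return problems

def demo() -> tuple:
    """Constructed scenario: acquisition, hand-over, analysis, then two tampering attempts."""
    image = b"\x00" * 512 + b"CONSTRUCTED-EVIDENCE-IMAGE" + b"\xff" * 512  # not a real image
    log = []
    append_entry(log, "2023-05-10T09:15:00Z", "tech-1", "RAM dumped at scene before power-off", image)
    append_entry(log, "2023-05-10T13:40:00Z", "tech-2", "exhibit received in lab", image)
    append_entry(log, "2023-05-11T08:05:00Z", "tech-2", "analysis started", image)
    intact = verify_log(log, image)
    edited = deepcopy(log)
    edited[1]["handler"] = "someone-else"  # rewrite who handled the exhibit
    altered = verify_log(edited, image)
    swapped = verify_log(log, image + b"\x00")  # image changed after acquisition
    return intact, altered, swapped
```

In practice the log would be written append-only to storage the handlers cannot silently rewrite; the hash chain only makes tampering visible, it does not prevent it.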
What is broken: glass and all that kind of stuff. Well, extract the data, that's also easy, or... yes, they are random components, only for the animation. So when we've got the data, we reverse it. What do we use? Well, [unclear] Pro, all that kind of free tools out there, maybe some own tools. Well, you know this, I guess. How many of you have done reversing of firmware from modern smartphones? A lot. You didn't know? Okay, or you won't tell me, okay. But today it's like finding the hole, jumping through it, jumping over the fence, because there are security measures all over the place.

Okay, as I said, live forensics, I meant computer forensics, today at a crime scene is balancing doing live forensics and incident response. You cannot turn off the computer, you cannot shut it down, because then the opened drives which are encrypted will... well, you'll lose the passwords, the session keys, you lose your access into the data. What we are able to do as a police: we have, by law, different police methods for evidence gathering. We can ask companies to give us the data, we can do all kinds of stuff, we can do lawful interception. What is that? Well, we can tap the phone, we can tap the internet wire, if it's very, very serious crime. Also, a few years ago the Norwegian police got the ability to do what is called some kind of surveillance at the device itself, because if you tap in the middle or outside the tunnel you won't get the raw data. So what we are able to do is, well, hack the phone, hack the computer, put some kind of software in there, then read the data. Is it easy? No, it's not. Can we do it? Yes, we can do it, but I won't tell you any more about that. My point here is that the forensic tools themselves are not enough to get the access; you need to have all kinds of police methods. And the main point here is that if the police are meant to have the ability to fight crime, you also need the tools or methods to do so. But of course you have to
guarantee privacy and all that kind of stuff, which is of course also very important. So balancing privacy and police matters is of course important.

Well, back 20 years ago it was kind of a bunch of tech people who did a lot of stuff. Windows 95, well, that's kind of easy; FAT32, kind of easy. Each investigator or tech person could handle a lot of different exhibits or devices. There was Nokia, Ericsson and stuff like that, vendors of phones. What we are experiencing now is that they are so specialized that we need a team: one person fixing the software, the firmware; maybe the only interface is JTAG, and it's so advanced it needs to be updated; one person needs to fix the device before we open it, and stuff like that; and we need a coordinator to coordinate it all. So we have changed our way of working. Well, nothing new, but still it's a challenge for an organization to adapt.

All right, a lot of fancy animations. How does it look for real? Okay, we have a laboratory on the sixth floor, as I told you. It's about 800 to 900 square meters, something like that. It's ESD all over the place. We have shielded the different functions of our workflow. In this picture we have a special room for handling dirty stuff. I mean, we get exhibits, devices, from all over, from different crime scenes. DNA, fingerprints, we should preserve them as well; that's another department, but still. In this picture we see a simple SD card that is from a bad accident, and the police believed there are some photos in there describing what happened. Well, we use some acids to remove the plastic and we are soldering thin, thin wires directly to the storage components. But it's easy; well, this is easy because it's large. I mean, what we will see further on is that things are becoming quite small, miniaturized, and we are talking about micrometers, nanometers and stuff like that.

Okay, so, kind of a laboratory put together with all kinds of equipment, not for forensics tasks:
for production, for reversing, for failure analysis and stuff like that. All right, here we've got a phone where we took everything out, I mean the PCB, the main board, and we had to remove broken components and do some hot swapping, or not hot actually, but cold swapping, resoldering, in order to make it work again so we could read out the data.

Well, as you see, sometimes modern chips today are multi-layered. What if the data is stored inside the middle layer and the wires are not exposed outside the chip? Well, we need to get inside. We can do some in-circuit data read, as I showed in the fancy animation, quite easy. Well, of course, as you understand, it's very challenging for the tech people to constantly be updated on all the standards. It's not easy to get the standards' details as well, because, well, we have good relationships and cooperation with a lot of private companies, but still they protect them, because this is company confidential stuff. So that's a challenge too.

When things are really bad it could look like this. Are we able, is it possible, to read data from heavily burned stuff? Sometimes. We have a motto that we never give up; it's possible, we cannot say up front it's impossible. All right, a broken device from another accident, a boat with a navigation problem, an interesting challenge. What happens when electronic components are exposed to salt water and air, oxygen? Well, it will start to change, so you have to be quick, you have to do it in the proper way. It's good advice to transport all the components in the same environment, stuff like the water: take a big bag, or not a bag but a box, with the same environment and bring it, and when it's exposed to air, then clean it. Well, I won't go into that further.

Okay, a bunch of devices. Well, an example: what is this? Some sport watch, you know, tracking health data, GPS. The question here, a murder case: when did the heart stop beating? Well, then
we had to reverse this one. We took the hardware apart, the firmware, the software and everything, just to reverse the data formats in order to try to find out the specific timestamp for when the heartbeats seemed to stop. Okay, why is that important in an investigation? Well, if you are not sure when the time of death occurred, it's important to narrow down the period of time for other kinds of evidence gathering. So if you are thinking, like, reducing months to days or minutes, that's important; you can focus and narrow down the investigation. Actually, this... well, it looks like everybody can do this, except that there are a lot of protection mechanisms from the vendor side, so this is actually a quite advanced glitch attack we did. Please don't tell the vendors. But of course we protect how we do it. And the question, if we find some kind of vulnerabilities, we find a way in, do we tell the vendors? No, I don't think so. But we are obliged to do it if there is severe, serious stuff, if there are systems that are critical for some reason; of course we tell, that's important. And this kind of stuff, we... we don't expose our way of doing what we actually did. That's not the point. We can tell the vendor; we can just say, well, we've got this dump, can you help us please, or we will reverse it anyway, can you please help us? Well, yes we can. So often they do; not always, they don't. Right, I won't tell you about the glitch though, but we needed a Faraday room certified for 40 to 50 gigahertz. We had an interesting setup for the side-channel attack and the glitching. Actually, the Faraday room we bought for doing live forensics on equipment that is functioning, all right, so the signals, the online communication, are not possible. But what we found out is that when we are doing some very low-level signaling, it was
cancelled, or it was polluted with signals from the railway, the subway and everything, so we are doing a lot of stuff inside the Faraday room now. So, opposite use, but okay.

What I'm actually talking about: well, today for us it's about getting access to the data from the technical point of view. So you can of course get evidence through the internet, through software, through hardware. Okay, nothing new, but forensics to us, and data acquisition, is about finding vulnerabilities. All right, then the digital forensics discipline is starting to mix a lot with other kinds of disciplines, like cyber security in general, because we need to develop new methods to defeat or bypass the security protection mechanisms in order to do the data acquisition and follow the traces online. We thought, 10 years ago, each device, hardware forensics, is it very important, because everything is in the cloud? Yes: as a stepping stone or as an entrance to online data it's still of very, very high value.

So can we do all this kind of stuff alone? Oh, I don't think we should. The public and private cooperation and collaboration is very important. I saw that many nice companies are paying for hosting and for the sponsors, and also mnemonic: I got this reflex for my kid, and thank you for that. NC3, the National Cyber Crime Center, and mnemonic, we have an agreement, we are cooperating, because we see that you cannot fight cyber crime alone, of course. And what I will go into now is not the private-public collaboration and partnership, but with more academic, non-profit organizations. How can we, where do we get the money from? Okay, except from the tax money. Well, we identified the European R&D programs for funding. Have you heard about those? Horizon Europe, 95 billion euros, that is a lot of money. We found that if we go together with our equivalents, our similar cyber crime centers throughout Europe, we could apply for or ask for money if you had a good reason
for a good challenge that we need to solve. There's also another fund we identified, which will contribute to reach a high level of security in Europe, in particular by preventing and combating terrorism, radicalization, serious and organized crime and cyber crime. All right, that's a lot of money too. So what we did: we got together a bunch, a mix of law enforcement agencies, academics and three private companies. Our aim in this project is to develop new forensic models and methods for accessing data by bypassing security features in modern mobile phones: non-invasive, semi-invasive and fully invasive. 10 to 15 years ago we wouldn't even tell anyone about this. There's something going on, a change; this is wide open. Our project is soon to be completed, this October. We have done it for three years, and all the results are downloadable. You should probably visit this website and read the papers; a lot of very good stuff, and it's probably state of the art in this field which is publicly available. So this has been an interesting trip for us. It's also interesting to see what the focus points are at the other organizations as well. X-Files: all cool projects need a very nice name, you know, so "extracts forensic information for law enforcement agencies from encrypted smartphones", X-FILES, just no Fox Mulder, that's the TV series.

All right, okay, second project, we are in the middle of it. That's not the device itself; it's to combat encrypted communication platforms used in organized crime and give police investigations access to the decrypted data. That's a simple abstract. For law enforcement agencies: non-private, non-academic. We haven't published anything so far, but that's also kind of interesting, that's more into the cloud, you know. So that's interesting. And the third, that's forensic reverse engineering of silicon chips. Norway is one of the most digitized countries in the world. We see a lot of
modern electronics as exhibits in use by the criminals. We cannot have a low ambition; our ambition is to be able to extract data from whatever comes onto our table. So the aim is: we are performing fully invasive operations on leading-edge semiconductor devices, developing the necessary tools and methods to attack the hardware chips, or chain of trust, and advancing the capability of extracting user data from highly integrated devices. Okay, and we are going to publish a lot of stuff there too, so I'm wondering how the industry will react upon this. It's kind of interesting that the EU is funding projects like ours; at the same time they are funding projects that will protect them, build better security, of course, and that's important, but it's a cat and mouse kind of game. But, well, that's interesting, and we just started this last week, so we look forward to it.

But how can we deal with it? What kind of equipment do we have to support this kind of project? Well, we established a nano lab. We bought a scanning electron microscope with a focused ion beam, lapping machines, ultra collimators. We had a lot of stuff from back in the days and now they're all coming together to work on a very small scale, the physics scale. All right, we built a room; it's anti-vibration, anti-noise, anti-everything, because we are on the sixth floor, not my idea. So, an example: well, we've got some kind of electronic device, there's a chip, we need to get inside. We use the micro mill, acids, whatever, to remove the... or get physical access. We could put it in the X-ray, the 3D scanner, and we could dive into it. So we have the equipment, but the competence: how is it possible to reverse this kind of very advanced technology? Well, we need a good plan and a framework for innovation, and then, that's what I talked about, then we found this funding and the projects. Okay, so other kinds of equipment: the Faraday room I showed you, the micro mill, CNC routers, 3D scanners and th