Mission: Cybercrime

Most people are familiar with classic forensics from TV thrillers. FAU professor Felix Freiling is an expert for IT forensics and helps stop criminals in the digital world.

Nowadays, everything we know from the analog world has its counterpart on the internet. Like crime. Illegal arms trading is found there, as is theft, espionage, blackmail or child pornography. FAU professor Felix Freiling investigates how to track down criminals in the digital world.

One of his focal areas is IT forensics. Instead of bloody knives, Felix Freiling analyzes data. Nearly all public prosecutor investigations nowadays involve data taken from hard disks, cellphones or smartwatches. “Our task is to find methods that can document potential crimes in a way that stands up to scrutiny in court,” Freiling explains.

Stands up to scrutiny in court. That is the crux of the matter – and the challenge. “As computer scientists, the first thing we have to understand is what the lawyers actually need from us.” For example, when it comes to investigating whether someone owns child pornography.

“It is relatively easy to prove the existence of files – that would constitute the physical elements of the crime. However, this in itself does not have much legal clout. It must be proven that the defendant knew that there were images on their data carrier, in other words that they acted with criminal intent. The public prosecutor then asks us: Is there any indication of how the images got on to the data carrier? Or that the images were accessed, renamed or used in any other way by the user?” Timestamps can be a good indication in this instance. At least three or four of them are attached to each file, giving information about when the files were created or processed.

Helping in genuine detective work

Sometimes the FAU IT forensics team is also called on to assist with particularly tricky cases where the experts at the authorities cannot proceed any further using their traditional methods. In one case, Freiling remembers, they found incriminating preview pictures on a computer, but not the actual image files themselves. The question was: Are these preview images only created if you open the images in the image viewer? Does this count as criminal intent? “In such cases, we reconstruct the setting as an experiment, similar to an on-site inspection in traditional police work. We set up a computer with the same parameters and try it out.”

As a rule, however, IT forensic experts such as Freiling and his colleagues focus on developing methods and tools in order to answer questions the courts may have. For example in the DFG research training group “Cyber crime and forensic computing”, headed by Professor Freiling. “In our work, we rely on our understanding of computer systems, of how hardware and software work, and the nature of the various tools available.”

“Many of our students are highly motivated and come to us because they explicitly want to pursue IT forensics – Erlangen is the only place in Germany to offer a university-level course.”

Prof. Dr. Felix Freiling

In spite of strict data protection laws and even without data preservation: The IT expert from Erlangen is convinced that criminal prosecution in Germany is, in principal, extremely effective. “The authorities have a fairly free reign. It could be made even easier for them, but the danger of abuse would be high.” In his opinion, exploiting current capacities to the full and training good staff for this purpose is more important.

That is where Freiling sees his responsibility. “Many of our students are highly motivated and come to us because they explicitly want to pursue IT forensics – Erlangen is the only place in Germany to offer a university-level course,” he explains.

Staging a criminal procedure

A trademark of education in IT forensics at FAU is the close collaboration with the School of Law. “There, my colleagues work through a whole criminal procedure with their students: from the initial suspicion, to the investigations, to the trial that is held under realistic conditions in Erlangen district court. “Our IT students accompany the process and act as expert witnesses,” reports Freiling, for example in the fictional case of a television chef accused of tax avoidance. In his opinion, this close collaboration with future legal experts creates mutual understanding and a better appreciation of what one side requires and the other side can provide.

However, a little bit of criminal energy on the part of the prospective IT experts is no bad thing. Felix Freiling is sure: “You can only defend well if you are also good at attacking.” A hacker internship is now an integral part of the degree program. “Ten years ago, this was still looked down on by the scientific community.” Nowadays, student research projects on attacking techniques are also standard. It goes without saying that these exercises are not an end in themselves, but rather serve the purpose of discussing legal and ethical frameworks. By the way, the fictional TV chef was convicted and sentenced – not least thanks to Felix Freiling’s students.

Fictional case, genuine adrenaline

A door is thrown open with a bang, someone calls “police!”. Four figures huddled over a computer look up briefly then continue typing hectically. The intruders try to pull them away from their computers. Shouts. A scuffle…

Usually, IT forensic experts like those trained by Felix Freiling work in the lab. The police confiscate suspicious devices and data carriers and bring them to the IT experts. However, “the really tough cases encrypt their data,” Freiling explains. “You cannot access them if you don’t know the password. That is why IT investigators have to take the criminals by surprise in critical situations and take over the computers while they are up and running, particularly when it comes to cybercrime.”

This is the situation students are practicing during the simulation initiated by Freiling’s former doctoral candidate Janine Schneider. Actors take on the roles of the police and the criminals. But the adrenalin is real. The question is, “what do I do first?” “One wrong press of the button, then the computer crashes and all evidence is lost.” (Bilder: FAU/Boris Mijat)

Author: Sandra Kurze

This article is part of the FAU magazine

Innovation, diversity and passion: Those are the three guiding principles of our FAU, as stated in our mission statement. At FAU, we live these guiding principles every day in all that we do – in research, in teaching and when it comes to sharing the knowledge created at our university with society.

This, the second issue of our FAU magazine, underlines all of the above: It shows researchers who tirelessly keep pushing the boundaries of what has been believed to be possible. It introduces students who work together to achieve outstanding results for their FAU, talks about teaching staff who pass on their knowledge with infectious enthusiasm and creativity. And it reports back on members of staff with foresight and a talent for getting to the crux of the matter who are dedicated to improving the (research) infrastructure at FAU as well as people in key positions who are there for their university and are committed to its research location.