How do you get started in digital forensics

IT forensics - "We are actually always looking for a needle in a haystack"

SRF: How does an investigation in digital space begin?

Hans-Rudolf Flury: One way is for the public prosecutor to order searches or coercive measures in a preliminary investigation. We secure all electronic devices, smartphones, laptops, memory sticks and so on. Then we start evaluating the data on these devices.

We can also look at certain Internet pages and find pages with criminal acts or content. Or we receive information from third parties, citizens or other police departments.


The amounts of data are huge. Where do you start when evaluating the confiscated electronic equipment?

The amount of data is a big challenge. But we carry out these coercive measures on the basis of clues. The data on the laptops, sticks, tablets and cell phones are first forensically backed up.

That means: We have to secure it in such a way that you can clearly see that it is the original data that the police have not changed. Then they are relevant in court. We can work with this data.

What can an investigator find out with it?

Very much. It is possible to follow traces on the Internet, create a personality picture or even a profile of a person that we want to take a closer look at.

The whole range is possible: We can determine the contacts, the phone calls, SMS, the content, images, documents that are saved. We're actually always looking for a needle in a haystack. But we can state a great deal.

For example, do you evaluate a person's search engine queries to find out what someone is interested in?

Exactly. You can really make breakthroughs that way.

Do the policeman and the policewoman also look through comments on social media?

It can mean that, yes. It must be so that we can get the necessary information. If pages call for violence or show violence, we also have the option of having them blocked. This is straightforward, especially in the area of terrorism.

Is there a standard procedure, certain terms and patterns that you should use for this “search for a needle in a haystack”?

Standard software yes, but not standard search terms. Each case has to be viewed differently. This requires the investigator, not only the IT investigator, but also the original, classic one who processes the facts and can determine the search terms based on his findings.


Which offenses does the Federal Criminal Police focus on?

All crime groups must be dealt with together with the cantons. Our responsibility, that is to say the federal responsibility, primarily includes terrorism, human trafficking and people smuggling, as well as serious white-collar crimes such as money laundering.

We are very active on the Internet in the area of terrorism. And also in cooperation with the cantons: We also worked on the case of the missing boy Paul in the canton of Solothurn.

There, the deleted data was of particular interest to you.

Yes. In the Paul case, that was the breakthrough in finding the kidnapped boy. At first you didn't know: was he kidnapped or did he run away?

He was playing with his PC. Our specialists and those of the canton took a close look at this PC and found clues in the digital recycle bin that were decisive in finding him.

We saw that he had contacts in Germany and that the game asked him to leave the game platform and switch to another system.

Then you found out who he was playing with under a pseudonym and which pseudonym the other side was using. Based on their IP address, we were able to determine where he was in Germany. That was the main reason why we could still find the boy.

The interview was conducted by Raphael Zehnder.

Broadcast: Radio SRF 2 Kultur, Context, September 27, 2017, 9 a.m.

About the person


Hans-Rudolf Flury is head of the Federal Criminal Police, which is based at "fedpol", the Federal Police Office, in Bern.

