Cybernetic Investigations

"The extent of police cybercrime cooperation has reached a peak in recent years. Every police cybercrime unit, anywhere in the world, understands this." A peek inside the Cybercrime Unit of the Israel Police toward CyberTech 2017

Photo: Israel Police

The Cybercrime Unit of the Israel Police has been in existence for about three years as a nationwide unit. The Cybercrime Unit is the reincarnation of the Computer Crime Section that started operating way back in the late 1990s with a personnel of five. A part of the founders' nucleus of that section now serves in senior positions within the Cyber Unit that operates under the LAHAV 433 Division and handles the entire field of cybercrime in the State of Israel.

"Israel Police decided to build their cybercrime capabilities in the shape of a pyramid. All police personnel will receive basic cybercrime training through the National Police Academy. This process will begin in 2017," said a Police source. "The objective is to reach a situation where, if an ordinary citizen approaches any police station, anywhere in Israel, and complains that his/her Facebook page had been defaced or that his/her computer had been attacked by ransomware, they will know what he/she is talking about.

"Higher up the hierarchical ladder, we provide cybercrime units at the station level. The Commissioner wants about 70 stations with cybercrime units deployed nationwide. Each such unit will have more advanced capabilities, like extracting data from cellular phones, which would enable it to initiate a basic investigation when a complaint is filed. The unit will not be able to unlock locked phones, but will have the option of receiving data from the party filing the complaint. This will improve the service standard the stations provide to the ordinary citizens with regard to complaints associated with the world of cybercrime.

"One level up from the station is the district. Each district will have a unit with more experience and more sophisticated equipment. If someone walks into the station and complains about a Trojan horse in his/her cellular phone, they will take his/her telephone and submit it to the district unit. If the district unit is unable to conduct the investigation, it will go to the cybercrime unit at the national level."

The Police Cybercrime Unit is built around three major pillars: intelligence gathering, a technology team and a state-of-the-art forensics laboratory. "The trick is knowing how to assemble the search profile for each investigation and reach an amount of details with which you will be able to cope in the context of an investigation," the police source explained.

The police intelligence gathering activity revolves around cybercrime. Whereas the definition of cybercrime is very broad and there is no worldwide consensus about it, the police is involved with an extensive range of activities in this context. Israel Police defines cybercrime as a crime involving a technological element where knowledge of the cyber technology world is required in order to successfully conduct the investigation.

"Take, for example, the Bank Leumi extortion affair," our police source says. "Apparently, it did not involve a lot of activity that can be branded as cybercrime. However, as high-grade technical capabilities were required in order to extract the evidence, it was handled by the Cybercrime Unit. Ransomware and sextortion (cybernetic sex extortion) cases are also crimes that fall within the category of cybercrime.

"They built the Cybercrime Unit with independent capabilities of closing the cyber evidence cycle. In special situations, if necessary, other units may be approached, like the Police SigInt Unit. If you want to tap a specific telephone conversation, there is no need to duplicate your capabilities."

Along with the intelligence gathering activity, the Cybercrime Unit has an advanced technology branch staffed with specialists from the cyber technology and IT worlds. "This branch provides technological support to each cyber unit and to the investigators at the various districts," our source explains. "Cybercrime investigations require specialized skills in numerous technological fields. You cannot expect every police investigator to command knowledge about dozens or hundreds of different computer systems.

"If, say, you have an investigation and you call at the offices of a major company, they will have dozens of different systems there. SOC, monitoring, IT and many others. In this case, specialists from the Technology Branch will call at the offices of that company and provide support to the investigators on the scene vis-à-vis the company's IT and information security departments. Which systems to interrogate, what cross references are required – anything required in order to provide the investigator with all of the evidence that may be extracted from the scene with regard to the technological aspect.

"The people of the Technology Branch are policemen to all intents and purposes. Some of them are employed through special personal contract (civilian in police service) and there is also a new program to be authorized soon, known as 'temporarily assigned to policeman's status'. This program will make it possible to have specialists employed by the police for a predetermined period of two to four years, for a higher pay."

The third pillar of the Cybercrime Unit is the forensics laboratory. These people can take almost any hardware product and extract information from it. Even if it had been dropped into water, burnt, probed or smashed. If there is a physical way to extract information from it, the Cybercrime Unit Laboratory will be able to do it. Hard disk drives, cellular phones, portable storage devices and many other types of media.

The laboratory specialists are also involved in data fusion. This activity involves the ability to analyze massive amounts of data that help the police investigators extract the evidence from the crime scene.

"The Cybercrime Unit Laboratory provides services to the police investigators who need support for extracting evidence from computer systems," our police source explains. "Phones, hard disk drives and other hardware. This is a highly dynamic activity that compels you to remain up-to-date. A capability you acquired today may prove to be irrelevant in a few months. Any revision of an operating system, the hardware of a phone or computer, can render your capabilities irrelevant. With regard to the data fusion aspect, the laboratory works with cutting-edge tools that help extract the wheat from the chaff in investigations involving massive amounts of computer data."

The Chain of Evidence Challenge

Unlike the operating methods of intelligence agencies that also employ cyber technology units, with the police, every criminal process ends up in court and is subject to the trial of a defense counsel and a judge. While for intelligence agencies the objective is to find a context that would lead to operational activity, police activity is about incrimination. "In some cases the difference between police work and the work of an intelligence agency in the context of collecting evidence is unclear," says our police source.

"In the process of a cybercrime investigation, the entire chain of evidence is on trial by lawyers and judges. Consequently, the evidence collection process must be free of any suspicion of manipulation and the entire path of each piece of evidence, all the way to the physical source, must be demonstrated and proven. This necessitates a special work process. In order to cope with the chain of evidence challenge in the context of an investigation, we took police investigators who grew up in that world and trained them around technology.

"Collecting evidence from technological devices necessitates a signature for each data storage source, methodical registration and chain-of-exhibit records, including full documentation for each and every exhibit. In court, each piece of evidence must have a viable, digitally-signed source with writing protection. You cannot change an evidence once you have signed it. Law enforcement agencies worldwide work with these systems. In the case of a hard disk drive, there is a digital signature for the source disk drive. It cannot be changed. If you produce mirror images, you will change the signature. If you failed to keep the source, you will see it in the system log files. You will see the change of signatures – there is no way to hide it.

"Additionally, the laboratory has structured, systematic work procedures, including careful registration of who comes in and who goes out and who touches the evidence. Working according to clearly-defined procedures is a part of the effort of extracting evidence from physical exhibits. The systems used by the Police were specifically designed for the forensics of a criminal investigation process."

Maintaining Ambiguity

In police work, there is a difference between a computerized evidence seized on a physical exhibit and evidence not obtained through physical devices. As real-life data collection and investigation methods are involved, our police sources will not elaborate about the measures used. They will not comment on the issue of encryption either, beyond stating that it is a professional challenge. "Maintaining a policy of ambiguity regarding our cybercrime operating methods is a must," our police source says. "In cyberspace, we are dealing with organized crime in Israel and worldwide. These organizations have massive resources that enable them to acquire the best tools and specialists. We have no intention of revealing our capabilities to them.

"An investigation portfolio can include such evidence as a PDF file from the hard disk drive of one computer, an image of the defendant shaking hands with someone on the same day from another computer and a document of the same date that constitutes a secret agreement between them – retrieved from the deleted files in the secretary's computer. These pieces of evidence are delivered to the investigator as they are. In court, the investigator is required to prove that all of the evidence had come from viable sources. The court does not ask you how you came by the evidence – but where you obtained it.

"It's the same as in physical crime. Let's say we have a rape scene. A forensic investigator comes in and uses a special light that identifies semen stains. The discussion will not revolve around the technology that enabled the investigator to find semen stains, but whether they are the defendant's. The forensics specialists do not reveal in court which technologies they use in order to find evidence. In cybercrime it is not much different. The question is whether the evidence is truthful and whether it had been tampered with.

"Criminal organizations can acquire analytical tools and learn how to evade such tools. In this way, they can evade police investigation. That is the reason why on the one hand, we work with several different tools, and on the other hand we never publicize the tools we work with and our collection methods."

There are no physical boundaries in cyberspace. A hacker does not have to land at Ben-Gurion Airport in order to steal money from a bank in Israel. Consequently, cyberspace law enforcement is similar to tackling international crime organizations, and is largely based on international cooperative alliances with other police forces.

"Take ransomware, for example. It is a market with a turnover of millions per year. Anyone, anywhere in the world, can purchase a tool that disseminates such software elements, and from that moment on he will be infecting the computers of ordinary citizens and collecting the ransom. Why bother with physical control domains and protection money?

"In coping with such criminal activities, analytics and international cooperation are the keys. Israel Police has a representative at IGCI (Interpol Global Complex for Innovation). As far as analytics are concerned, we have a nationwide center for monitor complaints on cybercrime. The center receives all of the complaints regarding ransomware from the various districts and assembles a status picture. In this manner, we attempt to identify patterns in Israel, which we then compare to patterns in other countries so as to understand whether there are specific global trends. The same also applies to sextortion.

"Today it is irrelevant where the perpetrator is located. If we investigated only cases concluded in Israel, we will not be effective at all. The extent of police cybercrime cooperation has reached a peak in recent years. Every police cybercrime unit, anywhere in the world, understands this.

"Some degree of cooperation also exists with civilian companies in the context of investigations. In the USA, the FBI cooperates extensively with civilian companies. Over here this activity is still in its infancy. The advantage is in the fact that those companies maintain a network of connections that helps cybercrime investigations. They also employ capabilities (personnel/tools) that in some cases the police does not have. Our vision is to maintain a higher degree of transparency vis-à-vis business companies and police agencies overseas and succeed in recruiting the very best specialists to the Police Cybercrime Unit in order to promote the ability to solve cybercrimes."