Saturday, July 01, 2006

July 2006

This month gets somewhat more quiet, in order to think issues over. Forensic science keeps attracting more media attention, and I have to cope with it. Last month I had four workshops at the EAFS-meeting in Helsinki with talks of 45 minutes, on biometrics, face comparison, how to set up or maintain a digital evidence section and integrity of images. As a chair of the union I also had a busy time with restructuring of the organization, and changes towards a more competitive system.

At FIDIS also the review meeting worked out well. I did not have enough time to spend, and this also appeared to be true in the forensic profiling part. The reviewers were not giving a fine review on my publication on this part, and I can imagine that they did since I did not have enough time for it, to make it proper. However, since I have written this paper, it might be useful for other use, and I just enclose it in the weblog for anyone who would like to continue to work on it. So, at this moment, I decided not to continue this research, since it is a dead horse to me.

Forensic Profiling
Author Zeno Geradts
In forensic science, old-fashioned traces such as fingerprint evidence, cartridge cases of firearms, tool marks and shoeprints have been used for over a century, either in manual form or in database form. These databases are used for finding links between crimes which were not previously known. Newer, powerful databases are those of DNA.
Since more information is available in digital form, from customer databases to biometric databases of faces and fingerprints combined with chip cards and other information, methods exist in theory to do profiling in databases and to combine the databases from government and police. Privacy laws have to be taken into account when combining databases.
If allowed for serious crimes, the information can be combined, and will provide more useful information on whether a certain person was at the scene of a certain crime. For less major crimes (for instance burglaries) it is possible to use information from the police databases and combine these to find a profile of a certain perpetrator. An overview of current databases that are used in extracting forensic evidence is given in this chapter, together with other possible databases that could be used in theory.
An important issue that should be taken into account is that some information from databases may be unstructured, and that structuring information is an important task before analyzing the data. It is also important to consider alternative scenarios and hypotheses when using profiling.

Forensic science is a multidisciplinary field in which many different fields of expertise can form evidence in court. In this chapter we do not limit ourselves to DNA profiling¹; we also look at profiles that can be extracted by combining any form of information that is available, such as digital evidence.
Current situation
In a forensic laboratory, there currently exist many different databases that in principle can be used to link cases and suspects:

  • Firearms: cartridge cases, bullets
  • Fingerprints
  • DNA
  • Faces
  • Tool marks (e.g. screwdrivers)
  • Shoe prints
  • Handwriting
  • Paint and glass
  • Speaker

Unstructured data also exists from e.g. hard drives and cellular phones that have been seized during an investigation.

Many fields in forensic science have been experience-based, and came from practitioners at the police. For example, fingerprint examination has existed for over a century and until recently not many questions² were asked concerning the statistics and the scientific research. DNA arrived in forensic labs in the beginning of the nineties, and this was from a scientific background with more statistical data available. However, as is mentioned by Stanley Cohen³, one has to consider why the DNA has been retrieved at a certain place. To avoid wrongful convictions, other evidence also has to be taken into account, and forensic profiling can help in combining the information. However, it can still also lead to wrong convictions if it is not used in a proper way⁴.

Based on earlier research in Workpackage 6, the taxonomy is used in this paper concerning a certain artefact with the implications for a single item, and for the items in the database for forensic science, to use as evidence.

Current Possibilities
We expect that in current and future databases, the data models will become more standardized, in such a way that they can be combined with other databases such as:

Biometrics (fingerprints, DNA, face, iris etc.)
Currently many countries have a DNA database for suspects or convicted persons. One of the largest is the database at the Forensic Science Service. The United Kingdom National DNA Database was set up in 1995. As of the end of 2005 it carries the profiles of around 3.4 million people, over 585,000 of them taken from children aged under 16⁵.
Most countries have such a database for criminal records. The largest known database in the world is IAFIS at the FBI⁶. The IAFIS contains the fingerprints and corresponding criminal history information for more than 47 million subjects in the Criminal Master File in 2005.
There are databases of faces. However, the problem is that the algorithms for searching in facial databases perform poorly. Also aging and the way a face is entered in the database will give poor results⁷. At our laboratory we also examined several state-of-the-art systems and had the same results.
In the United Arab Emirates an iris database is used with more than 600,000 iris images. It is claimed⁸ that the results with this database are extremely good compared to other biometrics. The evaluation is conducted by the patent owner Daugman.
Banking and insurance transactions
In 2007 banking transactions of more than 15,000 euro are monitored in the EU⁹ for prevention of money laundering and terrorist financing. The US Patriot Act and the Bank Secrecy Act¹⁰ go further, and also use financial transactions to identify a certain person. It is known that with banking transactions it is possible to track and trace persons¹¹. If a person uses his bank card to buy a train ticket, and later on to buy other goods, the location and time where the person is can be followed.
Telecommunication traffic (location GSM and Internet)
Location GSM
With GSM, information can be extracted from the phone or from the network. The call detail records at the provider give more information on the base station where a call or an SMS has started. This gives a possibility to track a person¹². In the Netherlands, in the case of the “Deventer moordzaak”, many experts examined the possibility that the suspect was more than 10 kilometers away from the base station to which the suspect was connected. Due to atmospheric conditions this is possible; however, it is not very likely, as is stated by Prof. Jondral of the University of Karlsruhe¹³.
Call detail records and data retention
Data retention¹⁴ generally refers to the storage of telephony and internet traffic and transaction data by governments and commercial organisations. In the case of government data retention, the data that is stored is usually of telephone calls made and received, emails sent and received and web sites visited. Location data is also collected. The primary objective in government data retention is traffic analysis. By analysing the retained data governments can identify the locations of individuals, an individual's associates and the members of a group.
In Europe the data retention directive is accepted to fight terrorism. Data can be stored for up to two years. The content of communication is not stored. An exception is (internet) interception in countries where it is legal with a court order. For instance, a survey by the Dutch Ministry¹⁵ of Justice in 1996 found that law enforcement in the Netherlands intercepts more telephone calls than its counterparts in the United States, Germany or Britain.
All computer actions and storage
This is data that is stored on the hard disk of a computer. When the hard disk is forensically examined, information can be extracted, for instance emails, passwords and other files. The data of the hard disk has to be seized¹⁶.
Records of toll ports / public transportation
Automatic number plate recognition
For tracking cars on the street, automatic number plate recognition is used¹⁷, which is also good for crime prevention regarding uninsured cars or cars for which the tax has not been paid. It can also be used for collecting toll; in the city of London, for instance, this is operational. Automatic number plate recognition (ANPR) is a mass surveillance method that uses optical character recognition on images to read the license plates on vehicles. As of 2006 systems can scan number plates at around one per second on cars traveling up to 100 mph (160 km/h). They can use existing closed-circuit television or road-rule enforcement cameras, or ones specifically designed for the task. They are used by various police forces and as a method of electronic toll collection on pay-per-use roads, and for monitoring traffic activity such as red light adherence at an intersection. Britain will also be the first country where every car journey will be recorded and stored for two years. In 2005 they had 2000 cameras ready¹⁸.
Public transportation
Persons can also be tracked on other forms of transportation. This is even more so if RFIDs that carry an identity are used in the transportation. In London the Oyster RFID card is a tool that is used by the police to track persons. The smartcards, used by five million Londoners, record details of each bus, Tube or train journey made by the holder over the previous eight weeks. In January 2006, police requested journey information 61 times, compared with just seven times in the whole of 2004¹⁹.
Board computer in private transportation (cars etc)
Airbag systems
Nowadays board computers are integrated in cars. Airbag systems and other systems in cars can leave traces that are of importance to forensic scientists. An example²⁰ is a forensic company that advertises: “We use the Vetronix Crash Data Retrieval System to download the Airbag System Sensing and Diagnostic Module in most General Motors cars, light trucks, vans, and SUVs. A select portion of the Ford automobile line can be accessed as well. Additional Ford models and other manufacturers will come on line in the near future. This technology provides information used by the airbag control module in making deployment decisions. In many GM vehicles, it also can provide 5 seconds of data before a crash, including speed and seatbelt status”
GPS also contains information on routes driven and stored which might be of interest as evidence. Also GPS units with a communication device (for example which is a remote control system for your vehicle that allows you to monitor, track and control your vehicle over the internet. Also GPS bugs are commercially available, which store 1 month of location on a USB stick . Depending on the legislation these can also be used by police by court order.
Customer loyalty programs (air miles etc.)
An interesting example of how data gained through the use of a customer loyalty card can be quite problematic for the individual customer can be found at Slashdot²¹:
“Tukwila, Washington firefighter, Philip Scott Lyons found out the hard way that supermarket loyalty cards come with a huge price. Lyons was arrested last August and charged with attempted arson. Police alleged at the time that Lyons tried to set fire to his own house while his wife and children were inside. According to KOMO-TV and the Seattle Times, a major piece of evidence used against Lyons in his arrest was the record of his supermarket purchases that he made with his Safeway Club Card. Police investigators had discovered that his Club Card was used to buy fire starters of the same type used in the arson attempt. For Lyons, the story did have a happy ending. All charges were dropped against him in January 2005 because another person stepped forward saying he or she set the fire and not Lyons.”
The location where a person has been and what amount the person has bought is stored in databases, which might be accessible later for forensic evidence.
Surveillance cameras
Many surveillance systems are becoming digital, and it is possible to put all information in a huge database. As mentioned, tracking cars based on their license plate is possible (if the license plate is readable and not stolen or copied). Tracking persons automatically is not feasible in on-the-street systems. Face recognition methods do not work properly. Even with the London attacks all video information from thousands of cameras had to be examined manually²². The alternative is tracking with license plates for cars as mentioned before.
The use of surveillance cameras and of cameras in mobile phones is becoming more important as evidence in court. The approval for use as evidence in court is restricted in Germany (in several states) compared to the United Kingdom²³.
A consumer goods tracking system called Radio Frequency Identification (RFID) is entering all of our lives. RFID couples radio frequency (RF) identification technology with highly miniaturized computers that enable products to be identified and tracked at any point along the supply chain.
The system could be applied to almost any physical item, from ballpoint pens to toothpaste, which would carry their own unique information in the form of an embedded chip. [3] The chip sends out an identification signal allowing it to communicate with reader devices and other products embedded with similar chips.
Analysts envision a time²⁴ when the system will be used to identify and track every item produced on the planet if it is not stopped (and with the implementation of IPv6, the evolving standard for IP addresses, each item can have its own IP address).
RFID employs a numbering scheme called EPC (for "electronic product code") which can provide a unique ID for any physical object in the world. The EPC is intended to replace the UPC bar code used on products today.
Compared to the bar code, however, the EPC goes beyond identifying product categories--it actually assigns a unique number to every single item that rolls off a manufacturing line. [8] For example, each pack of cigarettes, individual can of soda, light bulb or package of razor blades produced would be uniquely identifiable through its own EPC number. It depends however very much on the implementation. Customers can destroy the RFID, or replace them on items, to protect themselves.
Digital traces in domestic applications (e.g. coffee maker, microwave, heater)
If all equipment is connected to the Internet, the possibility also exists that information concerning its use leaks to the outside world. Even if only memory chips are available in our domestic equipment, time and date information can be extracted, and information from witnesses and suspects can be verified.

For the passport for example it will be possible to track someone if the ICAO-standard is implemented without any protection. The passport will have a wireless chip in it, and information concerning face and fingerprint can be extracted from a distance. Currently in trials in the Netherlands more protection is used in such a way that one needs more information concerning the machine readable zone of the passport. However if countries do implement it without any protection, then possibilities exist that information concerning the passport they carry can be extracted from a distance.
If a severe crime happens, all CCTV-images in the neighborhood, computers of suspects and witnesses, location information of the GSM network, data that is available from communication providers can be collected. Together with the traces someone can be followed and the identities of the person can be checked with this data.
A simple illustration of this is an example from the real world. Person A says he does not know person B. The bank records show that they both bought a ticket at the railway system with their banking cards, in The Hague at the same machine and in Amsterdam at the same machine, next to each other. This data is confirmed by CCTV recordings on these dates, in which both persons A and B were recognized talking to each other.
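The cross-database link in this example can be reproduced on a small scale. The following sketch is an added illustration, not part of the original paper; the card holders, ticket machine identifiers, timestamps and the 120-second window are constructed assumptions. It also shows why a single co-occurrence (two strangers queuing at the same machine) should not count as a link.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample: (card holder, ticket machine, city, time of purchase).
# Machine identifiers are hypothetical.
TRANSACTIONS = [
    ("A", "TM-17", "The Hague", "2006-05-02T08:14:10"),
    ("B", "TM-17", "The Hague", "2006-05-02T08:15:02"),
    ("C", "TM-17", "The Hague", "2006-05-02T08:16:30"),
    ("D", "TM-17", "The Hague", "2006-05-02T17:40:00"),
    ("B", "TM-04", "Amsterdam", "2006-05-09T18:30:45"),
    ("A", "TM-04", "Amsterdam", "2006-05-09T18:31:20"),
    ("C", "TM-09", "Amsterdam", "2006-05-09T18:31:00"),
]


def co_occurrences(transactions, window_s=120):
    """Map each pair of card holders to the cities where both used the
    same machine within window_s seconds of each other."""
    by_machine = defaultdict(list)
    for person, machine, city, ts in transactions:
        by_machine[(machine, city)].append((datetime.fromisoformat(ts), person))

    hits = defaultdict(set)
    for (_machine, city), events in by_machine.items():
        for (t1, p1), (t2, p2) in combinations(sorted(events), 2):
            if p1 != p2 and (t2 - t1).total_seconds() <= window_s:
                hits[frozenset((p1, p2))].add(city)
    return dict(hits)


def linked_pairs(transactions, window_s=120, min_cities=2):
    """Keep only pairs seen together in at least min_cities different
    cities; one shared queue is treated as coincidence, not as a link."""
    return {
        tuple(sorted(pair)): sorted(cities)
        for pair, cities in co_occurrences(transactions, window_s).items()
        if len(cities) >= min_cities
    }


if __name__ == "__main__":
    for pair, cities in co_occurrences(TRANSACTIONS).items():
        print(sorted(pair), "seen together in", sorted(cities))
    print("repeated links:", linked_pairs(TRANSACTIONS))
```

Even a repeated link only shows that two bank cards were used close together; as in the example above, independent confirmation such as the CCTV recordings is still needed to tie the cards to the persons.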
The same is also true if RFIDs with a unique code are widely used. An example from the real world: suitcases at the Hong Kong airport are labeled with an RFID label. It is practically possible to follow the suitcase when the person arrives in Amsterdam if an RFID reader is available at several positions in Europe.
It is also possible to do profiling with several tags. One person may have bought several clothes and items from different manufacturers and carry them with him. When this person enters the shops all tags are read. The combination of tags is a profile for this person. Together with DNA data and fingerprints, the person might be identified for a crime case.
Another problem arises if a person accidentally or intentionally fills out the wrong data. By using a voice-over-IP service such as Skype one can request a phone number in another country. The mistake of filling out Namibia instead of the Netherlands is easily made. With some credit cards the country name is not checked. Since the jurisdiction in the Netherlands is different from that in Namibia, important data concerning phone calls or call records might not be retrieved with a court order to Skype. Someone can also intentionally pretend to be a citizen of a different country, by using pre-paid credit cards and addresses of hotels.

The question arises whether this kind of evidence, based on the combination of many different databases, such as surveillance systems with non-structured data, is feasible. Also the amount of data that is collected grows very rapidly, and the question is whether it is feasible to store this data in a proper way.
Furthermore, it is expected that there are more false positives when combining different databases. If a ‘cold’ hit is found in the database, which means that there was no prior information that a certain suspect would be involved in the case, false positives are possible. For example, if DNA would be collected of all citizens of the world, and the search would be against this database, then roughly at least 6 suspects would be found with current methods, and probably more since family relations are not accounted for.
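The arithmetic behind such a cold-hit estimate can be made explicit. The following is an added example, not part of the original paper; it assumes a random match probability of 1 in a billion and a world population of 6.5 billion (neither figure is given in the text), and it ignores relatives and laboratory error, as the paragraph notes.

```python
import math

ASSUMED_RMP = 1e-9               # assumption: chance that an unrelated person matches
ASSUMED_WORLD = 6_500_000_000    # assumption: world population around 2006
UK_NDNAD_2005 = 3_400_000        # database size quoted earlier in this chapter


def expected_coincidental_matches(db_size, rmp):
    """Expected number of people in the database who match by chance."""
    return db_size * rmp


def prob_any_coincidental_match(db_size, rmp):
    """P(at least one chance match) = 1 - (1 - rmp)^db_size.
    log1p/expm1 keep the result accurate for very small rmp."""
    return -math.expm1(db_size * math.log1p(-rmp))


def posterior_hit_is_source(db_size, rmp):
    """P(a person found by a cold hit is the true source), assuming the
    source is somewhere in the database, every entry is equally likely
    beforehand, and there is no other evidence (Bayes' rule):
        (1/N) / (1/N + ((N-1)/N) * rmp) = 1 / (1 + (N-1) * rmp)
    """
    return 1.0 / (1.0 + (db_size - 1) * rmp)


def cold_hit_summary(db_size, rmp=ASSUMED_RMP):
    return {
        "expected_chance_matches": expected_coincidental_matches(db_size, rmp),
        "p_any_chance_match": prob_any_coincidental_match(db_size, rmp),
        "p_hit_is_source": posterior_hit_is_source(db_size, rmp),
    }


if __name__ == "__main__":
    for label, size in [("UK database, 2005", UK_NDNAD_2005),
                        ("everyone in the world", ASSUMED_WORLD)]:
        s = cold_hit_summary(size)
        print(f"{label}: about {s['expected_chance_matches']:.4f} chance matches, "
              f"P(any) = {s['p_any_chance_match']:.4f}, "
              f"P(hit is source) = {s['p_hit_is_source']:.3f}")
```

Under these assumptions the same profile that is nearly conclusive in a database of a few million entries leaves the matching person with only about a 13% probability of being the source when the whole world is searched, which is why a cold hit needs supporting evidence.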
Another issue is that in databases there are many writing and spelling errors²⁵, or even persons who use another identity to protect their privacy. Data in itself is often “dirty”²⁶, which means that many other errors are possible, and these should be taken into account.
The final issue is the profile itself that is used to track a certain behavior for law enforcement. An example is a booklet that is given to the citizens of Korea in which the profile of a terrorist is described²⁷:
“For example, terrorist suspects often leave a restroom hurriedly after leaving a backpack or a plastic bag behind, and a person paying with cash is more likely to be a terrorist suspect than a credit card user since terrorists try not to leave any traceable evidence, the pamphlet says.
Terrorist suspects often do not order alcoholic beverages at bars or other similar entertainment spots or order a drink but do not drink it. They also have a tendency to sit in the corner, carefully watching others.
Regarding the appearance of terrorists, the booklet highlights those who have a pot belly or who wear thick clothing despite warm weather and sweat a lot as targets who should be carefully monitored because suicide bombers often wear explosives around their bellies hidden under thick clothes.
The booklet also requests immigration officers or travelers at airports or ports to carefully watch tourists who hold new, temporary or reissued passports. Those who pass bags or documents to strangers should be closely monitored as well.
At railway or subway stations, passengers who randomly change their destination also may be engaged in terrorist activities.”
A profile like this matches many tourists, and real terrorists know what is being looked for to find them. It is also possible to give other people a certain profile, without them knowing it. Copying information and using someone else's identity is easy, since look-alikes with a lent or stolen ID card are not easy to distinguish²⁸.
This kind of profiling can lead to confirmation bias with the examiner and the judge, which might lead to wrong convictions if the other hypothesis (the suspect is not guilty versus the suspect is guilty) is not tested thoroughly. In forensic science this is not the question; it is limited to the material that is received and to answering the question concerning the material and a comparison.

1. Inferences Using DNA Profiling in Forensic Identification and Paternity Cases, Donald A. Berry, Statistical Science, Vol. 6, No. 2 (May 1991), pp. 175-189
2. Moenssens, Andre, Fingerprint Identification: A Valid, Reliable "Forensic Science", 18 Criminal Justice, No. 2, 30 (2003). -Mears, Michael, et al
3. The Wrong Men: America's Epidemic of Wrongful Death-Row Convictions, Stanley Cohen, Carroll & Graf Publishers, 1 Oct 2003
5. status of 12.05.06
7. at 12/05/06
8. at 12/05/06
9. Directive on money laundering and terrorist financing, 3631/05 + COR1, 11443/05 ADD1
11. “Person location and person tracking - Technologies, risks and policy implications”, Roger Clarke, Information Technology & People, Jun 2001, Volume 14, Issue 2, pages 206-231
12. Forensics and the GSM Mobile Phone System, S. Willassen, International Journal of Digital Investigation, Spring 2003, Vol. 2, Issue 1
13. Conclusion drawn by the court of appeal in 's-Hertogenbosch on 9 November 2004, case 01568/04
16. Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers, Brian Carrier, Winter 2003, Vol. 1, Issue 4
25. Investigative Data Mining for Security and Criminal Detection, Jesus Mena, Elsevier, 2003
26. A Taxonomy of Dirty Data, Won Kim, Byoung-Ju Choi, Eui-Kyeong Hong, Soo-Kyung Kim and Doheon Lee, Data Mining and Knowledge Discovery, January 2003, pages 81-99
28. Identity fraud as a challenge to the constitutional state, Dr mr J.H.A.M. Grijpink