4NSEEK Tool

IMPORTANT
The 4NSEEK forensic analysis tool is no longer supported.

The 4NSEEK tool is a forensic analysis tool that searches for child abuse material on storage devices. You can download the product sheet

The objective of the work of INCIBE's Technology team in this project has been to provide greater value to the tool by:

  • the inclusion of new functionalities that facilitate the work of detecting child abuse material (hereinafter CSAM).
  • the evolution of existing functionalities with the aim of adapting them to the state of the art and the changing environment.

All this in continuous collaboration with the agents involved in this branch of the project: Law Enfocement Agencies (hereinafter LEAs) and the universities of the consortium (Universidad de Malta, Universidad de Groningen and Universidad de León, as coordinator of the research work).

The results of the tool in project are presented below: description of the main improvements of the tool, the development of the Artificial Intelligence modules by the research teams of the universities and, finally, the indicators of access to the tool by the LEAs:

Tool improvements Development of IA modules Indicators of access 

Tool improvements

Installation/update platform

Installation/update platform

At the beginning of the project, INCIBE deployed in its infrastructure a specific system to facilitate users the installation and update of the tool. Since Release 1 and until today, this has been the platform used by the users of the tool.

Improved results

Improved results

The results produced by the 4NSEEK tool have been improved to further facilitate the work of LEAs agents. In this sense, in addition to incorporating new analysis modules based on specialized tools and artificial intelligence, the way in which the results of these modules are evaluated has been adapted in order to provide a simpler and more accurate final evaluation.

Efficiency and scalability

Efficiency and scalability

The structure and the internal flow of action of the tool have been completely revised, in order to achieve a better performance.

As a result, the latest versions of the tool make better use of the analysis time, prioritizing those files that, a priori, have a higher probability of being CSAM.

In addition, the change of structure allows greater flexibility to adapt to the needs of the agent or the technical requirements of the machine on which 4NSEEK is running.

Pre-diagnosis

Pre-diagnosis

A diagnostic functionality has been included to make it easier for agents to prioritize devices to be analyzed or to partially analyze them.

This diagnosis provides a preview of the content of each partition, so that the agent can decide based on this diagnosis if it is interesting or not.

Carving analysis

Carving analysis

INCIBE has added a carving module to 4NSEEK tool. This forensic technique allows the recovery of previously deleted files from a storage device.

Despite being a computationally expensive technique, the user can select it to perform this in-depth analysis as an additional functionality of the 4NSEEK tool, whose main mission is to perform agile triages of storage devices.

Usability improvements

Usability improvements

The user interface has been completely renewed taking into account good usability practices, improvements in navigation and new functionalities that increase the user's possibilities in processing analysis information and accessing results.

The support of multiple languages has also been incorporated, which is very necessary in view of the many countries that have requested access to the tool.

Configuration facilities

Configuration facilities

The functionalities of the tool have been developed to be highly configurable:

  • The execution of the forensic analysis is configurable in multiple aspects through the application interface in a simple and understable way.
  • The tool itself and each of its modules are highly configurable through internal options that allow it to be adapted to the needs of the end user.
MacOS Operating System Support

MacOS Operating System Support

The existing analysis in the tool have been adapted to the operation of the MacOS operating system. This way the agent will be able to extract valuable information also from partitions where the Apple operating system is installed.

Analysis of new tools

Analysis of new tools

Interesting new tools have been included in the forensic analysis. The new tools analysed have been selected as a result of an analysis of the state of the art together with LEAs.

Now, the information extracted from the new social network tools (Twitter and Facebook) and cloud platforms (DropBox and Google Drive), provide additional information on the investigated user's behavior, providing new indications of criminal activity and even giving access to evidence of crime.

Hot analysis

Hot analysis In progress

Hot analysis refers to the ability to perform forensic analysis of volatile information from computer equipment, i.e. information that can only be recovered while the computer is still on.

In this area, INCIBE's work has focused on the two necessary activities:

  • Memory acquisition. A very simple and inexpensive device has been designed and developed based on easily accessible technology so that any user, without the need for advanced technical knowledge, can have it. Once this device is connected to a computer with a running Windows system, the device will automatically extract a copy of the information contained in its RAM memory for subsequent analysis.
  • Forensic analysis. The functionalities of 4NSEEK have been adapted for the automatic detection of the memory extracted in the previous step and its subsequent analysis, aimed at detecting evidence or signs of criminal activity.

Development of IA modules

The objective of the modules developed by the consortium of universities, within the 4NSEEK project, is to provide the tool with a differential value through the use of Artificial Intelligence (AI).More specifically, the Universidad de León (ULE), Universidad de Malta (UoM) and Universidad de Groningen (RUG) are developing modules based on Artificial Vision and Automatic Learning, whose combination facilitates the automation of the detection of Child Sexual Abuse Material (CSAM).

The following is a list of modules, together with the responsible University.

Face detection, gender and age estimation (ULE)

  • Introduction: the display and/or possession of CSAM is not allowed, which is a challenge when working on the problem of CSAM detection. For this reason, 4NSEEK has addressed the problem of CSAM detection through the combination of two lines of research working with legitimate data: (i) the detection of faces, gender and age estimation and (ii) the detection of adult pornography.
  • Objetive: detect the faces in an image, and make an estimate of the gender and age of the person whose face has been detected.
  • Results:

Adult pornography detection (ULE)

  • Introduction: the display and/or possession of CSAM is not allowed, which is a challenge when working on the problem of CSAM detection. For this reason, 4NSEEK has addressed the problem of CSAM detection through the combination of two lines of research working with legitimate data: (i) the detection of faces, gender and age estimation and (ii) the detection of adult pornography.
  • Objetive: detecting adult pornography content in images.
  • Results:
    • Delivery of SW library to the 4NSEEK project to achieve the above objective.
    • Publications:

CSAM detection (ULE)

  • Introduction: the display and/or possession of CSAM is not allowed, which is a challenge when working on the problem of CSAM detection. For this reason, 4NSEEK has addressed the problem of CSAM detection through the combination of two lines of research working with legitimate data: (i) the detection of faces, gender and age estimation and (ii) the detection of adult pornography.
  • Objetive: detect CSAM through the combination of the outputs of a face detector, age estimator and adult pornography detector. So, if a face is detected, with an age lower than 18 years old and pornographic content is detected, the image is estimated to contain CSAM.

Detection of CSAM through file name and path (ULE)

  • Introduction: CSAM usually contains descriptive names, symbols or codes that help pedophiles quickly identify the type of content that might be contained in the file in question.
  • Objetive: detect CSAM using only the path where a file is stored, as well as the name of that file.
  • Results:
    • Delivery of SW library to the 4NSEEK project to achieve the above objective.
    • Publications:
      • Al Nabki, WFidalgo Fernández, EAlegre, EnriqueAlaiz Rodríguez, R. "File Name Classification Approach to Identify Child Sexual Abuse". In: Proceedings of the 9th International Conference on Pattern Recognition Applications and Methods - Volume 1: ICPRAM. Valletta, Malta. 2020. pp. 228-234. DOI: 10.5220/0009154802280234.

Detection of sexual organs (UoM)

  • Introduction: CSAM usually contains the presence of sexual organs, both adult and child, which would be another indication of a higher probability of being CSAM.
  • Objetive: detect whether or not an image contains sexual organs, and what type of organ.
  • Results:
    • Delivery of SW library to the 4NSEEK project to achieve the above objective.
    • Publications:

Video summary based on presence of people (ULE)

  • Introduction: When analysing CSAM, it is common to find not only photographic material, but also multimedia files in video format. Its analysis requires an alternative approach to that used in the images, since it would be convenient to first identify those parts of the video where there might be presence of people, and then analyze only those parts of the video.
  • Objetive: provide a summary of the video, in the form of multiple frames, where only people appear.
  • Results:
    • Delivery of SW library to the 4NSEEK project to achieve the above objective.

Detecting the noise pattern of a camera (RUG)

  • Introduction: any image acquisition device (camera, smartphone, etc.) leaves a fingerprint on all images it takes, in the form of noise and artifacts. The extraction of this fingerprint or digital signature would make it possible to identify whether multiple images have been taken by the same device, and thus provide additional information when determining the origin of a certain CSAM seized.
  • Objetive: extraction of the digital signature of an image and grouping of images with similar digital signatures, in order to determine if multiple images have been made with the same camera.
  • Results:
    • Delivery of SW library to the 4NSEEK project to achieve the above objective.
    • Publications:
      • Bennabhaktula, G;Alegre, E Karastoyanova, DAzzopardi, G . "Device-based Image Matching with Similarity Learning by Convolutional Neural Networks that Exploit the Underlying Camera Sensor Pattern Noise". In: Proceedings of the 9th International Conference on Pattern Recognition Applications and Methods - Volume 1: ICPRAM. Valletta, Malta. 2020. pp. 578-584. DOI: 10.5220/0009101502050211

Decision layer for CSAM detection (ULE)

  • Introduction: in the 4NSEEK tool, the combination of the outputs from the previous software modules are combined using a set of manual rules to assign a relevance score to each seized evidence. The higher the score, the more likely it is that the file will contain CSAM. In addition, the 4NSEEK tool in this software release will calculate the relevance score per file using automatic learning. This score will be proportional to the probability that the file analysed contains CSAM.
  • Objetive: Carry out a training with the library outputs (face detection, gender and age estimation, adult pornography detection, sexual organs detection and CSAM detection through the file name and path) together with real CSAM, generating an intelligent system that will allow to automatically assign a score to each analyzed file.
  • Results:
    • Delivery of SW library to the 4NSEEK project to achieve the above objective (in progress).

Tool indicators

Below is a map of the countries whose LEAs have already requested the access to the project tool:

Map of the use of the 4nseek tool

  • Countries with access to the tool: Argentina, Austria, Belgium, Brazil, Canada, Colombia, Croatia, Dominican Republic, Ecuador, El Salvador, France, Germany, Ireland, Italy, Liechtenstein, Lithuania, Malta, Netherlands, New Zealand, Nicaragua, Norway, Poland, Portugal, Romania, Slovenia, Spain, Sweden, Switzerland and United Kingdom
  • Countries in the application processes to the tool: Australia, Barbados, Belize, Bosnia and Herzegovina, Chile, Costa Rica, Denmark, Estonia, Gambia, Greece, Guatemala, Honduras, India, Israel, Kenya, Mexico, Moldova, Morocco, Paraguay, Peru, Philippines, Slovakia, Turkey and Uruguay

The tool requests indicators can also be found in the following poster.

 

Co-funded by the International Security Fund of the European Union