4NSEEK Tool

At the beginning of the project, INCIBE deployed in its infrastructure a specific system to facilitate users the installation and update of the tool. Since Release 1 and until today, this has been the platform used by the users of the tool.

The results produced by the 4NSEEK tool have been improved to further facilitate the work of LEAs agents. In this sense, in addition to incorporating new analysis modules based on specialized tools and artificial intelligence, the way in which the results of these modules are evaluated has been adapted in order to provide a simpler and more accurate final evaluation.

The structure and the internal flow of action of the tool have been completely revised, in order to achieve a better performance.

As a result, the latest versions of the tool make better use of the analysis time, prioritizing those files that, a priori, have a higher probability of being CSAM.

In addition, the change of structure allows greater flexibility to adapt to the needs of the agent or the technical requirements of the machine on which 4NSEEK is running.

A diagnostic functionality has been included to make it easier for agents to prioritize devices to be analyzed or to partially analyze them.

This diagnosis provides a preview of the content of each partition, so that the agent can decide based on this diagnosis if it is interesting or not.

INCIBE has added a carving module to 4NSEEK tool. This forensic technique allows the recovery of previously deleted files from a storage device.

Despite being a computationally expensive technique, the user can select it to perform this in-depth analysis as an additional functionality of the 4NSEEK tool, whose main mission is to perform agile triages of storage devices.

The user interface has been completely renewed taking into account good usability practices, improvements in navigation and new functionalities that increase the user's possibilities in processing analysis information and accessing results.

The support of multiple languages has also been incorporated, which is very necessary in view of the many countries that have requested access to the tool.

The existing analysis in the tool have been adapted to the operation of the MacOS operating system. This way the agent will be able to extract valuable information also from partitions where the Apple operating system is installed.

Interesting new tools have been included in the forensic analysis. The new tools analysed have been selected as a result of an analysis of the state of the art together with LEAs.

Now, the information extracted from the new social network tools (Twitter and Facebook) and cloud platforms (DropBox and Google Drive), provide additional information on the investigated user's behavior, providing new indications of criminal activity and even giving access to evidence of crime.

Hot analysis refers to the ability to perform forensic analysis of volatile information from computer equipment, i.e. information that can only be recovered while the computer is still on.

In this area, INCIBE's work has focused on the two necessary activities:

• Memory acquisition. A very simple and inexpensive device has been designed and developed based on easily accessible technology so that any user, without the need for advanced technical knowledge, can have it. Once this device is connected to a computer with a running Windows system, the device will automatically extract a copy of the information contained in its RAM memory for subsequent analysis.
• Forensic analysis. The functionalities of 4NSEEK have been adapted for the automatic detection of the memory extracted in the previous step and its subsequent analysis, aimed at detecting evidence or signs of criminal activity.