Digital Evidence Standard Presentation

1
Forensic Use of Biometric Access Devices
Zeno Geradts PhD, Jurrien Bijhold PhD, Arnout
Ruifrok PhD Netherlands Forensic Institute
Digital Evidence section
2
Outline

• Definition Biometrics
• Biometrics within the NFI
• Biometric Access Systems
• Tampering with these systems
• Research and Development
• Discussion on forensic evidence

3
Biometrics

• Biometrics is the automatic identification or
  recognition of people based on behavioral or
  physiological characteristics.
• Definition from International Biometric Group in
  New York

4
Biometrics

• More invested in airport security and other
  security systems
• Other codes, like pin codes and passwords are
  sometimes difficult to remember, and often not
  difficult to obtain by third parties
• Since others can use them also it does not
  identify the person

5
Biometrics at Digital Evidence section

• Length measurements
• Face comparison
• Morphometric comparison with 3D models
• Pattern Recognition from Forensic Databases
• FearID project
• Biometric Systems

6
Biometric Properties

• Face, Weight
• Fingerprint
• Iris, Retina
• Hand shape, blood vessel patterns
• Ear shape
• DNA
• Odor
• Voice, gait, movement, entering passwords in
  computers
• Handwriting
• Many others

7
Examples

• Irisscan Schiphol
• Face recognition in
• airports

8
Biometric System
(Common Methodology for Information Technology
Security Evaluation, The Biometric Evaluation
Methodology Working Group, 2002)
9
Properties Biometric System

• FRR, false rejection rate
• FAR, false acceptance rate
• FER, Failure to enroll

10
Performance
Low security, Large numbers
High security applications
Public applications
11
Face recognition - eigenfaces

• http//www.geop.ubc.ca/kaplan/eigenfaces.html

a
b
c
..
d
e
f
..
12
Obscure ways of biometrics

• Ear channel

13
Gait
14
FearID earprints as evidence ?
15
State-of-the-art Error Rates
At Newark airport, an average of 70,000
passengers pass through daily. If all of these
used biometric-authenticated smart cards for
identification, there would be 140 falsely
rejected (and inconvenienced) passengers per day
for fingerprints, and 10,500 for face or voice.
Lawrence OGorman, Seven Issues with Human
Authentication Technologies, AutoID 2002
Anil K. Jain Dept. of Computer Science and
Engineering Michigan State University
http//biometrics.cse.msu.edu
16
Forging biometrics

• Finger Print - silicon cast
• Hand Palm - latex model
• Voice - digital or analog recording
• Face - photograph or mask on face
• Keyboard strokes - recording
• Iris photograph of iris

17
Life detection

• Patent information
• Hart beat
• Blood pressure
• 3D-shape
• Example influence pupil light
• Resistance

18
Treats to biometric Systems
1 User. Authorized user provides own
biometric sample, unknowingly, unwillingly or
willingly (collusion), to imposter. 2
User/capture. Authorized user tries to enroll a
weak biometric template. Imposter presents own
biometric sample in an attempt to impersonate an
authorized user. Imposter modifies own
biometric in an attempt to impersonate. Imposte
r presents an artificial biometric
sample. Imposter uses a residual biometric in
an attempt to impersonate the last user (e.g.
latent fingerprint). 3 Capture/extraction. Impos
ter intercepts an authorized biometric sample,
and inserts the authorized biometric sample
(replay). 4 Extraction/comparison. Imposter
intercepts extracted biometric features, and
inserts these into the comparison subsystem. 5
Enrollment Extraction/Template storage Imposter
intercepts an authorized biometric
template. Unauthorized user is enrolled due to
error or by replacement of an authorized user
template 6 Template storage. Attacker modifies
templates in storage. Imposter presents own
biometric after manipulation of a template
storage device. Imposter steals the biometric
template of an authorized user from a storage
device. 7 Template Retrieval. Imposter
intercepts an authorized biometric template
during transmission between Storage and
Comparison subsystems. Imposter inserts own
template directly into the comparison
subsystem. 8 Administrator/Resource manager. A
hostile unauthorized user may acquire
administrator privileges Non-hostile
administrator or hostile unauthorized user or
imposter incorrectly modifies matching
thresholds, incorrectly modifies user
privileges, allows unauthorized access to
template storage, allows unauthorized
modification of audit trail, enrolls
unauthorized user. Administrator fails to
properly review and respond to audit trail
anomalies. 9 User policy/management. Imposter
authenticates as authorized user through
collusion, coercion, password, backup system,
10 Policy management. Audit data collection
inadequate to detect attacks, attacker modifies
user identity. 11 Policy management/portal. Atta
cker bypasses biometric system by inserting
appropriate grant privileges signal directly
into portal. Attacker disables system, and
defeats backup system or alternative
authentication method 12 Portal. Attacker
gains unauthorized access with the willing or
unwilling aid of an authorized user User
gains access to unauthorized privileges after
improper modification of privileges. 13 Hardware
components. Attacker tampers, modifies,
bypasses, or deactivates one or more components,
and exploits hardware back- door, design
flaw, environmental conditions, or failure mode.
Attacker floods one or more components with
noise (e.g. electromagnetic energy). Imposter
intercepts or inserts authorized biometric
templates to one or more hardware components. 14
Software/firmware components. Attacker tampers,
modifies, bypasses, or deactivates one or more
executables, and exploits software
back-door, algorithm quirk, design flaw, or
failure mode. A virus or other malicious
software is introduced into the
system. Imposter intercepts or inserts
authorized biometric template to one or more
software or firmware components. 15
Connections (including network). Attacker
tampers, modifies, bypasses, or deactivates one
or more connections between components. Imp
oster intercepts or inserts authorized biometric
sample or template during transmission.
19
Future case ?

• Who was behind a computer with finger-scan access
  control at a given time ?
• Low False Acceptance Rate ?
• Keyboard bug ?

20
Conditions for forensic identification

• 1) Model of the relevant properties
• 2) Method for determination of these properties
• 3) Variation between different persons
• 4) Should be stable in time
• 5) Decision rules for identification
• (v. Koppen en Crombag Oren, lippen en
  vingers, NJB 1, 2000)

21
Research and Development at NFI

• Face comparison with 3D-scanner. Development of a
  more objective model for comparison
• FearID ear prints for identification
• Validation image processing of finger prints
• Iris scanner (and other systems) reversibility of
  stored template

22
Discussion

• Fraud with smart cards are well known
• Possibilities of tampering with biometric
  properties and unauthorized access should be
  investigated further
• Large image databases will give more statistical
  information. However first these databases should
  be filled in a standardized way.

23
Beeldonderzoek en Biometrie
Questions ?
24
Biometrische systemen misleiden

• Vinger afdruk - siliconen afgietsel
• Gezicht - foto of masker
• Iris - foto met gaatje
• Hand - latex model
• Spraak - digitale of analoge opname
• Toetsenbord aanslagen - opname

25
Eigenschappen biometrische systemen

• FTE, failure to enroll
• afgesleten vingerafdruk (metselaar), bril
• FRR, false rejection rate
• kans op onterechte weigering (verkeerde
  uitsluiting)
• FAR, false acceptance rate
• kans op onterechte toelating (verkeerde
  identificatie)

26
Forensische identificatie door het NFI

• DNA
• Vinger afdruk
• Handschrift
• Spraak opname
• Gezicht in een foto
• Oor (afdruk)
• Beweging, manier van lopen in video

27
Voorwaarden voor forensische identificatie

• 1) Beschrijvingsmodel van relevante kenmerken
• 2) Voldoende variatie in de kenmerken tussen
  personen
• 3) Kenmerken stabiel over tijd
• 4) Methode voor vaststelling van de kenmerken
• 5) Beslissingsregels voor identificatie
• (v. Koppen en Crombag Oren, lippen en vingers,
  NJB 1, 2000)

28
Vergelijking van videobeelden

• Er zijn videobeelden van een onbekende
• Van een verdachte worden vergelijkingsopnames
  gemaakt
• onder dezelfde of vergelijkbare omstandigheden,
  voor dezelfde camera, op dezelfde plaats in
  dezelfde houding