The Case of Rainbowboy: How the Mobile IT-Forensic Laboratory Helps the German Police to Solve Their Cases Faster

Andreas Arbogast: Well good morning, everybody. Everybody is online? Well, I’m looking into the faces, more or less, coffee was successful. I’m more than delighted to be here this morning.

As you see, due to our international customers and international people over here and international police forces and other forces who are going to do that keynote in English, I hope everybody will understand I’m going to do my very best. My English is not the very best, so be patient with me. My head is always translating and telling you the story.

So, what’s the matter? We’re going to start at the bottom. I’m still more than delighted that we are not only having the opportunity to present what we are doing; we are customers as well. We bought in 2021 the Paladin forensic lab and we started to work.

And for us it was changing a complete process because what we all know when we are working on forensic topics elsewhere, it was, child abuse was everything that you can imagine. It was always kind of dirty, nerdy work, sitting on the knees with a laptop and trying to figure out the evidence.

Most of you or some of you can imagine how it is working in a special field like that and so we decided to be more professional. We got into contact with mhService and I’d like to show you how we are processing today, how we are working today and how Paladin and every, well, product from your vendors even too, is helping us to assist in our tasks.


Get The Latest DFIR News!

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

The case “Rainbowboy” is a little funny because well, things are happening with police forces too. A little bit embarrassing maybe even, but it was happening just three, four weeks ago and I’d like to know what we did at this crime scene.

First of all, who am I? My name is First Lieutenant Andreas Arbogast. I’m working at the State Bureau of Crime, North-Rhine Westphalia. Well, you can say for everybody who is not here from Germany, it is like a little FBI.

So we are just representing one state in Dusseldorf. Exactly, representing 17 million people, the biggest state here in Germany. And well, our unit, our department has at the moment, 300, 320 people just working there as cybercrime specialists and me and my team, we’re here to enjoy these days with you together.

Well, I don’t want to leave you there with some technical topics, or I’d like to start easy today in the morning because I think you guys are, or most of you have even an idea what we’re talking about when we have artifacts and evidence. I think this is something for later.

What was happening with us is just a process and the result, what we have. The process was we had to change our complete IT enrollment when we were thinking to use the Paladin, because the Paladin is staying downstairs the whole day in the garage and none of us were interested in working in the garage.

So we had to fix the system around and we had to do that in advance before we were able to start with our work. So we needed about, let’s say, half a year to prepare us, to prepare our group, and to build a group to educate people that are able to work with this special equipment.

The first output was that we created a group, the name is DIT, Digital Intervention Team or Digitale Einsatzgruppe in German, just to make sure that you have people there knowing what they’re doing there.

The first idea was to take the key, to give it to anybody else and say, okay, we are renting that car to anybody who needs it. Forget it. It’s not possible. That was even another three months of working with us to educate us to work with and on the car.

Our car’s name is not Paladin anymore, the name is MODAL, it is the Mobile Data Analytic Laboratory. It is a kind of toolbox. So as you see, you need three things; the process, the staff and the tools, and when these things are together you are able to start to work and that’s what we did.

Well, when we had our first missions with that car, it was even a kind of surprise for us what was waiting for us. Yeah, I don’t know if you behind can see the picture. This is an agricultural company in the middle of nowhere with 1,200 cows.

So, we were there and thinking, “Is it possible that we are on the wrong mission? Why the heck should we go to that agricultural company to count 1,200 cows?” Because, let’s think. Everybody’s thinking about cybercrime, which means hacking, like DDOS-ing, like ransomware.

But no, IT crime and digital crime is everywhere. Even on that field as you can see, and what was happening, we had these fellas over there and they were counting the cows.

So at the end of the day it was an economic offender. He was having cows and meat and milk and was selling it as a special biological food. Very expensive, but it was rubbish and of course they had a complete IT surrounding where they were producing and everything was kind of IT-controlled.

Of course, if you have colleagues from regular police forces, they are confronted with these things, they have no chance. So it was our task and our duty to go to this crime scene and even work with our colleagues in this, for us, very, very far away topic.

But at the end of the day, without Paladin and without our work, we were not able to solve this in a really proper way. It was the usual things we were doing at the end. We had artifacts, we were analyzing them, we were seeing evidence and seeing what the company was doing, where the offenses were happening.

So we decided at that point, okay, we have to offer our service to let’s say, everybody in police forces. That’s what we did. We did a kind of roadshow. We were going into even the little police stations and telling them, “Hey, we are there to assist you in whatever offense you have and it needs not be cybercrime or child abuse, child porn, whatever you have, what you regularly think why this car could be used.”

But what is a police officer’s main goal? At the end of the day, there’s one point where they’re really, really happy. You can imagine that’s what we want to do. We want to see the handcuffs, we want to see somebody lying on the ground, he’s guilty and then we are happy.

Of course, in areas of ransomware well, it’ll be a little bit difficult. Flight tickets to Russia are not so available at the moment. But anyway, I’m going to show you that that really was happening and that we really were able to do that. I have to leave you with some words depending on the group, on the DEG.

So we have combined types of cybercrime or other crime, let’s say, that require that we have good, really proper experience in our police processing. This is not only to see the artifacts.

As you know yourselves who are working at police forces, we have special programs, our own office programs where we have to transfer all these things, all that what we have in evidence has to be transferred to our systems.

Sometimes it needs a little time to start working on this process. It is not possible just to do it and push on the button and do it and everything is working. No, we have to learn and to produce our own processes. We have a high level of knowhow and creativity.

Of course, we are all here, we are all interested in these new products. I can tell you it was a long way to tell our decision makers what we want to do and why we need the Paladin. It was a really, really hard and long way, but at the end of the day everybody is happy because of course the last point is the most intensive one. It is the rapid response.

As police officers, I was working in this old town and we are used to, somebody is fighting with each other. We are seeing the crime scene. We can take that guy, we can put him into jail, we can write our report, we have everything we need; we have the offender, we have the evidence, we can write the report, we can give it to the public prosecutor and everything is finished.

Are we used to doing that with cyber crime or IT-related crimes? No. It is taking weeks, it is taking months. Already our offender is back home. Maybe he’s not even sitting in prison because we have more evidence that takes days and days to extract everything and the rapid response will make us real police officers again.

Well, what we were imagining at the beginning to find was of course that one. Yeah, Munster, exactly. It was a guy that was hosting child porn and child abuse videos, everything. And that was a situation we were confronted with where we did not have our MODAL laboratory.

So, who of you guys is able to store 200 or 300 terabytes of data elsewhere on a storage infield? Yes, you’re laughing. Are you? No. But yes, we are. We are now able to do, and we are more than happy because that was a hard learning process for us and for our decision makers too that it was not possible.

And still, after two years of selecting the data, it is not quite clear in that case what was happening in this crime scene. It still takes time and we have at the beginning no idea what we had on this IT system.

I already asked this question, just for having it in mind again, who is able to secure 200 terabytes of data on-field? So if we look at several missions we are able to fulfill now, of course everybody is thinking about “Okay, we are doing forensic things, yeah?”

No, no, no, no, no. It is a lot more. Outstanding extortions and kidnappings. Well, why not to use that car as a single point of contact for police forces when they’re directly in the field to connect us with the people that may recognize these crime scenes.

You are remembering at the Christmas market when this truck was driven into the crowd, of course the people were making videos, the people were taking photos, and how were police able to get that days or weeks later?

But here it is possible we are going into the field with our mobile truck and we are giving them a QR code to scan, to do swiping and giving everything to the police on scene.

This is, as I described before, the thing we need as police officers to work as real police officers again, with the evidence now. IT-related attacks, of course, DDOS-ing, ransomware, no question. High-skilled perpetrators.

We have IT everywhere, especially in economical crimes where are really this is a big task for us. Major incidents like a truck driver going into the crowd, for example. Notice portal, that’s what I describe to you now.

So we have the possibility to tell the people, “Hey, we are there. We are your single point and you can swipe your data just with the sum to the police.”

Well, this is what our single point of contact, by the way, is looking like. We don’t need 200 terabytes of data there. Now, this is not the point we are needing. We need little data.

Anis Amri, I don’t know if you guys know him, was the guy who was driving into the crowd. He was able to go to Italy four, five days later. When was his photo online? I have no idea.

But, if the people would had the opportunity to send us the picture immediately and we can put it through this car into our police structure with 1,200 police officers around, everybody, his iPhone in the pocket and we can send this picture there, we are talking about 500 kilobytes, not 200 terabytes.

But, we are able to deliver that service now and it was kind of impossible before and we had not even an idea that we would like to do that. So we were seeing before, we need a kind of creativity to work in that topic and that’s what we of course were doing with mhService.

(Dick is there. So if you need to talk with him today, he will be available.)

This is our car. Well, what we’re doing here is an important thing: transferring data to the decision makers. We have a video conferencing system here. It is online here.

So what did we do? We have an IP cam and just when the special forces were going into the offender’s house, we can video the scenery, we can transfer it in our war room 200 kilometers away and let the decision makers be part of our mission.

Dick was able to transfer the data immediately, some taken photos, some evidence, even into that video conference system even to show the decision makers again, “Hey, this is the evidence we got immediately here on scene.”

And then they have the opportunity to say, “Okay, this guy is now going into handcuffs.” We were never able to do that in IT-related crime scenes before. If anybody did, I want to talk with you a little later to inform me how you were able to do that. In Nordrhein-Westfalen this is here now the first opportunity.

Let’s talk about Rainbowboy just shortly. It is a little bit embarrassing. How much time is left? Well, okay, sounds good. Rainbowboy is a 17-year-old script kid. He called himself on the internet like that. We did not know him, but what was happening, we had a police front end webpage of a little police station and it was attacked through Rainbowboy.

Not that Rainbowboy was a kind of hardy expert. Yeah, he was not, definitely not. But he was kind of mad, because he was caught by police some days before and he was locking himself in his room at his parent’s home and figuring out what to do, how to penetrate police forces, and he hacked our website. He was choosing one of these well known DDoS apps and regularly you should think, well, it should not work. It worked. Website was down.

Of course, I don’t know if some of you guys here are from the Ministry of Inner Security or something like that. I know if this information goes to the Ministry, well it is kind of spooky because they want to know exactly what is up there today and we are still not talking about 200 terabytes of data, another idea of a mission, another idea of a topic, what we are able to solve now.

So what was the result for Rainbowboy? Of course, he had some visitors at six o’clock in the morning. For him quite uncomfortable, for us quite good because for the first time we were able with our MODAL truck to set up the IP cam on the scene and give all this information into the war room as I told you before.

Rainbowboy was not at home. He was at a friend’s home. We did know the friend’s home address and the same scene; he had visitors, us, at 10 minutes past six. But then Rainbowboy was caught, but Rainbowboy did not want to talk with us and he did not want to tell us what he did. Even he had the idea, “No, no, I don’t know anything.” What a surprise. What a surprise.

Well, let’s see from the forensic point, what we did and what were our tasks. Of course, we transferred the situation by IP cam. We got his PC, we got his HDD, we had some artifacts, we had his mobile phone. We were not quite sure what kind of techniques he additionally had in his house.

So that means at the first time we had to use nearly all our techniques we have stored in MODAL. Of course, I think you will discuss later what it is. I don’t want to tell you now. So even I think Dmitri and all the others at mhService, they can tell you exactly what we have.

We check the network. So we used Wi-Fi Hunter and other products to see what kind of mobile phones, what kind of access points, everything he has in his house. We used the analyzer to take the stored data and analyze it rapidly. We used Axiom and all these things as you might know to figure out what was happening with Rainbowboy.

Yeah, but the main thing was, of course, with Axiom you have the possibility to get Rainbowboy’s browser history, and with that browser history we could immediately see what kind of service he was using, what kind of DDoS attacks he was performing.

And while he was questioned, we were at a little police station and we were able to put our MODAL directly in front of it. The analyzing process was still ongoing but after a few minutes our result was there and we were able to inform the offender of what kind of knowledge we have.

And that was the point when he was breaking down. Suddenly he changed his mind and he was talking with us and suddenly of course he was telling us, “Okay, it was me. It was a DDoS attack and I was mad at the police because they caught me some days before when I was fighting with a friend on the street.”

It was just a little case, I know, and it was not the big thing we were waiting for. But for police forces when they get hacked themselves it is a kind of big thing because we were learning more about our own IT structure and that we have to fix here and there some things. Anyway, but it was another topic for us to know, “Okay, this is another scene to work with.”

Let’s see what we have. I don’t know if you can see it from last places regularly. We have police forces like Polizei on our sites. In this case we were using Baustellenfahrzeug. What is the translation of Baustellenfahrzeug? Construction worker’s vehicle?

Exactly. Thanks a lot. Not really to be like 100% invisible, but as you can imagine, when it is six o’clock and special forces are going in, well, you don’t like to be visible in the first second. If they identify us a little later, so what?

But we were like 100 meters away and you can see here was the IP cam and we were waiting with three officers in the lab to have the first artifacts coming in and it was really like that nobody on the street was really recognizing, who was it? Was it police? What were they doing there?

From inside it’s looking like an office. So for us working on the scene in the field was really, really, really comfortable. The first time, no laptop on the knees, no dirty enrollment, we had our coffee machine. Well it was quite important by the way, and we were really, really happy.

Well, let’s see. No wasted time in transferring data, I told you already. Securing evidence immediately. Handling big data if necessary.

Well, another point is I just want to let you know, we have now the opportunity to store a lot of terabytes in our car, but to be forensic-correct, if you have a case that is big like this. what is happening when you are coming home to your station? What to do with this information with this data?

You have to think about that before. In our case it was, let’s say, likely no problem because our car is a part of our own police cloud infrastructure. The infrastructure is containing about 22-25 petabytes of data capacity and we are storing all the child abuse data and all capital things directly in that cloud and the people all over Nordrhein-Westfalen working at police forces can use this data everywhere.

So for us it is no problem to drive home in our car, to put the car into the garage and to pump the data into the cloud. We have 10G, it is working with a 6,800 megabytes per second maximum. But our MODAL is doing likely like 900 megabytes per second.

It still takes a longer time if you have 200 terabytes, but we have the capacity to clean our car. I recommend you really intensively think about that if you are working with this kind of big data and if you try to work with Paladin. You need the infrastructure around.

Well, I think we were using nearly everything we had on the car. Some little things. Some of you have seen that with Wi-Fi Pineapple, with a Wi-Fi hunter.

We were more satisfied with the Wi-Fi Hunter by the way. It’s from Switzerland. We were really, really happy to buy that little device and of course you all know the products you might have at your house too.

So here we have Cellebrite UFED Touch. We know that it is difficult to open phones directly on site. In this case it was working, and in this case we just needed the browser history. That was kind of easy. But as you can see from network scanning techniques, to mobile phones, to Axiom where you can analyze it to other products, we needed the complete portfolio to see what Rainbowboy was doing.

So at the end of the day, it was a small case, for us it was a big impact and a big work until we were at that point where we can tell him, “Hey boy, that’s what you did and now it’s your time to talk with us.”

Well, some additional benefits. I have to tell you that because my boss was creating these sentences. We have the expansion of the range of the services.

Of course, it’s clear all these things we are doing now with Paladin and the products on this car are enabling us to offer this wide range of services now to all police stations. Before, yes, we were kind of assistants, we had all these luggage boxes and we were throwing that into a car and driving to the crime scene, but this is what everybody was doing and that was not the kind of help our police stations were waiting for.

Triage is a big point for us. Let’s say these cars are always only ready for 90%. The last 10% is always evaluation and a kind of process of how we handle new kinds of modus operandi, whatever.

For us, triage at the moment is one of the main points because it makes it possible to figure out what is happening on the crime scene immediately. Some products really need hours to figure out what’s up, especially when we are going deeper into crawling, into parsing of evidence, it really needs a long time because they are always doing the full scan.

The triage products are offering us, let’s say, some spot-wise ideas. Is this the right offender? Is this the one we’d like to catch? More professional handling of missions is clear and, well, we have set up a kind of cooperation now.

At the moment the idea is that our DEG, our rapid intervention team, is now seven people with this car and it is not enough. So we have had a lot of bookings in the last month.

And it is going upwards because the police stations are now knowing what kind of service we are offering and we figured out that for us we need maybe a second dessert. Well, at the end we will have seven of these groups in Nordrhein-Westfalen at the start of next year.

Well, we are proud to work with one of these tools mhService is offering us. We are always happy to be here. We are always happy to be served here. We never had any issues, never any problems. We had a straight working process and learning process even all together with Martin Herrmann and his team because it was a kind of thing that was really invented by creativity.

And still we have the next appointment next week because we want to improve something, so the contact will stay. For me and my group, we are really happy to be here today again, and we are really excited by what you guys are telling us about your experiences you have had in the field.

And well, if you have questions, please right now. Thank you so much.

Leave a Comment

Latest Videos

Cyacomb Examiner and Cyacomb Offender Manager Tools

Forensic Focus 5th December 2022 12:00 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...