Bermuda triangle for hackers.

NRW Police Cloud, HiPoS, and B.E.A.S.T.: a quantum leap for the cybercrime forensics of the police in North Rhine-Westphalia

“North Rhine-Westphalia has become safer,” said NRW Interior Minister Herbert Reul at the presentation of police crime statistics in March of this year. The number of crimes reported in 2017 decreased by a solid 6 percent to 1,373 compared to the previous year. And at 52.3 percent, the police’s rate of solved crimes was as high as 50 years ago. One sphere of criminal activity that does not fit this trend at all is cybercrime – and not only in NRW. Between the Weser and the Rhine alone, in the federal state with the highest population and corporate density in Germany, cybercrime increased by 5 percent to 23,000 cases. And these are just the reported cases. According to estimates by Germany’s criminal investigators association, the Bund Deutscher Kriminalbeamter, around 90 percent of cases are unreported.

Whether data theft, manipulation, or fencing: The number of attacks on PCs, laptops, tablets, etc. is increasing. Helmut Picko of the Cybercrime Center of Excellence of the NRW State Criminal Police Office in Dusseldorf confirms that cybercrime is an inherently unreported crime. For fear of damaging their reputation, companies often do not report hacker attacks. In many cases, victims do not realize they have been the target of cyberattacks. Picko heads the project “Hybrid Integrative Platform Police Special Networks” (HiPoS) at the NRW State Office for Central Police Services. And precisely in this role, the expert on cybercrime wants to “encourage victims of cybercrime to report cyber-attacks early on, even when a crime is merely suspected”.

“Cybercrime, by its very nature, is the kind of crime that goes undetected.”

Helmut Picko, Head of the HiPoS Project at the North Rhine-Westphalian State Office for Central Police Services

Spying, intercepting, sabotaging

Whether in networks like Tor or on the public Internet – highly available and government-compliant hardware resources are, first and foremost, of vital importance for combating criminals. Therefore, the State Criminal Police Office in Dusseldorf is equipped with a cybercrime system that simultaneously evaluates ever-increasing amounts of data. The faster the data stream is distributed in the system, the faster data of any format can be analyzed and evaluated with a higher hit rate. The result: faster access to the alleged perpetrators. To this end, T-Systems, together with Dell, implemented an innovative and modern high-speed storage solution in 2016 that meets all the requirements of the NRW police in terms of security, performance, and manageability.

Results every second

Shortly after its launch, the new system was already 540 times faster than its predecessor, which even then consisted of powerful servers and hard drives. Today, up to one petabyte is copied in the morning – an amount of data that would fit on 213 DVDs. Thus, data from the last 24 hours is fully available at the start of work at seven o’clock. The system is fully compliant with the Federal Office for Information Security’s IT baseline protection approach. A key module of HiPoS is a Big Data enhanced analytics system (or B.E.A.S.T.) – a fast, highly secure, and powerful cybercrime forensics and analysis system commissioned by the State Criminal Police Office in 2016. The new evaluation process with B.E.A.S.T. allows queries to be run through a “database of six billion data sets in about one to three seconds”. At this speed, the forensic methods of the experienced investigators now produce results every second that previously required weeks or months.

Since 2016, B.E.A.S.T. has been almost completely virtualized and transferred to an NRW police cloud. That the NRW police now has a storage capacity in the double-digit petabyte range is only one of its advantages. Today, the agency can carry out high-performance, innovative analyses, particularly in the field of cognitive services. For example, it uses artificial intelligence to meaningfully analyze the written and spoken languages of criminals (up to 40 different languages) to understand certain police issues and to apply them to the communication of perpetrators.

Another advantage for Helmut Picko is that “today, on a large, uniform infrastructure, we can set up almost any number of IT applications on short notice as a proof of concept and then, if necessary, quickly put them into operation.” This is an aspect that is not unimportant for the police, since the police are constantly testing new applications for attack detection and defense to keep up with the pace of hackers and the state of development of their tools. But many products fail in the test phase because the tough police requirements on IT forensics – in image recognition, for example – are significantly higher than usual on the market. “As a result, today we have the forensic analysis tools and resources needed to parse the amount of data that was possible before virtualization many times over,” explains Helmut Picko. “Acquiring up to 55 terabytes of cleaned data in a single investigation, that was impossible for us in the past – today it’s no longer a problem.”

B.E.A.S.T. and HiPoS – essentially the core of the NRW police cloud – go far beyond the C5 requirements of the Federal Office for Information Security for cloud providers. This makes the system something of a trendsetter for authorities with comparable structures and duties in Germany.

Author: Thomas van Zütphen
Photos: iStockphoto, LZPD NRW
