Imagine the following scenario: an inexperienced law enforcement officer enters a crime scene and – on finding a USB key on a potential suspect – inserts it into a nearby Windows desktop computer hoping to find some information which may help an on-going investigation. The desktop crashes and all data on the USB key and on the Windows desktop has now been potentially compromised. However, the law enforcement officer in question is using a Virtual Crime Scene Simulator and has just learned a valuable lesson.
As with any discipline, the opportunity to practice, learn and apply such learning to a real-life scenario instils confidence within oneself. It allows mistakes to be made, actions to be evaluated and tasks to be set. In the sometimes high-pressure environment of a crime scene search involving complex physical and digital evidence, one incorrect action can be detrimental to any future judicial proceedings. In comparison with physical crime scene simulations, virtual environments have a number of distinct advantages:
- virtual crime scenes are less expensive and faster to setup;
- virtual crime scenes could be big, complex, and/or highly unusual;
- virtual crime scenes can be used to perform joint training sessions where team members are geographically far apart ;
- virtual crime scene could allow straightforward simulation of live triage and crime scene processing using virtual machines.
These reasons provided the motivation for the development of the Virtual Crime Scene Simulator, in Unity 3D, over several years as part of the MSc Digital Investigations and Forensics Computing course. The Virtual Crime Scene Simulator provides a realistic crime scene with configurable search options. In addition to physical crime scene simulation it encapsulates virtual machines, imitating digital devices in a crime scene along with an Artificial Intelligence Markup Language (AIML) based chatbot providing interactivity with an avatar.
The following gaming actions were developed and applied to the game objects:
- Issuing of a warrant before a search could commence
- Physical searching of game objects
- Labelling, exhibiting of possible evidential item
- Dismantling, examining and seizure of game objects
- Note taking during crime scene searching
- Interactive avatar who can be treated as a suspect and/or witness and questioned appropriately
- Live examination of digital devices such as mobile phones, desktops, laptops, Smart TVs using multiple options
- Live feedback with reference to ACPO principles depending on device interaction
Virtualbox VMs are called from the simulator using Windows shell scripts (.BAT files), which can be adapted to use a different virtualisation manager. Nircmd utility was also utilised to ensure that the virtual client is always displayed on top of the Unity backdrop and is centred appropriately. This was important, because our initial experiments have shown that the game experience was more enjoyable if the user was not distracted with off-centered displays or having to switch between the Unity game and the Virtual Machine window. If the trainer wishes to turn off any calls to the Windows shell scripts, and therefore disable the Virtual Client integration, this can be achieved via an option on the Admin menu – Virtual Client On/Off. When the user interaction with the virtual device is finished the virtual client is rolled back to its original snapshot and the user is returned to the crime scene. The snapshot rollback ensures that the trainer does not need to restore all the virtual clients back to their original state for the next training session. If the trainer wants to assess what the user has done on the virtual client then this roll back can be disabled by editing the restore statement on a Windows shell script. The switch between the virtual client and the crime scene had to be as seamless as possible so that the user is still immersed within the simulation. When the user returns to the crime screen all exhibits, action logs, times stamps, etc. captured before the switch are still valid. VCSS is continually being updated and improved upon with many exciting functional areas to be added in the near future. In the meantime please have a look at https://www.youtube.com/watch?v=bqaFhffRFM0 to see an overview of the current downloadable version. For further information and instructions on where to download the current version please contact Alleyn Conway at Alleyn.Conway@ucdconnect.ie.