Lockpicking Forensics - RSS 2.0 Feed
Lockpicking Forensics - ATOM 1.0 Feed



Forensics is a neverending cat and mouse game. Investigators look for better methods to determine what happened while attackers are look for better ways to cover their tracks. This page discusses so called 'anti-forensics,' various techniques and methods to conceal evidence of entry.

Entry techniques that leave no forensic evidence are known as surreptitous entry. While technically surreptitious and leave no forensic evidence, the act of using them may leave non-lock evidence. When we talk about "no forensic evidence" on this page we mean as it relates to the examination of the lock, safe, or related components, other forensic evidence may still be available. For example, forensic evidence may be found in the form of fingerprints on a safe dial, hair, fiber, footprints, surveillance, et cetera.

In many cases the forensic locksmith is asked to provide an assessment of how plausible certain surreptitious entry techniques are against a given lock. This can be done through a series of laboratory tests, an analysis of the required skills, tools, or money required, and examination of the installation and configuration details of the lock. Cases of completely surreptitious entry are viewed by the investigators on the basis of what facts and logical conclusions present themselves.

Note: I am just one person and I certainly do not know every trick in the book from both the perspective of the investigator or attacker. If you can disprove any of the information on this page (from either perspective), please contact me.

You can read more about various anti-forensics techniques on the articles page.

Anti-Forensic Materials

The idea of anti-forensics materials in tools is a popular but not well researched (publicly) area. Lockpicks made of soft materials such as wood or plastic would, in theory, not leave any marks on the considerably stronger brass, nickel-silver, or steel components. While they sound great in theory, they are considerably harder to use in practice. Tools made of these materials are considerably weaker, less maneuverable, and more prone to fracture or breakage than the steel normally used in tools. These types of tools also exhibit drastically reduced feedback capabilities, important in many covert entry techniques, when compared to metal. Coating standard tools with other materials has also been attempted, with limited success. The best example is teflon coated lock picks, which do not leave traditional marks, but still leave marks.

A small half-diamond style carbon fiber lockpick is shown. Carbon fiber picks are NOT surreptitious.

I have been doing my own research into anti-forensics materials and find that most of them are lacking in all areas. To date, no materials that I have tried have been successful at both picking a cylinder once and not leaving any forensic evidence. So far I have tried:

  • Carbon Fiber
  • Fiberglass
  • Brass
  • Teflon coated steel pick

These materials have left various forensic evidence that is detailed on the Lockpicking page under the heading "Non-Metal Lockpicks".

One area that anti-forensic materials may be used in is the production of non-metal keys. Plastic keys are considerably easier to use than plastic picks because their size is much bigger than the common lock pick. Research into this area is rather sparse, as well, with the use of a plastic pen casing to surreptitiously open low-security tubular locks being the most notable example.

Another area is "glue gun" shoulders for bump keys. As we saw on the key bumping page, bumping can cause pronounced, noticeable damage to the face of the lock. This damage can be reduced or eliminated by removing the shoulder of the key and replacing it with a glue gun stick, an inexpensive piece of soft plastic. (Note: This technique does not remove the forensic evidence found inside the plug or on the pins.)

Tryout Keys

Tryout keys are a surreptitious entry technique against pin-tumbler and wafer locks. They use a series of keys with varied cut and spacing configurations to exploit poor tolerances in low-security, master keyed, or extremely worn locks. A tryout key works by being inserted into lock and jiggled back and forth in order to attempt to align components at the shear line. To assess the effectiveness of tryout keys against a particular lock, 25 random keys for the lock are produced. The forensic investigator attempts to use these keys, inserting and jiggling them, to open the cylinder. The investigator can provide a reasonable assumption on their effectiveness based on how many were able to open the cylinder.

Visual/Optical Decoding

Visual and optical decoding of the combination, key, or internal components is another form of surreptitious entry. In this case, observation, surveillance, photography, or optical devices are used in various ways. In all cases, a key can be produced with the information gathered from decoding:

  • Observation of a key's bitting depths or direct code.
  • Photograph of a key's bitting depths or direct code.
  • Observation/surveillance of a combination lock sequence being entered.
  • Visual decoding of a key impression.
  • Visual decoding of a master key system through the analysis of system key(s).
  • Optical viewing of component positions.
  • Optical viewing of component shapes (Medeco Biaxial, for example).
  • Optical viewing of component coloring (indicates depth).
  • Thermal viewing of electronic keypads.
  • Radiological imaging (see below).

When we speak of optical viewing of components we're usually referring to invasive tools such as a borescope or otoscope.

There are several high-profile anecdotes which illustrate the power that visual decoding has. The Diebold company once published a picture of a key used for voting machines across the country on their website. This key (wafer) was visually decoded and it was found that it could be used to gain access to every single voting machine in the country. In the great story of the Antwerp Diamond Heist, thieves obtained the combination sequence by installing surviellance above the combination lock on the overhead alarm used above the safe door.

Combination Manipulation

Almost all low-security combination padlocks and Group 2 safe combination locks are subject to compromise by manipulation. Manipulation may be seen as a method of decoding where diagnostic information is taken through the use of the combination dial in order to determine the proper combination sequence. Manipulation is commonly (though erroneously) portrayed in many films, and is indeed an effective method against many combination locks. Group 1 or Group 1R safe locks are considered "manipulation resistant" because of various design changes the limit the effectiveness or drastically increase the time required to successfully perform manipulation.

Auto-dialers (or computer dialers, robot dialers) are machines that automate the process of manipulation either through sophisticated manipulation software or brute-force cracking of the combination. Auto-dialers may leave forensic evidence depending on how they are mounted to the combination lock and how long it takes to work. The process of auto-dialing accelerates wear on the lock components, and this may be detectable. The use of rotary combination locks with an electronic audit log may also be able to spot and prevent this sort of activity.

Radiological Imaging

Radiological imaging is a form of surreptitious decoding that uses penetrating radiation (X, beta, and gamma rays) to "see" inside the lock or safe, revealing the proper positions of components. This is most often used against Group 2 rotary combination safe locks to determine the position of each gate in the wheel pack. This is a surreptitious entry technique unless the use of such a device can be detected. In many cases, even if the ability to detect this form of entry is available it may be considerably expensive.

The use of low-density wheel materials (such as Delrin) combats this attack. Group 1R safe locks are specifically designed to defeat various radiological attacks as well as provide manipulation protection.

Surreptitious Bypass

There are some forms of bypass that may be surreptitious if used properly. Most padlock bolt shims are made of metal, but some low-security padlocks are of a poor enough quality that they can be shimmed with paper. This, of course, does not leave marks on the padlock bolt. (see Deviant Ollam demonstrating paper shims)

In the case of a thumbturn or lever (handle) lock, there are tools that will reach under the door and attempt to grab the thumbturn or handle and unlock or open the door. Depending on the design and material of the tool and the number of attempts it takes to open the door there may not be any forensic evidence. In this case, the forensic locksmith will note that the potential for this attack exists. If no other evidence is found it may be decided that this was one of the most probable methods of entry.

If you would like to help by donating any anti-forensics tools, please contact me.