Something serious (and something not)

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)

Something serious (and something not)

Post Posted: Sun Aug 25, 2013 11:07 am

I happened - while looking for completely unrelated reasons - to land on this page:
www.adfsolutions.com/a...onials.php
where the good guys at ADF Solutions list some enthusiastic opinions coming from users of their triage software.

Among the many reports, I found two that puzzled me.

The first one (non-serious) is this one:
"When we enter a terrorist suspect's home, we maximize our resources and take apart everything including the plumbing. We do the same for a local robbery suspect; I adapt my resources and level of investigation to fit the crime. Before now, we were not able to maximize our resources for forensic examinations. Adopting the ADF Solutions triage tools has provided us with this much-needed flexibility."
Forensic examiner, Leicestershire Police

I mean, a proprietor/landlord renting a flat in Leicestershire has some added risks: who is gonna re-make the plumbing?

The second one is more serious:
"We took possession of five computers from a suspect who had voluntarily submitted them for a forensic examination. The suspect had been unjustly accused of possession of child pornography but wanted to clear his name. We set up our SearchPaks and scanned all five machines. By 4:00 p.m. that day, some four hours after the handover, I was able to inform the investigators that the machines were clean. This would have taken days using conventional methodology. The investigators were impressed, and the suspect was grateful that we quickly identified him as innocent. This is a good example where a negative can have a positive outcome and speedy resolution can prevent claims against law enforcement for undue delay in keeping the machines. I can see this taking off at a pace, when managers recognize its acceptable minimum risk and huge time-saving benefits. To use the old cliché, 'We need to work smarter, not harder.'"

Forensic examiner, Durham Police

as it seems to me to imply that a triage tool is no longer a triage tool but something that can be used to definitively exclude the possibility that something non-legit exists, i.e. a "full replacement" for a "full" digital forensics examination.

Thoughts, ideas, experiences?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 


Last edited by jaclaz on Mon Aug 26, 2013 11:29 am; edited 2 times in total

jaclaz
Senior Member
 
 
  

Re: Something serious (and something not)

Post Posted: Sun Aug 25, 2013 9:25 pm

5 computers in a portion of a day? Nah. There is so much work that goes into a CP case and places to look, software present, settings of the software, sharing/not sharing of folders, deleted items, Steg items.

No way I take in 5 computers, hook up triage and give an answer until I've made an image and run through them really well.

_________________
Why order a taco when you can ask it politely?

Alan B.: "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather."

armresl
Senior Member
 
 
  

Re: Something serious (and something not)

Post Posted: Mon Aug 26, 2013 5:20 am

I can fully understand the reasoning with regard to a triage tool, and on the surface it seems a good idea. If you're an LE agency and have an 8-month backlog, it's a godsend (in theory), but in practice it does not work; any company/organisation relying upon this is treading on thin ice.

mitch
Senior Member
 
 
  

Re: Something serious (and something not)

Post Posted: Mon Aug 26, 2013 6:54 am

Don't get caught up in the specific examples, especially the 'clear my name' CP one. Triage in general has its place and can often be the only solution.

Here's my specific example: large scale incident. The dropper/payload has been analyzed. You have OS specific indicators of compromise. 500 people received the same email - now go triage each computer. You wouldn't look at each computer with a deep-dive mentality, you would look at each computer from an indicator of compromise perspective.

Triage has its place. The wise investigator should know when or when not to use it.
_________________
Blog: secureartisan.wordpress.com 

pbobby
Senior Member
 
 
  

Re: Something serious (and something not)

Post Posted: Mon Aug 26, 2013 8:00 am

- pbobby
Don't get caught up in the specific examples, especially the 'clear my name' CP one.

Well, then this thread makes no sense.

I am specifically and explicitly pointing to that one, as I find it (and all you guys are seemingly confirming my impression) a misuse of the tool (and - at least "philosophically" - a serious matter).

It seems to me like analyzing a supposedly infected machine with a single antivirus, and only with its heuristic engine, with the latest definitions disabled, and then coming out with the conclusion that the machine has no virus.

- pbobby

Triage in general has its place and can often be the only solution.
Here's my specific example: large scale incident. The dropper/payload has been analyzed. You have OS specific indicators of compromise. 500 people received the same email - now go triage each computer. You wouldn't look at each computer with a deep-dive mentality, you would look at each computer from an indicator of compromise perspective.

Triage has its place. The wise investigator should know when or when not to use it.

Sure, the point I was trying to make is that your example perfectly fits the "intended usage", "theory of operation" and also "practical use" of a triage tool (and as such it represents "non-news"); the posted "clear my name" one represents IMHO a (personally I believe inconsiderate) deviation from those.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Something serious (and something not)

Post Posted: Mon Aug 26, 2013 9:30 am

Triage works when done right and used responsibly. A lot of my work has been directed at improving triage techniques (I wrote and maintain osTriage).

Triage works just fine for just about every type of case when used to move the ball forward as soon as taking in a computer or examining it while it's running.

While it CAN be used in lieu of a full forensic exam in SOME cases, it is not a replacement for a digital examiner doing his thing against evidence (regardless of what tool is used for this purpose).

I can, with accuracy percentages easily in the 90%s, triage a computer and know whether or not CP has been on there within a few seconds using triage against a running computer.

If I can get you 90% of what is relevant to your investigation in a few seconds/minutes (or hours tops), doesn't it make sense to triage? The point of triage is the intelligence and evidence that can be used in an initial interview, more so than the notion of replacing/killing traditional digital forensics.

I know there are places in the US that do NOT need a full forensic review and officers can pursue charges as the result of triaging a computer. Of course you should always follow up and do due diligence with a more in-depth review to make sure there isn't any production, etc., but the days of spending weeks or months on each exam are not feasible or practical any more for a lot of investigations IMO. Of course there are exceptions to this rule.

Changing gears to the specific vendor mentioned:

ADF is nice and it does what it says it does, but the downside is that it costs you $$$ (1500??) to start and $$ (700??) a year, and if you stop paying, it stops working.

mitch, I would love to hear your feedback on why you say triage doesn't work. Maybe you need to try a better triage tool? =)

EricZimmerman
Senior Member
 
 
  

Re: Something serious (and something not)

Post Posted: Mon Aug 26, 2013 10:19 am

- EricZimmerman

I can, with accuracy percentages easily in the 90%s, triage a computer and know whether or not CP has been on there within a few seconds using triage against a running computer.

If I can get you 90% of what is relevant to your investigation in a few seconds/minutes (or hours tops), doesn't it make sense to triage? The point of triage is the intelligence and evidence that can be used in an initial interview, more so than the notion of replacing/killing traditional digital forensics.


There must be something wrong in the way I express myself.
From the kind of replies it seems like someone is attacking the concept of triage, and that this concept has to be defended.

No one (at least not myself) is against triage (when used properly).

I posted to know your opinion on whether the specific use of triage for the specific case (clearing the name of suspect) is appropriate or not.

If something provides 90% accuracy, or even 95%, I find it hard - particularly for such a serious crime as CP - to pass the machines through a triage tool (good as it might be) and then affirm that there is NO CP on them, which corresponds flatly to 100% certainty.

- EricZimmerman

i know there are places in the US that do NOT need a full forensic review and officers can pursue charges as the result of triaging a computer.


Still in the specific case, Durham is seemingly in the UK, not in the US.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
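The point argued above, that a per-machine detection rate "in the 90%s" cannot support a flat "the machines are clean" statement, can be made concrete with a short Bayesian calculation. This is an added illustration, not code from any poster or from ADF's tooling; the sensitivity, specificity and prior figures are constructed placeholders, and the five machines are assumed independent.

```python
# Added illustration: what a tool's detection rate says about a "clean" verdict.
# All figures below are constructed placeholders, not measurements of any product.


def negative_predictive_value(sensitivity, specificity, prevalence):
    """P(machine is truly clean | tool reports clean), by Bayes' rule.

    sensitivity: P(tool flags | material present)   -- the thread's "90%"
    specificity: P(tool reports clean | nothing present)
    prevalence:  prior P(material present) before the scan
    """
    clean_and_negative = specificity * (1 - prevalence)
    dirty_but_missed = (1 - sensitivity) * prevalence
    return clean_and_negative / (clean_and_negative + dirty_but_missed)


def residual_miss_probability(sensitivity, specificity, prevalence, n_machines):
    """P(at least one of n machines holds material the tool missed),
    given that every one of the n machines came back "clean".
    Assumes the machines are independent and share the same prior."""
    npv = negative_predictive_value(sensitivity, specificity, prevalence)
    return 1.0 - npv ** n_machines


def triage_verdict_table(sensitivities, specificity=0.99, prevalence=0.5, n_machines=5):
    """Residual miss probability (rounded) for each candidate sensitivity."""
    return {
        s: round(residual_miss_probability(s, specificity, prevalence, n_machines), 4)
        for s in sensitivities
    }


if __name__ == "__main__":
    # Five machines (as in the Durham testimonial), a constructed 50% prior that
    # an accused suspect's set holds something, and 99% specificity.
    for sens, miss in triage_verdict_table([0.90, 0.95, 0.99]).items():
        print(f"sensitivity {sens:.0%}: "
              f"P(something missed across 5 'clean' machines) = {miss:.1%}")
```

Even at 99% sensitivity the residual miss probability across five machines stays around 5%, which is the gap between "nothing found" and "clean" that the thread is discussing.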
 
 
Page 1 of 3