Forensic Focus - Computer Forensics, Computer Forensic Training, Digital Forensics
D.I.M. : An Effective Incident Management Tool Based On IODEF And Other Standards

The number of procedures necessary in incident response and evidence cataloguing is constantly growing. These procedures need to be standardized and must perform clearly defined actions. Additionally, they must all be documented in detail to provide proof of their validity. Hence the need for a software tool to facilitate the work of investigators. Such a tool must provide clear process steps and methods and generate all the final documentation for the entire operation. In this article we introduce a completely 'made in Italy' forensic case management tool, which has also been presented at the 66th IETF Meeting in Montreal.

Dario Forte, CISM, CFE,
Founder DFLabs Italy
www.dflabs.com


The Fruit of Long Experience

DFLabs D.I.M. (Digital Investigation Manager) is designed and developed for IT investigations, particularly incident response and forensic acquisition activities. The application allows the user to catalogue all pertinent information gathered during these operations and to generate reports.

D.I.M. is available in two versions:

- Stand-Alone
- Enterprise

The Stand-Alone version allows users to save information to a local database on the machine running the application. This mode allows only one user at a time to work on the case. The Enterprise version operates via a real time Internet connection to a remote database and thus makes it possible for a number of investigators to work simultaneously on one or more cases. The Stand-Alone version has an optional Back End and Management Module providing synchronization and backup functions for each local workstation running the application while offering itemized query functions to supervisors monitoring the progress of each investigator and of the overall project. This module is particularly recommended for companies and institutions which have a plurality of operators who work at different times and thus need to coordinate and manage the work.


1 SYSTEM REQUIREMENTS

The tool does not require any special hardware. A high speed Internet connection is recommended for the Enterprise version since the transmission of photographic documentation may require a large bandwidth. If simultaneous work by several users is not required, the Stand-Alone application together with the Back End Module is recommended instead.


2 SOFTWARE STRUCTURE

The Stand-Alone version of D.I.M. 1.0 allows the user to work on a local database residing on the machine running Case Manager. Thus only one user at a time can use the database. The tool automatically numbers the pieces of evidence and hosts entered for each case based on the information contained in the database.

The Enterprise version interacts with a remote shared database. Currently only MySQL databases can be used, but Oracle database capability will soon be introduced. The centralized database means that a number of different users working on the same or different cases can be connected simultaneously. The evidence is numbered on the basis of the contents of the database and thus remains coherent for all workstations. The tool allows a case-based organization of investigation procedures. Each case may include one or more hosts[1]. Evidence is associated with each host. The evidence comprises the acquired media and data sources, which may include:

- Media: HD, floppy, CD, flash card, zip disks, etc.;
- Network Dumps;
- Log Files (Binary or Text).

Detailed reports must be completed for each new host and piece of evidence when they are acquired.

D.I.M. is currently organized in the following sections:

- General info;
- Photo documentation;
- Process Timeline;
- Report Generation.

The General Info tab provides detailed information on each selected item (Case, Host, Evidence). Case information generally includes:

- The name of the firm investigating the case;
- Operation starting time and place;
- Time zone of the place where the operation began;
- Client information.

[1] A "host" is any system (workstation, laptop, handheld or otherwise) subjected to investigation.

Information regarding the Host includes:

- ID;
- Type;
- Owner;
- Model;
- Serial Number;
- System BIOS date and time.

Figure 1: D.I.M. new case entry screen.

The evidence differs based on whether it is a network dump or actual media. The associated information may include:

- Disk type;
- Brand;
- Model;
- Serial Number;
- Size;
- Sectors;
- Partitioning System;
- Presence of HPA/DCO;
- MD5;
- SHA1.

All information entered into this section is used to compile the final reports. The report may be customized by the user, who may add his or her company logo and decide which information to include/exclude.

Figure 2: Evidence info entry screen. DFLabs D.I.M. offers unlimited evidence cataloguing capacity and real-time or offline queries.


Photographic Documentation

Photographic documentation of the operations carried out may be included in each case. Demand has recently increased for this type of documentation, both for judicial and internal audit purposes. D.I.M. allows users to add photos at both the host and media level. Thus each operation may be associated with a photograph and included in the Timeline module. In order to keep the working database manageable, each photo is resized according to user selected parameters before being incorporated. If the photographic documentation is original, i.e., if it comes directly and without modification from a digital camera, D.I.M. reads the original timestamp for each photo: the program recognizes the EXIF metadata and saves it with the photo. If the photo does not contain this information, the timestamp is null. In order to provide further assurance that the original photo has not been modified, an MD5 or SHA1 hash is generated and saved to the database together with the resized photo. Users also have the option of instructing D.I.M. to save the original photos in a local folder.
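The two integrity steps described above, reading the camera's original timestamp from EXIF and hashing the untouched original before any resizing, can be shown in a few dozen lines. The following is an added example written for this page, not DFLabs code: it walks the JPEG marker segments, parses the APP1/Exif TIFF structure to find DateTimeOriginal (tag 0x9003, either in IFD0 or in the Exif sub-IFD), returns None when the tag is absent, and records MD5 and SHA1 of the original bytes so a later check can prove the stored copy derives from an unmodified source. The sample images are constructed in the block (a bare SOI/APP1/EOI container with a hand-built Exif segment), and the file name and timestamp values are illustrative assumptions.

```python
"""Added example (not DFLabs code): EXIF DateTimeOriginal extraction and
intake hashing for photographic evidence. Sample JPEGs are constructed."""
import hashlib
import struct

TAG_EXIF_IFD = 0x8769            # pointer from IFD0 to the Exif sub-IFD
TAG_DATETIME_ORIGINAL = 0x9003   # ASCII "YYYY:MM:DD HH:MM:SS" + NUL


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _ascii_value(tiff, endian, entry):
    """Decode an ASCII entry; values longer than 4 bytes live at an offset."""
    typ, n, raw = entry
    if typ != 2:
        return None
    if n <= 4:
        data = raw[:n]
    else:
        (off,) = struct.unpack_from(endian + "I", raw)
        data = tiff[off:off + n]
    return data.split(b"\x00", 1)[0].decode("ascii", "replace")


def exif_datetime_original(jpeg):
    """DateTimeOriginal from the APP1/Exif segment, or None if the photo lacks it."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI / SOS: no more metadata segments
            break
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
            if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
                return None                  # malformed TIFF header: treat as absent
            (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
            ifd0 = _read_ifd(tiff, endian, ifd0_off)
            if TAG_DATETIME_ORIGINAL in ifd0:
                return _ascii_value(tiff, endian, ifd0[TAG_DATETIME_ORIGINAL])
            if TAG_EXIF_IFD in ifd0:
                (sub_off,) = struct.unpack_from(endian + "I", ifd0[TAG_EXIF_IFD][2])
                sub = _read_ifd(tiff, endian, sub_off)
                if TAG_DATETIME_ORIGINAL in sub:
                    return _ascii_value(tiff, endian, sub[TAG_DATETIME_ORIGINAL])
            return None
        pos += 2 + seglen
    return None


def intake_photo(filename, original):
    """Hash the original bytes before any resizing, so the record later proves
    that the stored (resized) copy was derived from an unmodified source."""
    return {
        "file": filename,
        "md5": hashlib.md5(original).hexdigest(),
        "sha1": hashlib.sha1(original).hexdigest(),
        "exif_datetime_original": exif_datetime_original(original),
    }


def verify_original(record, candidate):
    """True only if the candidate bytes still match both intake hashes."""
    return (hashlib.md5(candidate).hexdigest() == record["md5"]
            and hashlib.sha1(candidate).hexdigest() == record["sha1"])


def build_sample_jpeg(datetime_original=None):
    """Constructed minimal JPEG (SOI, optional APP1/Exif, EOI); not a real photo."""
    if datetime_original is None:
        return b"\xff\xd8\xff\xd9"
    stamp = datetime_original.encode("ascii") + b"\x00"    # 20 bytes, NUL-terminated
    ifd0_off = 8                                           # right after the TIFF header
    exif_off = ifd0_off + 18                               # IFD with one entry = 2 + 12 + 4
    data_off = exif_off + 18
    tiff = (b"II\x2a\x00" + struct.pack("<I", ifd0_off)
            + struct.pack("<H", 1)
            + struct.pack("<HHII", TAG_EXIF_IFD, 4, 1, exif_off) + struct.pack("<I", 0)
            + struct.pack("<H", 1)
            + struct.pack("<HHII", TAG_DATETIME_ORIGINAL, 2, len(stamp), data_off)
            + struct.pack("<I", 0) + stamp)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    rec = intake_photo("DSC_0001.JPG", build_sample_jpeg("2011:05:20 10:31:45"))
    print(rec)
```

Note that the hash is taken over the original file, not the resized copy: resizing changes every byte, so a hash of the stored thumbnail proves nothing about the camera original. Keeping both MD5 and SHA1, as the article's evidence fields do, also means a collision against one algorithm alone does not pass verification.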

Figure 3: Case Manager Photos tab.


Timeline Management, Reports and Labels

The Timeline module automatically generates a record of events covering everything the investigator does. In addition to the entries automatically generated with the creation and inclusion of each new host and piece of evidence, the investigator has the option of including any other events he or she deems relevant. There are also "Note" fields for any other pertinent information. This feature allows operators to keep continuous "minutes" of the operations. An absolute requisite in judicial cases, the Timeline is also indispensable for managers and supervisors who need to keep track of time and tasks.

DFLabs Digital Investigation Manager also produces automatic and itemized reports, including acquisition and investigation reports and also expense reports, which are needed for invoicing and damage assessments. Lastly, labels with optional bar codes are generated automatically for each piece of evidence.


3 BACKUP AND SYNCHRONIZATION MODULE

Digital Investigation Manager offers a variety of data security and team coordination options. The former, which for simplicity's sake we will term "backup options", allow the user to create a copy of local data in a centralized archive. This has a dual purpose: the user is assured of having a copy of the work performed; and a central historical record is maintained of all cases involving a particular investigator. The backup option requires a properly configured back-end database server. Supervisors may access the back end for itemized queries.

The coordination option, designed for management of investigation teams and thus available only with D.I.M. Enterprise version, keeps case information updated. For example, if a number of investigators work in succession on the same case, they will be able to synchronize their copy of the database and keep it constantly updated to keep up with the overall progress on the job. An example may help to make this clearer. An investigator takes on a case and notes down all the available data on her laptop. That evening, back at the office or at home using a network connection, she synchronizes her local database with the remote back-end database. Another investigator continuing with the same case the next day just has to "upload" the case information from the back-end database and carry on the work. The only thing the user has to worry about is to know the name or ID of the case he or she is working on. If local case information is present, the program verifies just how recent it is and synchronizes it with the back end, which thus remains constantly updated in terms of progress on the investigation.
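The synchronization rule sketched in this paragraph, where a local copy is compared with the back end by how recent it is and the fresher side wins, is easy to get subtly wrong: scalar case fields can be overwritten by the newer record, but the Timeline is an append-only log that must be merged, never replaced, or one investigator's "minutes" silently vanish. The example below is added here and is not DFLabs code; the record layout (updated_at, notes, timeline) and the case IDs are assumptions for illustration. It pulls cases the laptop has never seen, pushes cases created offline, resolves the rest by timestamp, and unions the timelines in every case.

```python
"""Added example (not DFLabs code): last-writer-wins synchronization of case
records between a local database and the back end, with append-only timelines
merged rather than overwritten. Record layout and sample data are constructed."""
from datetime import datetime, timezone


def _ts(s):
    """Timestamps are stored as text; compare them as aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def _merge_timeline(a, b):
    """Union of two event lists, ordered by time, duplicates removed."""
    seen, out = set(), []
    for ev in sorted(a + b, key=lambda e: (_ts(e["time"]), e["event"])):
        key = (ev["time"], ev["event"])
        if key not in seen:
            seen.add(key)
            out.append(dict(ev))
    return out


def synchronize(local, backend):
    """Bring both stores to the same state in place; return the decision per case ID."""
    decisions = {}
    for case_id in sorted(set(local) | set(backend)):
        mine, theirs = local.get(case_id), backend.get(case_id)
        if mine is None:                       # first day on this case: take it down
            local[case_id] = dict(theirs)
            decisions[case_id] = "pull"
            continue
        if theirs is None:                     # case opened offline: send it up
            backend[case_id] = dict(mine)
            decisions[case_id] = "push"
            continue
        timeline = _merge_timeline(mine.get("timeline", []), theirs.get("timeline", []))
        if _ts(mine["updated_at"]) > _ts(theirs["updated_at"]):
            winner, decisions[case_id] = mine, "push"
        elif _ts(mine["updated_at"]) < _ts(theirs["updated_at"]):
            winner, decisions[case_id] = theirs, "pull"
        else:
            winner, decisions[case_id] = mine, "up-to-date"
        merged = dict(winner)
        merged["timeline"] = timeline           # never discard either side's events
        local[case_id] = dict(merged)
        backend[case_id] = dict(merged)
    return decisions


def sample_stores():
    """Constructed data: a laptop after a day in the field, and the back end."""
    local = {
        "CASE-2011-017": {"updated_at": "2011-05-20 18:40:00", "notes": "imaging done",
                          "timeline": [{"time": "2011-05-20 10:31:45",
                                        "event": "host H1 acquired"}]},
        "CASE-2011-018": {"updated_at": "2011-05-20 16:05:00", "notes": "opened on site",
                          "timeline": []},
    }
    backend = {
        "CASE-2011-017": {"updated_at": "2011-05-19 09:00:00", "notes": "case opened",
                          "timeline": [{"time": "2011-05-19 09:00:00",
                                        "event": "case opened"}]},
        "CASE-2011-012": {"updated_at": "2011-05-02 11:15:00", "notes": "awaiting report",
                          "timeline": []},
    }
    return local, backend


if __name__ == "__main__":
    local, backend = sample_stores()
    print(synchronize(local, backend))
```

The comparison depends entirely on the two machines agreeing about the time, which is why the article's planned atomic clock coordinated timestamping matters for more than the reports: a laptop with a slow clock would lose its own edits on every sync. Two investigators editing the same scalar field on the same day still need a human merge; this rule only avoids losing timeline events.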

Figure 4: One of the general investigation reports.

Figure 5: An automatically generated detailed report (also available as PDF).


Future Developments

DFLabs D.I.M. is already available worldwide. Features currently under development include digital signature on PDF files, atomic clock coordinated timestamping, and email, secure browser, and instant messaging clients incorporated into the program. The tool has lab management capabilities as well as full logging and full searching functions to ensure an optimized level of control for supervisors, even years after the investigation.

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2011 Forensic Focus