Abstract
Digital forensics experts perform investigations of machines for "triage" to see if there is a problem, as well as to gather evidence and run analyses. When the machines to be examined are geographically distributed, an investigator could benefit greatly if he could conduct the investigation, or even its initial stages, remotely.
The Mobile Forensic Platform (MFP) is a tool for performing remote network forensics. With it, investigators can gather evidence on a remote running system, maintain a copy of the original evidence (protected by a cryptographic hash), and run various analyses on the data to determine the next steps in the investigation (e.g., seize the machine, run tests, look elsewhere). The MFP maintains audit logs on all tasks it performs.
ATC-NY (formerly Odyssey Research Associates) has designed the framework for, and implemented a prototype of, the MFP. We have modeled the investigative process to define the tasks investigators perform. The framework defines the interface for each modular component in the process. The prototype serves as a proof-of-concept to demonstrate how the different components of the system will function together. We implemented the MFP on a laptop computer with a platform-independent web interface serving as the GUI. The investigator runs a web browser on his desktop computer, connecting remotely to the MFP's web server to perform the investigative tasks.
The preliminary version of the MFP supports a small set of analysis tools that illustrate the potential of the MFP. In particular, we created three sample logfile analysis tools. They detect whether the data in a log file has been tampered with, and they also served to define how analysis tools fit into the overall MFP framework. We describe each of the tools.
1 Introduction
After a crime, investigators must perform forensic investigations on any computers that might contain evidence. Investigators could be military personnel, law enforcement officials, company employees doing internal investigations, or external consultants. Because skilled investigators may be unavailable and machines may be physically far apart, there is a need for remote network-based forensics that includes gathering and analyzing evidence. It is typically impractical for an investigator to download the necessary information across the net. Firewalls, resource constraints (e.g., bandwidth), and security policies may prevent that—and even if they don't, an investigator may simply lack the resources to store it all. The goal of the MFP is to ease the burden on the investigator who needs to examine various, geographically dispersed sites.
2 The Need for Remote Forensics
A typical forensic investigator now performs the investigation by hand-reading mail and data files, checking for system activities through different log files, and verifying the consistency of the data through the time stamps associated with files on the file system. Protections such as firewalls often force the investigator to perform these tasks on-site.
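The abstract mentions sample tools that check whether a log file has been tampered with, and the paragraph above names the manual version of that work: checking log files and verifying consistency through timestamps. The following is an added example, not code from the paper or the MFP, of the kind of consistency check such a tool can automate over syslog-style lines. The sample log lines are constructed for this example, the assumed year (syslog lines carry none) and the one-hour gap threshold are parameters chosen here, and the three findings it reports (an out-of-order timestamp, a malformed line, and a suspicious gap) are indicators that warrant a closer look rather than proof of tampering.

```python
import re
from datetime import datetime

# Constructed sample log (not from the paper).  Line 3 carries a timestamp
# earlier than the line before it, line 5 is not in syslog format at all,
# and line 6 follows a gap of more than an hour.
SAMPLE_LOG = """\
Mar 10 14:02:11 host sshd[412]: Accepted password for alice from 10.0.0.7
Mar 10 14:05:40 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash
Mar 10 13:58:02 host sshd[412]: session opened for user alice
Mar 10 14:07:03 host CRON[900]: (root) CMD (run-parts /etc/cron.hourly)
this line does not look like syslog at all
Mar 10 16:30:00 host sshd[1200]: Accepted password for bob from 10.0.0.9
"""

# Classic BSD syslog header: "Mon dd HH:MM:SS hostname message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_ts(ts: str, year: int = 2003) -> datetime:
    """Syslog timestamps omit the year; the year is an assumption supplied
    by the analyst (here a constant for the example)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def check_log(text: str, max_gap_seconds: int = 3600) -> list:
    """Return (line number, finding, line) tuples for lines that break the
    expectations of an untouched, append-only log:
      - malformed:     line does not match the syslog header format
      - out_of_order:  timestamp earlier than the latest one seen so far
      - gap:           silence longer than max_gap_seconds before this line
    """
    findings = []
    latest = None  # latest timestamp seen so far (not the previous line's,
                   # so one out-of-order line does not cascade into more)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((lineno, "malformed", line))
            continue
        ts = parse_ts(m.group("ts"))
        if latest is not None:
            if ts < latest:
                findings.append((lineno, "out_of_order", line))
            elif (ts - latest).total_seconds() > max_gap_seconds:
                findings.append((lineno, "gap", line))
        latest = ts if latest is None else max(latest, ts)
    return findings


if __name__ == "__main__":
    for lineno, kind, line in check_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {line}")
```

A gap is only meaningful relative to what the machine normally logs, so the threshold should be set per host (a cron job that runs hourly gives a natural baseline); an empty stretch on a busy server is a much stronger indicator than the same stretch on an idle one.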
The difficulties of performing a local analysis can limit the investigation. First, forensic software must be running on the local machine, and may have to be installed. Second, running such software locally risks damaging or contaminating data. Third, if the machine has been compromised, the investigation may produce suspect results - or worse, may alert the attacker. And finally, even if the forensic software does not alter the data (e.g., when booting an O/S from a floppy or CD-ROM), it still makes the machine unavailable, and may disrupt mission-critical services. Additionally, this method loses transient state information, such as running processes and network connections.
Working through a remote login also poses problems. The network may not be configured to allow such remote connections (e.g., because of a firewall or because the network contains classified data). The network connection may not be fast enough to support the transfer of a large amount of data; and transmitting data across a public network (the Internet) risks divulging too much internal information.
What is needed is an approach that combines the advantages of both methods, accessing data locally on a secure platform with known tools, and keeping raw data within the network (to provide data integrity and to limit communications overhead).
3 How the MFP Works
The Mobile Forensic Platform (MFP) is a stand-alone machine, connected to the same local subnet as the machine to be investigated, allowing for high-speed transfer of data. The investigator, or an administrator, connects to the MFP through a secured connection (either through the Internet via a VPN or over a phone line) that encrypts all data transferred between the machines (e.g., via HTTPS). The particular mechanisms that provide the connection and encryption are beyond the scope of this paper.
We envision two ways in which the MFP can be used. In Option One, a large organization with multiple geographically distributed sites could keep an MFP on-site, ready to be deployed. Before it was ever needed, it would be configured for that site (e.g., dynamic vs. static IP addresses, server names, services that are run, etc.). A system administrator could then deploy the MFP at the direction of the investigator, who need not be present. This would involve little more than plugging it into the network and a power outlet, and turning it on. We minimize the risk of a "rogue" MFP, since an investigator controls it remotely, and only after authenticating himself with a password.
In Option Two, the MFP could be configured at the time it is deployed. The configuration should be straightforward and again could be done under the supervision of the investigator, via a phone call. In both situations, the investigator can begin gathering and analyzing evidence without having to go on-site.
The MFP tries to limit the amount of trust an organization must put into the investigator. In reality, he will have virtually unrestricted access to the machines that are under investigation. However, the MFP maintains its own audit log of every transaction performed, from every data file downloaded to every analysis or browsing of the data files.
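The abstract says the MFP keeps a copy of the original evidence protected by a cryptographic hash, and this section says it audit-logs every transaction, from each file downloaded to each analysis. The following is an added example, not the MFP's own code, of how those two properties fit together in an evidence store: every acquisition writes the original bytes once, records a SHA-256 digest in a manifest, and appends an entry to an audit log; later verification re-hashes the stored copy and is itself audited. The class and file layout are hypothetical, and the log line used as evidence is constructed for the example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample evidence (not from the paper): one line that a log-file
# acquisition from the machine under investigation might return.
SAMPLE_EVIDENCE = b"Mar 10 14:02:11 host sshd[412]: Accepted password for alice\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceStore:
    """Hypothetical store: one immutable copy per item, a manifest of
    digests, and an append-only JSON-lines audit log of every action."""

    def __init__(self, root: Path, investigator: str):
        self.root = root
        self.investigator = investigator
        self.root.mkdir(parents=True, exist_ok=True)
        self.audit_path = self.root / "audit.log"
        self.manifest = {}  # item name -> SHA-256 at acquisition time

    def _audit(self, action: str, **fields) -> None:
        # Every transaction is recorded with who did it and when (UTC).
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "by": self.investigator, "action": action, **fields}
        with self.audit_path.open("a") as f:
            f.write(json.dumps(entry) + "\n")

    def acquire(self, name: str, data: bytes, source: str) -> str:
        """Store the original bytes once and return their digest."""
        digest = sha256_hex(data)
        (self.root / f"{name}.orig").write_bytes(data)
        self.manifest[name] = digest
        self._audit("acquire", item=name, source=source,
                    sha256=digest, size=len(data))
        return digest

    def working_copy(self, name: str) -> bytes:
        """Analyses run on a copy; the .orig file is never handed out."""
        self._audit("read", item=name)
        return (self.root / f"{name}.orig").read_bytes()

    def verify(self, name: str) -> bool:
        """Re-hash the stored original and compare with the manifest."""
        data = (self.root / f"{name}.orig").read_bytes()
        ok = sha256_hex(data) == self.manifest[name]
        self._audit("verify", item=name, ok=ok)
        return ok

    def audit_entries(self) -> list:
        return [json.loads(line) for line in
                self.audit_path.read_text().splitlines()]


def demo() -> dict:
    """Acquire, verify, then simulate corruption of the stored copy and
    show that verification catches it and that every step was audited."""
    with tempfile.TemporaryDirectory() as tmp:
        store = EvidenceStore(Path(tmp), "investigator-1")
        digest = store.acquire("auth.log", SAMPLE_EVIDENCE,
                               source="host:/var/log/auth.log (constructed)")
        intact = store.verify("auth.log")
        store.working_copy("auth.log")
        # Simulated corruption of the stored original (e.g., disk fault).
        (Path(tmp) / "auth.log.orig").write_bytes(SAMPLE_EVIDENCE + b"x")
        corrupted_detected = not store.verify("auth.log")
        return {"digest": digest, "intact": intact,
                "corrupted_detected": corrupted_detected,
                "audit_actions": [e["action"] for e in store.audit_entries()]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest digest is what an investigator would later cite when showing that the copy analysed is the one acquired; keeping the audit log append-only and on the MFP rather than on the examined machine is what lets it serve as an independent record of the investigator's own actions, which is the trust limitation this section describes.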