Will Uk Police have a triage strategy in 2015 +

27 Posts
8 Users
0 Likes
5,101 Views
(@pfsfsf)
Posts: 6
Active Member
Topic starter
 

With the increase in device seizure on Police raids and heavy burdens being placed on HTCUs, will there ever be a system for non-technical police officers to triage machines? Are there any plans for a computer triage system similar to the RT Kiosk? Does it exist?

Questions?

Would policy allow?
Is it feasible?
Would this streamline or help in any way?

I ask as I have seen this sort of system proposed at an overseas event.

 
Posted : 01/01/2015 5:50 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Are you asking about tools or about a policy that allows or denies the use of such tools?

Here is a thread from which it is possible to gather indirectly that a given tool is (or has been) in use by some local Police in the UK:
http://www.forensicfocus.com/Forums/viewtopic/t=10931/

You can contact Harry Parsonage of ADF solutions through the Forum, I am pretty sure that he knows about the "state of the art" both from the technical and from the legal/policy point of view.

jaclaz

 
Posted : 01/01/2015 8:34 pm
(@pfsfsf)
Posts: 6
Active Member
Topic starter
 

Many thanks Jaclaz, I am looking at the digital influx to High Tech Units in the UK. I am aware of ADF and its capabilities. I am looking at/or answer to the problem of a Police Raid, presented with 5 computers, atm they are all bagged and tagged and sent for analysis (and triage) or outsourced (time + £).

Would there be or a need for a bobby on the beat to conduct this triage. The enormity of data is only getting worse and will continue to do so.

What is the forensic examiners view on this, the training burden, chain of evidence and potential to harm rather than do good?

 
Posted : 01/01/2015 9:09 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

I have hundreds of LEOs in the UK that use osTriage with great success. Been that way for a few years now. It's not made just for forensics people though, it's also a tool for first responders and your average investigator. It is also free for LEOs.

 
Posted : 02/01/2015 6:00 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Here's my 2p.

The idea of technical officers routinely using Triage software to decide which exhibits to seize, quite frankly, scares me.

Triaging exhibits can be used to reduce the amount of examinations required and we have used it in the recent NCA/CEOP operation which dealt with suspects using Peer-Peer for sharing of IIoC.
However the triage pack used was targeted for this operation only and was used within the HTCU rather than by non-technical officers.

There are many reasons why triage may fail, including but not limited to encrypted drives, raided disks, very old machines and iShite/EFI machines.
Within the HTCU we have the capability to look at why the triage process won't work and make a decision based on the available information. For example if the hard disk is fully encrypted then it is of interest so we'd image it.

A non-technical officer probably wouldn't have the expertise to figure out why and would either seize it or leave it when triage fails. There is also the risk that they would misuse the triage and assume that a negative triage result means the device has no evidence.

Once the triage packs leave the HTCU, all control is lost. The officers may attempt to use them in cases where the pack would not apply (such as grooming jobs) and may be using an old outdated version of the pack.

The only situation currently where I think triage would be used by non technical officers is in units managing registered sex offenders, where it could be used as part of their visits.

 
Posted : 02/01/2015 6:33 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

I assume you meant non-technical officers using triage?

For every reason triage MAY fail, there are 1000 reasons that it will work. In fact some of the reasons you mention, at least for running machines, are the most important reasons you SHOULD triage a computer. Most of the reasons you point out seem to be related to dead box forensics vs live response. While there is some use in triage for dead box, it is much more important for running machines.

I am not ever recommending a street cop be given access to a bunch of hardware or run a search warrant scene, but there is no reason that with proper training (hours, not days or weeks) people with a basic understanding of computers cannot assist in the triage process ("this computer has keyword hits", "I found hashes of interest here", and so on). Of course there will be experts around to look at the odd cases (those you mention).

Now I cannot speak for all agencies and labs, etc, but I can tell you that, in almost every situation, you will get more information from osTriage in 10 minutes than you will from waiting 6 months for a full review. By essentially getting just about everything you will need while on scene you can now conduct a much better interview of the owners of the computers (by asking questions you already know the answers to).

I don't like the concept of preconfigured packs for the reasons you mention and their inherent lack of flexibility. To not allow all the benefits because "someone might go off the rails" by using an old version or similar seems like a bad idea to me.

One thing I am curious about is your mentioning triage failing when you have full encryption, but then, if such a drive is found, you would want to image it. Is it encrypted but the data is accessible? How can triage fail against an unlocked disk that, when off, is encrypted? The encryption is transparent to the imaging program and by extension, any triage software that would be used.

I am unaware of any court cases (in the US at least) where evidence obtained via 'triage' was thrown out. I am aware of many instances where triage made the case however and found stuff in minutes vs months via more traditional forensics. Evidence is either there or it isn't. Properly designed software will not change any forensically relevant artifact on a computer and the effects on a computer can be shown to be consistent and minimally intrusive. At least in the case of osTriage, the only changes are what Windows makes to a machine (prefetch, usbstor keys and some other registry keys Windows uses to track program execution). None of those things, if wholly lost, will break a case (if your case rested solely on one of those artifacts it's not much of a case to begin with).

Again I am not advocating giving triage software to everyone, but in the context of a task force (like the ICACs in the US) it is an essential and, IMO, mandatory thing that should be happening on every search warrant. Once machines are back at the lab a lot more possibilities for triage become available, but to me the most critical triage is live response based.

 
Posted : 02/01/2015 7:12 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Evidence is either there or it isn't.

Well said. :)

As a side note, and possibly a bit off topic 😯 , I sometimes wonder when (and if) "enough is enough" (particularly in the case of CP or IIOC), and cannot say if the problems rise from the existence of some given policies or from the lack of them (or from too generic or too specific search warrants or Court orders or similar).

I mean, it seems to me - at least from what I read/can find on related cases - that the "typical" bad guy involved in this kind of activities will have hundreds or thousands (or more) of such images or videos, and additionally - again at least from what I can gather from the forum posts and talked about documentation - that these are usually not the most computer savvy people around.

So WHY exactly is a search warrant given to the police by the Court?
Like, I presume, 80% of the cases because there was evidence of internet connections with sites known to be hosting this kind of material, or the IP address, or e-mail, etc. of the suspect was found on the PC of another known/convicted pedophile, 15% because someone in the family of the suspect went to the Police, 5% for other reasons.

Let's also say (provided that the above percentages are roughly accurate) that a thorough investigation on the given devices will have at least 85% of success in finding illegal material.

Now, how much of it is *needed* to get the suspect to trial (and reasonably be enough to have the Judge/Jury sentence him)?

You find 5 computers.
You go triaging them, on (say) the first of the five you find 3127 IIOC images, do you need more?
You go triaging them and find that the fourth computer has an encrypted volume, is it not enough to have all the 5 computers seized and later fully examined?
And when you start fully examining this fourth computer, and you find in the encrypted volume the 3127 images, is it really needed to examine the other four ones?

As I see it, the only adverse case with triage (as I tried to evidence in the other thread) is when a negative result with it is obtained, which in my mind reads as a N/A and not as a "NO", in all other cases it is useful to limit the amount of "thorough" examinations, provided that a "limit" is somehow set.

jaclaz

 
Posted : 02/01/2015 7:22 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

If a single image is found (or even indications of their presence), it's enough to take a computer. With a warrant you can take everything as specified in the warrant.

In CP related cases, you have to go through all images and videos to make sure the subject is not producing CP. It is not enough to just find known images and charge based on that.

This is one of the reasons we created Project Vic. http://www.projectvic.org/

It is a game changer.

 
Posted : 02/01/2015 7:28 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

Much of my 2p worth has been said in the previous post. Thank you minime.

I was tempted to rant in fact I did but I just deleted it and started again. Without meaning to cause offence to anyone the 'let's triage' approach is being mooted most positively by those who aren't practitioners in this field, including managers that don't understand what we do.

The first thing I'd like to say is triaging at scene to decide what to take is fraught with danger. Why not just seize and decide later whether to submit? Far less risky. Triage tools like Eric's excellent osTriage are fantastic for capturing live data on systems found that are switched on and particularly if the suspect was using it as we came through the door. Many of the places we go to are not suitable for triaging anyway, so it would be seize and take back to a local mini lab or station.

This brings me to the second point, why we are needing to capture live data more and more. OS Yosemite already has the box ticked to use FileVault when you install. Windows inevitably will follow suit. Pretty soon all new operating systems will encrypt by default (either at disk, partition or profile level). Big problem for practitioners and a big spanner in the works for a boot with a triage tool option.

Triage is not necessarily quicker. I was asked to create a preview process for low intelligence indecent images jobs about 5 years ago. By using experienced analysts we could spot the oddities where we weren't finding anything. Those would have been passed by using a triage tool and in these cases an 'old fashioned' approach was the only way to find the evidence. Previewing via write blocker and conducting a highly intelligent mini exam took about 2 hours per computer. Using triage tools (which my previous management insisted on introducing) was taking more than twice that per computer and I have less confidence in the results.

Cost fits in with time. In the UK officers cost more money than analysts. I don't see the saving in having an officer on £45,000 triaging a computer when I can have a forensic technician with a computer degree and a year or two of experience doing the job for £30,000, (or an analyst with 5+ years experience for about £40,000). If the scene isn't suitable to conduct the triage anyway and you are bringing the computer to a local station or mini lab, why not have the technician/analyst do the work? They are better suited to doing that work and cannot do the officer's job whilst they are now stuck inside.

Where appropriate we can prioritise and examine only certain exhibits in many cases. Either we find more than enough to prove the offences or we rule out suspects and/or exhibits from the key exhibits. The computer the suspect was using when we entered the property and the two old ones in the loft [attic], can we rule out the ones in the loft in this scenario, or in another case it is the ones in the loft that give greater cause for concern. You have to look at the suspect, the offence type and the circumstances on a case by case (even exhibit by exhibit) basis to make this work but you can intelligently prioritise and even exclude exhibits from the examination.

One option (and it's been done before many times) is to arrest, seize and conduct a limited examination in order to determine if evidence is present. This can be conducted whilst the suspect is being processed and information found can be put to them in interview on the day of arrest. This may result in some early admissions and if it doesn't it may provide such telling information, (by reading between the lines), that enables the analyst to very quickly locate the evidence and explain it. Or, it could enable the analyst to exonerate the suspect so much faster because an early interview took place in which the information was discussed.

Many of the cases where people are considering a triage approach are indecent images cases. Unfortunately this has become a growth crime and is now considered to be a volume crime. I've been in this field a long time and I've yet to hear of a strategy being discussed on how to prevent this continued growth, other than discussing sites being shut down or blocked by ISPs. Where is the political discussion on preventing the next generation from starting? The other consideration is can we not monitor existing offenders better. There are credible options available and we are seeing second and third time around offenders more frequently now.

To say there is a simple answer would be simplistic. There is very rarely a one size fits all solution in my experience, in fact I would say it is a one size fits one solution approach. We can do better but it is about working with the judiciary and being better represented at a political level in a way that just doesn't seem to happen here in the UK and I suspect anywhere else. There are too many layers of management such that the message is lost by the time it is reported to those that organise our judiciary and make laws. There are too many departments in policing where the focus isn't on the big picture but is on small departmental gains, often resulting in comparable or even larger losses for another department.

We do need live data capture tools in the hands of officers in the future because there aren't enough practitioners to go to every scene attendance. Once we regularly see full disk/partition encryption we can't just have officers pull plugs any more. We need to capture data from any machines that are on but exactly what and how much is one issue and the other is can a tool be created that is simple enough that an officer can deploy it and not find themselves having to answer difficult questions in court. There's the word simple again and you could now say one tool won't suit all computers (PC/Mac etc). Yes that's another challenge.

I think the challenge of encryption is a bigger problem on our horizon than quantities of exhibits and quantities of data. We could find ourselves having little or no data to examine if we aren't prepared.

I think in the end I did rant. I do feel passionate about the work that I do and can't stop myself sometimes. Please forgive me, I mean no offence.

Happy New Year,

Steve

 
Posted : 02/01/2015 7:58 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If a single image is found (or even indications of their presence), it's enough to take a computer. With a warrant you can take everything as specified in the warrant.

In CP related cases, you have to go through all images and videos to make sure the subject is not producing CP. It is not enough to just find known images and charge based on that.

Thanks for the clarification.

Now I see :) . But if this is the case the triage becomes rather irrelevant in these kinds of cases 😯 , I mean, still in the 5 computers example posted, there are as I see it two possible outcomes of the triage tool, pretty much binary or 0/1:

1. when (IF) and as soon as the triage tool finds in any of the 5 computers a single image or only an "indication of its presence" you MUST seize ALL devices and later examine them "fully" to squeeze from them ALL possible info.
2. IF the triage tool (let's for the moment set aside the reason why this happens, i.e. if it is due to a limitation of the specific tool or to an exceptional ability in hiding data by the suspect) finds nothing in the 5 computers then you EITHER (a) seize all computers nonetheless for later "full" examination OR (b) you do not seize them.

So, IF once the triage gives the first "positive" you anyway need to "seize everything" and "examine everything" AND at the same time you cannot trust the triage tool to actually find something that may be "better hidden than usual" and you have to "seize everything" and "examine everything", the tool becomes of little use (please read as NONE).

On the other hand, IF once the triage gives the first "positive" you anyway need to "seize everything" and "examine everything" BUT at the same time you can avoid "seizing everything" and "examining everything" because of the negative result of the triage tool, THEN this equates to giving the exact same "dignity" to the triage tool and to the "full" examination.

Logically the latter would mean that there is no need whatsoever of any "full" examination anymore and that simply all devices should go through the triage tool and whatever it finds is the actual evidence to be produced in Court.

We are again in the original Catch-22!

Triage means "priority in examining" this or that, not "deciding to examine or not to examine".
http://en.wikipedia.org/wiki/Triage

jaclaz

 
Posted : 03/01/2015 12:49 am
Page 1 / 3