Will Uk Police have a triage strategy in 2015 +


mkel2000
Member
 

Re: Will Uk Police have a triage strategy in 2015 +

Posted: Jan 08, 15 01:11

- EricZimmerman

3. a. This happens routinely without *need* of a full forensic exam here in the USA across a wide range of departments. Charges are regularly filed based on triage results alone.



The legal standard required for filing charges in criminal cases in the US is probable cause - a very low standard. It may be sufficient for prosecutors who don't know any better to base a filing decision on triage results, but if they are taking those cases to court and expecting to prove a case beyond a reasonable doubt (the standard for conviction in US criminal cases) without a full forensic examination of the evidence then they are fools.

It's clear from your posts in this thread that you are trying to sell a tool. I get that. However, your premise that a triage tool should be used in all cases to determine whether a device should be seized pursuant to a search warrant is not based in the reality of criminal investigations. No investigator with several hours of training in any triage tool is going to be able to craft sufficient search terms or other data points for that tool to absolutely determine whether evidence exists or not on that device 100 percent of the time. Even forensic examiners with many years of training and experience have difficulty sometimes finding evidence with full forensic examination of evidence.

I'll admit that cases today involve much more data than they did when I started doing criminal investigations involving digital evidence more than a decade ago. The idea that digital forensic investigations should be reduced to push button operations by untrained cops isn't any more realistic now than it was back then. In my opinion, triage tools operated by untrained individuals in order to determine what gets seized pursuant to a search warrant is a mistake of the highest order.  
 
  

EricZimmerman
Senior Member
 

Re: Will Uk Police have a triage strategy in 2015 +

Posted: Jan 08, 15 02:05

Have you ever used osTriage? If so, what version?


- mkel2000


The legal standard required for filing charges in criminal cases in the US is probable cause - a very low standard. It may be sufficient for prosecutors who don't know any better to base a filing decision on triage results, but if they are taking those cases to court and expecting to prove a case beyond a reasonable doubt (the standard for conviction in US criminal cases) without a full forensic examination of the evidence then they are fools.


In Utah charges are filed all the time based on triage results AND devices are left behind that aren't of interest. In many of those cases a trial isn't necessary because of the volume of evidence recovered on scene.

Additionally, a lot of assistant US attorneys advocate and in fact want triage/LR tools to be used for many of the reasons I have already discussed. I have spoken to a room full of AUSAs about osTriage and its capabilities on several occasions at national conferences. It is taught yearly at their training. It is discussed in their newsletters.

The official ICAC training curriculum teaches the use of osTriage as its primary tool for on scene use.

The list goes on and on.

When it comes to a trial, you would almost always follow up with additional info and exhibits, but do you really think showing a jury browser history in X-Ways, Encase, or FTK is somehow better than doing it with any other tool?

*What* tool finds evidence isn't as important as whether the tool is doing so *correctly*.

- mkel2000


It's clear from your posts in this thread that you are trying to sell a tool. I get that. However, your premise that a triage tool should be used in all cases to determine whether a device should be seized pursuant to a search warrant is not based in the reality of criminal investigations. No investigator with several hours of training in any triage tool is going to be able to craft sufficient search terms or other data points for that tool to absolutely determine whether evidence exists or not on that device 100 percent of the time. Even forensic examiners with many years of training and experience have difficulty sometimes finding evidence with full forensic examination of evidence.


If by "sell" you mean give it away to law enforcement for free, then yes. All my software is, and always will be, free. In fact, it's in use by 1000s of LEOs in over 65 countries around the world.

I guess the hundreds of search warrants I have personally participated in as well as the 1000s of warrants where my software has been used do not fall into the "reality of criminal investigations." Bummer.

Your point about not being able to craft search terms or data points is understood, but that's why the ability to easily supply lists of keywords or hash sets exists. In the case of osTriage, it ships with over 300 keywords associated with child exploitation and millions of hash values. Users can extend this or add entirely different lists of keywords and hashes as their investigative needs dictate.

Saying anything with 100% certainty is rarely a good idea, but as I have seen and heard from hundreds of users all over the world for the past 3 years, osTriage enables them to get to a very high level of confidence that what they are looking for either is, or isn't, there.

What I am saying is that a triage/live response tool should *always* be used on a running machine for a wide variety of reasons (active network connections, running software, capturing RAM, detecting active encryption, and TONS more), and one of those many reasons is eliminating a device as being of interest. This is done just about every week on search warrants in Utah with the ICAC. It is not some pie in the sky idea. It's reality.

it is overly burdensome on LE and people tangentially related to a subject to simply "Take everything and sort it out later" when in some cases 80% of what would be seized has nothing to do with the crime being investigated. Every case is different but effort should be made to separate the wheat from the chaff to the benefit of both parties mentioned above.

- mkel2000

I'll admit that cases today involve much more data than they did when I started doing criminal investigations involving digital evidence more than a decade ago. The idea that digital forensic investigations should be reduced to push button operations by untrained cops isn't any more realistic now than it was back then. In my opinion, triage tools operated by untrained individuals in order to determine what gets seized pursuant to a search warrant is a mistake of the highest order.


Who said anything about untrained? Who said people with no training or background in these things are making any kind of decision on what to take? I am talking about the use of triage/LR in task force environments that deal with computers on a routine basis. I am talking about an FE using a triage/LR tool to make better decisions within moments of securing a search warrant scene.

I am not saying triage/LR is *the replacement* for full forensics in every case, but it certainly CAN be for some things (or at least the vast majority of artifacts found in an exam). In fact, at least for osTriage, you will get more from it in 10 minutes than from a typical full exam.

Let's be honest here. A lot of forensic reviews are comprised of pretty much entirely low hanging fruit. How many wildly advanced cases have you had to examine where a person hid their tracks so well it was hard to find what you needed?

Every case differs, but child exploitation cases are an excellent example of how triage/LR in the field goes a LONG way to moving the case forward. To suggest otherwise, to me, indicates someone hasn't been involved in those kinds of cases for a long time.

In my experience, the downplaying of triage/LR over "more traditional means" is done by old guard examiners who either do not want to change or somehow fear losing control over their kingdom (I am not saying you are in this boat, but typically a strong resistance to new techniques that are clearly effective comes from people of that mindset. Moreover, these same people have never even used the techniques being discussed but somehow feel compelled/qualified to argue the cons of such an approach.)

The old way works, but it certainly doesn't scale. The problem will continue to get worse as hard drives and data sets continue to grow.
 
  

flurryofinactivity
Newbie
 

Re: Will Uk Police have a triage strategy in 2015 +

Posted: Jan 12, 15 11:52

Completely agree with you Eric.

I can't even recall how many cases I have triaged with osTriage or other triage software where no other forensics was done and a plea agreement was reached. I've presented the results at several reviews/meetings with AUSAs and defense attorneys and haven't had any issues yet. If we sense the defense doesn't want to take a plea we do further forensic analysis. If a plea agreement seems likely to happen we rarely do further forensic analysis, and the AUSAs I've worked with have been on board with this triage model. If someone has a better suggestion for handling or triaging the increasing amount of media submitted, particularly in child exploitation cases, I'm open to suggestions.
 
  

jaclaz
Senior Member
 

Re: Will Uk Police have a triage strategy in 2015 +

Posted: Jan 13, 15 01:21

- flurryofinactivity
If we sense the defense doesn't want to take a plea we do further forensic analysis.

On what?
I mean, IF "the tool" was used to avoid seizing devices, i.e. was used NOT as a "triage tool" but rather as an "exculpating tool", you won't be able to carry out further analysis on those items; you are limited to the items that already resulted "positive" to "the tool" (and I am quite confident that "the tool" is very good and you won't find much more evidence through a traditional analysis on the seized devices; the issue is only if - by any chance - "the tool" misses something when it runs and because of this negative result you leave the device in the possession of the suspect).

So all in all we are back to square #1: is this risk of a "false negative" so trifling as to not be considered?

Or has it been considered by *someone* and has this *someone* issued a corresponding policy/guideline/whatever that has some form of validity in the UK?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
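The "false negative" jaclaz raises above, and the keyword/hash-set matching Eric describes earlier in the thread, can be made concrete with a small scan. The following is an added illustration written for this page; it is not osTriage's code, nor anything from the thread's authors. It builds a temporary directory of constructed files, flags them against a constructed SHA-1 hash set and a constructed keyword list (the placeholder keyword `demo_kw` and the file names are invented), and then compares the hits against a ground-truth list to show which "of interest" file a hash-only check misses when its content differs by a single byte.

```python
"""Hash-set plus keyword triage scan, with a false-negative check (constructed example)."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, List, Tuple


def sha1_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large media does not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_scan(root: str, known_hashes: Iterable[str],
                keywords: Iterable[str]) -> Dict[str, List[str]]:
    """Walk `root` and return {relative_path: [reasons]} for every file that hits.

    A hash hit is content-based (renaming does not defeat it); a keyword hit
    only looks at the relative path, which is all a name-based rule can see.
    """
    known = {h.lower() for h in known_hashes}
    kws = [k.lower() for k in keywords]
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if sha1_file(path) in known:
                reasons.append("hash match")
            reasons += [f"keyword:{k}" for k in kws if k in rel.lower()]
            if reasons:
                hits[rel] = reasons
    return hits


def false_negatives(hits: Dict[str, List[str]],
                    of_interest: Iterable[str]) -> List[str]:
    """Files known (from ground truth) to matter that the scan did not flag."""
    return sorted(p for p in of_interest if p not in hits)


def build_sample_media() -> Tuple[str, List[str], List[str]]:
    """Create a temp tree of constructed files; return (root, hash set, ground truth).

    All content and names here are constructed for the demonstration.
    """
    root = tempfile.mkdtemp(prefix="triage_demo_")
    known_content = b"CONSTRUCTED KNOWN FILE CONTENT 0001"
    files = {
        "pictures/IMG_0001.jpg": known_content,            # exact known file
        "backup/renamed_copy.bin": known_content,          # same bytes, new name
        "pictures/IMG_0002.jpg": known_content + b"\x00",  # one byte appended
        "docs/demo_kw_notes.txt": b"plain text",           # name carries the keyword
        "docs/report.txt": b"plain text",                  # nothing of interest
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    hash_set = [hashlib.sha1(known_content).hexdigest()]
    # Ground truth: the examiner knows all three "pictures"/"backup" files matter.
    of_interest = ["pictures/IMG_0001.jpg", "backup/renamed_copy.bin",
                   "pictures/IMG_0002.jpg"]
    return root, hash_set, of_interest


def run_demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Run the scan on the constructed tree and report hits plus what it missed."""
    root, hash_set, of_interest = build_sample_media()
    try:
        hits = triage_scan(root, hash_set, ["demo_kw"])
        return hits, false_negatives(hits, of_interest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    found, missed = run_demo()
    for rel, why in sorted(found.items()):
        print(f"HIT  {rel}: {', '.join(why)}")
    for rel in missed:
        print(f"MISS {rel}: of interest but not flagged (false negative)")
```

The renamed copy is still caught because the hash is computed over content, but the file altered by one byte is not in the hash set and carries no keyword, so a policy that leaves unflagged devices behind would leave it with the subject. That is the gap jaclaz's question is about, and it is why flurryofinactivity's later practice of previewing everything that "passes" the triage tool is the conservative answer.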
 
  

flurryofinactivity
Newbie
 

Re: Will Uk Police have a triage strategy in 2015 +

Posted: Jan 13, 15 10:03

Jaclaz: Referring to doing further analysis of the items seized. Regarding not finding more evidence through a traditional analysis, I'd say it all depends on the type of case and what you are looking for. I've really only used triage tools for child exploitation cases and I'd say it all depends on the case as to whether you'd find significantly more evidence. For example, if your case was initiated through means other than peer to peer, such as emails, then digging further with other tools may be of benefit. I generally find osTriage gets me everything I need though.

Regarding a false negative with triage software, I have had a few pieces of media that went through osTriage software with child exploitation images that were not identified. Personally, I always use EnCase to preview any media that passes on triage software just in case. To each their own though.  
 
  

jaclaz
Senior Member
 

Re: Will Uk Police have a triage strategy in 2015 +

Posted: Jan 13, 15 18:31

- flurryofinactivity
Jaclaz: Referring to doing further analysis of the items seized. Regarding not finding more evidence through a traditional analysis, I'd say it all depends on the type of case and what you are looking for. I've really only used triage tools for child exploitation cases and I'd say it all depends on the case as to whether you'd find significantly more evidence. For example, if your case was initiated through means other than peer to peer, such as emails, then digging further with other tools may be of benefit. I generally find osTriage gets me everything I need though.

Regarding a false negative with triage software, I have had a few pieces of media that went through osTriage software with child exploitation images that were not identified. Personally, I always use EnCase to preview any media that passes on triage software just in case. To each their own though.


Yep, and you are reporting a concrete (IMHO very correct) use of "the tool".
Nothing is excluded, everything is taken into custody and then analyzed, at first using "the tool" as a quick, automated way to get "the most", and when and if needed followed by a second, more "traditional" procedure.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
