Will Uk Police have a triage strategy in 2015 +

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)

Senior Member

Re: Will Uk Police have a triage strategy in 2015 +

Post Posted: Jan 02, 15 20:28

if a single image is found (or even indications of their presence), it's enough to take a computer. with a warrant you can take everything as specified in the warrant

in cp related cases, you have to go through all images and videos to make sure the subject is not producing cp. it is not enough to just find known images and charge based on that.

this is one of the reasons we created Project Vic. www.projectvic.org/

it is a game changer.

Senior Member

Re: Will Uk Police have a triage strategy in 2015 +

Post Posted: Jan 02, 15 20:58


Much of my 2p worth has been said in the previous post. Thank you minime.

I was tempted to rant in fact I did but I just deleted it and started again. Without meaning to cause offence to anyone the 'let's triage' approach is being mooted most positively by those who aren't practitioners in this field, including managers that don't understand what we do.

The first thing I'd like to say is that triaging at scene to decide what to take is fraught with danger. Why not just seize and decide later whether to submit? Far less risky. Triage tools like Eric's excellent osTriage are fantastic for capturing live data on systems found switched on, particularly if the suspect was using one as we came through the door. Many of the places we go to are not suitable for triaging anyway, so it would be seize and take back to a local mini lab or station.

This brings me to the second point, why we are needing to capture live data more and more. OS Yosemite already has the box ticked to use File Vault when you install. Windows inevitably will follow suit. Pretty soon all new operating systems will encrypt by default (either at disk, partition or profile level). Big problem for practitioners and a big spanner in the works for a boot with a triage tool option.

Triage is not necessarily quicker. I was asked to create a preview process for low intelligence indecent images jobs about 5 years ago. By using experienced analysts we could spot the oddities where we weren't finding anything. Those would have been passed by using a triage tool and in these cases an 'old fashioned' approach was the only way to find the evidence. Previewing via write blocker and conducting a highly intelligent mini exam took about 2 hours per computer. Using triage tools (which my previous management insisted on introducing) was taking more than twice that per computer and I have less confidence in the results.

Cost fits in with time. In the UK officers cost more money than analysts. I don't see the saving in having an officer on £45,000 triaging a computer when I can have a forensic technician with a computer degree and a year or two of experience doing the job for £30,000 (or an analyst with 5+ years' experience for about £40,000). If the scene isn't suitable to conduct the triage anyway and you are bringing the computer to a local station or mini lab, why not have the technician/analyst do the work? They are better suited to doing that work and cannot do the officer's job whilst they are now stuck inside.

Where appropriate we can prioritise and examine only certain exhibits in many cases. Either we find more than enough to prove the offences or we rule out suspects and/or exhibits from the key exhibits. Take the computer the suspect was using when we entered the property and the two old ones in the loft [attic]: can we rule out the ones in the loft in this scenario? In another case it may be the ones in the loft that give greater cause for concern. You have to look at the suspect, the offence type and the circumstances on a case by case (even exhibit by exhibit) basis to make this work, but you can intelligently prioritise and even exclude exhibits from the examination.

One option (and it's been done before many times) is to arrest, seize and conduct a limited examination in order to determine if evidence is present. This can be conducted whilst the suspect is being processed and information found can be put to them in interview on the day of arrest. This may result in some early admissions and if it doesn't it may provide such telling information (by reading between the lines) that enables the analyst to very quickly locate the evidence and explain it. Or, it could enable the analyst to exonerate the suspect so much faster because an early interview took place in which the information was discussed.

Many of the cases where people are considering a triage approach are indecent images cases. Unfortunately this has become a growth crime and is now considered to be a volume crime. I've been in this field a long time and I've yet to hear of a strategy being discussed on how to prevent this continued growth, other than discussing sites being shut down or blocked by ISPs. Where is the political discussion on preventing the next generation from starting? The other consideration is can we not monitor existing offenders better. There are credible options available and we are seeing second and third time around offenders more frequently now.

To say there is a simple answer would be simplistic. There is very rarely a one size fits all solution in my experience, in fact I would say it is a one size fits one solution approach. We can do better but it is about working with the judiciary and being better represented at a political level in a way that just doesn't seem to happen here in the UK and I suspect anywhere else. There are too many layers of management such that the message is lost by the time it is reported to those that organise our judiciary and make laws. There are too many departments in policing where the focus isn't on the big picture but is on small departmental gains, often resulting in comparable or even larger losses for another department.

We do need live data capture tools in the hands of officers in the future because there aren't enough practitioners to go to every scene attendance. Once we regularly see full disk/partition encryption we can't just have officers pull plugs any more. We need to capture data from any machines that are on but exactly what and how much is one issue and the other is can a tool be created that is simple enough that an officer can deploy it and not find themselves having to answer difficult questions in court. There's the word simple again and you could now say one tool won't suit all computers (PC/Mac etc). Yes that's another challenge.

I think the challenge of encryption is a bigger problem on our horizon than quantities of exhibits and quantities of data. We could find ourselves having little or no data to examine if we aren't prepared.

I think in the end I did rant. I do feel passionate about the work that I do and can't stop myself sometimes. Please forgive me, I mean no offence.

Happy New Year,

Forensic Computer Examiner, London, UK

Senior Member

Re: Will Uk Police have a triage strategy in 2015 +

Post Posted: Jan 03, 15 01:49

- EricZimmerman
if a single image is found (or even indications of their presence), it's enough to take a computer. with a warrant you can take everything as specified in the warrant

in cp related cases, you have to go through all images and videos to make sure the subject is not producing cp. it is not enough to just find known images and charge based on that.

Thanks for the clarification.

Now I see. But if this is the case the triage becomes rather irrelevant in this kind of case. I mean, still in the 5 computers example posted, there are as I see it two possible outcomes of the triage tool, pretty much binary or 0/1:
  1. when (IF) and as soon as the triage tool finds in any of the 5 computers a single image or only an "indication of its presence" you MUST seize ALL devices and later examine them "fully" to squeeze from them ALL possible info.
  2. IF the triage tool (let's for the moment set aside the reason why this happens, i.e. if it is due to a limitation of the specific tool or to an exceptional ability in hiding data by the suspect) finds nothing in the 5 computers then you EITHER (a) seize all computers nonetheless for later "full" examination OR (b) you do not seize them

So, IF once the triage gives the first "positive" you anyway need to "seize everything" and "examine everything" AND at the same time you cannot trust the triage tool to actually find something that may be "better hidden than usual" and you have to "seize everything" and "examine everything", the tool becomes of little use (please read as NONE).

On the other hand, IF once the triage gives the first "positive" you anyway need to "seize everything" and "examine everything" BUT at the same time you can avoid "seizing everything" and "examining everything" because of the negative result of the triage tool, THEN this equates to giving the exact same "dignity" to the triage tool and to the "full" examination.

Logically the latter would mean that there is no need whatsoever of any "full" examination anymore and that simply all devices should go through the triage tool and whatever it finds is the actual evidence to be produced in Court.

We are again in the original Catch-22.

Triage means "priority in examining" this or that, not "deciding to examine or not to examine".

- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member

Re: Will Uk Police have a triage strategy in 2015 +

Post Posted: Jan 03, 15 02:59

“now i cannot speak for all agencies and labs, etc, but i can tell you that, in almost every situation, you will get more information from osTriage in 10 minutes than you will from waiting 6 months for a full review. by essentially getting just about everything you will need while on scene you can now conduct a much better interview of the owners of the computers (by asking questions you already know the answers to).
i don't like the concept of preconfigured packs for the reasons you mention and their inherent lack of flexibility. to not allow all the benefits because "someone might go off the rails" by using an old version or similar seems like a bad idea to me.”

Herein lies the danger, Officers will begin to see triage exams as replacements for a standard forensic examination. As mentioned by someone else, triage is deciding which order to examine exhibits, not excluding exhibits or a “forensic exam lite”.
If we are looking for a quicker method of getting results then maybe the answer is a 'forensic exam lite', where a technician or similar uses an automated tool to extract 'high value' areas from an exhibit (such as the registry, Windows EDB, live internet history, contents of peer-to-peer download folders etc.) and runs automated keyword searches against them. As an automated step through a write blocker, this would provide a quick overview for an interview. My original post relates to using a triage tool to triage, not mini exams.

“one thing i am curious about is your mentioning triage failing when you have full encryption, but then, if such a drive is found, you would want to image it. is it encrypted but the data is accessible? how can triage fail against an unlocked disk that, when off, is encrypted? the encryption is transparent to the imaging program and by extension, any triage software that would be used. “

From my experience, 9 times out of 10 when a warrant is executed, the computers are turned off. Hence the problems; and, as you alluded to, triage loses some of its value if the computer isn't on and in use. For the most part, using a triage tool will show an encrypted drive in the same manner as a RAID 0 drive (i.e. unreadable).

“i am unaware of any court cases (in the US at least) where evidence obtained via 'triage' was thrown out. “

No, neither am I. Minor changes can be explained, even if the system accidentally boots. I've got no problems with what a triage produces; however, sometimes it can be over-interpreted. For example, you get hash matches for IIC on an exhibit, then CPS authorise a charge based on that. Without the supporting evidence, the images are almost worthless, but CPS/Officers often just see images and run with them.

“I mean, it seems to me - at least from what I read/can find on related cases - that the "typical" bad guy involved in this kind of activities will have hundreds or thousands (or more) of such images or videos, and additionally - again at least from what I can gather from the forum posts and talked about documentation - that these are usually not the most computer savvy people around.”

There are a wide range of offenders, from future nominations for the Darwin Award to those with similar knowledge to the examiners. Some of the suspects I've dealt with have gone to great lengths to avoid prosecution, not just in technical terms but habits as well (deleting images after viewing, using CCleaner or similar tools immediately after). Virtual machines, encryption, wiping software, VPNs, TOR etc. are becoming more widely used, as once offenders are caught and spend some time in a cell together, they seem to discuss how they got caught and think of better ways not to get caught.

“Now, how much of it is *needed* to get the suspect to trial (and reasonably be enough to have the Judge/Jury sentence him)? “

Maybe not that much to sentence for a possession/making charge of IIC (making, for those not familiar with IIC jobs, means downloading/copying etc. Production is the offence for creation of brand new IIC). But first I think it's important to understand sentencing in the UK. Images are graded as one of three categories, A to C, with A being most serious. In the sentencing guidelines, there is a table with three headings: making/taking, distributing and production. Underneath are the three categories and each box has a starting sentence for small quantity and large quantity.
So back to the question “how much is needed?”: firstly, once you have a large quantity of the highest category of images (approx 200, say), then in terms of the possession/making charge you have enough for the higher level of sentence.
However, distributing images carries a much higher sentence (starting at a 3-year custodial for Cat A images as opposed to 1 year for possession). Distributing includes making available via peer to peer and other similar methods. So we need to prove that, if we can.
Proving production is rarer than the other 2 offences; however, if it exists then it definitely needs to be looked for.
Next we have aggravating factors, of which there are 18 (2 statutory and 16 IIC specific), including "collection includes moving images", "attempts to dispose of or conceal evidence", "active involvement in a network or process that facilitates or commissions the creation or sharing of indecent images of children" and "deliberate or systematic searching for images portraying young children, category A images or the portrayal of familial sexual abuse".

BTW guidance on this can be found at: http://sentencingcouncil.judiciary.gov.uk/docs/Final_Sexual_Offences_Definitive_Guideline_content_%28web%29.pdf
Section 75 covers IIC

So with all that in mind, this is the way I see triage tools being used most effectively:
  1. All items are seized by officers from an address.
  2. Items are then triaged using a pre-configured pack specific to the offence.
  3. The results are used to identify whether an item is MORE LIKELY to contain the evidence we need.
  4. We then take a subset of these exhibits (the highest scoring ones) for a full forensic exam.
  5. The others can be examined at a later date if necessary or if evidence on another exhibit suggests something of use will be on one of them.

This approach is most likely to be used for jobs where the intelligence is very generic (CEOP referrals being a key candidate: this IP downloaded/uploaded IIC on this date/time to this site). Even in these types of jobs, the triage pack would have to look for encryption tools, cleaning tools and connected devices, not just indicators of IIC.

If we are looking for evidence to present at interview whilst waiting for the exam to take place, I would argue that this is no longer in the realms of triage, we are then in the realm of “previewing”.

As Steve alluded to, triage is often seen as a “magic bullet” to cut backlogs, often by those with little (read NO) technical experience. This is why it gets such a hostile reaction from many examiners who get annoyed by Officers and Management who believe what we do can be replaced by a piece of software.

Sorry this has been so long. I've been controlling the triage software in our HTCU, so while I've seen and am keen to promote its use where possible, it needs to be controlled. Also sorry if any of this has come across as offensive to anyone; I apologise as it's not meant to be.
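The five-step workflow in the post above (offence-specific pack, likelihood score, highest scorers to full exam) as an added illustration; this is example code written for this page, not osTriage or any HTCU pack. Hash values, program lists, weights and exhibit names are all constructed assumptions; the point it shows is that an exhibit with no known-image hits but encryption and cleaning tools present can outrank one with a single hit, which is why the pack must look for more than hash matches.

```python
import hashlib
from dataclasses import dataclass


def _h(data: bytes) -> str:
    """SHA-1 hex digest; used only to build constructed sample hashes."""
    return hashlib.sha1(data).hexdigest()


# Constructed stand-in for a known-image hash set (no real set is reproduced).
KNOWN_IMAGE_HASHES = {_h(b"constructed-known-sample-%d" % i) for i in (1, 2, 3)}
# Program names an offence-specific pack would look for alongside image hits
# (assumed lists, lower-cased as the pack would normalise them).
ENCRYPTION_TOOLS = {"truecrypt", "veracrypt", "bitlocker", "filevault"}
CLEANING_TOOLS = {"ccleaner", "eraser", "bleachbit"}


@dataclass
class Exhibit:
    name: str
    file_hashes: set          # SHA-1 of files found on the exhibit
    installed_programs: set   # lower-cased program names from the pack's registry parse
    connected_devices: int    # distinct USB storage devices seen in the registry


def score_exhibit(exhibit: Exhibit):
    """Return (score, reasons); higher score = more likely to hold the evidence needed."""
    score, reasons = 0, []
    hits = len(exhibit.file_hashes & KNOWN_IMAGE_HASHES)
    if hits:
        score += 40 + 2 * min(hits, 20)   # hits matter, but saturate (constructed weights)
        reasons.append(f"{hits} known-image hash hit(s)")
    enc = exhibit.installed_programs & ENCRYPTION_TOOLS
    if enc:
        score += 25 * len(enc)
        reasons.append("encryption tools: " + ", ".join(sorted(enc)))
    cln = exhibit.installed_programs & CLEANING_TOOLS
    if cln:
        score += 20 * len(cln)
        reasons.append("cleaning tools: " + ", ".join(sorted(cln)))
    if exhibit.connected_devices >= 3:
        score += 10
        reasons.append(f"{exhibit.connected_devices} connected storage devices")
    if score == 0:
        # Step 5 of the workflow: a negative defers the exhibit, it does not clear it.
        reasons.append("no indicators; a negative is not proof of absence, retain for later exam")
    return score, reasons


def prioritise(exhibits, full_exam_slots: int):
    """Rank exhibits by score and split into the full-exam set and the deferred set."""
    ranked = sorted(exhibits, key=lambda e: score_exhibit(e)[0], reverse=True)
    return ranked[:full_exam_slots], ranked[full_exam_slots:]


# Constructed five-computer seizure, mirroring the thread's example.
SAMPLE_EXHIBITS = [
    Exhibit("loft-pc-1", {_h(b"constructed-known-sample-1")}, {"firefox"}, 1),
    Exhibit("loft-pc-2", {_h(b"constructed-known-sample-%d" % i) for i in (1, 2, 3)},
            {"ccleaner", "utorrent"}, 2),
    Exhibit("desk-pc", {_h(b"constructed-unknown-file")}, {"truecrypt", "ccleaner"}, 4),
    Exhibit("laptop", set(), {"veracrypt"}, 1),
    Exhibit("grandma-pc", set(), {"word"}, 0),
]

if __name__ == "__main__":
    full, deferred = prioritise(SAMPLE_EXHIBITS, 2)
    for e in full + deferred:
        score, reasons = score_exhibit(e)
        print(f"{e.name:12} {score:3} {'FULL EXAM' if e in full else 'deferred':9} {'; '.join(reasons)}")
```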

Senior Member

Re: Will Uk Police have a triage strategy in 2015 +

Post Posted: Jan 03, 15 05:11

i am glad you mention your definition of triage. what you and i are talking about are distinct things (with a bit of interplay for sure).

in all things law enforcement should seek to be as minimally intrusive as possible. to me this also includes NOT taking every computer in the house if you do not need to. the computers to leave behind are determined by a mix of interview and live response/triage (even to the point of turning a machine on). for example, if there is a PC in grandma's room that is password protected and no one else has access to, i should NOT be taking it if it has nothing to do with the reason i am there in the first place.

I can use osTriage and look at just the registry tabs and determine whether a computer is "of interest" within a few seconds with an accuracy in the high 90s.

from what some seem to advocate, it's a "take everything and sort it out later" approach. that doesn't scale well at all and is overly intrusive to the people in a residence that have nothing to do with the crime being investigated. now if i cannot determine a computer is irrelevant i am going to take it, but if i can look at a PC and eliminate it i am going to do it and leave it behind.

now every examiner is different, but osTriage does provide more information to investigators than you will normally get back from a "full exam" in almost every case (at least based on the exam reports i have seen) you will also get information not seen in exams as well. In both cases it will be in a format that is much more useful for an investigator.

i disagree that triage is not determining what to leave behind. that's one of the tenets of triage (or at least as it relates to live response). there has been massive success (at least in the US in a wide variety of cases) in doing triage this way. i liken taking everything to the old school and IMO outdated approach of wiping drives before imaging to them and the "don't change anything ever" approaches so many of the old guard FEs still cling to.

in many cases, for most crimes, using a tool like osTriage can indeed replace the need for a full forensic review. in fact many districts at the local, state, and federal levels, are getting charges off of what osTriage is telling them and doing PC arrests vs waiting 6 months to continue the investigation.

of course you always have to do your due diligence for production of CP and other related evidence for different crime types, but i feel confident good live response/triage produces information that is on par or exceeding full exams in a fraction of the time.

if you haven't tried osTriage, give it a whirl. it may just change your mind. if you try it and find it wanting, i'd like to know that too so i can make it better.

thanks for the discussion! good stuff!

Senior Member

Re: Will Uk Police have a triage strategy in 2015 +

Post Posted: Jan 03, 15 17:06

Eric, with all due respect, you are now starting to play on words.

Let us set aside the "name" of the tool which may (or may not) be accurate or the etymology or meaning of the word "triage", let's for the moment call it neutrally "the tool".

The questions are still the same and they are simple enough:

Question #1:
Is it enough that on a PC/device "the tool" is run and provides a "negative" to avoid seizing (and later "fully" examine) it?
1.a Yes.
1.b No

Question #2:
Since "the tool" is pretty much automatic/automagic/smart/intelligent (please put here the appropriate attribute), WHO should operate it?
2.a Anyway a fully trained digital investigator, ideally the same one that would later make, if needed, the "full" examination.
2.b Any officer with basic specific training. <- (without any offence intended, a "trained button pusher")
2.c Any officer with a basic generic familiarity with PCs/software <- (again without any offence intended, an "untrained button pusher")

Question #3:
Since "the tool" is accurate (your words) "in the high 90s", can it be used without further "full" examination to go to Court directly? (or if you prefer, isn't "accuracy in the high 90s" the same level of accuracy of a full examination? or again is "accuracy in the high 90s" ENOUGH?)
3.a Yes
3.b No

Question #4:
While in the case of a full examination, the actual digital investigator is testifying in court and "certifying" that the examination was "thorough", "as complete as possible" and "conforming to policies, guidelines and state of the art", WHO does that for "the tool"?
4.a The software firm that makes/sells it
4.b A given national or international organization/certification entity (if you choose this, WHICH one)
4.c Someone else (please specify)

Can you please just answer the above questions?

- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member

Re: Will Uk Police have a triage strategy in 2015 +

Post Posted: Jan 03, 15 20:43

1. a. but it's not that it proves a negative, but rather shows a lack of positive hits and therefore relevance to an investigation.

2. b. for training you are talking half a day max assuming they have some basic general computer skills/have been trained in their types of investigation outside computers.

3. a. this happens routinely without *need* of a full forensic exam here in the USA across a wide range of departments. charges are regularly filed based on triage results alone

4. this is not a valid question IMO. the best answer available is c. if i was asked that question on the stand i would say no exam is as complete as possible because i could get more people to look at it, look at different artifacts, by hand, and so the rabbit trail goes. whoever uses the tool would state what they did. if there was some underlying question of how the software works the program's author could be subpoenaed perhaps, but in the case of forensics it's finding "stuff" that can then be validated with any other tool anyone else wanted to. if you only used triage then it would be the defense who would be reviewing the evidence and then reporting on their findings. triage doesn't fabricate anything that isn't there. it just finds "stuff" quickly and makes it available in minutes vs months.

if a tool shows you the contents of a prefetch file that can be validated with any other tool and certainly a hex editor. digital evidence is either present or not. if someone doesn't have the skill to find/access/verify something that is a different story, but that doesn't negate the use of tools by other people.

it would be very difficult to testify that something is, for all users, "conforming to policies, guidelines and state of the art" because those things differ pretty much across everyone. rather a tool is minimally intrusive, its results repeatable on the same evidence, and its impact on a computer can be shown to be consistent. many of the quoted things are agency specific and if a given tool is approved by an agency, then those things would be true.

as i think you mentioned, i don't need to know 100% of everything there is to know about a given system. at some point your return on what you get is far less than the time invested.

Page 2 of 4