Three forensic acquisition sites merged to one

New Member

Hi, all.

I work in a Norwegian LEA as a computer forensic investigator. I'm reaching out to you to get some inputs/ideas for how to solve an issue regarding technical setup.

In the precinct where I work we used to have three separate CF sites, where acquisition and analysis were done locally. Items that were/will be seized range from mobile phones to ordinary computers (with GPS, routers, servers from companies +++). Each site has their own "solution" with local network, and how they store data (NAS, locally etc).

Now these three CF sites will be merged to one organisation. Two of the sites will still do acquisition, but only one site will do processing with e.g. Griffeye/IEF, along with ordinary analysis. All three sites should be able to view processed material from e.g. Griffeye/IEF locally. The idea is to gather all the competence in one place so they can do analysis, but the investigators that need access to processed data must have access locally.

Present day - three sites (A, B and C) with capability to acquire and analyze seized data.
Future - Site A will acquire some data, process and analyze all data from the three sites. Site B and C will only acquire data, and create image files.

From location A to B there are roughly 41km and from A to C there are 100km. There will be a need to transfer up to (estimated) 1TB of data each day from location B to A and from C to A. Each image file is divided into chunks of roughly 4GB.
Processed data from e.g. Griffeye will produce up to 1 million tiny files that must be transferred from A to B and from A to C.

I don't think we are the only agency/company that has faced this challenge before. Therefore I am reaching out to you to hear if you have similar challenges, or if you have suggestions for a solution that might work.

VPN has been suggested, and if we are really lucky we will get an internal network with a dedicated fiber line. But my experience is that one should not count on the most favorable outcome, as that seldom happens.

This is my first post here, so I hope I have been thorough enough and that I have provided enough details.

Topic starter Posted : 19/04/2017 3:40 pm
Community Legend

Fiber will not solve the issues you face. Setting up a strong VPN based on IPSec, and encrypting both the tunnel and the content running inside it, slows things down too much. The cloud is faster - but hold your horses!

AWS GovCloud in the U.S., used by the FBI, is a secure solution. Whether you can get access in Norway to this, with Gov-reserved and dedicated datacenters, you have to check. If your internal decision maker tends to refuse a Gov!-cloud-based solution, then you should go for a fiber-based solution with very fast and performant load balancers (network side). To get fast access to AWS, look at AWS Direct Connect.

Related to speed: a 10Gbps fiber connection to the cloud, accessible at both locations, would enable the cloud for 'caching & backing up'. This expands the otherwise point-to-point solution to a point-to-cloud-to-point solution, which is more reliable in terms of redundancy and stability, as very large images (4TB) still have a risk of failing during transmission under any circumstances.

Nowadays the cloud, correctly set up, is faster for these long distances.

We here tested this approach over AWS and the results (Swiss-India) were fine.

Posted : 19/04/2017 10:57 pm