Acquisition techniques. How can we do more efficiently?  

ForensicITDerby
(@forensicitderby)
New Member

Hi,

I work in a law enforcement DFU in the UK.

We have limited resources.

I have access to 2 acquisition PCs with USB3 write blockers and network storage.

Daily I might get 3/4 acquisitions done due to size of hard drives.

Takes a good 45mins to do the notes, photographs and strip the machines down for media and storage per exhibit.

Any strategies out there that people use to do things the most efficient way?

Posted : 24/12/2018 6:17 am
hectic_forensics
(@hectic_forensics)
Junior Member

Are you acquiring directly to your network? What sort of network interface do you have in the PC? You could maybe see if you can upgrade those to get quicker speeds?
Either that, or buy some large drives to acquire to locally, then schedule a task for a robocopy of the data from the local drive to your network storage location overnight when the office is empty.

To be honest, acquiring 3 to 4 devices a day isn't too bad. You have to remember that the acquisition process is vitally important to the overarching forensic process and that everything you do can be scrutinised further down the line, so I would say taking time to write all your notes up is good practice. Although it feels like a sausage factory at times, it is sometimes good to remember that 99% of the time there is someone's life, or liberty at stake so it deserves to be treated with the due care and diligence that you have described.

Posted : 24/12/2018 9:40 am
jaclaz
(@jaclaz)
Community Legend

There were some discussions some time ago about a forensic tool
http://www.forensicfocus.com/Forums/viewtopic/t=11704/

intended to be used in a non-lab scenario, still the "generic" idea was that Read speed is higher than Write speed, so "dividing" the read stream to several write streams i.e. devices (buses) made things much faster.

Besides the usual "fluff" by the vendor, here is some insight by PaulSanderson
https://www.forensicfocus.com/Forums/viewtopic/t=11704/postdays=0/postorder=asc/start=49/

have a look at the thread starting from the above post.

Loosely, you need some seriously fast (and local) "target" devices, as was suggested by hectic_forensics a local pool of disk drives or - nowadays - possibly of SSDs and a provision for copying to the "final" location when the system is idle/not used.

jaclaz

Posted : 24/12/2018 11:51 am
armresl
(@armresl)
Community Legend

I'll add something to this.
After you get your image and want to save it to another drive for storage and disaster recovery, be sure to get something like Ultracopier to transfer over data. Windows loves to interfere in moving things and doesn't always do the best job.

Posted : 25/12/2018 4:47 am
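One way to put jaclaz's "read once, write to several targets" idea and the verified copy-to-storage step from hectic_forensics's and armresl's posts into practice, as an added example that is not from the thread, from Evimetry or from any other tool mentioned. It assumes a Linux acquisition box with GNU coreutils and util-linux; the device path, image names and the sidecar format are my own choices, and the source used for the dry run is a constructed file rather than a real exhibit.

```shell
#!/usr/bin/env bash
# Added example (not code from the thread, Evimetry or any other vendor).
# One read pass from a write-blocked source fanned out to two local
# targets, hashed in flight, then size/hash verification of each output and
# a verified copy to the final store.  Assumes Linux, GNU coreutils (dd,
# tee, sha256sum, cut, wc, cp) and util-linux blockdev.  The device path,
# file names and sidecar layout below are my own choices.
set -eu

# src_size PATH: size in bytes; block devices via blockdev, plain files via wc.
src_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# verify_image IMAGE
# Checks IMAGE against the IMAGE.sha256 sidecar written at acquisition
# time: expected byte count first (cheap, catches truncation), then the
# SHA-256 of the whole file.  Prints the reason and returns 1 on failure.
verify_image() {
    local img=$1 want_hash want_size have_hash have_size
    [ -r "$img.sha256" ] || { echo "no sidecar for $img" >&2; return 1; }
    want_hash=$(cut -d' ' -f1 "$img.sha256")
    want_size=$(cut -d' ' -f2 "$img.sha256")
    have_size=$(wc -c < "$img" | tr -d ' ')
    [ "$have_size" = "$want_size" ] \
        || { echo "SIZE MISMATCH $img: $have_size != $want_size" >&2; return 1; }
    have_hash=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$have_hash" = "$want_hash" ] \
        || { echo "HASH MISMATCH $img" >&2; return 1; }
}

# acquire_split SRC TARGET1 TARGET2
# dd reads SRC exactly once; tee writes the same bytes to both targets
# while sha256sum hashes the stream as it passes.  dd's record counts go
# to TARGET1.ddlog for the contemporaneous notes.  dd stops at the first
# unreadable sector (use ddrescue for failing media), and a short read or
# short write then shows up as a size mismatch in verify_image.
acquire_split() {
    local src=$1 t1=$2 t2=$3 bs=${BS:-4194304} expect stream_hash
    expect=$(src_size "$src")
    stream_hash=$(dd if="$src" bs="$bs" 2>"$t1.ddlog" | tee "$t1" "$t2" | sha256sum | cut -d' ' -f1)
    # Sidecar format: "<sha256> <source-size-in-bytes> <image-name>"
    printf '%s %s %s\n' "$stream_hash" "$expect" "$(basename "$t1")" > "$t1.sha256"
    printf '%s %s %s\n' "$stream_hash" "$expect" "$(basename "$t2")" > "$t2.sha256"
    verify_image "$t1" && verify_image "$t2"
}

# stage_to_storage IMAGE DESTDIR
# Copies IMAGE and its sidecar to DESTDIR (the share or analysis RAID) and
# re-verifies the copy there, so a corrupted or truncated transfer is
# caught before the local target drive is wiped for reuse.
stage_to_storage() {
    local img=$1 dest=$2
    mkdir -p "$dest"
    cp -- "$img" "$img.sha256" "$dest/"
    verify_image "$dest/$(basename "$img")"
}

# Direct use on the bench (hypothetical paths):
#   ./acquire.sh /dev/sdb /mnt/ssd1/EXH01.dd /mnt/ssd2/EXH01.dd
if [ $# -eq 3 ]; then
    acquire_split "$@"
fi
```

The size check in the sidecar is what turns a read error into a hard failure rather than a silently short image, since dd without conv=noerror simply stops at the first bad sector and the pipeline still reports a hash of whatever was read. stage_to_storage is the step to hand to cron or at for the empty office overnight; keep the sidecar next to the image so the same check can be repeated on the analysis workstation.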
randomaccess
(@randomaccess)
Active Member

As a complete tangent; triage devices first, you may find you don't need to image them and you can get the entire examination done in a day, rather than imaging/processing etc.

Also, looking into Evimetry lab which will allow for concurrent imaging and processing at the same time

Posted : 25/12/2018 9:21 am
minime2k9
(@minime2k9)
Active Member

With imaging of hard drives, I always find that more (cheaper) machines image faster than single faster machines.
Do you have a single write-blocker attached to each machine? What Imaging software are you using?

In terms of fastest imaging software, X-Ways arguably holds the title for that, however X-Ways Imager comes at a cost of about £100.
Installing a forensic Linux distribution onto a machine and using Guymager is our preferred method. It removes the requirement for writeblockers (although we use them for old IDE drives) and they can be replaced with USB 3 docks (Approx £20 per unit). You can then image 2 devices per machine without buying additional writeblockers. This also allows you to repurpose an old machine (if you have any) as they don't need to be particularly powerful.

Although your network will start slowing down when you acquire multiple images at once, the trick is to get all the bays going and then come back in the morning. Even if it takes 10%-25% longer because you are doing more drives at once, they will all be done by morning.

DM me if you want to look at some of our procedures, I'm sure your going through the ISO 17025 nightmare as well.

Posted : 27/12/2018 11:02 am
jaclaz
(@jaclaz)
Community Legend

> DM me if you want to look at some of our procedures, I'm sure your going through the ISO 17025 nightmare as well.

You know that the use of "your" instead of "you are" is a non-conformity per ISO 17025 😯, and you need to take immediate action to control and correct it, don't you?

jaclaz

Posted : 27/12/2018 4:48 pm
blschatz
(@blschatz)
New Member

Full disclosure - I am the developer of Evimetry, which was mentioned earlier in this thread.

Gaining more efficiency depends on where in your workflow the bottlenecks are (you might like to see [1] and [2] for more detail on that). For example, a gigabit network does ~100MB/s maximum - half the speed of a commodity 3.5" drive; and a USB write blocker might limit the acquisition speed of an SSD from 500MB/s to around 300MB/s.

Following from the suggestion of @jaclaz, using an imaging technology that lets you get the aggregate throughput of multiple portable evidence storage devices can be a real improvement in labs that are still on 1GbE. It is much faster to "sneakernet" a couple of 3.5" HDDs or Samsung T5's containing an image to an analysis workstation and copy it direct to its RAID rather than to use a network (4 or 8x faster for this example). Verification speeds also scale similarly with multiple evidence storage devices and RAID storage.

On the acquisition side the speed gains are mainly for RAID, SSD and NVMe, which have high IO rates that often can't be matched by single output devices.

-bradley

[1] https://evimetry.com/presentations/Advanced-AA-AFF4-PUBLIC.pdf
[2] https://evimetry.com/blog/2019/01/efficient-forensic-workflow-is-your-bridge-a-bottleneck/

Posted : 24/01/2019 4:17 am
minime2k9
(@minime2k9)
Active Member

> DM me if you want to look at some of our procedures, I'm sure your going through the ISO 17025 nightmare as well.
>
> You know that the use of "your" instead of "you are" is a non-conformity per ISO 17025 😯, and you need to take immediate action to control and correct it, don't you?
>
> jaclaz

Probably, and it will require a non-conformance action that generates so much paperwork that we have to harvest a small forest. If it was picked up during an audit, this would be enough to withhold accreditation until the action has been closed out.
So says the holy text of ISO 17025, so shall it be done!

Posted : 24/01/2019 7:49 am
jaclaz
(@jaclaz)
Community Legend

> So says the holy text of ISO 17025, so shall it be done!

Thus spoke ISO17025, A Norm for All and None.

jaclaz

Posted : 24/01/2019 11:00 am
kastajamah
(@kastajamah)
Member

As far as photographing and documentation, there is not much you can do to speed up the photographing process. I recommend photographing not only the outside of the computer and all the identification labels and markings, but also photographing the inside of the computer. Take pictures of any and all damage inside and out. Photograph the HDD/SSD in place, and after removing the HDD/SSD photograph it from all sides and identifying labels. Photograph any optical discs, flash drives, SD cards, etc. that are in the computer or connected to it.

As far as speeding up documentation, I recommend using a fill in the blank form. This form should have boxes for make, model of the computer, serial number, peripherals, and so on. This form should also include space for the HDD/SSD make, model, serial number, size as reported on the label, and so on. You can include in this form spaces for the software you used, the version of the software, if it has been processed, and if any searches were done. This will also help your coworkers know what has and has not been done quickly in case you are not able to be reached to answer any questions.

It may sound like a lot, but once you have the form and know the flow of the form, you will be able to fill it out quickly. It will also assist you with getting the information you need and not forgetting something.

Posted : 24/01/2019 7:11 pm