Something serious (and something not)
jaclaz
(@jaclaz)
Community Legend

I happened - while looking for completely unrelated reasons - to land on this page
http://www.adfsolutions.com/about/testimonials.php
where the good guys at ADF Solutions list some enthusiastic opinions coming from users of their triage software.

Among the many reports, I found two that puzzled me.

The first one (non-serious) is this one

"When we enter a terrorist suspect's home, we maximize our resources and take apart everything including the plumbing. We do the same for a local robbery suspect; I adapt my resources and level of investigation to fit the crime. Before now, we were not able to maximize our resources for forensic examinations. Adopting the ADF Solutions triage tools has provided us with this much-needed flexibility."
Forensic examiner, Leicestershire Police

I mean, a proprietor/landlord renting a flat in Leicestershire has some added risks, who is gonna re-make the plumbing? 😯

The second one is more serious

"We took possession of five computers from a suspect who had voluntarily submitted them for a forensic examination. The suspect had been unjustly accused of possession of child pornography but wanted to clear his name. We set up our SearchPaks and scanned all five machines. By 4:00 p.m. that day, some four hours after the handover, I was able to inform the investigators that the machines were clean. This would have taken days using conventional methodology. The investigators were impressed, and the suspect was grateful that we quickly identified him as innocent. This is a good example where a negative can have a positive outcome and speedy resolution can prevent claims against law enforcement for undue delay in keeping the machines. I can see this taking off at a pace, when managers recognize its acceptable minimum risk and huge time-saving benefits. To use the old cliché, ‘We need to work smarter, not harder.’"

Forensic examiner, Durham Police

as it seems to me to imply that a triage tool is no longer a triage tool but something that can be used to definitely exclude the possibility that something non-legit exists, i.e. a "full replacement" for a "full" digital forensics examination.

Thoughts, ideas, experiences?

jaclaz

Posted : 25/08/2013 11:07 pm
armresl
(@armresl)
Community Legend

5 computers in a portion of a day? Nah. There is so much work that goes into a CP case and places to look, software present, settings of the software, sharing/not sharing of folders, deleted items, Steg items.

No way I take in 5 computers, hook up triage and give an answer until I've made an image and run through them really well.

Posted : 26/08/2013 9:25 am
mitch
(@mitch)
Active Member

I can fully understand the reasoning with regard to a triage tool, and on the surface it seems a good idea. If you're an LE agency and have an 8 month backlog, it's a godsend (in theory), but in practice it does not work; any company/organisation relying upon this is treading on thin ice.

Posted : 26/08/2013 5:20 pm
pbobby
(@pbobby)
Active Member

Don't get caught up in the specific examples, especially the 'clear my name' CP one. Triage in general has its place and can often be the only solution.

Here's my specific example large scale incident. The dropper/payload has been analyzed. You have OS specific indicators of compromise. 500 people received the same email - now go triage each computer. You wouldn't look at each computer with a deep-dive mentality, you would look at each computer from an indicator of compromise perspective.

Triage has its place. The wise investigator should know when or when not to use it.

Posted : 26/08/2013 6:54 pm
jaclaz
(@jaclaz)
Community Legend

Don't get caught up in the specific examples, especially the 'clear my name' CP one.

Well, then this thread makes no sense 😯 .

I am specifically and explicitly pointing to that one, as I find it (and all you guys are seemingly confirming my impression) a misuse of the tool (and - at least "philosophically" - a serious matter).

It seems to me like analyzing a supposedly infected machine with a single antivirus, and only with its heuristic engine, disabling the latest definitions, and coming out with the conclusion that the machine has no virus.

Triage in general has its place and can often be the only solution.
Here's my specific example large scale incident. The dropper/payload has been analyzed. You have OS specific indicators of compromise. 500 people received the same email - now go triage each computer. You wouldn't look at each computer with a deep-dive mentality, you would look at each computer from an indicator of compromise perspective.

Triage has its place. The wise investigator should know when or when not to use it.

Sure :) , the point I was trying to make is that your example perfectly fits "intended usage", "theory of operation" and also "practical use" of a triage tool (and as such it represents "non news"), the posted "clear my name" one represents IMHO a (personally I believe inconsiderate) deviation from those.

jaclaz

Posted : 26/08/2013 8:00 pm
EricZimmerman
(@ericzimmerman)
Active Member

triage works when done right and used responsibly. a lot of my work has been directed at improving triage techniques (i wrote and maintain osTriage).

triage works just fine for just about every type of case when used to move the ball forward as soon as taking in a computer or examining it while its running.

while it CAN be used in lieu of a full forensic exam in SOME cases, it is not a replacement for a digital examiner doing his thing against evidence (regardless of what tool used for this purpose)

i can, with accuracy percentages easily in the 90%s, triage a computer and know whether or not CP has been on there or not within a few seconds using triage against a running computer.

if i can get you 90% of what is relevant to your investigation in a few seconds/minutes (or hours tops), doesnt it make sense to triage? the point of triage is the intelligence and evidence that can be used in an initial interview more so than the notion of replacing/killing traditional digital forensics.

i know there are places in the US that do NOT need a full forensic review and officers can pursue charges as the result of triaging a computer. of course you should always follow up and do due diligence with a more in depth review to make sure there isnt any production, etc, but the days of spending weeks or months on each exam is not feasible or practical any more for a lot of investigations imo. of course there are exceptions to this rule.

changing gears to the specific vendor mentioned

ADF is nice and it does what it says it does, but the downside is that it costs you $$$ (1500??) to start and $$ (700??) a year and if you stop paying, it stops working.

mitch, i would love to hear your feedback on why you say triage doesnt work. maybe you need to try a better triage tool? =)

Posted : 26/08/2013 9:30 pm
jaclaz
(@jaclaz)
Community Legend

i can, with accuracy percentages easily in the 90%s, triage a computer and know whether or not CP has been on there or not within a few seconds using triage against a running computer.

if i can get you 90% of what is relevant to your investigation in a few seconds/minutes (or hours tops), doesnt it make sense to triage? the point of triage is the intelligence and evidence that can be used in an initial interview more so than the notion of replacing/killing traditional digital forensics.

There must be something wrong in the way I express myself.
From the kind of replies it seems like someone is attacking the concept of triage, and that this concept has to be defended.

Noone (at least not myself) is against triage (when used properly).

I posted to know your opinion on whether the specific use of triage for the specific case (clearing the name of suspect) is appropriate or not.

If something provides 90% accuracy, or even 95%, I find it hard - particularly for such a serious crime as CP - to pass the machines through a triage tool (good as it might be) and then affirm that there is NO CP on them, which corresponds flatly to 100% certainty.

i know there are places in the US that do NOT need a full forensic review and officers can pursue charges as the result of triaging a computer.

Still in the specific case, Durham is seemingly in the UK, not in the US.

jaclaz

Posted : 26/08/2013 10:19 pm
jhup
(@jhup)
Community Legend

I was able to inform the investigators that the machines were clean.

When are we able to prove non-existence of something in digital forensics?

When does lack of digital evidence declare someone innocent?

Is someone "innocent", or "not guilty"?

Posted : 26/08/2013 10:30 pm
jaclaz
(@jaclaz)
Community Legend

Something "q***r" has happened (irrelevant, but "q***r"), the quote from the Leicestershire policeman has seemingly changed, now it is

"When I enter a terrorist suspect’s home, we maximize our resources and take apart everything including the plumbing. When I do the same for a local robbery suspect, I adapt my resources and level of investigation to fit the crime. Until now, we were not doing this for forensic examinations. Adopting the ADF Solutions triage tools has provided me with this much-needed flexibility."

Forensic examiner, Leicestershire Police

"When we enter a terrorist suspect's home, we maximize our resources and take apart everything including the plumbing. We do the same for a local robbery suspect; I adapt my resources and level of investigation to fit the crime. Before now, we were not able to maximize our resources for forensic examinations. Adopting the ADF Solutions triage tools has provided us with this much-needed flexibility."
Forensic examiner, Leicestershire Police

A Wayback Machine copy from October 2012 is identical to the current one.

I may well - while pasting/re-formatting - have changed the "I" and "When I" with "we" by mistake, but surely I cannot have added the "able to maximize our resources" nor changed the "Before" to "until".

What the heck! ! ?

EDIT

Found it! :D
I took the quote from this page
http://www.adfsolutions.com/about/
instead of the one I provided the link to
http://www.adfsolutions.com/about/testimonials.php

The questions are now
Can it be that testimonials are edited/redacted/fabricated? 😯
Would TWO different Leicestershire Police Forensic examiners have such similar opinions and independently send them to ADF?

If this latter hypothesis is confirmed, the plumbing stripping must really be common practice.

jaclaz

Posted : 26/08/2013 11:54 pm
Ali-B
(@ali-b)
New Member

I've found triage tools such as ADF useful for some jobs - especially when looking for something specific and not having access to a forensic workstation. There are downsides though: firstly you rely on the abilities of the suspect's machine, and after some testing I found that when compared to the likes of Encase it is flawed in areas, especially the ability to search unallocated disk space.

I would be very wary of relying on it as the only tool used in an examination unless you know exactly what it is you should be looking for and have done some testing on how the triage tools perform.

Posted : 27/08/2013 2:15 am
pbobby
(@pbobby)
Active Member

Don't get caught up in the specific examples, especially the 'clear my name' CP one.

Well, then this thread makes no sense 😯 .

I am specifically and explicitly pointing to that one, as I find it (and all you guys are seemingly confirming my impression) a misuse of the tool (and - at least "philosophically" - a serious matter).

Okay, well good job - yes that was a bad example of where triage does not work. Is the discussion you wanted to solicit regarding if that was a valid example or not and not triage in general? *shrug*

Posted : 27/08/2013 7:26 am
jaclaz
(@jaclaz)
Community Legend

Okay, well good job - yes that was a bad example of where triage does not work. Is the discussion you wanted to solicit regarding if that was a valid example or not and not triage in general? *shrug*

I was trying to say that I find this particular usage of triage VERY "dangerous" and that it is IMHO a very bad thing that it is highlighted (evidently with the approval of the makers of the tool) as an "example" (or testimonial of success).

We are not talking here of someone (say) suspected to cheat on his wife, we are talking of CP.

If someone - actually suspected of this - can be excluded from further investigations because a triage tool did not detect anything, it is equivalent to say that the tool is not a triage one but a complete, infallible equivalent to a "full" digital forensic examination.

This has nothing to do with the specific tool or its qualities/capabilities/features/probabilities of finding something, but a lot about the philosophy of triage and its practical use as an investigative approach.

Traditional triage, as it is commonly applied in the field in which it was devised (human care in emergency)
http://en.wikipedia.org/wiki/Triage

is all about priorities in providing assistance/cures (but a cure - sooner or later - is provided, or at least a physician/doctor does visit the patient anyway and decides that no cure is needed).

The example you made is a perfect example of a proper use of triage, the one in the cited snippet is not.

Another "testimonial" on that page

"The ADF tools are our only option to search a suspect computer and find evidence quickly in thirty minutes or less."

Forensic examiner, U.S. border agency

also makes a lot of sense to me: the US border agency is not investigating a specific crime, it uses a "statistical" approach to fight crime, and it does have limited time to operate on the device(s) of someone who has been deemed suspect by "random" (like "extracted", looking nervous during a routine check of his/her baggage, having been flagged for precedents, etc.).

But if the triage tool finds nothing, it doesn't mean that there is nothing, it simply means that the tool found nothing.

jaclaz

Posted : 27/08/2013 7:16 pm
96hz
(@96hz)
Active Member

I wanted to come at this debate from a different angle, if I may.

If you (meaning anyone reading this thread) had to perform a triage for a CP case, what would you consider enough information to decide as to whether or not you needed to perform a "full analysis" or whether or not the machine could be considered "clean" ?

How do the tools out there that offer Triage capability meet these requirements ?

Here is a short list where I would consider that the machine would have to receive a deeper analysis, "red flags"

*Picture files (incl. those recovered from unallocated space) matching known CP by hash
*Keywords/code words associated with CP identified (within filenames, registry, internet history files, unallocated space, pagefile etc.)
*Any indication of the use of encryption/steg
*Any indication of the use of file wiping

I think fairly quickly you could spot a few of these things and decide that it was necessary to perform a proper forensic examination. However, the opposite of these doesn't necessarily hold as a case of "nothing more to see here". So then, how many of the picture files would you review before you considered it proportionate to determine a negative finding ? How far would you look for sophisticated data hiding that you haven't considered before, how much data recovery would you perform ? How up to date would your hashes and keywords need to be ? - I don't think this can be done with a triage tool.

There is a world of difference between IOC (Indicators of Compromise) and IIOC (indecent images of children) - scanning a box and moving on because you haven't found evidence of a breach is a world away from moving on from someone distributing CP.

I think the principle of Triage is fine, but it seems to me it's only useful for getting to the low hanging fruit faster, rather than returning a negative result. For example if a suspect had 10 machines, triaging those to prioritise the order of analysis seems fair. Triaging 10 suspect's machines and ignoring those that didn't throw up a result seems irresponsible IMHO ?

Perhaps people who are more experienced with Triage tools/processes could explain how they are using them ?

Posted : 28/08/2013 3:28 am
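To make the two positions in this thread concrete (pbobby's indicator-driven sweep across many machines, and 96hz's "red flags mean escalate, but no red flags does not mean clean"), here is an added example of a triage scoring pass. It is not code from the thread, from ADF Solutions or from any other vendor mentioned; the hash values, code words, encryption markers and wiping-tool names are constructed placeholders standing in for an agency's own indicator lists. The point it demonstrates is the asymmetry 96hz and jaclaz describe: a hit on any indicator is enough to escalate, whereas the negative case is reported as "no findings" together with the coverage the quick pass did not have (unallocated space, as Ali-B notes, the age of the hash list, data-hiding analysis), never as a verdict of "clean".

```python
"""Triage scoring pass: indicators escalate; absence of indicators is reported
with its coverage gaps, never as proof of absence.  Added example, not from the thread."""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Artifact:
    path: str     # where the object was found on the triaged system
    data: bytes   # content (constructed inline for this example)
    region: str   # "allocated" or "unallocated": which part of the disk it came from


@dataclass
class TriageResult:
    verdict: str                               # "ESCALATE" or "NO_FINDINGS" (never "CLEAN")
    flags: list = field(default_factory=list)  # red flags that were hit
    gaps: list = field(default_factory=list)   # what this quick pass did not cover


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed indicator sets.  In a real deployment these would be the agency's own
# hash list, code-word list and tool list; every value below is made up for the demo.
KNOWN_BAD_HASHES = {sha256(b"constructed-known-bad-content-1"),
                    sha256(b"constructed-known-bad-content-2")}
CODE_WORDS = re.compile(rb"codeword-alpha|codeword-bravo", re.IGNORECASE)
ENCRYPTION_MARKERS = (b"Salted__", b"-----BEGIN PGP MESSAGE-----")   # OpenSSL enc / PGP armour
ENCRYPTED_CONTAINER_EXTS = (".gpg", ".kdbx", ".hc")
WIPING_TOOL_NAMES = ("sdelete.exe", "eraser.exe")   # illustrative disk-wiping utilities


def triage(artifacts, hash_list_age_days: int) -> TriageResult:
    """Score a set of artifacts against the red-flag list; report coverage on a negative."""
    res = TriageResult(verdict="NO_FINDINGS")
    for a in artifacts:
        name = a.path.rsplit("/", 1)[-1].lower()
        if sha256(a.data) in KNOWN_BAD_HASHES:
            res.flags.append(f"hash match: {a.path} ({a.region})")
        if CODE_WORDS.search(a.data) or CODE_WORDS.search(a.path.encode()):
            res.flags.append(f"code word: {a.path}")
        if a.data.startswith(ENCRYPTION_MARKERS) or name.endswith(ENCRYPTED_CONTAINER_EXTS):
            res.flags.append(f"encryption indicator: {a.path}")
        if name in WIPING_TOOL_NAMES:
            res.flags.append(f"wiping tool present: {a.path}")
    if res.flags:
        res.verdict = "ESCALATE"          # any single red flag is enough to warrant a full exam
    # Record what the quick pass did not do, so "no findings" reads as
    # "no findings with this coverage", not as proof that nothing is there.
    if not any(a.region == "unallocated" for a in artifacts):
        res.gaps.append("unallocated space not carved")
    if hash_list_age_days > 30:
        res.gaps.append(f"hash list is {hash_list_age_days} days old")
    res.gaps.append("no steganography or data-hiding analysis performed")
    return res


# Constructed sample "machine": four artifacts that each trip one flag, one that trips none.
SAMPLE = [
    Artifact("C:/Users/x/Pictures/IMG_0001.jpg", b"constructed-known-bad-content-1", "allocated"),
    Artifact("C:/Users/x/Documents/notes.txt", b"meet at codeword-alpha tonight", "allocated"),
    Artifact("C:/Users/x/vault.kdbx", b"\x03\xd9\xa2\x9a", "allocated"),
    Artifact("C:/Windows/Temp/sdelete.exe", b"MZ constructed stub", "allocated"),
    Artifact("C:/Users/x/Pictures/holiday.jpg", b"\xff\xd8\xff\xe0 constructed jpeg", "allocated"),
]
BENIGN = [SAMPLE[4]]   # a machine where the quick pass finds nothing

if __name__ == "__main__":
    for label, arts in (("suspect", SAMPLE), ("benign", BENIGN)):
        r = triage(arts, hash_list_age_days=45)
        print(f"{label}: {r.verdict}")
        for f in r.flags:
            print("  flag:", f)
        for g in r.gaps:
            print("  gap: ", g)
```

Run as a script it prints ESCALATE with four flags for the constructed suspect machine and NO_FINDINGS with three coverage gaps for the benign one. The design choice worth copying is the last part of `triage()`: the negative result carries its own limits, so whoever reads the report (an investigator, or a manager deciding whether a full examination is still needed) sees what was and was not looked at rather than a bare "clean".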
Adam10541
(@adam10541)
Senior Member

I just assume that all testimonials for software/hardware are fabricated :D

Posted : 28/08/2013 7:32 am
jaclaz
(@jaclaz)
Community Legend

I just assume that all testimonials for software/hardware are fabricated :D

Heck!
I was thinking to put up a new plumbing service in Leicestershire :( .

@96Hz
Excellent "angle". :)

jaclaz

Posted : 28/08/2013 3:33 pm