Don't get caught up in the specific examples, especially the 'clear my name' CP one.
Well, then this thread makes no sense 😯 .
I am specifically and explicitly pointing to that one, as I find it (and all you guys are seemingly confirming my impression) a misuse of the tool (and - at least "philosophically" - a serious matter).
Okay, well good job - yes that was a bad example of where triage does not work. Is the discussion you wanted to solicit regarding if that was a valid example or not and not triage in general? *shrug*
Okay, well good job - yes that was a bad example of where triage does not work. Is the discussion you wanted to solicit regarding if that was a valid example or not and not triage in general? *shrug*
I was trying to say that I find this particular usage of triage VERY "dangerous" and that it is IMHO a very bad thing that it is highlighted (evidently with the approval of the makers of the tool) as an "example" (or testimonial of success).
We are not talking here of someone (say) suspected to cheat on his wife, we are talking of CP.
If someone - actually suspected of this - can be excluded from further investigations because a triage tool did not detect anything, it is equivalent to say that the tool is not a triage one but a complete, infallible equivalent to a "full" digital forensic examination.
This has nothing to do with the specific tool or its qualities/capabilities/features/probabilities of finding something, but a lot about the philosophy of triage and its practical use as an investigative approach.
Traditional triage, as it is commonly applied in the field in which it was devised (human care in emergency), is all about priorities in providing assistance/cures (but cure - before or later - is provided, or at least a physician/doctor does visit the patient anyway and decides that no cure is needed).
The example you made is a perfect example of a proper use of triage, the one in the cited snippet is not.
Another "testimonial" on that page
"The ADF tools are our only option to search a suspect computer and find evidence quickly in thirty minutes or less."
Forensic examiner, U.S. border agency
also makes a lot of sense to me; the US border agency is not investigating a specific crime, they use a "statistical" approach to fight crime, and they do have limited time to operate on the device(s) of someone who has been deemed suspect by "random" (like "extracted", looking nervous during routine check of his/her baggage, having been flagged for precedents, etc.).
But if the triage tool finds nothing, it doesn't mean that there is nothing, it simply means that the tool found nothing.
jaclaz
I wanted to come at this debate from a different angle, if I may.
If you (meaning anyone reading this thread) had to perform a triage for a CP case, what would you consider enough information to decide as to whether or not you needed to perform a "full analysis" or whether or not the machine could be considered "clean" ?
How do the tools out there that offer Triage capability meet these requirements ?
Here is a short list where I would consider that the machine would have to receive a deeper analysis, "red flags"
*Picture files (incl. those recovered from unallocated space) matching known CP by hash
*Keywords/code words associated with CP identified (within filenames, registry, internet history files, unallocated space, pagefile etc.)
*Any indication of the use of encryption/steg
*Any indication of the use of file wiping
I think fairly quickly you could spot a few of these things and decide that it was necessary to perform a proper forensic examination. However, the opposite of these doesn't necessarily hold as a case of "nothing more to see here". So then, how many of the picture files would you review before you considered it proportionate to determine a negative finding ? How far would you look for sophisticated data hiding that you haven't considered before, how much data recovery would you perform ? How up to date would your hashes and keywords need to be ? - I don't think this can be done with a triage tool.
There is a world of difference between IOC (Indicators of Compromise) and IIOC (indecent images of children) - scanning a box and moving on because you haven't found evidence of a breach is a world away from moving on from someone distributing CP.
I think the principle of Triage is fine, but it seems to me it's only useful for getting to the low hanging fruit faster, rather than returning a negative result. For example if a suspect had 10 machines, triaging those to prioritise the order of analysis seems fair. Triaging 10 suspect's machines and ignoring those that didn't throw up a result seems irresponsible IMHO ?
Perhaps people who are more experienced with Triage tools/processes could explain how they are using them ?
I just assume that all testimonials for software/hardware are fabricated :D
I just assume that all testimonials for software/hardware are fabricated :D
Heck!
I was thinking to put up a new plumbing service in Leicestershire :( .
@96Hz
Excellent "angle". :)
jaclaz
A few observations -
Digital forensic investigations are analogue, they are not binary, they are not limited to being either a triage or a full forensic examination. Indeed the term a full forensic examination is a misnomer and can be very misleading. Digital forensic examinations can sit anywhere on a continuous scale from the most cursory examination to an extensive and detailed examination.
Software can be labelled triage software and triage describes the intended purpose but it is still software for conducting forensic examinations. What is generally regarded as full forensic tools can be used to conduct a limited or "triage" examination.
In order to be efficient, anyone involved in conducting DF examinations needs to manage their investigations and investigate only to the extent required to fulfil the needs of the investigation.
Triage should be a process to assist in the efficient management of investigations, it can be used to -
- identify from a large batch of computers those which are most likely to contain evidence,
- give an investigator quick access to evidence in order to progress an investigation whilst waiting for a more detailed analysis,
- collect targeted evidence when time is very limited,
and so on.
I regularly encounter digital forensic examiners who are against "triage", often they regard DF exams in isolation from the whole investigative process, as a pure science where an examination will be conducted until all possible processes have been completed. These examiners usually have limited experience of investigating serious crime and fail to appreciate that the resources put into an investigation are finite, have to be managed, and that part of the investigative process is balancing the risks involved in the management of resources.
I am aware of examiners doing a preview (aka triage) by removing a hard drive from a suspect computer, write-blocking and viewing in EnCase gallery view to review for pictures. In doing this they will fail to see any pictures in a Mozilla browser cache (for example); of course they could have done a file signature analysis first, but I know they often haven't.
A better preview could be done by an investigator with minimal training using the ADF triage tool. With a couple of clicks they could use a default search which will target the collection of pictures by header from the browser cache of the five main browsers on Win, Mac, Linux OS, automatically exclude all pictures below 1K in size and be completed in 10 minutes.
The same could apply to doing a keyword search in a browser cache. A fair proportion of examiners will do a keyword search expecting to find hits in cached web pages from a Mozilla browser cache without first doing a file signature analysis and mounting gzip files.
This can be achieved by an investigator using ADF triage without them knowing the detail of how it has been done.
A good triage tool can be used to package the knowledge and experience of a digital forensic examiner and allow this to be applied by an investigator with minimal training. As long as the decision to be made by the investigator when reviewing results is simple, then this will be an effective and efficient triage process. For example the decision required could be - are the pictures illicit, are there keyword hits that indicate suspect activity.
To deal with jaclaz's specific question regarding the Durham example: an examination is required to be conducted to ascertain whether or not there is any illicit material on any of five computers.
To carry out the examination you could conduct the following processes -
Collect Internet History
Collect Internet Search History terms
Identify the user profiles on the computer, how many logons, last logon date
List recent files from registry MRU
List connected USB devices (have I recovered them all)
List installed applications
List most used applications from UserAssist
OS installation date
Collect all items from the Desktop
Search all files for known Child Exploitation terms
Search for known images by MD5 hash
Search for similar images using fuzzy visual matching
Collect sample frames from every video for quick review
Search for anti-forensic programs used for Privacy/Cleaning/Encryption (indicator for a more detailed examination)
The only caveat is that these processes are carried out on live and deleted files only.
It is possible using the results from these processes, taken in the context of the original intelligence (to which we are not party) to make a reliable decision as to whether or not it is likely that the computers were used for CP or whether they need further detailed examination.
The ADF triage tool can do all of the above processes.
On a general note the term triage has its origins much earlier than the medical usage, from the OED care of binarybod -
1. The action of assorting according to quality.
1728 E. Chambers Cycl. at Wool, Each Fleece consists of Wool of divers Qualities and Degrees of Fineness, which the Dealers therein take care to separate… If the Triage or Separation be well made, in fifteen Bales there will be twelve mark'd R, that is, Refine or Prime.
1825 Gentleman's Mag. 95 i. 216/1 These [pickers] sort the [Coffee] berries into three classes; ‘best quality’, ‘middling’, and the third of all the bad broken berries..is called ‘triage coffee’.
H
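As an added illustration (my own code, not the ADF tool's and not from any poster) of the preview checks H describes above: recognising pictures by header rather than extension, inflating gzip-compressed cache entries before the signature check, excluding pictures below 1K, and matching MD5s against a known-image hash set. The evidence tree and the "known" hash are constructed sample values.

```python
import gzip
import hashlib
import tempfile
from pathlib import Path
# Signature analysis: images are recognised by header bytes, never by extension.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
              b"GIF87a": "gif", b"GIF89a": "gif"}
MIN_SIZE = 1024  # drop icons/thumbnails below 1K, as in the default search described

def image_type(data: bytes):
    """Return the image type matched by header, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def load_payload(path: Path) -> bytes:
    """Read a file; a gzip member (e.g. a compressed browser-cache entry) is inflated first."""
    raw = path.read_bytes()
    if raw.startswith(b"\x1f\x8b"):
        try:
            return gzip.decompress(raw)
        except (OSError, EOFError):
            return raw  # corrupt or truncated gzip: fall back to the raw bytes
    return raw

def triage_images(root: Path, known_md5: set):
    """Collect images by header (after inflating), drop those under MIN_SIZE, flag known MD5s."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = load_payload(path)
        kind = image_type(data)
        if kind is None or len(data) < MIN_SIZE:
            continue
        digest = hashlib.md5(data).hexdigest()
        hits.append((path.relative_to(root).as_posix(), kind, digest, digest in known_md5))
    return hits

def run_demo():
    """Build a constructed sample tree (not real evidence) and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "cache").mkdir()
    jpeg = b"\xff\xd8\xff\xe0" + b"A" * 2000             # JPEG hidden behind a .txt extension
    png = b"\x89PNG\r\n\x1a\n" + b"B" * 3000             # PNG stored gzip-compressed in the cache
    (root / "notes.txt").write_bytes(jpeg)
    (root / "cache" / "entry1").write_bytes(gzip.compress(png))
    (root / "icon.gif").write_bytes(b"GIF89a" + b"C" * 100)  # below 1K: excluded
    (root / "readme.md").write_bytes(b"no image header here")
    known = {hashlib.md5(jpeg).hexdigest()}  # stand-in for the known-image hash set
    return triage_images(root, known)
```

`run_demo()` returns two hits: the inflated cache entry (not in the hash set) and the mislabelled JPEG (matched), while the sub-1K icon and the text file are dropped.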
It is possible using the results from these processes, taken in the context of the original intelligence (to which we are not party) to make a reliable decision as to whether or not it is likely that the computers were used for CP or whether they need further detailed examination.
The ADF triage tool can do all of the above processes.
Sure :) the keyword here is "likely".
The tool in itself, good as it might be, carried all the processes and the results (again as accurate as they can be) made the investigator (together with the undisclosed original intelligence) form his/her (BTW VERY respectable) own opinion that it was "not likely" that those 5 computers could contain CP or that the "probabilities of finding such content were very low" or that "the efforts, in time and money, to conduct a complete forensic investigation and report were unjustified" (this latter is actually the essence of triage, as I see it).
From that to "clear a name" or "proclaim the innocence" there is IMHO a further step, and indirectly the investigator is attributing to the triage tool a 100% success rate, and it seems like the tool is fully capable of replacing a full examination, to the extent of "proving" innocence.
Now, I personally believe that such automated tools can - in most cases - conduct a "quick" investigation with great accuracy, possibly even greater than what a not "top-notch" and very experienced investigator would be able to do with more conventional and "manual" tools (and surely way faster), and that they represent invaluable tools for forensic investigators, but can they be elevated to the role of infallible means for determining innocence?
jaclaz
Now, I personally believe that such automated tools can - in most cases - conduct a "quick" investigation with great accuracy, possibly even greater than what a not "top-notch" and very experienced investigator would be able to do with more conventional and "manual" tools (and surely way faster), and that they represent invaluable tools for forensic investigators, but can they be elevated to the role of infallible means for determining innocence?
jaclaz
There is rarely an absolute in real life situations regardless of who does the exam and with what tool.
H
There is rarely an absolute in real life situations regardless of who does the exam and with what tool.
Good :) , then the Durham investigator "somewhat" or "relatively" or "almost" (but not "absolutely") cleared the name of the suspect.
A statement like (hypothetical)
To the best of my knowledge and after having examined the 5 computers as thoroughly as possible and with different tools/approaches along common guidelines, best practices and standards in use,
is still "relative" but IMHO less "relative" than
After having quickly run a single automated tool that I believe very accurate on the 5 computers,
as preamble to
it is my conclusion that the suspect is innocent
Unless, as said, the same level of accuracy/reliability as the "standard" procedures is recognized to the tool (in which case, since the tool is much faster, it would make a lot of sense to change the standards in favour of the tool).
jaclaz