Something serious (and something not)
harryparsonage
(@harryparsonage)
Active Member

A few observations -

Digital forensic investigations are analogue, not binary; they are not limited to being either a triage or a full forensic examination. Indeed the term "a full forensic examination" is a misnomer and can be very misleading. Digital forensic examinations can sit anywhere on a continuous scale from the most cursory examination to an extensive and detailed examination.

Software can be labelled triage software, and triage describes the intended purpose, but it is still software for conducting forensic examinations. What are generally regarded as full forensic tools can be used to conduct a limited or "triage" examination.

In order to be efficient, anyone involved in conducting DF examinations needs to manage their investigations and investigate only to the extent required to fulfil the needs of the investigation.

Triage should be a process to assist in the efficient management of investigations; it can be used to -

- identify from a large batch of computers those which are most likely to contain evidence,

- give an investigator quick access to evidence in order to progress an investigation whilst waiting for a more detailed analysis,

- collect targeted evidence when time is very limited,

and so on.

I regularly encounter digital forensic examiners who are against "triage"; often they regard DF exams in isolation from the whole investigative process, as a pure science where an examination will be conducted until all possible processes have been completed. These examiners usually have limited experience of investigating serious crime and fail to appreciate that the resources put into an investigation are finite, have to be managed, and that part of the investigative process is balancing the risks involved in the management of resources.

I am aware of examiners doing a preview (aka triage) by removing a hard drive from a suspect computer, write-blocking it and viewing it in EnCase gallery view to review for pictures. In doing this they will fail to see any pictures in a Mozilla browser cache (for example); of course they could have done a file signature analysis first, but I know they often haven't.

A better preview could be done by an investigator with minimal training using the ADF triage tool. With a couple of clicks they could use a default search which will target the collection of pictures by header from the browser cache of the five main browsers on Win, Mac, Linux OS, automatically exclude all pictures below 1K in size and be completed in 10 minutes.

The same could apply to doing a keyword search in a browser cache. A fair proportion of examiners will do a keyword search expecting to find hits in cached web pages from a Mozilla browser cache without first doing a file signature analysis and mounting gzip files.

This can be achieved by an investigator using ADF triage without them knowing the detail of how it has been done.

A good triage tool can be used to package the knowledge and experience of a digital forensic examiner and allow this to be applied by an investigator with minimal training. As long as the decision to be made by the investigator when reviewing results is simple, then this will be an effective and efficient triage process. For example, the decision required could be: are the pictures illicit? Are there keyword hits that indicate suspect activity?

To deal with jaclaz's specific question raised regarding the Durham example: an examination is required to be conducted to ascertain whether or not there is any illicit material on any of five computers.

To carry out the examination you could conduct the following processes -

- Collect Internet History
- Collect Internet Search History terms
- Identify the user profiles on the computer, how many logons, last logon date
- List recent files from registry MRU
- List connected USB devices (have I recovered them all?)
- List installed applications
- List most used applications from UserAssist
- OS installation date
- Collect all items from the Desktop
- Search all files for known Child Exploitation terms
- Search for known images by MD5 hash
- Search for similar images using fuzzy visual matching
- Collect sample frames from every video for quick review
- Search for anti-forensic programs used for Privacy/Cleaning/Encryption (indicator for a more detailed examination)

The only caveat is that these processes are carried out on live and deleted files only.

It is possible using the results from these processes, taken in the context of the original intelligence (to which we are not party) to make a reliable decision as to whether or not it is likely that the computers were used for CP or whether they need further detailed examination.

The ADF triage tool can do all of the above processes.

On a general note the term triage has its origins much earlier than the medical usage, from the OED care of binarybod -

1. The action of assorting according to quality.

1728 E. Chambers Cycl. at Wool, Each Fleece consists of Wool of divers Qualities and Degrees of Fineness, which the Dealers therein take care to separate… If the Triage or Separation be well made, in fifteen Bales there will be twelve mark'd R, that is, Refine or Prime.

1825 Gentleman's Mag. 95 i. 216/1 These [pickers] sort the [Coffee] berries into three classes; ‘best quality’, ‘middling’, and the third of all the bad broken berries..is called ‘triage coffee’.

H

Posted : 28/08/2013 4:35 pm
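The three mechanical points in the post above (pictures found by header rather than extension, pictures under 1K dropped, known images matched by MD5, and keywords searched inside gzip'd cache entries) can be shown in a few dozen lines. The following is an added example written for this thread; it is not ADF's code and not the poster's own method. The evidence tree, the hash set and the keyword list are all constructed inside the block so it runs offline, and the cache file names are made up.

```python
"""Signature-based triage pass over a directory tree (added example, not ADF code)."""
import gzip
import hashlib
import os
import tempfile
import zlib
from dataclasses import dataclass, field

# Magic bytes decide what a file is; the extension, if any, is ignored.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
GZIP_MAGIC = b"\x1f\x8b"
MIN_IMAGE_SIZE = 1024  # the post's example threshold: ignore pictures below 1K


def classify(data):
    """Return the picture type by header, or None if no known header matches."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def inflate(raw):
    """Return (content, was_gzipped); gzip'd cache entries are searched inflated."""
    if raw.startswith(GZIP_MAGIC):
        try:
            return gzip.decompress(raw), True
        except (OSError, EOFError, zlib.error):
            pass  # corrupt or truncated member: fall back to the raw bytes
    return raw, False


@dataclass
class TriageResult:
    images: list = field(default_factory=list)        # (path, kind, size)
    hash_hits: list = field(default_factory=list)     # (path, md5)
    keyword_hits: list = field(default_factory=list)  # (path, keyword, was_gzipped)
    small_images_skipped: int = 0


def triage(root, known_md5, keywords):
    """Walk root once, applying the header, size, hash and keyword checks."""
    result = TriageResult()
    needles = [k.lower().encode() for k in keywords]
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            content, was_gz = inflate(raw)
            # Hash the inflated bytes so a gzip'd copy of a known file still matches.
            digest = hashlib.md5(content).hexdigest()
            if digest in known_md5:
                result.hash_hits.append((path, digest))
            kind = classify(content)
            if kind is not None:
                if len(content) < MIN_IMAGE_SIZE:
                    result.small_images_skipped += 1
                else:
                    result.images.append((path, kind, len(content)))
                continue  # no keyword search inside picture data
            lowered = content.lower()
            for needle in needles:
                if needle in lowered:
                    result.keyword_hits.append((path, needle.decode(), was_gz))
    return result


def build_sample_tree(base):
    """Constructed evidence tree (not real data); returns the constructed hash set."""
    cache = os.path.join(base, "Cache")
    os.makedirs(cache, exist_ok=True)
    # Cached picture under an opaque name: JPEG header, padded past 1K.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 2000
    with open(os.path.join(cache, "0A1B2C3Dd01"), "wb") as fh:
        fh.write(jpeg)
    # Tiny PNG that the size filter should drop.
    with open(os.path.join(cache, "7E7E7E7Ed01"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    # gzip'd cached page: a plain byte search over the file would miss the keyword.
    page = b"<html><body>quarterly TRIAGE report</body></html>"
    with open(os.path.join(cache, "5A5A5A5Ad01"), "wb") as fh:
        fh.write(gzip.compress(page))
    # Extension says picture, bytes do not: the header check must not be fooled.
    with open(os.path.join(base, "holiday.jpg"), "wb") as fh:
        fh.write(b"this is not an image")
    return {hashlib.md5(jpeg).hexdigest()}


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    base = tempfile.mkdtemp(prefix="triage_demo_")
    known = build_sample_tree(base)
    return triage(base, known, ["triage"])


if __name__ == "__main__":
    r = run_demo()
    print(f"pictures by header: {len(r.images)} (skipped {r.small_images_skipped} under 1K)")
    print(f"known-hash hits: {len(r.hash_hits)}; keyword hits: {r.keyword_hits}")
```

On the constructed tree the run reports one picture (the extensionless cache entry), one known-hash hit, one tiny PNG skipped, and one keyword hit that is only visible after the cache entry is inflated; `holiday.jpg` is correctly not counted as a picture. A real triage tool does the same work against a mounted image with far larger signature tables and hash sets, and, as the post notes, over deleted files as well as live ones, which this walk of a plain directory does not cover.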
jaclaz
(@jaclaz)
Community Legend

It is possible using the results from these processes, taken in the context of the original intelligence (to which we are not party) to make a reliable decision as to whether or not it is likely that the computers were used for CP or whether they need further detailed examination.

The ADF triage tool can do all of the above processes.

Sure ) the keyword here is "likely".

The tool in itself, good as it might be, carried all the processes and the results (again as accurate as they can be) made the investigator (together with the undisclosed original intelligence) form his/her (BTW VERY respectable) own opinion that it was "not likely" that those 5 computers could contain CP or that the "probabilities of finding such content were very low" or that "the efforts, in time and money, to conduct a complete forensic investigation and report were unjustified" (this latter is actually the essence of triage, as I see it).

From that to "clear a name" or "proclaim the innocence" there is IMHO a further step, and indirectly the investigator is attributing to the triage tool a 100% success rate, and it seems like the tool is fully capable of replacing a full examination, to the extent of "proving" innocence.

Now, I personally believe that such automated tools can - in most cases - conduct a "quick" investigation with great accuracy, possibly even greater than what a not "top-notch" and very experienced investigator would be able to do with more conventional and "manual" tools (and surely way faster), and that they represent invaluable tools for forensic investigators, but can they be elevated to the role of infallible means for determining innocence?

jaclaz

Posted : 28/08/2013 5:40 pm
harryparsonage
(@harryparsonage)
Active Member

Now, I personally believe that such automated tools can - in most cases - conduct a "quick" investigation with great accuracy, possibly even greater than what a not "top-notch" and very experienced investigator would be able to do with more conventional and "manual" tools (and surely way faster), and that they represent invaluable tools for forensic investigators, but can they be elevated to the role of infallible means for determining innocence?

jaclaz

There is rarely an absolute in real life situations regardless of who does the exam and with what tool.

H

Posted : 28/08/2013 6:44 pm
jaclaz
(@jaclaz)
Community Legend

There is rarely an absolute in real life situations regardless of who does the exam and with what tool.

Good ) , then the Durham investigator "somewhat" or "relatively" or "almost" (but not "absolutely") cleared the name of the suspect.

A statement like (hypothetical)

To the best of my knowledge and after having examined the 5 computers as thoroughly as possible and with different tools/approaches along common guidelines, best practices and standards in use,

is still "relative" but IMHO less "relative" than

After having quickly run a single automated tool that I believe very accurate on the 5 computers,

as preamble to

it is my conclusion that the suspect is innocent

Unless, as said, the same level of accuracy/reliability as the "standard" procedures is recognized to the tool (in which case, since the tool is much faster, it would make a lot of sense to change the standards in favour of the tool).

jaclaz

Posted : 28/08/2013 7:49 pm