The End of Digital Forensics?

BattleSpeed
(@battlespeed)
Posts: 36
Eminent Member
 

It's 2012, and the suspect in question has a laptop, a 64-GB iPhone, and a desktop computer at work, as well as a game box. Then you find an external HD, and a collection of 2- to 32-GB USB sticks, as well as potentially relevant CDs and DVDs. Checking his system, you discover that he also has a backup "cloud" storage and file-sharing account, a hosted website and a YouTube channel with 86 videos posted. Naturally, he has a Facebook account as well as Twitter, with a few thousand "friends". Moreover, we have reason to think that some of his physical activity might have been captured by a variety of CCTV and access control systems. These, too, must be identified and examined.

But wait. That's just one of the suspects…and there are three others. You'd better have lots of collection and analytical horsepower as well as time.

I am not at all sanguine about the strategy of falling back on "explanations" to the court for an examination that defense counsel could characterize as "incomplete", "slip-shod", "taking shortcuts", etc. The explanations might get past a judge in an evidence hearing, but it's not the judge we must be (most) concerned with - it's 12 people on a jury, who now believe in the "absolute power" of forensics (the CSI effect) and don't want to hear anything about "limitations" when it comes to such matters. These are also people who are aware of miscarriages of justice that have occurred when the forensics wasn't "done right" and will reject such evidence if there is even a whiff of "examiner incompetence", let alone the suggestion that evidence was "ignored", "discounted", "missed" or "overlooked".

Such "overlooked" evidence will, of course, be characterized by the defense as "potentially exculpatory" and the defense bears no burden to do more than introduce the element of doubt.

We have entered an era in which "digital forensics" literally means examination of the binary expressions and electronic detritus that are generated by the billions throughout an individual's entire day, 24x7, by a host of activities, including some of which he may not even be aware, and which may reside potentially anywhere in the world, and in a myriad of formats, both public and proprietary.

Of course it's not the "end of digital forensics", and the headline was obviously provocative. But it is certainly changing. What I think we can reasonably hope is that the forensic technology itself will rise to the challenge of multi-TB, multi-source, multi-format examinations…and that we will someday solve the other major problem - i.e., that of multi-jurisdictional and even multi-national investigations.

 
Posted : 04/04/2011 8:19 pm
(@ellingtond)
Posts: 7
Active Member
 

I agree. Triage is helpful. But what if you find the evidence that helps your side but don't review EVERYTHING, and the other side finds what you missed?

Did you miss it? Or did you ignore it?

The big issue in NC right now is a blood spatter guy who did field tests that said positive, then lab tests that were negative.

The positive stuff was put in his reports and testimony and people spent years in jail for crimes they did not commit. (One guy did 17 years.)

If I choose not to look at some evidence, I better hope it doesn't contradict what I do choose to look at. No easy answer.

D

 
Posted : 04/04/2011 8:39 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

Anyone remember when you'd go do a search warrant and come back with a couple of hundred 3.5" floppies? Or a couple of hundred CDs or DVDs? There's always been the potential floods of evidence, and we've always come up with ways to manage it. Encryption, HPA/DCO, networks, they all present challenges, but I harken back to something that I learned in Uni: people's usage of computers is driven by the "user experience". I.e., when I click on something, I want it to respond in some period of time. That's why in the dialup days, quality web site design was driven by whether the page could load in 30 seconds or less at 56kbps.

That's why pedos put their stuff in the open when they could encrypt it, or hide it off-site, because they want access to their stuff when they want it, and that's more important to them than the security or technology. It's why they may have password-protected access, but the key is going to be lying out in the open for easy access. It's why my favourite piece of evidence ever was an IM from one suspect telling the other suspect that the cops were snooping around and to delete all his message history.

Technology makes things more challenging, and keeps up the learning curve for us all, but it's not yet caused the sky to fall on Digital Forensics.

 
Posted : 04/04/2011 10:08 pm
BattleSpeed
(@battlespeed)
Posts: 36
Eminent Member
 

I agree, Patrick. If "our" technology, forensic standards, etc. can keep up with "them", we'll be okay. However, I think that this won't be a matter of low-level MIPS-type increase in "raw computing power". It will involve the development of forensically-defensible, high-level analytical algorithms (based on pattern recognition, linguistic analysis, semantics, etc.).

Digital forensics -> logical forensics, which will be a transformative shift.

And if, some sweet day, there should ever be cross-jurisdictional and international agreements to allow the remote collection of evidence wherever it resides without ungodly legal impediments…well, I'll buy everyone on this forum a beer and consider it money well spent.

 
Posted : 05/04/2011 2:21 am
(@seanmcl)
Posts: 700
Honorable Member
 

First, I am aware of at least one hardware acquisition device which will compress null/0 blocks though I don't know how this affects overall performance. FTK imager on a dedicated box using SMART and file compression has been pretty fast for me and allowed me to acquire terabytes of data using a single 2 TB drive.

But I would agree with the statements of others that digital forensics is far more than hard drive imaging and, frequently, requires far less.

In addition, I'm also seeing a trend where "eDiscovery" is increasingly being moved in house for the trial preparation part, but contracted to firms such as mine for the data collection and analysis. This has required us to develop support for various LOADFILE formats, but it also tells me that we are a better value than the typical eDiscovery client, at least for our clients.

 
Posted : 05/04/2011 4:23 am
(@patrick4n6)
Posts: 650
Honorable Member
 

Rather than figuring out what to skip, which leaves a huge potential to argue that you failed in your duty to search equally for exculpatory evidence as for inculpatory evidence, I rather think the answer is simply massive parallelism, combined with thankfully a reduction in the size of people's primary data store with the movement from large (physical size) devices to handhelds.

And I am aware of all the arguments about how we can justify processes, and certainly since almost all my work these days is ED I'm used to limited scope collections, but I've believed ever since I read Sherlock Holmes as a child that our preconceptions mar our questioning and by extension, may cause us to incorrectly scope a collection for CF and cause us to miss something that may have changed our result had we taken a full image.

Certainly when I started in CF in '00 I was able to substantially increase my case throughput when I appropriated a second computer from a colleague who left and hadn't had his position backfilled. Ever since I've been looking for ways to apply additional processing power to problems without lowering the overall quality of work.

 
Posted : 05/04/2011 5:27 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Triage works great in incidents - is a machine compromised? It is all based on the malware indicators. But for investigations, it doesn't work that way.

Compromise based on indicators - trying to prove a positive. Easy.

Triage of data sets of an employee/perp/spouse etc - trying to prove a negative. Much harder if not impossible. For example, that 500gig external hard drive - how do you triage that device and decide if you should NOT look at it deeper?

 
Posted : 05/04/2011 10:15 am
(@seanmcl)
Posts: 700
Honorable Member
 

Triage of data sets of an employee/perp/spouse etc - trying to prove a negative. Much harder if not impossible. For example, that 500gig external hard drive - how do you triage that device and decide if you should NOT look at it deeper?

I'll tell you how it was handled in a case on which I worked. The judge was reluctant to allow us to make a forensic image of an individual's home computer for privacy reasons but he was willing to hear arguments why we should be allowed.

The following agreement was reached.

The computer was delivered to counsel for the party. I was given one business day (8 hours) to examine the computer with whatever forensic tools I wished to bring on the condition that nothing on the subject device would be altered or retained, electronically. I was allowed to take notes and make screen captures.

The purpose of the 8 hour examination was for me to establish why I should be allowed to image the entire drive for examination.

So, for that 8 hours, I looked at the typical registry artefacts, Prefetch, event logs, installed software, unallocated space, etc.

In that time I was able to establish that there was significant evidence that data belonging to my client was recoverable from the system and that a more detailed investigation was warranted, including carving of data from free space.

Actually, I enjoyed the experience. Though I wouldn't want to make it standard practice it did force me to target my investigation and to keep my focus on what I needed to do to justify further investigation.

 
Posted : 06/04/2011 7:00 pm
binarybod
(@binarybod)
Posts: 272
Reputable Member
 

how do you triage that device and decide if you should NOT look at it deeper?

This cuts to the heart of Triage. Any triage procedure needs to be led by the information to hand and not be just a fishing expedition for evidence that might be there. It also goes hand-in-hand with risk management decisions. Such decisions are above my pay grade but in my organisation I am fortunate enough to have senior managers who understand the issues and are willing to shoulder the responsibility. Anyone who has been in this business for a while can quote an example of when a triage would have missed some evidence or other. The trick is using the right tool, knowing what might be missed, and developing procedures and policies that will mitigate such problems. Each case should be taken on its own merits. In the end though, having the authority to be able to say 'so far and no further' and having the backing of a senior manager in that decision is great.

Lots of data, the end of forensics? No, I don't think so, but we may have to review and tune the way we work depending on the prevailing pressures.

Paul

 
Posted : 06/04/2011 8:47 pm
(@dave-hull)
Posts: 15
Active Member
 

Large data sets do present a problem for digital forensics practitioners. However, vendors are responding to this issue by improving their tools to take advantage of multi-core systems and distributed processing. I also know of several individuals who are attacking this problem with some fairly cutting edge development efforts.

There are significant improvements to distributing the work across multiple cores, something that some commercial forensic software now offers, though few shops take advantage of it.

For a relatively minor example check out the post I made at the SANS Digital Forensics Blog involving map-reduce. I achieved a 42% performance gain in sorting a large data set on my desktop hardware by splitting the data set into smaller parts and spreading the task across multiple cores.

Several years ago, I built a 30 node cluster for distributed processing of 3D renderings for under $40K US. Today larger enterprises can build far more powerful clusters on commodity hardware for less money and use those systems to take advantage of the current distributed processing offerings in forensics tools. Shops that don't do this will be left behind as data set sizes continue to grow. The investigator processing cases with a single desktop workstation will be a relic of the past in a few short years… or we'll start buying workstations with 16 cores.

 
Posted : 02/05/2011 9:49 pm
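The split-sort-merge approach the post above describes, as an added example that is not code from the thread or from the SANS blog post it mentions: a constructed, shuffled file-system timeline is cut into chunks, each chunk is sorted in its own worker process, and the sorted runs are k-way merged. All names and the sample records are assumptions for illustration.

```python
"""Added example: parallel chunk sort plus merge for a large timeline.
Standard library only (Python 3.8+); no dependency on any forensic tool."""
import heapq
import random
import time
from concurrent.futures import ProcessPoolExecutor

# Constructed sample: (unix timestamp, artefact source, path) records, unsorted.
SAMPLE = [(1301875140 - 7 * i, "MFT" if i % 2 else "Prefetch", f"C:\\evidence\\{i}.dat")
          for i in range(20_000)]
random.Random(4).shuffle(SAMPLE)


def chunk(records, parts):
    """Split a list into `parts` nearly equal slices (the 'map' side)."""
    if not records:
        return []
    size = -(-len(records) // parts)  # ceiling division
    return [records[i:i + size] for i in range(0, len(records), size)]


def sort_chunk(part):
    """Worker: sort one slice by timestamp. Runs in a separate process."""
    return sorted(part, key=lambda r: r[0])


def parallel_sort(records, workers=4):
    """Sort each chunk on its own core, then merge the sorted runs (the
    'reduce' side). heapq.merge only ever holds one record per run in
    memory, so the merge itself stays cheap even for very large inputs.
    Falls back to a single process where workers cannot be spawned
    (some locked-down sandboxes), so the result is identical either way."""
    parts = chunk(records, workers)
    try:
        with ProcessPoolExecutor(max_workers=workers) as pool:
            runs = list(pool.map(sort_chunk, parts))
    except Exception:  # broken pool / no semaphores / unpicklable worker
        runs = [sort_chunk(p) for p in parts]
    return list(heapq.merge(*runs, key=lambda r: r[0]))


if __name__ == "__main__":
    t0 = time.perf_counter()
    single = sorted(SAMPLE, key=lambda r: r[0])
    t1 = time.perf_counter()
    multi = parallel_sort(SAMPLE, workers=4)
    t2 = time.perf_counter()
    assert single == multi
    print(f"single core: {t1 - t0:.4f}s  chunked/merged: {t2 - t1:.4f}s")
```

On a small in-memory sample the process start-up cost usually outweighs the gain; the speed-up the post reports only appears once the chunks are large enough that sorting dominates.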