
triage tools

9 Posts
5 Users
0 Reactions
1,859 Views
(@tootypegs)
Trusted Member
Joined: 18 years ago
Posts: 80
Topic starter  

Hello,

I am basically just after seeing what people think about these triage tools and the opinions of people considering using one. The tools I mean are the ones that "will allow forensic officers to operate locally and uncover information almost instantaneously". Do you think that this is a good idea or do people think that we are just playing with fire and increasing the chances of missing evidence?


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

In a nutshell and IMHO

If they are ABSOLUTELY read only, they are OK, we are just "increasing the chances of missing evidence".

If they are not, "we are just playing with fire and increasing the chances of missing evidence"

jaclaz


(@tootypegs)
Trusted Member
Joined: 18 years ago
Posts: 80
Topic starter  

Would anyone use one/has used one/ had any success with one?

I agree jaclaz, we may be increasing the chances of missing data, but when you weigh up time and cost factors surely gathering evidence in a fraction of the time would be good!


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

I think there needs to be a better definition of triage/tools to operate locally and uncover information almost instantaneously as it relates to this thread. For example I use F-Response with X-Ways and other tools to "triage" remote machines. This combination fits the triage but not really the local requirement.

I also use the e-fense/AccessData Live Response USB tool, which is not really a triage tool but operates locally and allows the quick local capture of information that can be analyzed/triaged at a nearby exam machine.

I also use tools on the Helix3 Pro CD to make quick determinations (triage) if evidence exists that might justify further examination of the suspect computer.

A couple of the examiners (and parole officers) I work with use SurfRecon to search for and categorize pornographic images and videos. SurfRecon is clearly the most automated of the tools if one is searching or trying to triage that type of evidence.

These tools are being used to determine if further examination is warranted, not to look for every scrap. Is there a possibility that evidence is missed? Absolutely. However in the context that they are being used they are very effective.


(@tootypegs)
Trusted Member
Joined: 18 years ago
Posts: 80
Topic starter  

What particularly interests me is the concept of triage tools being used by less technical members, i.e. just your average police officer with no forensic knowledge who attends the scene where a computer is present (no offence meant to anyone here, I'm just trying to use this as an example). Are these tools doing a good job in this situation? I just attended F3 a while ago where the topic of triage tools for less technically minded people was discussed and I wondered if we currently are sending out police officers with such tools and asking them to perform a triage. This type of examination fascinates me as I have never seen a tool of the types mentioned by BitHead - e-fense/AccessData Live Response USB tool and SurfRecon - in action.


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

tootypegs - I would say that the parole officers that are using SurfRecon are definitely in the "less technical" category. When they go out on a knock and talk they check if any computers are in the residence and then check for pornography. The tool allows them to perform that check even though they are not performing a complete forensic examination of the suspect computer. If the tool hits on images/videos, then an examiner can be called to seize the computer and perform a more thorough exam.

Much like officers are trained in the use of a radar gun or a breathalyzer they are trained to use a "triage" tool. Is every speeder or impaired driver caught? No. Is every image caught? Not likely. Is it better than not looking? Yes.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Yep, after all triage is nothing but "applied heuristics".

So, we have as a result a "quick and easy" tool that has a given (greater or lesser) probability to find what one is searching for.

There are three factors that need to be considered:

1. the minor cost for the society of using such "automated" tools by "less trained" personnel (as compared to a "proper" forensic examination)
2. the actual probabilities that such a tool will find (if existing) whatever it is meant to find
3. the actual probabilities of "false positives" that will "trigger" - without reason - a "full forensic examination"

If the tool used (or the "clumsiness" of the untrained operator) causes any kind of modification to the target, we have a curious situation, not completely unlike the quantum physics problem of the Uncertainty principle
http://en.wikipedia.org/wiki/Uncertainty_principle

Let's say that we have a probation officer that uses one of these tools to search for forbidden pornography on a suspect PC, but while doing this, he deletes any trace of other criminal activity of the suspect (say somehow the tool wipes the remains of a deleted e-mail that could have been used for nailing the suspect for stalking).

If this is the case, we have four variables to take into account:

1. the minor cost for the society of using such "automated" tools by "less trained" personnel (as compared to a "proper" forensic examination)
2. the actual probabilities that such a tool will find (if existing) whatever it is meant to find
3. the actual probabilities of "false positives" that will "trigger" - without reason - a "full forensic examination"
4. the risk that the performed analysis can delete traces of other crimes (or - vice versa - remove any trace of a possible alibi for the suspect related to another crime)

As always it is a matter of decisions, and compromises, and we haven't even taken into account, with all due respect for the category :) , that not "all" forensic experts are expert at the same level, and not "all" forensic examinations are "perfect".

My doubt is that decisions about using triage tools or not are taken often without a sufficient knowledge of the advantages and drawbacks of such a choice.

I would like to see some "big" numbers, for example, say that we take 3,000 cases, and the (imaged) disks are examined BOTH by the given "quick and easy" tool AND by a forensic expert.
Then we could draw some lines, like:
Tool xy, tested in 3,000 real life cases has given

• 897 positive results confirmed by the later examination
• 1625 negative results confirmed by the later examination
• 317 negatives resulted positives after examination
• 161 false positives
• In all 3,000 runs, no differences were found in images before and after using the tool

With data like this, we can take a decision, Tool xy allows:

1. saving the money and time of forensic examinations for roughly 50% of cases
2. having a detection rate of roughly 75% of positives
3. having a rate of false positives below 15%
4. having NO chances of altering the evidence

The fictional tool described above would have so many advantages that there would be no doubt about adopting it as standard, but what if the tool had a lower detection rate and a higher rate of false positives?

Are there field reports and reliable studies with data similar to the above?

jaclaz


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Well, this is going to be the subject of an upcoming column but, in general, there is a somewhat inverse correlation between sensitivity, which is the ability to identify positives (no true positives missed), and specificity, which is the ability to exclude negatives.

This is why, in medicine, we have screening tests, which are typically low cost and very sensitive but identify a lot of false positives, and these are followed with diagnostic tests which tend to be more expensive and more invasive but less likely to result in false positives.

It is understood at the outset that some of those who test positive on the screen test will, ultimately, test negative with more specific testing, but the goal of the screen is not to miss people with disease even if it means that we are wrong in some cases.

The "problem" with this from criminal/legal perspective is that a false positive can be ruinous to the accused so there needs to be tight control over how the information obtained from a screening test is actually used in public.


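The following is an added Python illustration, not code from any post in this thread, of how the figures in jaclaz's fictional 3,000-case trial translate into the sensitivity and specificity seanmcl describes, with each denominator named explicitly; the class and function names, and the unit costs of 1 per triage run and 20 per full examination, are assumptions of mine.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TriageOutcome:
    """Confusion matrix of a triage tool against a later full examination."""
    confirmed_positives: int  # tool hit, full exam confirmed it (true positives)
    confirmed_negatives: int  # tool clear, full exam found nothing (true negatives)
    missed_positives: int     # tool clear, full exam found evidence (false negatives)
    false_positives: int      # tool hit, full exam found nothing

    @property
    def total(self) -> int:
        return (self.confirmed_positives + self.confirmed_negatives
                + self.missed_positives + self.false_positives)

def _ratio(num: int, den: int) -> Optional[float]:
    # A trial with no cases in the denominator class says nothing about that rate.
    return num / den if den else None

def sensitivity(o: TriageOutcome) -> Optional[float]:
    """Share of real positives the tool finds (the 'detection rate')."""
    return _ratio(o.confirmed_positives, o.confirmed_positives + o.missed_positives)

def specificity(o: TriageOutcome) -> Optional[float]:
    """Share of real negatives the tool correctly clears."""
    return _ratio(o.confirmed_negatives, o.confirmed_negatives + o.false_positives)

def false_hit_share(o: TriageOutcome) -> Optional[float]:
    """Share of the tool's hits that the full exam does not confirm."""
    return _ratio(o.false_positives, o.confirmed_positives + o.false_positives)

def cleared_share(o: TriageOutcome) -> Optional[float]:
    """Share of cases the tool would send on without a full exam, right or wrong."""
    return _ratio(o.confirmed_negatives + o.missed_positives, o.total)

def expected_cost_per_case(o: TriageOutcome, triage_cost: float, exam_cost: float) -> float:
    """Average cost when every case is triaged and only tool hits get a full exam."""
    hit_rate = _ratio(o.confirmed_positives + o.false_positives, o.total) or 0.0
    return triage_cost + hit_rate * exam_cost

# jaclaz's fictional 3,000-case trial, entered here as constructed sample data.
TOOL_XY = TriageOutcome(confirmed_positives=897, confirmed_negatives=1625,
                        missed_positives=317, false_positives=161)

if __name__ == "__main__":
    print(f"sensitivity {sensitivity(TOOL_XY):.3f}  specificity {specificity(TOOL_XY):.3f}")
    print(f"cost/case {expected_cost_per_case(TOOL_XY, 1.0, 20.0):.2f} vs 20.00 with full exams only")
```

Note that the "rate of false positives" comes out differently depending on whether it is taken over all tool hits (`false_hit_share`) or over all real negatives (1 minus `specificity`), which is exactly the screening-versus-diagnostic distinction seanmcl draws.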
(@adfsolutions)
Joined: 16 years ago
Posts: 10
 

In response to some request for triage implementation specifics, here is one white paper: http://computerforensics.parsonage.co.uk/triage/ComputerForensicsCaseAssessmentAndTriageDiscussionPaper.pdf. The paper provides excellent details on a successful forensic triage program. There is another presentation by West Mercia (UK) available as well. Please contact me at info (at) adfsolutions dot com and I will send this.

Here is another blog on forensic triage and one of our clients has responded with some feedback that will interest this group - http://integriography.wordpress.com/2009/11/24/acpo-triage-tools-and-the-le-computer-forensics-backlog/

Several triage tools are mentioned in the above postings, but one notable name has been left out – Triage-ID® by ADF Solutions, Inc. (www.adfsolutions.com). The company is the dominant provider of forensic triage tools and its Triage-ID(R), Triage-Lab(R), and Triage-Live(R) tools have been very successfully implemented by several agencies worldwide to reduce their forensic backlogs. We have several thousand users at over 150 clients worldwide that include the FBI, ICE, CBP, DoD, AFP, QPS, Dutch POLITIE, Portuguese Police and many others.

We will shortly be releasing a new line of triage tools that has been in development for over 2 years now. These offerings will be specific to both forensic examiners who want to eliminate computers from backlogs, as well as investigators who want to identify conclusive evidence immediately.

J.J. Wallia
CEO/Co-founder
ADF Solutions, Inc.

