Will Uk Police have a triage strategy in 2015 +  

jaclaz
(@jaclaz)
Community Legend

1. a. but it's not that it proves a negative, but rather shows a lack of positive hits and therefore relevance to an investigation.

Sure, but as long as it is enough to avoid seizing the device for later examination, it effectively excludes the device AND thus it does prove - to all practical effects - a negative.

2. b. for training you are talking half a day max assuming they have some basic general computer skills/have been trained in their types of investigation outside computers.

Good.

3. a. this happens routinely without *need* of a full forensic exam here in the USA across a wide range of departments. charges are regularly filed based on triage results alone

Very good, so there is no need for full examination i.e. "the tool" does replace completely the "full" examination (which is perfectly in line with answer 1.a, BTW)

4. this is not a valid question IMO. the best answer available is c. if i was asked that question on the stand i would say no exam is as complete as possible because i could get more people to look at it, look at different artifacts, by hand, and so the rabbit trail goes. whoever uses the tool would state what they did. if there was some underlying question of how the software works the program's author could be subpoenaed perhaps, but in the case of forensics it's finding "stuff" that can then be validated with any other tool anyone else wanted to. if you only used triage then it would be the defense who would be reviewing the evidence and then reporting on their findings. triage doesn't fabricate anything that isn't there. it just finds "stuff" quickly and makes it available in minutes vs months.

if a tool shows you the contents of a prefetch file that can be validated with any other tool and certainly a hex editor. digital evidence is either present or not. if someone doesn't have the skill to find/access/verify something that is a different story, but that doesn't negate the use of tools by other people.

The point was not about "the tool" fabricating anything of course ) , it was about the possibility of it missing *something* that could be found in other ways (i.e. through a "full" examination) and that - according to current policies/guidelines/whatever should be searched for.
Like in your own explaining of my previous example (explanation that was to me very clear) about not "being enough" to find the 3127 images

if a single image is found (or even indications of their presence), it's enough to take a computer. with a warrant you can take everything as specified in the warrant

in cp related cases, you have to go through all images and videos to make sure the subject is not producing cp. it is not enough to just find known images and charge based on that.

About this

it would be very difficult to testify that something is, for all users, "conforming to policies, guidelines and state of the art" because those things differ pretty much across everyone. rather a tool is minimally intrusive, its results repeatable on the same evidence, and its impact on a computer can be shown to be consistent. many of the quoted things are agency specific and if a given tool is approved by an agency, then those things would be true.

My impression was that a large part of being called as Expert Witness is Court is putting one's face behind the presented results, assuring both the Court and the Jury (if any) that besides the actual results, every possible (within limits of course) attempt to gather ALL data has been carried on and that the procedure was done by qualified personnel using the best possible and latest (within limits of course) technology available.
There are threads on the forum about how to dress, about the "opportunity" of having visible tattoos or piercings, about the way to answer questions asked by the Judge or by the counterpart, all of these would make little sense if the only thing that matters is the results of the examination and the written report.

The risk - as I see it - with "the tool" (which of course is exactly the same as the one involved in having the "full" examination carried by not-qualified enough or not-expert enough or "superficial" or "lazy" digital investigator) is not that it fabricates anything, but that it can miss something.
If no one - periodically - tests and somehow certifies "the tool" (possibly it being a closed source/proprietary software) there is the risk that "the tool" becomes outdated.
On the other hand if "the tool" is Open Source (and even if it is closed source/proprietary) its behaviour may become "predictable" and one or more of the bad guys (the few technically advanced/knowledgeable) may find ways to have their illegal activities go undetected by "the tool".

as i think you mentioned, i don't need to know 100% of everything there is to know about a given system. at some point your return on what you get is far less than the time invested.

And I do follow you in this ) , and I find "the tool" and its approach very valid for a whole range of investigations, but possibly not suited for the CP/IIOC ones, since there is this *need* for absolute certainty (again within limits) that nothing has been left behind.

If the Law (and/or the policies/guidelines) would say that the 90% "guaranteed" by the tool is "enough" there would be no problems whatsoever.

jaclaz

Posted : 03/01/2015 8:34 pm
pfsfsf
(@pfsfsf)
New Member

to add to the argument / constructive criticism, some UK forces have the Aceso Kiosk, let's say we had the same for a computer / laptop acquisition.

The non tech police officer has "triaged" the 5 machines, 1 has a hit with IIOC, the suspect is arrested and the 20,000 live CP images are inputted in a kiosk at the station, the Kiosk generates a report based on the IIOC database, aggravating factors (peer to peer s/w etc) and then the suspect is led for interview...

Is this fantasy or a potential reality?

Posted : 04/01/2015 4:17 pm
neddy
(@neddy)
Active Member

That could be a reality but the issue is that such a low level of diligence will result in false/incorrect charges, reputational damage to the investigating agency and appeals that will mean it was more cost effective to do the job to a higher standard in the first place.

Posted : 06/01/2015 8:42 pm
EricZimmerman
(@ericzimmerman)
Active Member

That could be a reality but the issue is that such a low level of diligence will result in false/incorrect charges, reputational damage to the investigating agency and appeals that will mean it was more cost effective to do the job to a higher standard in the first place.

i'll have to disagree on that. it's not like a prosecutor will just wildly go off and file charges without due diligence. they aren't going to just look at some report that someone can't explain and be like "yea let's charge this guy!" i just don't see that happening. on the other hand, if i can take a report generated from triage/live response and explain what we have, why not file charges? i can always supersede an indictment later if something heinous is found.

people act like triage/live response is planting evidence or getting it wrong and that only "real/full" forensics can find evidence. Corroborate your findings from triage with X-Ways or whatever you want. You will find that what the "real" tool shows you is the same as a (well written) triage tool.

can you find MORE with a full tool? most likely yes, but the point of triage is not to find/show/process/report ALL (which is impossible) but to find enough to move the case forward sooner than later.

The bottom line is this: did the tool (either triage or a 'full' tool) find evidence that is chargeable that meets the comfort level of a prosecutor?

and pfsfsf, i would take it further. with proper search warrant execution you would have the majority of that information BEFORE YOU ASKED YOUR SUBJECT THE FIRST QUESTION. you would have all the answers to your questions and would know whether he is being honest or not.

contrast this to the "take it all and sort it later" and you miss so much opportunity.

Posted : 06/01/2015 9:00 pm
jaclaz
(@jaclaz)
Community Legend

i'll have to disagree on that. it's not like a prosecutor will just wildly go off and file charges without due diligence. they aren't going to just look at some report that someone can't explain and be like "yea let's charge this guy!" i just don't see that happening. on the other hand, if i can take a report generated from triage/live response and explain what we have, why not file charges? i can always supersede an indictment later if something heinous is found.

people act like triage/live response is planting evidence or getting it wrong and that only "real/full" forensics can find evidence. Corroborate your findings from triage with X-Ways or whatever you want. You will find that what the "real" tool shows you is the same as a (well written) triage tool.

can you find MORE with a full tool? most likely yes, but the point of triage is not to find/show/process/report ALL (which is impossible) but to find enough to move the case forward sooner than later.

The bottom line is this: did the tool (either triage or a 'full' tool) find evidence that is chargeable that meets the comfort level of a prosecutor?

Still, you are flip-flopping with words. 😯

I believe no one in his right mind can imagine that "the tool" plants evidence.
As well no one would believe that on such a delicate matter a prosecutor will charge someone without "enough" evidence.

And you seem like going over and over (and over) on the point that "the tool" has a very high level of accuracy, comparable to that of a "full" investigation (and again no one doubted that *whatever* "the tool" can and will find will always and fully be confirmed by a later "full" analysis).

But the point is still another one.

Is the *whatever* "the tool" can and will find "enough"?
And can a device where "the tool" has been run without result be excluded from seizure and further analysis?
I.e. can *someone* (again Law, Court, accepted policies or guidelines) state this in a non-equivocal manner?
And will this happen?

If yes, it's fine and dandy, "the tool" should NOT be connected to "triage" but rather to "automated analysis" and we can get rid of a lot of wasted time with the "full" analysis.
If no, it's a pity ( , and if there is the *need* to perform anyway a "full" analysis on ALL devices, no matter the results of the running of "the tool", then "the tool" is an actual "triage" aid that may have some use in changing the order in which the "full" analysis is performed.

To repeat myself, the concept of triage is only that of giving a priority in order to examine fully x before y.

Right now "the tool" (unless and until the mentioned statement about its use is official) represents IMHO a very, very nice, quick tool that may be extremely useful as "double check" when the "full" analysis is performed.

In a perfect world ) , each and every digital investigator would, starting from tomorrow, run "the tool" right before performing a "full" analysis on a device, then provide BOTH reports, underlining the differences (if any) between what was found in the few minutes that it took "the tool" to analyze the device and what was found in the several hours needed for the "full analysis"; then there will be some objective data.

If after a given period of time - let's say six months from now - a few tens, hundreds or thousands such reports (with no or trivial/minimal differences) land on the desktops of supervisors, prosecutors and judges, then probably policies/guidelines will be amended.

jaclaz

Posted : 06/01/2015 10:06 pm
neddy
(@neddy)
Active Member

Digital forensic triage is morphing into evidential methods akin to the streamlined reporting processes that we see in DNA etc and is giving the impression to the untrained that an OS triage report or its ilk may be used in court to support charges without any experienced oversight.

The arguments being discussed here can be defined by whether you agree that this is good practice or not. Having used all of the major OS Triage tools, I do not agree that they alone are robust enough to support charging without proper review or oversight.

Posted : 06/01/2015 11:45 pm
mkel2000
(@mkel2000)
New Member

3. a. this happens routinely without *need* of a full forensic exam here in the USA across a wide range of departments. charges are regularly filed based on triage results alone

The legal standard required for filing charges in criminal cases in the US is probable cause - a very low standard. It may be sufficient for prosecutors who don't know any better to base a filing decision on triage results, but if they are taking those cases to court and expecting to prove a case beyond a reasonable doubt (the standard for conviction in US criminal cases) without a full forensic examination of the evidence then they are fools.

It's clear from your posts in this thread that you are trying to sell a tool. I get that. However, your premise that a triage tool should be used in all cases to determine whether a device should be seized pursuant to a search warrant is not based in the reality of criminal investigations. No investigator with several hours of training in any triage tool is going to be able to craft sufficient search terms or other data points for that tool to absolutely determine whether evidence exists or not on that device 100 percent of the time. Even forensic examiners with many years of training and experience have difficulty sometimes finding evidence with full forensic examination of evidence.

I'll admit that cases today involve much more data than they did when I started doing criminal investigations involving digital evidence more than a decade ago. The idea that digital forensic investigations should be reduced to push button operations by untrained cops isn't any more realistic now than it was back then. In my opinion, triage tools operated by untrained individuals in order to determine what gets seized pursuant to a search warrant is a mistake of the highest order.

Posted : 08/01/2015 12:11 am
EricZimmerman
(@ericzimmerman)
Active Member

Have you ever used osTriage? if so, what version?

The legal standard required for filing charges in criminal cases in the US is probable cause - a very low standard. It may be sufficient for prosecutors who don't know any better to base a filing decision on triage results, but if they are taking those cases to court and expecting to prove a case beyond a reasonable doubt (the standard for conviction in US criminal cases) without a full forensic examination of the evidence then they are fools.

In Utah charges are filed all the time based on triage results AND devices are left behind that aren't of interest. in many of those cases a trial isn't necessary because of the volume of evidence recovered on scene.

Additionally, a lot of assistant US attorneys advocate and in fact want triage/LR tools to be used for many of the reasons i have already discussed. I have spoken to a room full of AUSAs on several occasions about osTriage and its capabilities at national conferences. It is taught yearly at their training. It is discussed in their newsletters.

The official ICAC training curriculum teaches the use of osTriage as its primary tool for on scene use.

The list goes on and on.

When it comes to a trial, you would almost always follow up with additional info and exhibits, but do you really think showing a jury browser history in X-Ways, Encase, or FTK is somehow better than doing it with any other tool?

*What* tool finds evidence isn't as important as whether the tool is doing so *correctly*.

It's clear from your posts in this thread that you are trying to sell a tool. I get that. However, your premise that a triage tool should be used in all cases to determine whether a device should be seized pursuant to a search warrant is not based in the reality of criminal investigations. No investigator with several hours of training in any triage tool is going to be able to craft sufficient search terms or other data points for that tool to absolutely determine whether evidence exists or not on that device 100 percent of the time. Even forensic examiners with many years of training and experience have difficulty sometimes finding evidence with full forensic examination of evidence.

if by "sell" you mean give it away to law enforcement for free, then yes. All my software is, and always will be, free. In fact, it's in use by 1000s of LEOs in over 65 countries around the world.

I guess the hundreds of search warrants i have personally participated in as well as the 1000s of warrants where my software has been used do not fall into the "reality of criminal investigations." Bummer.

Your point about not being able to craft search terms or data points is understood, but that's why the ability to easily supply lists of keywords or hash sets exists. In the case of osTriage, it ships with over 300 keywords associated with child exploitation and millions of hash values. Users can extend this or add entirely different lists of keywords and hashes as their investigative needs dictate.

saying anything with 100% certainty is rarely a good idea, but as i have seen and heard from hundreds of users all over the world for the past 3 years, osTriage enables them to get to a very high level of confidence that what they are looking for either is, or isn't, there.

what i am saying is that a triage/live response tool should *always* be used on a running machine for a wide variety of reasons (active network connections, running software, capturing RAM, detecting active encryption, and TONS more), and one of those many reasons is eliminating a device as being of interest. this is done just about every week on search warrants in Utah with the ICAC. it is not some pie in the sky idea. its reality.

it is overly burdensome on LE and people tangentially related to a subject to simply "Take everything and sort it out later" when in some cases 80% of what would be seized has nothing to do with the crime being investigated. Every case is different but effort should be made to separate the wheat from the chaff to the benefit of both parties mentioned above.

I'll admit that cases today involve much more data than they did when I started doing criminal investigations involving digital evidence more than a decade ago. The idea that digital forensic investigations should be reduced to push button operations by untrained cops isn't any more realistic now than it was back then. In my opinion, triage tools operated by untrained individuals in order to determine what gets seized pursuant to a search warrant is a mistake of the highest order.

Who said anything about untrained? who said people with no training or background in these things are making any kind of decision on what to take? i am talking about the use of triage/LR in task force environments that deal with computers on a routine basis. I am talking about an FE using a triage/LR tool to make better decisions within moments of securing a search warrant scene.

i am not saying triage/LR is *the replacement* for full forensics in every case, but it certainly CAN be for some things (or at least the vast majority of artifacts found in an exam). In fact, at least for osTriage, you will get more from it in 10 minutes than from a typical full exam.

Let's be honest here. a lot of forensic reviews are comprised of pretty much entirely low hanging fruit. How many wildly advanced cases have you had to examine where a person hid their tracks so well it was hard to find what you needed?

every case differs, but child exploitation cases are an excellent example of how triage/LR in the field goes a LONG way to moving the case forward. to suggest otherwise, to me, indicates someone hasn't been involved in those kinds of cases for a long time.

In my experience, the downplaying of triage/LR over "more traditional means" is done by old guard examiners who either do not want to change or somehow fear losing control over their kingdom (I am not saying you are in this boat, but typically a strong resistance to new techniques that are clearly effective comes from people of that mindset. Moreover, these same people have never even used the techniques being discussed but somehow feel compelled/qualified to argue the cons of such an approach.)

The old way works, but it certainly doesn't scale. the problem will continue to get worse as hard drives and data sets continue to grow.

Posted : 08/01/2015 1:05 am
flurryofinactivity
(@flurryofinactivity)
New Member

Deleted

Posted : 12/01/2015 10:52 am
jaclaz
(@jaclaz)
Community Legend

If we sense the defense doesn't want to take a plea we do further forensic analysis.

On what? 😯
I mean, IF "the tool" was used to avoid seizing devices, i.e. was used NOT as a "triage tool" but rather as an "exculpating tool", you won't be able to carry further analysis on those items, you are limited to the items that already resulted "positive" to "the tool" (and I am quite confident that "the tool" is very good) and you won't find much more evidence through a traditional analysis on the seized devices; the issue is only if - by any chance - "the tool" misses something when it runs and because of this negative result you leave the device in the possession of the suspect.

So all in all we are back to square #1, is this risk of a "false negative" so trifling as to not be considered?

Or has it been considered by *someone* and this *someone* has issued a corresponding policy/guideline/whatever that has some form of validity in the UK?

jaclaz

Posted : 13/01/2015 12:21 am
flurryofinactivity
(@flurryofinactivity)
New Member

Deleted

Posted : 13/01/2015 9:03 am
jaclaz
(@jaclaz)
Community Legend

Jaclaz, referring to doing further analysis of the items seized. Regarding not finding more evidence through a traditional analysis, I'd say it all depends on the type of case and what you are looking for. I've really only used triage tools for child exploitation cases and I'd say it all depends on the case as to whether you'd find significantly more evidence. For example, if your case was initiated through means other than peer to peer, such as emails, then digging further with other tools may be of benefit. I generally find osTriage gets me everything I need though.

Regarding a false negative with triage software, I have had a few pieces of media that went through osTriage software with child exploitation images that were not identified. Personally, I always use EnCase to preview any media that passes on triage software just in case. To each their own though.

Yep ) , and you are reporting a concrete (IMHO very correct) use of "the tool".
Nothing is excluded, everything is taken into custody and then analyzed, at first using "the tool" as a quick, automated way to get "the most" and, when and if needed, followed by a second more "traditional" procedure.

jaclaz

Posted : 13/01/2015 5:31 pm