Jessica Hyde, Magnet Forensics And Vitaliy Mokosiy, Atola Technology

Jessica, Magnet AUTOMATE allows examiners to focus less on repeatable evidence processing and more on actual analysis and review of evidence. On November 6, Magnet Forensics released the new version of Magnet AUTOMATE, the key feature of which is the integration of Atola TaskForce into its workflow. How does the integration of TaskForce enhance your product?

Jessica: We are excited about the release of AUTOMATE 2.0, with the highlight being the integration of Atola TaskForce. In a world where data volumes will continue to increase, it is important to have solutions to deal with the time it takes to image and process the content. From there, digital forensic examiners can focus on their exams and get to that data more quickly. By leveraging the speed and simultaneous imaging features of Atola TaskForce, processing can start sooner, which gets the user to analysis sooner. This is a major win for our users to directly create workflows that start with TaskForce. Examiners no longer need to wait until imaging is complete to kick off all workflows or to utilize slower command line imaging utilities in automated workflows.

When I worked in a lab, I remember going back to the lab at 2:00AM on a Saturday on high-priority cases in order to start processing when imaging completes — with continual stops throughout the weekend to kick off additional stages.

With the integration between AUTOMATE and Atola TaskForce, you can kick off the imaging process and know that when the image is finished, AUTOMATE will begin processing the image through the desired workflow using a myriad of forensic tools and scripts in your lab. I have friends who schedule stopping by the lab to monitor activity as part of their weekend rituals and others who draw straws to determine who has the weekend task of pushing the next button.

With AUTOMATE, you can take advantage of your hardware and process 24/7, eliminating the need to come back to the lab to kick off the next step. You can also check in on the status of your process (providing you have access to log in from home), by simply looking at the dashboard to see which cases are completed or what stage of processing is currently occurring on your case.

Overall, these efficiencies can lead to reduction in backlogs and the ability to take on more cases. As turnaround times are consistently decreased, other groups in the organization may be more willing to send evidence to the lab, public trust can increase, and turnaround times can be guaranteed.

Vitaliy, Atola TaskForce provides users with exceptional evidence processing capabilities. How do you see forensic examiners benefiting from TaskForce’s integration into AUTOMATE?

Vitaliy: TaskForce has been all about acquisition pattern automation ever since we started to work on the concept of this product. Our customers have always expressed concern with the constantly growing data volumes, which naturally makes evidence acquisition a lengthy process. This is exactly why we designed a product that could save our customers’ precious time and help them concentrate on other aspects of their investigations.

Magnet AUTOMATE is even more ambitious as it automates the whole evidence processing workflow and it is a breakthrough solution for the market in that respect. I see the two products as perfectly aligned to enhance each other’s productivity and save data processing time. To achieve this goal, earlier this year we introduced Web API to allow smooth integration of TaskForce into AUTOMATE’s ecosystem. And we are very pleased with the result.

The combination of the two tools presents a unique solution for forensic professionals that expedites evidence processing. What other problems does it solve for the users?

Jessica: Great question. In addition to substantially expediting evidence, the combined solution can also help with other key areas — including standardizing workflows as well as utilizing tools and hardware more effectively. This allows expert examiners to focus on complex problems and shorter turnaround times. Labs that deal with accreditation standards like ISO 17025 can utilize these workflows to ensure compliance with Standard Operating Procedures and Lab policies.

The automated workflows also allow for other team members, like evidence technicians or investigators, to potentially kick off workflows, allowing forensic examiners to do the highly skilled forensic exam and analysis work such as working on attribution and discovering new artifacts.

The efficiency gains also lead to other benefits, such as the flexibility to run multiple tools simultaneously. This allows the examiner to quickly validate results and use more tools in concert. In turn, the team gets more from their existing software and hardware. By running secondary tools in parallel, you save time and get the most out of your current licensure.

Distributed workflows allow you to take advantage of running parallel processes simultaneously. This means you can run multiple tools against the same image on different nodes. In AUTOMATE 2.0, we also added a case merging feature. This allows you to take multiple pieces of evidence on a case, image and process them on separate machines in parallel and then merge them into the same AXIOM case for analysis. This is fantastic as you can parallelize the processing and still be able to use features in AXIOM, like Connections and Timeline, to correlate pertinent artifacts across multiple pieces of evidence in the same case.

Coupling that with being able to image multiple drives simultaneously using Atola TaskForce means that complex analysis of multiple evidence items simultaneously can be achieved more quickly.

Vitaliy: Atola TaskForce is a beast that can run up to 18 imaging sessions simultaneously and allow their smooth integration into AUTOMATE workflows. Imagine the possibilities it presents! Say, a TaskForce unit is processing 18 imaging sessions, while 18 workstations that would have otherwise been taken by the imaging sessions analyze the images for artifacts.

From an examiner’s point of view, it means that instead of personally tracking progress and pushing buttons for a few days in order to process evidence on all these devices, the job takes a fraction of the time! The examiner receives a complete stack of evidence faster and can focus on more complex assignments.

In fact, the workflow provided by AUTOMATE ticks many boxes for forensic professionals! Not the least of which is reducing the possibility of human error while operating multiple tools. AUTOMATE makes the process more predictable for an examiner. And with the amounts of data in cases these days, predictability becomes a pain point for organizations at large. Not only does this tool create automated data processing workflows, but it frees up resources and simplifies internal procedures of whole investigative units!

Looking back, how did the two companies come to the idea of integration and how did the vision that the two products could complement each other come about?

Jessica: It is really kind of a neat story. I was at the Techno Security and Digital Forensics Conference in San Diego in March 2019, walking through the vendor hall to see what new technologies were available. I came across the Atola booth and was able to see TaskForce in action for the first time. Yulia and the rest of the team were there and were demonstrating its features. I was blown away by several things: the speed at which drives could be imaged, the capability to image multiple drives simultaneously, the ability to handle drives that other imagers would have trouble with, and the user-friendly design of the interface.

It was obvious that Atola, like Magnet Forensics, cared about providing capabilities that stretch boundaries while delivering an easy-to-use interface. Clearly, Atola TaskForce would be complementary to AUTOMATE — which we had recently released.

I briefly explained the premise of AUTOMATE to the Atola folks and the vision was immediately apparent: allowing examiners to combine the capabilities of the groundbreaking speed and parallelization in imaging of Atola TaskForce with the orchestration and automation for processing with Magnet AUTOMATE. This would allow users to have the most efficient forensic processing possible. There was instant chemistry between the teams and the vision and by November we had released AUTOMATE 2.0 with full integration for Atola TaskForce.

Integration of two different tools is a tricky business, as there are two teams of software developers working on two ends of it. The teams may have different technical approaches and cultures; how has the experience turned out for the two teams, how did they sync up, and what have you learned from this experience?

Jessica: I am impressed by the smoothness of the collaboration. Culture and passion are key parts of our identity at Magnet Forensics and it was immediately apparent that the team at Atola were of the same breed of passionate folks. Once the two teams were able to meet, there was a fit for both the technologies and the talent in both organizations.

Throughout both organizations, there was alignment of roadmaps, product vision, and development. We were impressed by how Atola continued to work with us so well throughout the iteration and development of the integration. It is truly wonderful to not just have complementary tools but to share the same vision and zeal!

Vitaliy: Our cooperation started with a meeting on the sidelines of a conference where the idea was born. After a video call with product and engineering team managers, during which we agreed on the most important activities and milestones, most of the coordination happened through iterations of correspondence that supported and directed the development pipelines of both teams. I am grateful to Magnet’s engineers for our great communication and for integrating TaskForce so smoothly into their system.

Team culture and effective communication is one of my passions. I am a proponent of agile product development, when you iterate a lot and go for options that are easier to change rather than the fastest or the cheapest ones. It helps a lot in getting people on the same page and focused on the result.
So I would like to praise the great energy and enthusiasm that Magnet and Atola teams demonstrated in the course of this cooperation. Such an attitude is gold!

Automation is now at the center of the conversation in the market. How do you see the future of automation? Automating which other tasks could help forensic examiners in their work? Is there a potential for further integration of TaskForce – including its secondary features – into an automated workflow?

Jessica: Absolutely! Automation can be used for a multitude of forensic tasks in the future beyond the traditional processing and imaging everything on the drive. That process is time-consuming.

The future of automation and forensic processing involves targeted acquisitions of specific areas of disk where high-value information can be found, and processing of those areas to get rapid results to the examiner. This is where we can really take advantage of secondary features such as targeted images. While the examiner is already analyzing those results, additional processing can continue to run in the background.

AUTOMATE allows for complex processing, so tools like Magnet OUTRIDER, which takes minutes to run, can be run first, followed by processing of targeted acquisitions, then the full acquisition and processing. This means the examiner can look at the results from key hits on file names and applications of interest while targeted acquisition and processing occurs.

The examiner then looks at those key areas, where most pertinent artifacts are found. While the examiner is conducting the examination on the targeted files, the full image is created and more intensive tasks like carving unallocated are run as a final step. Potentially, the examiner has all they need for the case before the full image is even completed!

Vitaliy: Further steps for TaskForce’s deeper integration are already in our product roadmap! Among highly anticipated features are triage (acquisition of a specific area of the drive) and extension of Web API with new commands. We will also be adding new image file formats and drive interfaces.

Essentially, all the new features and hardware products we develop are designed to minimize evidence acquisition time through automation and integration with forensic tools. In addition to that, TaskForce, being a mighty piece of hardware that it is, has a huge potential of expedited imaging through further software optimization. Our talented team of software engineers is in a constant search of ways to enhance imaging algorithms, and we are definitely focusing on this ambition. The combination of these two approaches helps us in providing examiners with unbeatable speed and convenience.

How do you see the future of digital forensics and what kind of technology does the market require today?

Jessica: The future of forensics is always changing! We must continue to adapt to the ever-changing applications, operating systems, and types of evidence – everything from cloud data to the Internet of Things.

However, that isn’t necessarily the biggest hurdle. As the amount of human interactions with sources of digital evidence increases, so will the data. The key will be finding the pertinent information in a scalable way. In order to meet these changes, we will need to think differently (or DFIRently!) and reimagine our current procedures in order to deal with the increase of data available. This means collection from new sources, but also changes in how we process and analyze. For example, today most agencies and users process on cold steel; in the future, processing in the cloud with automation will allow organizations to dynamically scale resources as needed.

Additionally, as those interactions increase, labs need to look at ways to democratize analysis. How do we do things smarter? Can we leverage investigators and analysts to look at contextual elements (chats, emails, pictures, videos, etc.) first?

We can automate processing and create subsets of reports to deliver to the content matter experts first, have them find the things of potential importance, and then the forensic lab can do the difficult task of working on attribution and timelining around the content of interest as deemed by the investigator or analyst who knows the content best.

Changing the starting point can be the future. We can leverage automation and orchestration to create workflows that provide this content to the content experts first.

In addition to leveraging analysts sooner on processed evidence, what if we can create ways to get evidence that we otherwise are missing? Today, most of the evidence that finds its way into the lab is from the suspect or the suspect system. What if we were able to quickly collect evidence from witnesses and victims at the scene — all without seizing their devices?

Targeted collection where the witness and victim can control what they are sharing can lead to evidence that is currently missed. The key here is leveraging first responders with easy-to-use collection tools. Providing these tools to first responders can allow for evidence in all kinds of cases from victims and witnesses — including domestic violence, human trafficking, and school incidents — that is often not collected.

I love working at Magnet Forensics. We are working to build solutions for these additional challenges — and that is exciting! At Magnet Forensics, we continue to look at the future of how we can meet the needs of forensic examiners and the entire agency to help seek justice and protect the innocent.

Vitaliy: Here is the thing. I profoundly believe in the following formula: Future of business = Automation multiplied by Emotions. This formula is what keeps my fuel burning when we design Atola products. It means that everything that can be automated should be automated to produce maximum possible performance.

At the same time, I want a product to be exciting in terms of user interaction. A product should evoke positive emotions and not be perceived as dull. A good example is gamification, which has become a global trend in software development.

And as distant as it may sound from the world of forensics, I see value in helping forensic experts perform their important and at times very difficult work with efficiency, convenience and less of a routine feel about it. And the cooperation between Atola and Magnet is yet another effort to achieve exactly that result.
