Raphael Bousquet, CTO, ADF Solutions

Raphael, tell us about how you first got into digital forensics, and the evolution you've seen in the field since you founded ADF Solutions.

My background is in computer science. I discovered computers at a very young age and have been fascinated by them ever since. 17 years ago, I was working on a technology capable of finding visual similarities between pictures. This technology was used by law enforcement and intelligence analysts on cases that dealt with large amounts of pictures. This is the first time I was exposed to digital investigations. After learning more about digital forensics and how it was mostly conducted in labs with limited resources, I started looking at how these new technologies could help digital forensic investigations by reducing the amount of manual work involved in reviewing large quantities of data. This is how ADF Solutions got started.

At that time, the idea of Early Case Assessment was not widely used and was viewed by many as too risky. Those who were doing it were using inadequate tools for the job.

Our first break happened when one law enforcement agency defined a complete procedure around their newly adopted triage tool. This procedure gave the agents a framework to work with to know when to triage and when not to, removing the guesswork and making everyone comfortable with the process.

Once we realized that in addition to promoting our software application we needed to promote a process, things started to take off. When you don’t have enough resources, you have to triage. It may not be ideal, but it’s realistic.

Today, the forensics community has largely adopted a multi-tiered approach to digital investigations where they don’t let the deep-dive forensic application spend days of processing on every single exhibit that comes through the doors. Instead, early assessment tools like ours are used to prioritize exhibits and quickly provide the case officer with valuable information.

What has interested you most and kept you in the field?

It is easy to stay interested in this field which keeps evolving and is always at the forefront of what computing has to offer.

We spend many hours figuring out the work of other software developers as we research apps and operating systems artifacts, but every once in a while we get to innovate and create something really unique and smart that will benefit the digital forensic community, and this is very exciting and rewarding.

There is also a real purpose behind the tools we create which is to get to the truth in complicated situations where real lives are at stake. As a father I am very sensitive to child abuse and really glad that my professional activity helps make a difference.

ADF’s approach to solving investigations is different from some of your competitors. Can you talk about how you and your team view the world of investigations and why you develop your products with a focus on triage, early case assessment and on-scene investigations?

Our goal from the beginning has always been to improve the efficiency of digital investigations by trying to offer a product that would not just collect everything there is, but instead focus on what is relevant and be easily understood. By focusing the scope of the data collection, you collect less, do it faster, match your search warrant more precisely, and can now solve problems such as limited manpower, limited equipment, limited training and limited time.

To help our users be more efficient, we have spent many years identifying the steps performed in most digital investigations that were effective at providing important information about a case. This is where we focus our software development effort, to make sure these steps are executed quickly and easily for users with limited training, and they provide accurate and understandable information.

Of course, for some high-profile cases, you need to recover as much data as possible and have a specialist analyze it thoroughly. This is not a scenario that we focus on; there are other great tools for that.

When people use our tools they realize how much faster and more intuitive they are compared to what they have used before. With this realization, a large percentage of our user base brings our tools on-scene to collect data from the targets, subjects, or witnesses of an investigation.

The ease of use makes it possible for investigators who have limited digital forensic training to participate in the digital data collection. Some investigators are not immediately comfortable with these new tools and responsibility, but when the results of a forensic scan appear on screen and can be used immediately, it completely changes their perspective.

But the ease of use and speed are also greatly appreciated in forensic labs to quickly qualify incoming exhibits without tying up expensive equipment for days. Many of our users have set up dedicated “early assessment” workstations that process all incoming exhibits and obtain an initial report within an hour or two.

Overall, I believe that our tools are unique in their ability to quickly give a precise idea of how a target device has been used.

You recently launched version 5.0 of your products. Can you talk about how your products have evolved since your first release?

In general, the information extracted from a digital device should help answer the “what”, “who”, and “how” questions of an investigation. In the early years, our product focused on answering the “what” question by collecting files of interest. Our first product was a Linux bootable CD that automatically collected pictures and saved them on a flash drive.

We then added support for more file types such as videos and documents, while exploring more areas of the target drives such as containers, deleted files, slack space, and unallocated space. As more and more files were collected, we added search criteria to limit the collection based on file size, timestamps, matching keywords or hash values. The tool became very good at collecting valuable files very quickly, but we were still only answering the “what” question.

To answer the “who” question, we started looking at the artifacts created by the operating systems and some applications. Relevant artifacts include user accounts, login information, list of recently accessed files, contact lists, geotags, and networking data. Our tool today supports many applications and artifacts that help associate a person with activities on a device.

To help answer the last question of “how”, we introduced the concept of “referenced files”. They connect files from the file system with artifacts that are indicative of the file provenance such as an email attachment, a web browser download, a peer-to-peer client, a chat message attachment and more.

All of this information can be viewed combined on a global timeline of activities connecting accounts, applications, referenced files, and timestamps.

In the spring of 2019 we added support for mobile devices. We started working on this capability as far back as 2013, but it was difficult to allocate the resources for this major project without affecting our computer data collection. As our team grew we were able to focus on this massive undertaking, and we benefited from a very stable computer forensic tool that was already able to process much more data than can be found on mobile devices.
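The what/who/how progression described in this answer, as an added illustration that is not ADF's code or any product's logic: a small Python model that filters collected files by hash, size, timestamp and keyword (the “what”), links each kept file to the provenance artifacts that point at it as “referenced files” (the “who” and “how”), and merges everything into one sorted timeline. All paths, accounts, hashes and file contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass
class File:                # file found on the exhibit
    path: str
    mtime: datetime
    content: bytes         # constructed sample content, not a real exhibit
@dataclass
class Artifact:            # OS/app provenance record (the "who" and "how")
    kind: str              # e.g. "browser_download", "email_attachment"
    account: str           # account the record is tied to
    path: str              # file the record refers to
    time: datetime

def select_files(files, known_hashes, max_size, since, keywords):
    """Keep a file if its SHA-1 is in the reference set, or if it is recent
    enough, small enough and contains one of the (lower-case) keywords."""
    keep = []
    for f in files:
        hash_hit = hashlib.sha1(f.content).hexdigest() in known_hashes
        in_window = f.mtime >= since and len(f.content) <= max_size
        if hash_hit or (in_window and any(k in f.content.lower() for k in keywords)):
            keep.append(f)
    return keep

def reference_files(selected, artifacts):
    """'Referenced files': map each collected path to its provenance records."""
    by_path = {}
    for a in artifacts:
        by_path.setdefault(a.path, []).append(a)
    return {f.path: by_path.get(f.path, []) for f in selected}

def build_timeline(selected, refs):
    """Single sorted timeline of (time, account, event, path) over files and artifacts."""
    events = [(f.mtime, "", "file_modified", f.path) for f in selected]
    for path, arts in refs.items():
        events += [(a.time, a.account, a.kind, path) for a in arts]
    return sorted(events)

# Constructed exhibit: three files, one reference hash, two provenance artifacts.
FILES = [
    File("/Users/bob/Downloads/report.pdf", datetime(2019, 5, 2, 10, 5), b"quarterly INVOICE totals"),
    File("/Users/bob/Pictures/img1.jpg", datetime(2018, 1, 1), b"\xff\xd8known-image"),
    File("/Users/bob/notes.txt", datetime(2019, 5, 3), b"grocery list"),
]
KNOWN = {hashlib.sha1(b"\xff\xd8known-image").hexdigest()}   # reference hash set
SINCE = datetime(2019, 1, 1)   # only files modified after this date are keyword-screened
ARTIFACTS = [
    Artifact("browser_download", "bob", "/Users/bob/Downloads/report.pdf", datetime(2019, 5, 2, 10, 4)),
    Artifact("email_attachment", "alice@example.com", "/Users/bob/Pictures/img1.jpg", datetime(2017, 12, 31, 9)),
]
```

Note that the hash match bypasses the time window, so the older known image is still collected, while the unrelated notes file is left behind.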

In addition to the features commonly found in digital forensic applications, you recently added some entity extraction and translation capabilities. Can you explain what this does and why you decided to add it?

As discussed earlier, I have always been interested in increasing the efficiency of digital investigations. The bottleneck of most investigations is the time and human resources it takes to review the extracted data. Our tools have automated the mundane tasks and we are now focusing on reducing the amount of information that has to be reviewed manually. We are not trying to limit what is collected but instead classify, annotate, and summarize it in order to make the review process faster.

The integration of the Rosoka entity extraction/translation technology into our applications is one more tool at our disposal to make the investigation more efficient. This technology processes all the documents, messages, emails, and other textual data that is collected and seamlessly identifies over 30 entities, including people, places, and timestamps in over 200 languages. These entities are then translated or transliterated into English.

For example, when a 50-page document is collected, instead of having to read it completely, I can look at its most common entities and get a sense of what the document is about much more quickly. And if this document was in a foreign language, having the entities translated into English would be extremely beneficial.

What is next for ADF?

We are very motivated to continue our mission to make digital investigations more efficient. In addition to keeping up with all the digital artifacts that are available, we are working on new technologies to access mobile data, further organize the collected data, and we continue to focus on user experience so investigators can quickly learn and use our tools.
