Reviewed by Scar de Courcier, Forensic Focus.
ADF Solutions’ Digital Evidence Investigator (DEI) reduces the workload on digital forensic analysts by providing a fast, scalable solution for field triage and investigative tasks.
The installation process is very straightforward: you will receive a small package containing a fully licensed Authentication Key, one 250GB high-speed SSD drive to be used as a Collection Key, one USB extender, one four port USB hub and one CD drive opener. Plugging the Authentication Key into your machine and executing the installer will begin the installation process; all you need to do is select your options and click ‘Next’ until it is complete.Once DEI is installed it is easy to prepare the Collection Key for field use using out of the box default Search Profiles to help you collect your data. BitLocker can be activated on the Collection Key with custom Search Profiles should the data be particularly sensitive.
The Collection Key is a bootable USB Device (Samsung T5 256GB SSD) capable of conducting a forensically sound boot, and will boot most computers (BIOS, UEFI, SecureBoot) including Mac and Linux. DEI is also capable of conducting live Windows scans.
Once you’re set up and have loaded your search profiles onto your Collection Key, you can begin to boot or live scan your evidence. Scans from the desktop application don’t require a Collection Key. To scan with the desktop application, click on ‘Scan Devices and Images’ in the main menu. This will take you to a second menu which appears in all types of scans (boot, live and desktop). Here you can select the targets you wish to scan. This could be all available hard disks, or attached storage devices, or a subset of them. For example, you could choose not to scan recovery partitions. In addition the desktop application allows you to scan dd and Expert Witness Format (e.01) forensic images, the contents of folders (including mapped network drives – handy for scanning NAS boxes) and any attached storage devices (preferably connected via a write blocker).
‘Scan Information Fields’ is where you fill in all the basic details about your scans. You can add new fields to this, for example a case number or an investigator’s name; if you do add a new field, it will then be automatically included in future scans when you run the same search profile.
DEI comes with several default search profiles, so you can add your target device, folders or images and select one of these, or you can create a custom profile if you’d prefer. Search profiles are listed in reverse alphabetical order, so if you want your custom profiles to appear at the top you might want to name them appropriately- such as something beginning with ‘Z’.
The built-in search profiles are not editable, but you can copy a default profile and then modify the copy to create a new profile based on a built-in one. Custom profiles are very easy to put together, with a lot of potential options to add, so it should be easy to work out which items would be of the most use to you.
For example, if you do a lot of child protection investigation, the IPOC (‘indecent pictures of children’) profiles will be helpful. These are pre-populated with common search terms and hash sets in the child abuse images arena, and will also bring back images as these are often a large part of such cases. You can also easily add your CAID or Project Vic hash sets into a search profile. If you come across a lot of anti-forensic activity in your investigations, you might want to create a search profile that looks only for these. By default, the ‘anti-forensics traces’ option looks for elements such as CCleaner, TrueCrypt, and others, but you can also add in your own keyword list.
One thing I particularly liked about DEI’s search profiles was the ability to easily run a quick scan in a certain area, then to go back and do a more in-depth scan if interesting results were found. This is great for triage: so often an investigator can take a huge amount of time performing a full scan of a drive or device, only to discover there was nothing of interest there. The ‘quick scan’ options can give you a snapshot of what you’re looking at, so that you can then decide which drives or devices to prioritize.
Searches can be as granular or as simple as you require: you can just scan to see how many pictures are on a drive, for example, or you can specify that it should bring back every image that contains EXIF / geolocation data.
Videos are broken down into frames, so it is possible get an idea of what is contained within the video for a faster preview when large numbers of videos are involved. You can collect 50 frames and not the full video, or 50 frames as well as the full video. This can be handy for analyzing compilation videos or videos within videos, as you can easily flick through the frames to see whether the video suddenly changes at a certain point.
When your scan results begin to appear on the screen, you will start to see icons from each artifact (for example, Firefox and Skype) and numbers will appear next to these icons to demonstrate how many results have been brought back from each. Scans can be paused and the results obtained up to that point can then be viewed. If you have already located what you need, the scan can be terminated and everything found so far will be saved.
Hash sets can be imported (.txt, .csv and JSON format) to DEI and collected files can be auto-tagged, Project Vic and CAID hash sets will be auto-tagged by category. Once you’ve added a hash set it will always be there to use in the future, so if your investigations tend to bring back similar sets of images – in child protection cases, for example – you will be able to search these in future analysis.
As we all know, the world of digital forensics moves at a remarkable pace, and ADF’s DEI tool has built in functionality to make it easier to deal with this. For instance, the ‘Pictures → View’ menu shows you the different types of picture supported and which ones they are; but if there’s a new type of file you need to scan for, DEI allows you to add a custom file type by file signature and file extension.
When hashing files you can of course tell DEI where you want to look and what specifically you are looking for, but it also provides you with a more granular level of control should that be required. For example, you can search deleted and unallocated space; collect matching files; use thorough file identification; search by pixel size, date or timestamp.
DEI has powerful filtering and sorting capabilities allowing, for example, the ability to filter out auto-tagged items. or items you’ve tagged and leave the files left for visual analysis. This provides a simple and useful way to work out what still needs to be reviewed in your investigation.
When it comes to search priorities, DEI is quite intuitive. If you believe your files will be in a certain location (a user’s folders, for example) but you want to check the whole file system including deleted and unallocated space just in case anything is lurking there, you can select all of those options and start the scan. DEI will scan through the targeted locations first before moving on to the rest of the file system, followed by the deleted and unallocated space, so if you discover all the evidence you need within the user’s folders, you can then stop the scan rather than having to go through the whole thing, thereby saving you time.
Keywords are a big part of many investigations, and ADF has allowed for this in their functionality. Keywords can be captured as part of a search profile, but they can also be auto-tagged with an assigned level and a comment. This means that if a keyword is particularly likely to be an indication of something that needs following up, DEI can automatically assign a level to it to denote this. It can also auto-tag it with a comment: for example, if you are dealing with words in a foreign language, you could auto-tag these with their translations. Keywords can also be entered or imported as Regular Expressions.
If you’re collaborating on an investigation, you can export profiles and captures to be shared with other investigators. If they are going to take an active role (for example, using your custom profiles in their own investigations) then they will need a DEI license to perform these tasks. However, reports can be viewed by anyone regardless of whether or not they own a license; more on reports later.
The Timeline view shows you activity over time, and allows you to zoom in on a date, time or activity. It is very customisable and quite easy to use, although it looks very different from most timelines so it might seem a little confusing at first. Rather than having a horizontal graph-type timeline, with times along the bottom and events rising vertically from it, the timeline instead looks like a list of events, similar to a file list you’d see in a computer’s Documents folder. Once I got used to this I found it easy to use, but it did take a little settling into. Clicking on any item in the timeline will show it in a preview pane at the bottom; you can then navigate away from the timeline if you want to examine it further.
Reports can be generated in HTML, CSV, or Standalone Viewer. The latter option refers to an export of the whole scan which can be presented to an investigator even if they were not in the field themselves. Clicking on the exported .bat file will take you right back to where the scan was left when the report was created. This allows you to report on scan results and do further analysis without an additional DEI license. This is a really good way to give a detailed overview of what was found in the field.
Standalone Viewers are often used for archiving purposes; if in several years’ time you want to look back over an old case, you can open it up and it will look exactly how it looked when you worked on it and there’s no need to worry about backward compatibility.
HTML reports work as you’d expect: everything you have bookmarked will be in there. You can either include everything from your investigation, or select specific files of interest or captures such as OS information. The report functionality is complete and detailed. Clicking the items in the left-hand menu will allow the viewer to see more detail; the summary page at the top shows details of the target device and search profile, how long the search took to run, whether it was interrupted, and whether any errors were encountered.
A comprehensive user guide is provided as part of DEI; when you click on this option it will open up a PDF which takes you through everything in a way that is easy to understand.
In summary, I would say DEI is one of the more intuitive tools I’ve used, because it guides you through your investigation step by step and could easily be used without much training, especially if you didn’t want to create any custom profiles. Even these are quite straightforward though; it’s obvious what each button does and at no point did I find myself thinking “What does that mean?”.
Scans can be as quick or as comprehensive as you want them to be; DEI very much puts the responsibility in the hands of its users when it comes to customization, and this in my view is a good thing. I can see how it would be an excellent triage tool in the field, especially when an investigator has to decide which machine to seize from a scene.
ADF Digital Evidence Investigator is used by law enforcement, military, universities and corporations globally. To get more information on DEI or to request a demo or free trial, simply visit http://www.adfsolutions.com/dei-forensic-focus or email [email protected][email protected].