So we’re in this situation where a search warrant has been executed in relation to illegal images in a residential property. The search has recovered a number of items: we have a laptop from which I’ve removed the hard drive, we have an external USB drive and five USB thumb drives.
Now, normally if we wanted to establish if any of these devices contained our known illegal content, we need to examine them one at a time, examine every file on each device, convert them to a hash, and compare those to a high set of our known illegal images.
While this may be OK if we have just a small number of low capacity thumb drives, given that a 500 gig USB hard drive like this will take about three or four hours to run a full high scan, it’s not really practical to do this in a unseen situation, and it’s likely that we would have to seize all these devices, take them back to the lab, and given that many digital forensics units around the country have growing backlogs, that could be a matter of months before these get examined at all.
Cyacomb’s Fast Forensics Triage technology now gives investigators the ability to very quickly scan devices like this on scene in a triage scenario.
Let’s have a look at how quickly Cyacomb Examiner can scan all these devices. Cyacomb Examiner has the ability to scan multiple devices at once without a loss of performance. So we can connect all seven devices up at one time to our examination computer through our USB hub.
With our devices connected, we only have three things to do in Cyacomb Examiner to start the scan. First we have to select each of our devices here on the left hand side, then we have to load a contraband filter. A contraband filter filters secure alternative to a traditional high set.
And today we’ll be using a contraband filter built from space travel images, and set of scan confidence. Confidence is basically a trade off between speed and fairness of the scan. In most operational scenarios, 99% confidence is suitable, so we’ll choose that.
Now all we have to do is start the scan. We can see here, we have a progress arc gives color coded result of the overall scan, of all the devices being scanned, where on the left hand side in the devices, we can see a color coded progress bar for each of the devices being scanned.
Now we can see already after just 19 seconds that all of our devices have a color coded result. We have four devices which have turned red, and three which have turned green. Red results mean that something has been found on this device that matches our known illegal content.
And if we want to confirm that on scene, we can just simply click “view results”. Click on one of the results to get a preview of a file. There we can see a preview of an astronaut, one of our space travel images.
Green results mean that nothing has been found on the device that matches known illegal content, and the decision can be made based on all the intelligence and all the information known about the devices, whether to seize them or leave them behind and exclude them from the examination.
So what we have in 19 seconds, we have seven devices scanned, four of which we know contain illegal content, and three which we can make an informed decision about to leave behind.
Cyacomb Offender Manager is based on Cyacomb’s award-winning fast forensic triage tool Cyacomb Examiner, but optimized for offender managers to use during offender visits. All the offender manager has to do is plug in the Cyacomb dongle and to the offender’s computer and run Cyacomb Offender Manager directly from the dongle.
In Cyacomb Offender Manager all the settings such as the devices to scan, the scan confidence, and the contraband filter to use are preconfigured back at the police station before the offender visit. All the offender manager has to do is press start and the software will scan every internal hard drive on the computer and any attached external hard drives.
So, where previously an offender manager may have had to rely on a manual exam of the offender’s computer, with Cyacom Offender Manager, we can perform a comprehensive scan of the computer very quickly and identify any known illegal content, including any deleted content that the offender may have tried to dispose of before the visit.
With Cyacomb Mobile Triage on the data pilot DP10, we now have the ability to use Cyacomb’s award-winning Fast Forensic Triage technology to scan devices such as mobile phones and tablets. Here, as you can see, we can choose to scan an Android device or an Apple device.
Here we have an Android phone connected up, so we’ll choose Android. Just like Cyacomb’s other fast forensic triage technology, all we have to do is select a contraband filter and scan confidence. Here we’ll choose 99% and press start.
As you can see, just like Cyacomb’s other Fast Forensic Triage technology, when illegal content is found on this phone, our progress arc turns red. At any point we can click to view the results. Here we can see an astronaut, one of our space travel images that we use as illegal images.
So, instead of seizing all the devices recovered during our search and putting them into a backlog for future examination, we know even before leaving the scene that an informed decision can be made at how to progress the investigation at this early stage.
