Streamline Your Digital Investigations

Presenter: Richard Frawley, ADF Solutions


So today we’re going to speak about streamlining your digital investigations. We’re going to cover the forensic challenges facing examiners and investigators, reinforce that with some real-world case studies showing how we can do what we’re talking about, and then we’re going to go through a live demonstration of digital evidence investigating. After the live demo, we’ll show you how ADF Solutions and DI can help you with streamlining your digital investigations and finish off with some product and evaluation information.

So comparing the challenges faced in forensic labs over the last let’s say ten years or so, we can see that money and budgets have only increased just a little bit, which keeps the people and the resources at about the same level, if not the same as where they were back then. When we first started the computer crime unit in the PD back in 1999, we had our initial grant, which was through the internet crimes against children task force, we were an investigative satellite initiative. So we had some money to start the unit, we became a full-fledged unit, and the department supplemented that at the beginning with a $5000 budget per year. That covered everything – training, equipment, supplies, travel. When I left the department 17 years later, the budget was still $5000. So not only did we become good at our jobs, but we also learned how to make things work with what you’re given. So being able to streamline your investigations fits right into this scenario.

So now let’s add to this the change in the popularity of the operating systems, addition of netbooks, laptops, mobile devices, cloud storage, tablets, the availability of large storage capacities and a variety of storage devices. More devices and platforms required, more tools, time, personnel, and above all, that evil money. All that storage at an affordable price – I recall we went to a search warrant one time, just expecting to get a desktop computer, maybe a couple of laptops, maybe a couple of thumb drives. And we spent a good chunk of the day there seizing a lot of devices. I think we walked out with a bag of 37 or so hard drives. It was a backpack filled with hard drives and a baggy filled with thumb drives. And I’m sure that’s happened to quite a few out there. There’s just so much storage out there, and so much to go through once you get it back to the lab.




So as forensic examiners, we’re facing these numerous devices and drives. You go out, you do a search warrant, and then all of a sudden, besides the backlog that you have, you have this backpack of 37, 38 hard drives, the baggy of thumb drives being seized, they want you to examine it, it’s got to get done fast, it’s creating a backlog, in some cases extending your processing times. You’re utilizing tools that are processing and resource-intense, you’re looking for everything, those [peace of mind] investigations, or those [peace of mind] examinations. Instead of targeting the examination, looking for what you really want, slowing down production, examination times, using multiple licenses, paying maintenance fees, too much, too little tool, you got to look at the toolbox and see what you got.

As an investigator, you want software that’s going to handle your investigation, that’s going to be user-friendly, simple to understand, easy to configure, minimal interruption to your forensic examiner, if you’re an investigator. You [don’t] want to keep knocking on the door and asking questions. As an investigator, at the point of gathering that information, you want the information to be targeted, relevant, comprehensive. Generic results aren’t going to cut it. Non-relevant information isn’t going to cut it. It only delays your investigation; now you have to do a deep dive. But if you can streamline that and target the information, that’s what we’re looking to do to help things out.

Not every case requires a deep dive. You know what you’re looking for, most of the time you do, you find it, and at that point you can make your well-informed decision on probable cause. You want to create a report, present your findings. So now [on scene] you have all these decisions and challenges to make. Can we make an arrest? Being an examiner or investigator on scene, several of these decisions challenge you during your investigation.

Talking with investigators from all over, especially here in Connecticut, the trend is to make these decisions on scene, not to wait several more weeks for another examination, leave this person free out on the street. You want to get the information on scene that you can get, you want to possibly make an arrest decision, get this person off the street.

[Also] we look through this information to guide your interview of them, maybe gather some more probable cause, catch him in that lie, catch him in something that he’s not forthcoming about.

Which computers on scene are we going to seize? You want to be able to target this on scene so that you’re not bringing back 37 hard drives or a baggy full of thumb drives. Maybe you can eliminate some of that on scene.

Knock and talk – you have consent, you go in, you want a tool that’s quick. You want to have your two investigators start talking to somebody, get the consent to go on the computer, you get the consent you want to be quick, you want to be targeted, you want to be relevant, so he doesn’t get all worked up or [hanked] up that somebody’s on his computer and something’s going to happen. You get your information quick, you have it, you can make your decision there, on scene. And then when you have it, if there is something, maybe it’s a business, can we image that right there, on scene, instead of taking it, and maybe leave the computer behind? These are all decisions that we all face out on these scenes.

So actual case files, backing up what we’ve been talking about: we have a lab here who’s working a child exploitation case, again with that whole backpack full of drives. They had seized 37 total drives off computers and secondary drives, 39 TB of data. They wanted to quickly identify which drives had the information, which ones they needed to look at. So they were able to target the search profiles and the file captures and go after exactly what they wanted, kind of triage these computers if you will, go in and find out exactly which ones they were looking for. And by doing that they were able to knock this down to five drives, which saves a lot of time. These high-profile cases, you know it – it comes in, they want an answer, they want it quick, they want you to come up with the answers.

So by getting rid of all the drives that didn’t have the information on it that you wanted, isolating the ones that did have the information on it, they were able to find… like I said, it’s your 1400 videos, 1900 images. That’s using a tool like DEI in the lab – saves the time, quickly scanning computers for the files, knowing which computers contain your evidence, and then you can go back and do either a deep dive or, still with this tool, get the information you need and build your case.

Also, here’s a lab using one of our tools. They do a lot of media examinations a year. And we all see this on the list serves, we all see it being asked, you can go to forums, it’s always a topic: How do I image this hard drive? I can’t get it out of the computer, it’s closed architecture. It may have this operating system on it. How am I going to image this? How am I going to gather the information without breaking the computer?

So you want a tool that can boot all these computers, that can go in and boot the Windows, with secure [unclear] or the Mac computers, if [unclear] 2.0 or better, you want a tool that’s going to be able to boot these from a powered off position, and you want to be able to grab that information, either collect your information and your artefacts right there, and then image it, or image it and look at a different place. But you want a tool that’s going to be able to do that. And we are able to help in that area.

So eliminating that need, booting more computers, booting 90% of what’s coming into the lab, especially with these closed architectures. Being able to boot the Macs without having to take them out, break a [ribbon] cable, lose a screw, have to fix the computer for somebody that you weren’t planning on fixing. All these things really help streamline your investigation and stay within your digital workflow.

Forensically sound – our boot scans, from a powered off position, are forensically sound. We can also do live scans, and when a live scan is done I’ll go over that layer. The only thing changed is what Windows is going to do when you introduce a USB or when you execute a program.

So working within that digital investigation workflow, what we’re going to do in our demo, we’re going to scan a suspect device using one of our DEI search profiles. It’s customized, we’re going to be looking for some hash values, keywords, and our ordinary artefacts that we collect in every case. And I’ll go over that with you. We’re going to acquire it, quickly identify it, and I’ll show you how fast it is to collect the files, the artefacts. We’re going to analyze it, correlate it, document it, and then be able to report. And part of the reporting process I really want to show you is our collaboration. So if you do have an investigator who gives you something, he wants the information to go through, you’ll be able to collaborate with your investigator.

So with that, I’m going to turn it back over to Michelle for a minute, and I will set up our demo.

Michelle: [Great,] thank you, [Rich]. So I’m going to have a quick poll for everyone. What do you find is your biggest challenge in digital forensics – backlogs, lack of training, lack of resources, or complex tools?

[silence]

Michelle: So we are almost tied between our majority of lack of training and lack of resources. Don’t forget, you can also submit your Q&As at any time during Rich’s demo, and we will collect those and get those answered at the end of today’s session.

[silence]

Rich: This is ADF’s Digital Evidence Investigator tool. This is the desktop version. You would install it, open it up on your forensic machine. Here we would be able to scan devices and images that were attached to your forensic machine. Obviously, through a write blocker, we are also able to do [DO1] and [DD] files, we could pull those in. We can scan folder locations, drives, partitions. From there, we can prepare a USB or collection key, that’s our bootable USB device. You’re going to plug in your USB device into your forensic machine. This is going to prepare it with the search profiles you want to take out to your location or use on another computer, load up your search profiles, and make that USB device bootable. And you can also make them BitLocker protected, [prevent] loss, you can image, attach devices to this computer, and also get into the others: reviewing your scan results, setting up scans and settings.

What I want to do is just set this up a little bit. You have an investigator, seized a laptop, brings it in to the lab. And he says, “Listen, I got this guy, Johnny Gosh. He’s being accused of selling knock-off bags and clothing. Suppose he had a website, the website was taken down. I don’t really have enough, but I have this computer, I have the search warrant for it, I have the legal authority for you to go through and search it.” So he’s asking you to go through, take a look, see if it warrants furthering this investigation. Does he have something to go on or should he close this case out? This is something that happens all the time.

The complainant in the case was the Gucci company. They had that website taken down, they have a few pictures they’ve given to you from that website, so what we’re going to do or what I did was I created a profile, put some keywords in there, I was looking for a phone number specifically – and I took those five files that were in a folder from Gucci, and I imported them in. What we can do is point to a file that has pictures in it, it’ll hash those images and add that to the search profile, and search the computer for that.

So we’re going to go in, scan some devices. The target device – my system drive is disabled, if this was your forensic machine, you’re not going to be able to scan your own drive. So what I’m going to do is add an evidence file, in my fraud case. I have my custom search profile. There are seven default profiles that come with the system – you can see the quick internet pictures of children, quick general profiling, quick collection, iOS backups if you want, then we have our intermediate, which take a little longer. The quick are designed to go fast, I’ll show you that in a little bit. Intermediate takes a little longer. These are the custom ones that I made. And then we have comprehensive – these are the ones that you’re going to let the machine run for a few hours. You’re really going to be deeply collecting and looking for artefacts on this computer.

So I’m going to choose my ‘Custom – Gucci’, and we will name it. I always suggest giving it a new name – it defaults to the date and time. But what happens is you end up running several scans and not remembering exactly which ones you did at the time. So we will just… Custom Gucci. I’ll start my scan. What it’s going to do at this point is… it’s loading up the E01 file, it’s looking at it, and you see the Matches pane right below. Any matches that are found, any files that are found, it’s going to scroll across here, so you’re going to see images, you’re going to see some of the keywords that I ran. If it’s a picture you’ll see the picture; if it’s a document you’ll see the document or the keyword that was run. Down below, you can see as I was talking, it’s already gathered the application usage, the installed applications, the collected email, connection logs, operating system information. These are all the things that we want in every case. So it’s doing that for us really fast. It’s automated, it’s targeted, we got our browsing history. We cover six different browsers – Firefox, Edge, Explorer, Safari, Chrome, and Opera.

Now it’s targeted – we targeted the multimedia. We wanted to look for pictures in the user profile only. We didn’t want to include program data, program files, Windows. We didn’t want to include those at this time. We just targeted that. You can see it’s still waiting to run my keywords against some of the files. And then my hashset.

So you can see pretty quick – it goes, if I wanted to pause it because I saw something scan across or I was interested in looking at something really quick, you have an interview, or somebody asks you a question – you can go back and look. These are all our individual captures. I can go back and look there, I can go back and look at my picture gallery, or I can go back and resume.

At this point, just for time, I’m going to stop this scan. What I’ve done in my review scan results, I’ve done a complete scan prior to starting our webinar. I go in, here’s my summary page – kind of looks familiar, what I was showing you before. It shows you what I scanned, the name of it, this is the scan duration, it took me 15 minutes to run against that, collected 4600 files. And then all the information here that I showed you came in pretty quickly. And I ended up gathering 4500 pictures in the user profile. My keywords, my phone numbers.

So where I’m going to start – again, we have an investigator, he’s looking to see if you can further his case. It’s targeted, it’s quick. We’re not going to spend a lot of time on this. We’re going to get him what he wants. So here’s my… I can hide my detailed panes and look at my gallery. This is pictures collected from all different captures that we may have, whether it was a keyword search, a hash search, or my multimedia search. You can see here, there’s a little magnifying glass that shows that I had a match and a keyword or a hash value.

So I’m going to filter this out. I want to look at all my matches. Hit Apply. Now all my matches come up, and again, those are matches from keywords or hash values. And I could further filter that to the capture. I want to say I don’t want to look at the keywords that I ran, I want to look at the hashset, just for the hashset. So I can apply that, and there are my pictures.

So right away, I can tell the investigator, “Look, we got something.” So I can select all these, I can apply a tag, like bookmarking, and I can give them the hash, ‘Hash Match’. We’re going along good, we didn’t look for any videos, we have some keywords here. Again, it shows you the magnifying glass, we ran some Anti Forensic keywords in regular expression. You can see CCleaner here. There was a link for it, there’s the home page, there’s the download. Looks like he probably downloaded it, and there it is in program files. So this is pretty good information for the investigator, we can check all those and we can tag this information. Anti Forensic. Select those, you can see they are all now tagged.

I can look a little farther, Tor browser, looks like there were a couple of searches. Truecrypt, again, some searches, went to the website, looked it up on… free encyclopedia there, Wikipedia. For the people, by the people.

VeraCrypt – you can see VeraCrypt here. Right away, we have our pre-fetch, we have the link file. You can see that he went to the website, we can see the system files, we can see the user guide. So it’s pretty evident here that he was using VeraCrypt, probably a good reason to tag these. Again, I could just select all those, select the tag for Anti Forensics, and they’re all tagged with that tag level too.

Here was a phone number. It was a European phone number. I did a regular expression search for that. You can see I had seven hits for it. The number is in bold here. I could bring up my Details pane from the bottom. I can preview where that file is. And it opens it up and shows me that was in an email. Tells me exactly where it came from. Gives me the capture name I ran it under. So what I can do again is select all those, make another tag level here…

You can set these tag levels ahead of time if you have certain things that you run all the time – your internet history, your operating system. You could have that all preset, you don’t have to change these every time. I’m just going along to show you, because sometimes every case is a little bit different, and you want to have your tag levels different. But you do have that option.

So we’ll get out of that. We have a timeline. This is a great, powerful tool here. What this does is it gathers all the artefacts – so your operating system, your browser history, your connection logs, your USB devices being inserted, their history, and all your files, all the dates from your pictures or from your documents – and it puts together all in one timeline, and really lets you look at what happened on this computer in real time. Also allows you to filter by activity – so when I want a timeline with the applications, when they were last used… I don’t have USB history on here, but if that was there, I can click that. The browser histories, the URLs, and I could really customize the timeline to see what was going on, really pinpoint who was doing what. You can do it with calls, principal or recipient, that would be incoming/outgoing, location. Really a powerful tool. And I can also filter it by the matches again. I’m looking for those keyword matches or hash matches. I could put that just in my timeline and look at what I have.

There’s our summary page again. And then down here, here’s all our individual captures. That probably looks a little familiar from before. So what we want to do right away – I see my operating system information. I want to go in there, there’s Windows 10, I know what I’m looking at, the installation date. I can tag that, put that under level four, call that OS Info. Along with that, I can go into the user data, look at the user accounts. Here’s the accounts. I can see, well, there’s Jonny Ghosh, and there’s another Jonny. And I can see here the internet user ID for Jonny Ghosh. So he’s logging in with a Microsoft Live account. There’s probably a cloud account, a OneDrive. A little more information for that, for your investigator to have – say, “Hey, here you go. Here’s an email address for you to check out.” Maybe some more search warrants, a little more work for them, but if we want a complete case, that’s what we’re going to do. We could just take that and put that right in the operating system info.

Alright, we have our connection logs up here, so I can give them that if I want to. The user logins. There’s 281 logins here, I might not know the exact dates and times that he’s looking for, so I’m going to leave that for our investigator. I’ll show you how you can do that. I’ve tagged… I can go back and look at that phone number again. It brings up just the phone number. We’ve already tagged those. Browser information – I go and pick my browser information, it shows you everything there again. It’s filterable, I can go in and look at whether it was a typed URL. Say yes, and here’s all the URLs that were typed. I can turn that filter off if I want, and just look for the matches again, for the keywords. All those matches come up in the browser history. So a lot of good things that we can look for.

Email – we have the email messages here, so it’s parsing the PST, the OST, Windows 10 Live Mail, and if it’s on the machine, and Apple mail if we’re scanning a Mac. We do have the ability to scan Macs, not live, but boot. So this email, again, I can select all this, and I can tag this for the investigator. Shows you the timeline…

So as you can see, we went through, collected all this information, just with some bare bones information from the investigator, I was able to give him the information. It looks like I think he has a solid case he can move on with. But again, there’s some things that he may want to look at, such as the user logins. I ran some keywords under Gucci – you can see there’s 383 hits on that. With keywords, we can target our keyword searches to just file and folder names, we could look at the metadata and the data within the file, or we can run it against artefact captures that we’ve captured. So if I’m running a keyword search, I could say run that against all the browsing history that I’ve already collected, or run it against the USB history that I’ve already collected, or I could do it against all of that. And we can specify exactly what type of files we want to run those keywords against so we don’t have to run it against everything.

What I wanted to show you here is the report. We have an HTML report we can put out, you get pretty granular on it. It’s pretty simple to figure out. It looks confusing here, but… here’s my tag level one. Anything that’s tagged here, I’ll want included in any of these captures that I ran. I could capture all records or I could pick and choose what records I want. I can include the summary page, I can include anything that doesn’t have a tag, I can include the original files and export those along with the report, and I could also change it to a list layout instead of the columns that we have.

One of the other types of reports is CSV if you wanted to maybe import that into something else. And then the standalone viewer – here’s the collaboration tool. I really love this viewer. It’s pretty simple. What it’s going to do is take the whole scan that we just did, everything, beginning to end, just like we were going through it. It’s going to put it in a viewer that you can share with your investigator or, let’s say, with a prosecutor, so they can go through it as well. And it didn’t take that long to go out. I’ll go here, open up that file, here it says ‘ADF Viewer’. Scan results are in that file there. And it’s going to open up just like we were looking at it within the software. So you’ll see that this looks really familiar. Left this in the Create Report, just where I was when we exported it. And now it gives me the option, I can create an HTML or CSV report, or I can go back into any of the places [unclear], the filters are still in place, the tags are still in place.

As the investigator I could say, “Okay, I want to go through my Gucci keywords,” and I can start looking through my keywords, tagging what’s relevant. I can go through my replica keywords tagging what’s relevant. And then once I’m done with that I can create a report. I don’t have to go back to the examiner and say, “Hey, listen, can you do this for me?” Now it’s all in my hands as the investigator. I think that’s a pretty powerful tool.

One of the other things with this tool also – we all archive cases. I suggest archiving the scan results that were collected and that are saved. But also, exporting a standalone viewer to go next to it doesn’t require a license. If you’re asked to pull this out three years from now, you can pull it out, open it up just like it was the day you put the case away, show all your tags, show all your filters, show exactly where you were, and create a report again at that time if you needed to. Don’t have to worry about backward compatibility, don’t have to worry about the license not being renewed or, “Oh, geez, I don’t have that installed right now.” You just open it back up, no license required.

So moving along, [for time], what I want to show you now is preparing a collection key. So the next day you have a search warrant, and you have to go out on scene, you want to make some decisions on scene, it’s an indecent picture of children case. So what we’re going to do is prepare a collection key to take on scene. You can see here my search profiles, and here it’s waiting for me to connect my collection key. I’ve put in my drive, I have a Corsair SSD USB device. I’m going to put in my custom cybertip – I have a cybertip, I’m looking for certain pictures that were given to us. We all get those. Again, point it at the file, it imports the pictures, hashes them for you, and we can search for those files out on scene.

So I’m going to put that up, but what I can also do is add another profile or all profiles. Let’s say I go out on scene and I find that computer that had the cybertip pictures on it and had the other information, but I might want to do a little more comprehensive exam. So I’m going to put the intermediate profile on for some other computers, and I’m going to start preparing my key. What that does now is it takes my collection key, my USB device, and it makes it bootable. It will boot BIOS [UEFEE, Secure UEFEE], and Mac EFI 2.0, which is about 2010 further. So from a power off position, no problem booting all those computers to closed architectures, or we’re going to be able to run a live scan, which is what I’m going to do with this.

We can BitLocker this key. Again, I can set this profile so when I put it on to the key it BitLockers it. It’ll ask you for a password, and as you all know, if you do that and you forget the password, we lose everything. So you just got to remember what password you’re using. But it really does save you if somebody puts it down or if somebody drops it or it falls out of a pocket. We’re all pretty intense and good at our jobs, but every now and then stuff happens. It automatically unplugs the drive for you, you pull it out, and that is ready for you to go on scene the next morning.

I’m going to close these out. We’re going to go on scene. For dramatic effect, there we go. Here we are on scene. This is my bad guy’s computer. I’m going to take that collection key that I prepared and I am going to plug that into the live machine. I’m not going to boot, it’s a little difficult to show you that on one of these types of demonstrations.

So what I did was I plugged in my key. I look here, there it is. There’s my collection key, CKY. And it’s going to ask me to start. As I said before, the only changes being made to this machine are what a Windows machine will make when you insert a USB device, and also, when you execute a program. After that, there’s no changes made. We do not make any changes to the system, and all dates and times and metadata is all preserved during the collection. Here’s my target devices, this is everything connected to the machine. If there was a thumb drive attached, if there was an external drive, you would be able to see that here.

I am going to choose the ChildX partition, I am going to run my custom cybertips scan, which is looking for some hash values and some images based on indecent pictures of children keywords. I’m going to name it ‘Custom Child’. I’m going to start my scan. And again, just like it was back in the lab, this is out in the scene, right away, you can see those matches going across the top. You can see the keywords, I have some matches on the “loli”, I have some matches on “Lolita”, I have matches on ages, I have matches on some pictures. You can see down here, where it’s working it’s now collecting the videos in the user profile. I’m going to show you that. That is awesome, how this displays it to you, because you’re on scene. You don’t have the ability to play these videos out on scene, especially on a suspect computer, but you do have an ability to see what is in there.

These usually run pretty quick, but you can see here what’s going on. Again, I can pause it on scene, if you wanted to go back and look at your images and see what you had. But for time, what I’m going to do is stop the scan. I’m going to show you really quick here… this is the one I just ran. I’m going to go to the summary page really quick, show you that I interrupted it after 40 seconds. It had already collected 222 files. And this is what it collected. If I had to stop and run out the door for some reason, everything that I collected up to this point is on that collection key. You didn’t lose anything, and you’d be able to review it at another time, granted that you ran out the door with the key in your hand.

Again, I ran it complete earlier. What I’m going to show you is the complete scan. It only took two minutes and ten seconds to run, it collected 255 files, it did collect the files in my hashset as well as all the other files that we typically look for. So we’re on scene, we’re looking to make a decision. Here’s the pictures, I’ve already got it filtered here for you. I filtered it by capture and match, I can undo those. I’ll just show you really quick how easy that is. I want to look at all my matches, and I want to do the hashset. And I can see right there – there’s my five pictures, I got a pretty good idea of what this guy’s doing. I could remove that filter and then say now I want to look at the ‘indecent picture of children’ keywords. We ran it against the pictures and the folders and filenames in the user profile. I can apply that, and you can see I have some other pictures as well.

Here’s the videos. Love this tool. Again, I’m going to bring up my details. This is the pane where you see everything about the file, where it was saved, filename, dates, times, you can look at your metadata, and you can look at your frames.

So we’ve collected about 26 videos I believe on here. I can start out at the top, I can look at the frames – first frame, last frame, and 48 frames from in between. So I’m getting a pretty good idea of what is in this video. I can grab some more real estate so I can see them all. And then all I have to do is arrow down through each video, and I get to see right on scene what’s in each one of these videos, not having to worry about the codecs back at the lab or on your machine. If it’s there, it pulls the frames, and you’re able to look at it one by one and make a decision. So if these were all child exploitation videos, we’ve got a pretty good idea of who we’re taking away with us, as well as the computers.

Keywords, again, it shows you all the information on the files here, the matches, the keyword match symbol, the ages. These were all regular expression searches for those terms that are used in these types of investigations. I can look up “Lolita” if there’s [a text doc given here], I can take a look at the properties of that, and then I can preview it. I can un-dock this in an internal viewer, not anything on the suspect machine, and I can look at it, it’s usernames and passwords, great information. You can see it was quick, it was targeted, we went after the low-hanging fruit and we were able to really scan this and get what we wanted in under five minutes.

We’d be able to take this back. We can tag, we can filter, we can do whatever we want. We bring it back to the lab, we can put this into your lab computer, it’ll automatically back up for you, and then you’d be able to make that report ready for the prosecutor, your investigator, right there, that day, and you’re ready to go.

So with that, I’m going to turn it back over to Michelle for a minute, while we prepare for the end of the presentation and question/answers.

Michelle: Thank you, Rich. So we have one more poll question before we get started, and just another reminder – if you have any questions for Rich to answer, feel free to put them in the Q&A pod. How many different tools do you use in your investigations? 1-5, 6-10, or 10 or more?

[silence]

Michelle: Great. It looks like a majority of us use 1-5 tools in our investigations. So we’ll turn it over to Rich for the very end of our presentation.

Rich: Alright, thank you. Yeah, that’s a pretty typical toolkit. Some of them may have a little more, some of you may not have counted the free ones that you have. We’re always using those, those ones to help with the budget, and sometimes you don’t even think that you have them. But yeah, that’s awesome.

So what we do is we went through our workflow, we scanned the suspect device. As I said, we acquired it, quickly identified, collected the files and the artefacts, stuff that we want in every case. It’s targeted, we can make that as comprehensive as we want, and take as long as we want. We can do intermediate scans that’ll be a little quicker for you in the lab, maybe take a half hour, hour, and then you can do your quick ones that take minutes to maybe 15 minutes, and you have your information. Those are great for out on scene. You can analyze with that, I showed you how easy it is. It’s just a matter of getting used to where things are. But it’s quick to tag, to filter, to sort, to timeline, and really put the screws to the person that you’re looking at by going through their information quickly and getting the information that you wanted. And then easily, quickly, generate that report. The HTML reports, as I said, if we could just export that, pretty much looks like what we were looking at in the machine. And then you have the standalone viewer, which I think is a great tool for collaboration.

It’s automated, it’s fast, it’s easy to use, doesn’t require a lot of training, there’s not a big learning curve to it. Creating these search profiles and file captures is very simple. We can find these files… if you’re looking for images, you can do it quick by looking for just file extension, or you can make it a little slower by looking for file header and file extension. It’s a lower cost than some of the other deep dive tools that you may be using. In that Property pane that I showed you, there are ways to validate where this information comes from. So if you do need to look at this later and say, “Where did you find this?” you can say exactly where it was, and if a deep dive needs to be done on a bigger tool, you’re able to do that. It addresses the forensic workflow, comprehensive reporting, hashsets – I told you I ran a couple of hashes, they were small. We’ve tested this to over 30 million. We have a tool we can import, the Project VIC and CAID hashsets. Like I said, we tested it to over 30 million. Everybody has their own custom hashsets that they want to import into every case. We can do that, no problem. You can import as many sets as you want on that timeline that’s there. Highly configurable, you could make this look for and collect just about anything you want, and really tune it into your evidence and your keywords, and just collect the stuff that you need.

We have three different tools – I showed you Digital Evidence Investigator up top, and that lets you customize, that lets you take things out into the field, it lets you create and customize as granular as you want. Triage Investigator just comes with the seven default profiles on it. You cannot customize with that tool. However, you may be able to collaborate with somebody who has Digital Evidence Investigator. And then there’s Triage-G2, which is geared more towards military, and has just a few other functions in it specifically for…

So with that, for sitting through, listening to my dulcet tones of my voice today, you’re going to be able to get a 90-day full license. It comes with a 16 GB USB collection drive, a boot CD. It is not in place of the USB, it’s actually a boot manager for those older machines. Should you not be able to boot directly to USB, that’ll get you to it. It’ll come with a quick start guide, and also, along with this, you get the full support and service of the ADF team. On the forensic team we have well over 60 years of experience sitting here, we’ll help you with just about anything you need – setting up, getting used to it, creating profiles. And if that 16 GB USB drive isn’t big enough, you really want to go out in the field and test something, we’ll get you around that limitation as well. We don’t want frustrated users. We want you to be informed, and know how to do it, and really give it a good workout.

So with that, we can go into some questions and answers. Hopefully answers.

So how many hashes can you import? We’ve tested to over 30 million. No hiccups, no choking, no issues with that.

Can we use it on images that we’ve already ripped from a different computer or drive? Absolutely. If you have some images of a previous case, E01 or DD, we can import those. It’s one of the things I did on the first case. So you can absolutely run it against that.

How long do scans typically take? The quick ones, within minutes, up to 15; your intermediate, probably 15 up to maybe an hour, maybe a little more than an hour, maybe two, depending on the computer, what kind of information you’re looking for, what you’re trying to grab; and your comprehensive is really going to go for a lot of stuff, really going to grab everything to let you go through it, and those you’re going to let run for a few hours. So those, comprehensive, aren’t going to be taken out on to scene. You’re going to more want the quick, or you’re going to want to create something that’s quick for on-scene, that’s really going to go for that low-hanging fruit.

And then can this tool be used in the lab with the write blocker? Absolutely, all write blockers have been fine. No issues, and that’s expected… we have our policies and procedures that we have to follow. So yeah, write blockers are not an issue.

And that looks like that’s about it for the questions. I want to thank everybody for listening to me. Hopefully you got something out of it. Like I said…

We got another one. What is the advantage of this tool compared to other conventional tools like EnCase? You’re not having the overload. This tool is designed for quick, targeted, and relevant searches. It’s just going to collect that information. You’re going to be able to go in and do that without having to make [an E01] image first. You can boot the machine and collect from a boot. So you have that image in there, you’ll be able to do that.

Does the software detect cloud-based accounts? We do have over 70 different captures in there by default that you can turn on or off. One of them is for detecting cloud-based – like I ran the [ANR] Forensics. There’s cloud-based… so you’ll be able to see if some of those clients are on there. There’s one that looks… there’s also a bitcoin capture that’s looking for those types of artefacts.

And here’s another question. Sorry, so late to the game, but can you capture over a large network? We do not support network captures at this time. It’s what’s attached to your computer or your [E01] or your DD files.

So I hope I answered everybody’s questions. Again, I want to thank everybody for tuning in and listening, and hopefully we got something out of this. And I hope to hear from you soon, so we can help you out and get you started.

Michelle: Thank you, Rich. And thank you, everyone, for attending today’s webinar, ‘Streamlining Your Digital Investigations’. If you do have any other questions, please contact the ADF team at info@adfsolutions.com. A member of the team will also be contact –

End of Transcript