
In the second part of our discussion about the benefits of government contracts to digital forensic investigation, Forensic Magazine talks to Jonathan Grier, principal of Grier Forensics. Grier's sifting technology speeds the investigation of computer hard drives by pinpointing usable data — the data important to a case. In Part 1 of our discussion, with Martin Novak, we found out how Grier Forensics was awarded the contract from the NIH. In this part, we find out from Jonathan Grier how the technology works. In the next part, Grier tells us about his experiences with government agencies.

Overwhelming amounts of data
The end of digital forensics has been greatly exaggerated. Whether it's BitLocker encryption, solid state drives or cloud computing, none has brought about the demise of digital data retrieval yet. And if Jonathan Grier has a say, neither will the overwhelming amounts of data found on today's hard drives.

"With hard disks becoming so large, so cheap and so numerous, the amount of data officers have to collect, or any forensic investigator has to collect, is overwhelming. It's called the volume challenge," said Grier. "People throughout the field say this is the largest problem."

If it takes 15 hours to prepare evidence from a single hard drive, imagine how much time would be spent examining the PCs and servers from a major breach like the one at Sony, or Anthem.

The sheer volume of data to be examined is cost-prohibitive, but for law enforcement it is also a matter of time. An examination may be needed to prevent a crime, or to respond to one in progress, such as a child abduction, when every moment counts.

And this is where Grier's technology comes in.

"Although a hard drive is very big, not all parts of it are relevant to a case," Grier said. With large hard drives cheap and readily available, users have little reason to economize on space, and much of a drive is never written to at all. On most hard drives, more than 50 percent of the capacity has never been used, and that unused share grows as drives get larger and cheaper. Quickly identifying which regions have been used and which have not focuses an investigation on the former.

But what about the parts of a hard drive that are used? Grier explains that even among the used parts, not everything is valuable to an investigation. "Do I really need to see a copy of your operating system," Grier said, "or a collection of your YouTube videos?" An investigator needs to see the documents relevant to a case.

[Figure: Sifted image – data in hh.exe is sifted. Conventional image – data in hh.exe is present.] The hh.exe file is a Windows executable used to display HTML Help. Since it is of limited forensic relevance, the sifting collector rejected it. The collector was able to completely bypass the region of disk where it is stored, without impeding the collection and analysis of the relevant evidence.

So Grier's sifting technology also brings greater focus to an investigation by identifying which of the used parts of a hard drive matter. It divides the disk into regions, collects those likely to hold relevant evidence, and bypasses the rest, as it did with hh.exe. From that point on, the collected data is handled just as it would be with conventional methods.

"It will fit right into the ecosystem that forensic examiners use," Grier said. It doesn't require throwing away traditional tools and starting from scratch. The technology preserves the digital forensic methods and tools that have been built up over time.
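To make the region classification and the "fits the existing ecosystem" point concrete, here is a toy sifting collector. It is an added illustration, not Grier Forensics' code: it labels every sector from filesystem metadata before reading any data, copies only the regions it decides to collect, and writes a full-size image so that conventional tools can open it like any other image. The file table, the "ever written" bitmap and the skip rules (a path list and a media extension list) are constructed assumptions, as is the sample disk.

```python
"""Toy sifting collector (added example, not Grier Forensics' code).

Reads only the disk regions a metadata-driven policy deems relevant and
writes a conventional-size image in which bypassed regions are zero-filled.
The file table, 'ever written' bitmap and skip rules are assumptions.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SECTOR = 512


@dataclass(frozen=True)
class Extent:
    path: str
    start: int  # first sector of the file
    count: int  # number of sectors allocated to it


@dataclass
class Metadata:
    """What the collector learns from filesystem structures before reading data."""
    total_sectors: int
    files: List[Extent]
    ever_written: Set[int]  # sectors the filesystem has ever allocated (toy assumption)


# Policy (assumption): reject by path, not by content, so the region is never read.
IRRELEVANT_PATHS = {"Windows/hh.exe"}
IRRELEVANT_EXT = {".mp4", ".webm"}


def build_constructed_disk() -> Tuple[bytearray, Metadata]:
    """Constructed 64-sector disk: an OS helper, a document, a video, a deleted note."""
    disk = bytearray(64 * SECTOR)  # never-written sectors read back as zeros
    files = [
        Extent("Windows/hh.exe", 2, 4),
        Extent("Users/alice/contract.docx", 8, 3),
        Extent("Users/alice/videos/cat.mp4", 12, 10),
    ]
    payload = {
        "Windows/hh.exe": b"MZ" + b"\x90" * 100,
        "Users/alice/contract.docx": b"PK\x03\x04 contract with offshore account",
        "Users/alice/videos/cat.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\xab" * 2000,
    }
    ever_written: Set[int] = set()
    for f in files:
        data = payload[f.path]
        disk[f.start * SECTOR:f.start * SECTOR + len(data)] = data
        ever_written.update(range(f.start, f.start + f.count))
    # A deleted file: unallocated now, but its sector was once written and still
    # carries data. "Used" means ever written, so the collector must keep it.
    deleted = b"deleted note: meet at pier 9"
    disk[30 * SECTOR:30 * SECTOR + len(deleted)] = deleted
    ever_written.add(30)
    return disk, Metadata(64, files, ever_written)


def classify(meta: Metadata) -> Dict[int, str]:
    """Label every sector from metadata alone: 'unused', 'irrelevant' or 'collect'."""
    labels = {s: ("collect" if s in meta.ever_written else "unused")
              for s in range(meta.total_sectors)}
    for f in meta.files:
        ext = os.path.splitext(f.path)[1].lower()
        if f.path in IRRELEVANT_PATHS or ext in IRRELEVANT_EXT:
            for s in range(f.start, f.start + f.count):
                labels[s] = "irrelevant"
    return labels


def sift(disk: bytearray, meta: Metadata) -> Tuple[bytearray, int, List[Tuple[int, int, str]]]:
    """Return (image, sectors_read, bypassed_runs). The image has the disk's full size."""
    labels = classify(meta)
    image = bytearray(len(disk))  # same layout as a conventional image; gaps stay zero
    sectors_read = 0
    bypassed: List[Tuple[int, int, str]] = []
    start = 0
    for s in range(1, meta.total_sectors + 1):  # walk runs of equal label
        if s == meta.total_sectors or labels[s] != labels[start]:
            if labels[start] == "collect":
                lo, hi = start * SECTOR, s * SECTOR
                image[lo:hi] = disk[lo:hi]  # the only reads the collector performs
                sectors_read += s - start
            else:
                bypassed.append((start, s - 1, labels[start]))
            start = s
    return image, sectors_read, bypassed


def extract(image: bytes, f: Extent) -> bytes:
    """Pull a file's allocated bytes out of an image exactly as a conventional tool would."""
    return bytes(image[f.start * SECTOR:(f.start + f.count) * SECTOR])


if __name__ == "__main__":
    disk, meta = build_constructed_disk()
    image, read, bypassed = sift(disk, meta)
    print(f"read {read} of {meta.total_sectors} sectors; image size {len(image)} bytes")
    for lo, hi, why in bypassed:
        print(f"  bypassed sectors {lo}-{hi}: {why}")
```

Two practitioner notes. First, the speed-up comes from never reading the rejected region, which is also the loss mechanism: data hidden in a file renamed to hh.exe, or a container with a video extension that holds something else, is bypassed unread, which is why a more aggressive policy recovers less of the evidence. Second, keep the bypassed-run list with the image, so an examiner can tell a region that was skipped apart from one that was genuinely empty.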

In lab trials, the sifting technology cut imaging time by a factor of 3x to 13x while still capturing 95 to 100 percent of the evidence in a case, depending on how aggressively it sifts, according to Grier.

"The goal now is to mature the technology," Grier said, "so that it's not just used by lab and trial partners but eventually gets into the hands of law enforcement and private practitioners. And I hope it will eventually become a standard."


The discussion with Jonathan Grier continues. Grier talks about how his idea entered the realm of possibility. 

Jonathan Grier is principal of Grier Forensics.
