- Crime Lab
- Crime Scene
- Death Penalty
- Digital Forensic Insider
- Digital Forensics
- Evidence Collection
- Expert Forensic Voices
- Forensic Anthropology
- Forensic Psychology
- Impression Evidence
- Medical Examiner
- Mobile Forensics
- Police Procedure
- Sexual Assault Investigations
- Witness Testimony
A More Efficient Approach
Consider this scenario: Law enforcement is made aware that an individual is planning to shoot several people at a popular local nightclub. A tip leads investigators to the probability that the suspect used one or more computers over a period of time at the city’s central library to post information about his intent on social media sites. Arriving at the library, investigators are faced with the daunting task of having to examine 75 computers and several servers to determine if any of them contain probative data. Since it is totally unrealistic to seize the computers and servers, the only practical methodology is to use a robust triage tool to eliminate those that do not contain any relevant information. Consider further that five computers and two servers are identified as containing useful information. However it is spread among ten different hard drives with a combined 20 TBs of data. At this juncture, the computers can be imaged or seized; most likely the servers will be imaged on-site and left in place. (See Streamlining the Digital Forensic Workload: Part 2). To expedite the forensic analysis, examiners and investigators need to somehow collate, analyze, and understand the content of the relevant information such that the suspect can be identified and apprehended. How are they going to proceed?
Establish your company as a technology leader. For 50 years, the R&D 100 Awards, widely recognized as the “Oscars of Invention,” have showcased products of technological significance. Learn more.
Examining and Analyzing Large Data Sets
Depending upon the nature of investigations, timely forensic examinations normally can expedite the apprehension of suspects. Conversely, delayed results can lead to suspects remaining free for extended periods of time, thereby allowing them to potentially commit other crimes. However, providing meaningful information in a timely manner is becoming a daunting task. Most agencies are faced with continually increasing case backlogs, overworked examiners, and extremely long turn-around times. The traditional approach of examiners thoroughly analyzing all the digital media submitted (either by practice or policy) is inefficient, expensive, and is a contributing factor to those long turn-around-times and case backlogs. Faced with these difficult issues, examiners will have to modify their workflow to expedite their examinations.
The use of a triage tool can identify the most likely evidentiary data sources. Ideally, the relevant evidence should then be seamlessly exported and analyzed in-depth by another comprehensive forensic tool which can provide indexing and detailed analysis. Doing so will allow examiners and investigators to gather and cross-reference the data, determine its usefulness, and conduct joint investigations with other investigators. The tool should be capable of managing data from all types of cases (child exploitation, pornography, financial fraud, security intrusions, etc.) while not relying upon devices OS for data collection. Minimally it should incorporate the following functionalities:
- Flexible data extraction from multiple sources:
- Hard drives, smartphones, tablets, memory cards, etc.
- Current and legacy systems
- Mobile device file systems
- Single and multi-user e-mail databases including cloud and archived e-mail systems
- Access e-mail, servers, desktops, laptops, and offsite employee systems across a network
- All types/formats of forensic images and forensic containers
- Provide a history, full audit trail, and detailed access controls
- Handle large data sets
- Reduce/eliminate hardware and database redundancy
- Centralize the management of distributed services
- Index and search TBs of unstructured data on a daily basis
- Filter data based on keywords, hash values, and file system metadata properties
- Collate evidence into manageable data sets
- Allow for simultaneous examination of data by multiple examiners and/or investigators
- In-depth forensic capabilities
- Detailed analysis of common file systems
- Extract NTFS alternate data streams
- Recover data from deleted files and slack space; connect recovered data to similar content in allocated files
- View/index the Microsoft Registry
- Examine artifacts utilizing an internal hex-viewer
- Analyze communication patterns from mobile device images
- Identify inappropriate photos and videos using skin-tone analysis techniques
- Pre-collection analytics which enable search criteria to be tested before data collection commences
- View keyword searches in the context of surrounding words
- Provide a relevance ranking for the search results
- Capture and analyze Web, chat, and social media
- Automatically extract and cross reference intelligence data (names, IP addresses, SSNs, credit card numbers, etc.)
- Unpack and search embedded files several layers deep (i.e. a zip file containing a Word document which has an embedded Excel spreadsheet which has an embedded PowerPoint presentation)
- Identify/group similar data for further examinations
- Reconstruct and identify suspicious patterns in e-mails from multiple sources
- Interactive data visualizations for timelines, date/time trends, etc.
- Automate repetitive tasks for workflows, exporting relevant data, etc.
- Plot locations from embedded data in photos (GPS or IP address geo-positioning)
- Provide bookmarks and export reports
With continued increasing caseloads and backlogs, examiners need to streamline their approach to conducting examinations. One method would be to use a robust triage tool to examine all potential suspect devices. Basic analysis can be conducted either on-site or back in the laboratory. After reviewing the triage tool’s report (which includes keyword searches, USB device history, videos, MD5 hashes, etc.) the examiner and investigator should then be able to determine which other related devices need further examination. Triaging can eliminate devices not containing relevant information, provide almost immediate probative data for investigator use, and can dramatically reduce the number of devices needing in-depth analysis. If further examination is needed, the automated report(s) and image file(s) created by the triage tool then need to be seamlessly examined by another forensic tool which can rapidly process large amounts of data and extract relevant information. In-depth examination of the evidence with a forensic tool incorporating most, if not all, of the items previously indicated should enable the examiner and investigator to answer the “Who, What, When, and Where” questions relating to the investigation.
Note: Before purchasing any tool, examiners should thoroughly research those available and select the tool which provides the best functionality to meet their requirements.
John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. email@example.com