
2010 by Evidence Talks Inc.

All rights reserved

SPEKTOR

Forensic Intelligence

Forensic Triage Review Guide



January 2010
Andrew Sheldon MSc.
SPEKTOR

Technology Review Guide August 2009



2010 Evidence Talks Ltd. All rights reserved.
Contents
1.0 EXECUTIVE SUMMARY
2.0 THE FOUR BIG ISSUES FACING DIGITAL FORENSICS
3.0 COMMONLY USED STRATEGIES
4.0 SUMMARY OF CURRENT ISSUES
1.0 Executive Summary
Over the next few years, the way forensic incident response is performed will have to
change significantly. The science of digital forensics is, and should be, continually evolving
to take account of advances in the wider IT environment.
Over the last few years, there have been many changes in response methodology. Take,
for example, the introduction of techniques for the preservation of volatile memory, the
acceptance in criminal prosecutions of logical evidence files rather than complete disk
images or the introduction of corporate email caching systems to allow rapid and
acceptable disclosure.
Within the digital forensic community, change is inevitable and probably our biggest issue,
but it can also be one of our greatest assets as long as it is managed and controlled.
So, in order to address the demands of the future role of forensic response, it is essential
that we identify:
what our limiting factors are
what stops us from delivering results
what can and cannot be changed
how we maintain accuracy, reliability and legal and scientific acceptability.
In all cases, speed of appropriate response is of the essence, but achieving that is not
easy. Appropriate forensic skills may not be available at the scene, or even close to the
scene, and seizing every item that could contain evidence for future forensic analysis has,
for some time, been the cause of severe examination backlogs in forensic labs and of
unavoidable, constant task re-prioritisation, which in turn results in unacceptable delays in
the legal process.
This paper examines the accepted methodologies and practices used by forensic analysts
when responding to an incident and considers the need to perform a forensically
acceptable and evidentially sound triage review of computers and other digital media
devices with the aim of:
Quickly identifying those devices that are likely to contain material of interest
Avoiding unnecessary seizures of items with no evidential or intelligence value
Reducing delays in processing critical evidential items
Reducing the time from arrest to sentence
Improving the efficiency and effectiveness of forensic analysts
Reducing the costs of forensic analysis
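To make the aims above concrete, the following is an added illustration of what a forensically acceptable triage preview has to do at the scene. It is example code written for this review, not SPEKTOR's software and not a method the paper itself describes. It walks a mounted volume read-only, hashes every file, matches the hashes against a set of known-interest items, counts keyword hits in small text files, and writes an audit log of every file it touched so that the preview itself can be accounted for later. The known-hash set, the keyword list and the sample "volume" it builds in a temporary directory are all constructed for the example; the SEIZE / REVIEW / EXCLUDE thresholds are an assumption, not a published policy.

```python
"""Minimal read-only triage pass over a mounted volume (illustration only).

Hashes every file, matches against a constructed set of known-interest
hashes, counts keyword hits in small text files, and records every file
read in an audit log. Sample volume, hashes and keywords are constructed
for this example; they are not SPEKTOR data.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_TEXT_BYTES = 1 << 20  # only keyword-scan files up to 1 MiB

# Constructed example data (assumptions for this illustration).
SAMPLE_KNOWN_CONTENT = b"constructed known-interest file contents"
SAMPLE_KNOWN_HASHES = {hashlib.sha256(SAMPLE_KNOWN_CONTENT).hexdigest()}
SAMPLE_KEYWORDS = ("offshore", "invoice")


@dataclass
class TriageResult:
    device: str
    files_seen: int = 0
    hash_hits: list = field(default_factory=list)      # relative paths
    keyword_hits: list = field(default_factory=list)   # (relative path, keyword)
    audit_log: list = field(default_factory=list)      # one line per action

    @property
    def score(self) -> int:
        # A known-hash match is a strong indicator; a keyword hit is a weak one.
        return 10 * len(self.hash_hits) + len(self.keyword_hits)

    def recommendation(self) -> str:
        # Assumed thresholds: any hash hit -> seize; keyword hits only -> review.
        if self.hash_hits:
            return "SEIZE"
        if self.keyword_hits:
            return "REVIEW"
        return "EXCLUDE"


def sha256_file(path: str) -> str:
    """Stream-hash a file; the volume is only ever opened for reading."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_volume(device: str, root: str, known_hashes: set, keywords: tuple) -> TriageResult:
    """Walk `root` read-only and score it; every file read is logged."""
    res = TriageResult(device=device)
    res.audit_log.append(f"{datetime.now(timezone.utc).isoformat()} START {device} {root}")
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = sha256_file(path)
            size = os.path.getsize(path)
            res.files_seen += 1
            res.audit_log.append(f"READ {rel} size={size} sha256={digest}")
            if digest in known_hashes:
                res.hash_hits.append(rel)
            if size <= MAX_TEXT_BYTES:
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", errors="ignore").lower()
                for kw in keywords:
                    if kw in text:
                        res.keyword_hits.append((rel, kw))
    res.audit_log.append(f"{datetime.now(timezone.utc).isoformat()} END {device} files={res.files_seen}")
    return res


def build_sample_volume() -> str:
    """Create a constructed sample 'volume' in a temporary directory."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", "homework.txt"), "w") as f:
        f.write("History essay: causes of the first world war\n")
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as f:
        f.write("transfer the invoice payment to the offshore account\n")
    with open(os.path.join(root, "known.bin"), "wb") as f:
        f.write(SAMPLE_KNOWN_CONTENT)
    return root


if __name__ == "__main__":
    volume = build_sample_volume()
    result = triage_volume("exhibit-01", volume, SAMPLE_KNOWN_HASHES, SAMPLE_KEYWORDS)
    print(result.recommendation(), "score", result.score, "files", result.files_seen)
    for line in result.audit_log:
        print(line)
```

The point of the audit log is that a triage decision taken at the scene can later be reconstructed: which files were read, in what order, and what their hashes were. The "homework" machine from a grab-everything seizure would score zero here and be excluded on site rather than joining the laboratory queue.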
2.0 The FOUR BIG ISSUES facing digital forensics
2.1 Issue ONE is the number of crime scenes
It has often been said that a computer can be thought of as a digital crime scene.
Like a bedroom containing a murder victim, it is an environment of multiple objects and
information, some of which may be of evidential value and, like a physical crime scene,
some things are obvious and some are not. The trouble is that the number of potential
crime scenes is increasing every year:
In 1986, about 25 million computers were sold. The latest figures indicate that over 300 million
computers will be sold in 2009. The effect of these annual sales is cumulative, and the figures
do not include external digital storage devices.
This means that almost every serious crime and every legal dispute will involve some form
of digital footprint that should be examined. And if it doesn't now, it will in the future,
because the number of digital items requiring examination can only increase.
2.2 Issue TWO is the SIZE of the crime scene.
If we keep to the analogy of a bedroom containing a dead body and assume that, in
1986, the typical crime scene was a room of 10 square units, then by 2001 the room would
have grown to 100 square units, with a corresponding increase in the amount of furnishings,
ornaments and detritus. On the same scale, today each potential crime scene is the size of
a large hotel.
In 1986, typical hard disks were around 10 MB in size. Today, even modest laptops ship
with 100 GB and most desktops are fitted with 320 GB drives as standard.
And let's not forget external storage, with 2 TB capacities available on the high street at very
reasonable cost. So, not only are there more potential crime scenes, each one is now
much larger than we could previously have imagined.
With such a big increase in the number of potential crime scenes and the size of each
one, it is no surprise that the volume of data of potential interest is increasing too.
2.3 Issue THREE is the shortage of forensic analysts
Although we continue to invest in growing digital forensic capabilities, it is increasingly
unlikely that there will ever be sufficient skilled staff to satisfactorily address the growing
demand for their services.
Over the last few years, various strategies have been tried to achieve a workable solution
to this conundrum:
OUTSOURCING: Overloaded forensic labs frequently turn to outsourcing their
workload to trusted third parties in order to cope with increasing backlogs. This is a
viable but expensive short-term option which, ultimately, does not address the core
problem of capacity. It simply moves the processing task from one organisation with
insufficient staff to another that currently has spare capacity.

CASE PRIORITISATION: Another tactic is to constantly prioritise cases based on
various criteria. Unfortunately, this often means that cases not meeting high priority
scores are constantly shuffled to the end of the queue by new cases with higher
scores. Typically, in police laboratories, this means that examinations of systems
involved in economic crimes are often pushed back, justifiably, by crimes that
involve a threat to life or crimes against children.

CAUTIOUS SEIZURES: Another favoured tactic is to reduce the forensic laboratory
caseload by adopting seizure policies that impose severe criteria on the seizure of
systems. This tactic simply ignores the possibility that evidence might exist on
systems that are not directly involved in an offence. It is similar to the strategy of
disbanding the drug squad on the basis that no drug squad means no drug
problem.







When evaluating why there can never be sufficient forensic analysts, it is worth noting
what it takes to make a forensic analyst:
TRAINING: in, among other things, technology, tools, elements of law and legal
proceedings, evidence handling, laboratory procedures and security, paperwork,
presenting evidence etc.

EXPERIENCE: of data structures, and of how systems are used and abused.

PRACTICE: in searching, identifying and carving relevant data and in
experimentation to prove or disprove a theory

EQUIPMENT: selection and deployment of the right tools for the job and knowing
when and how to question their results

SKILL: in using the above tools and in identifying what they are NOT reporting

UNDERSTANDING: when the limits of expertise have been reached and when to
call on others to help.


[Figure: number of forensic analysts versus number of crime scenes over time. Both increase over time but can never become equal.]

2.4 Issue FOUR is the unknown
It does not matter how experienced an analyst is, how well equipped they are or how well
informed they are: unless the job is laboratory based, they will encounter:
UNKNOWN ENVIRONMENTS: whether attending a raid, visiting a crime scene or
collecting data for a corporate disclosure task, prior knowledge of the scene is usually not
detailed enough to plan for every eventuality. Therefore, analysts usually take a wide
variety of equipment with them OR resort to seizing everything. The latter tactic may not
always be an option, especially in business premises, where it may be seen, at best, as
overkill and may result in allegations of malicious action.
UNKNOWN TARGETS: Often there is little pre-knowledge about the number, type
or location of digital media when entering premises without prior intelligence.

UNKNOWN LOCATIONS: Exhibit collection may start at one location but, during
the course of events, may move to other locations quickly to gain access to relevant
data.
Each of these unknowns can catch even the most experienced analyst off balance and
force them to think on their feet to find solutions to technical issues that confront them.
Sometimes, there is just so much data, it is difficult to know where to start or end.
Technology can be used to make certain aspects of these tasks easier, but due diligence
dictates that the processes must be effective AND accurate.
In the laboratory we have the luxury of:
Faster and multiple processing capabilities
Greater, more flexible storage
A clean, organised environment
Scalable assistance
And, once the storage devices containing potential evidence are in the lab, we have time,
because we control the process, largely free from the onsite pressures and influences of
others (i.e. angry citizens, the other side's lawyers, business interruption risks and
business-as-usual requirements, etc.).
So, given that it is possible to get the potential evidence to a laboratory with suitably
qualified and skilled staff, there is at least a chance to spend time analysing it.
However, getting the right exhibits to the laboratory, without flooding it with unnecessary
media in the first place, is one of the biggest future problems facing digital forensics.
3.0 Commonly used strategies
The most commonly used strategies to collect data of potential evidential interest fall into
the following categories:
3.1 Use staff with limited forensic training and seize everything
This strategy can be the most effective when faced with a simple crime scene comprising
a small number of digital devices, perhaps a mobile phone and a single computer.
However, it is often the case that those attending are faced with multiple devices and
storage media, in which case this strategy often results in:

LABORATORY BACKLOGS: Every item brought into the lab has to be examined, even
if it is just so that it can be excluded from an investigation. Naturally, in serious cases, this
is the most appropriate course of action but, for the vast majority of cases, it leads to
items of no relevance being passed for forensic examination, which extends the case
processing time and delays the eventual result.

CONSTANT PRIORITISATION: Forensic laboratories are always busy but that does not
stop new work coming in and each new job has a different priority. Therefore, caseload is
constantly shuffled to suit the priorities dictated by policy. This is likely to be the biggest
factor at present leading to work being outsourced from the Police laboratories to
commercial forensic service providers.

UNNECESSARY COLLECTIONS: With a 'grab everything' approach it is often the case
that items of no evidential value are taken, such as the computer used for homework by
the child of a suspect or the computer used to perform the accounting functions of a small
business not associated with an incident. This can easily result in claims of malicious
action or business interruption and associated loss, and also results in unnecessary
pressure being put on the forensic laboratory to return the non-evidential items quickly.

RISK OF MISSING DATA: Faced with an overwhelming number of digital media items, it
may be impractical, or impossible, to collect them for analysis. In such circumstances,
those attending may be required to make critical decisions about which items to select.
Making such decisions in the absence of a scientific method for selection is both
unsatisfactory and dangerous in that items containing potential evidence may be
overlooked.

RISK OF DAMAGING EVIDENCE: Without appropriate tools and adequate training,
unskilled staff can potentially damage digital evidence during the process of collection
and/or acquisition. However, these risks can be mitigated to an acceptable level via
appropriate training in the use of suitable techniques, principles of evidence protection and
deployment processes.
3.2 Skilled experts: selective acquisition
A common strategy in both criminal and civil cases is to ensure that appropriately skilled
forensic staff are present during a collection exercise or visit to a crime scene.
Interestingly this, and the rise in civil litigation involving discovery, are probably the main
drivers behind the steep rise in the number of forensic analysts over the last five years.
In all cases involving serious crime or major incidents, this technique certainly has merit.
However, it also has a number of disadvantages:
It removes valuable core skills from the forensic laboratory, resulting in:
o Reduced caseload throughput and capacity to respond in the laboratory
o Delays to current caseload progress
It introduces the risk of business-as-usual interruption complaints because:
o Forensic analysts tend to seize items rather than image on site
o When they do image on site they often image everything rather than being
selective
o They may use forensic tools designed for lab work to perform previews.
However, these tools are not optimised for speed and can result in
prolonged times on site
Imaging on site already takes extended time and, with the continued growth in
disk capacities, these times can only continue to grow.
4.0 Summary of Current Issues
Given the above, it is clear that the following issues pose significant challenges and will
influence the future approach taken to the task of forensic investigation of digital media:
ISSUES
In the user community
Rapid growth in availability of digital storage media
Continual expansion in storage capacities
Increasing user IT awareness and skills
Increasing availability of network connectivity
Increasing dependence on electronic identities and transactions
Inevitable increase in systems requiring forensic examination

In the forensic community
Increasing imaging times
Inability to perform onsite imaging due to times/size
Consequential increase in analysis and examination times
Increasing data complexity requiring expert analysis rather than just data carving
Shortage of experts (i.e. those skilled enough to perform analysis rather than just data carving)
Increasing time to perform complex analysis

SUMMARY
The old adage 'If we keep doing what we're doing, we'll keep getting what we've got' is
particularly appropriate in this case.
It is obvious that the current strategies for addressing the need for forensic
examinations must change if we are to meet future capacity and analysis needs.