This paper examines the accepted methodologies and practices used by forensic analysts when responding to an incident. This paper considers the need to perform a forensically acceptable and evidentially sound triage "review" of the incident.
2010 Evidence Talks Ltd. All rights reserved.

Contents

1.0 Executive Summary ... 3
2.0 The Four Big Issues Facing Digital Forensics ... 4
3.0 Commonly Used Strategies ... 7
4.0 Summary of Current Issues ... 9
SPEKTOR
Technology Review Guide August 2009
1.0 Executive Summary

Over the next few years, the way Forensic Incident Response is performed will have to change significantly. The science of digital forensics is, and should be, continually evolving to take account of advances in the wider IT environment. Over the last few years there have been many changes in response methodology: take, for example, the introduction of techniques for the preservation of volatile memory, the acceptance in criminal prosecutions of logical evidence files rather than complete disk images, or the introduction of corporate email caching systems to allow rapid and acceptable disclosure.

Within the digital forensic community, change is inevitable and probably our biggest issue, but it can also be one of our greatest assets as long as it is managed and controlled. So, in order to address the demands of the future role of forensic response, it is essential that we identify:

- what our limiting factors are
- what stops us from delivering results
- what can and cannot be changed
- how we maintain accuracy, reliability, and legal and scientific acceptability.

In all cases, speed of appropriate response is of the essence, but achieving that is not easy. Appropriate forensic skills may not be available at the scene or even close to the scene, and seizing all items that could contain evidence for future forensic analysis has, for some time, been the cause of severe examination backlogs in forensic labs and of unavoidable, constant task prioritisation which, in turn, results in unacceptable delays in the legal process.
This paper examines the accepted methodologies and practices used by forensic analysts when responding to an incident and considers the need to perform a forensically acceptable and evidentially sound triage review of computers and other digital media devices with the aim of:

- quickly identifying those devices that are likely to contain material of interest
- avoiding unnecessary seizures of items with no evidential or intelligence value
- reducing delays in processing critical evidential items
- reducing the time from arrest to sentence
- improving the efficiency and effectiveness of forensic analysts
- reducing the costs of forensic analysis
2.0 The FOUR BIG ISSUES facing digital forensics

2.1 Issue ONE is the number of crime scenes

It's often been said that a computer can be analogous to a digital crime scene. Like a bedroom containing a murder victim, it is an environment of multiple objects and information, some of which may be of evidential value and, like a physical crime scene, some things are obvious and some are not. The trouble is that the number of potential crime scenes is increasing every year: in 1986, about 25 million computers were sold; latest figures indicate that over 300 million computers will be sold in 2009. These figures are cumulative and do not include external digital storage devices. This means that almost every serious crime and every legal dispute will involve some form of digital footprint that should be examined. And if it doesn't now, it will in the future, because the number of digital items requiring examination can only increase.

2.2 Issue TWO is the SIZE of the crime scene

If we keep with the analogy of a bedroom containing a dead body and assume that, in 1986, the typical crime scene would have been 10 square, then by 2001 the room would have been 100 square, with a corresponding increase in the amount of furnishings, ornaments and detritus. Using the same scale, today each potential crime scene is the size of a large hotel. In 1986, typical hard disks were around 10Mb in size. Today, even modest laptops ship with 100Gb and most desktops are fitted with 320GB drives as standard. And let's not forget external storage, with 2TB capacities available in the high street at very reasonable cost. So, not only are there more potential crime scenes, each one is now much larger than we could previously imagine.
With such a big increase in the number of potential crime scenes and the size of each one, it's no surprise that the volume of data of potential interest is increasing too.

2.3 Issue THREE is the shortage of forensic analysts

Although we continue to invest in growing digital forensic capabilities, it is increasingly unlikely that there will ever be sufficient skilled staff to satisfactorily address the growing demand for their services. Over the last few years, various strategies have been tried to achieve a workable solution to this conundrum:

OUTSOURCING: Overloaded forensic labs frequently turn to outsourcing their workload to trusted 3rd parties in order to cope with increasing backlogs. This is a viable but expensive short-term option which, ultimately, does not address the core problem of capacity. It simply moves the processing task from one organisation with insufficient staff to another that has capacity.
CASE PRIORITISATION: Another tactic is to constantly prioritise cases based on various criteria. Unfortunately, this often means that cases not meeting high priority scores are constantly shuffled to the end of the queue by new cases with higher scores. Typically, in police laboratories, this means that examinations of systems involved in economic crimes are often pushed back, justifiably, by crimes that involve a threat to life or those involving crimes against children.
CAUTIOUS SEIZURES: Another favoured tactic is to reduce the forensic laboratory caseload by adopting seizure policies that impose severe criteria on the seizure of systems. This tactic simply ignores the possibility that evidence might exist on systems that are not directly involved in an offence. It is similar to the strategy of disbanding the drug squad on the basis that no drug squad means no drug problem.
When evaluating why there can never be sufficient forensic analysts, it is worth noting what it takes to make a forensic analyst:

TRAINING: in, among other things, technology, tools, elements of law and legal proceedings, evidence handling, laboratory procedures and security, paperwork, presenting evidence, etc.
EXPERIENCE: of data structures, systems use and abuse.
PRACTICE: in searching, identifying and carving relevant data and in experimentation to prove or disprove a theory.
EQUIPMENT: selection and deployment of the right tools for the job and knowing when and how to question their results.
SKILL: in using the above tools and in identifying what they are NOT reporting.
UNDERSTANDING: when the limits of expertise have been reached and when to call on others to help.
[Figure: the number of forensic analysts and the number of crime scenes both increase over time but can never become equal.]

2.4 Issue FOUR is the unknown

It does not matter how experienced an analyst is, how well equipped they are or how well informed they are; unless the job is laboratory based, they will encounter:

UNKNOWN ENVIRONMENTS: whether attending a raid, visiting a crime scene or collecting data for a corporate disclosure task, prior knowledge of the scene is usually not detailed enough to plan for every eventuality. Therefore, analysts usually take a wide variety of equipment with them OR resort to seizing everything. The latter tactic may not always be an option, especially in business premises where it may be seen, at best, as overkill, which may result in allegations of malicious actions.

UNKNOWN TARGETS: Often there is little pre-knowledge about the number, type or location of digital media when entering premises without prior intelligence.
UNKNOWN LOCATIONS: Exhibit collection may start at one location but, during the course of events, may move to other locations quickly to gain access to relevant data.

Each of these unknowns can catch even the most experienced analyst off balance and force them to think on their feet to find solutions to the technical issues that confront them. Sometimes there is just so much data that it is difficult to know where to start or end. Technology can be used to make certain aspects of these tasks easier, but due diligence dictates that the processes must be effective AND accurate.

In the laboratory we have the luxury of:

- faster and multiple processing capabilities
- greater, more flexible storage
- a clean, organised environment
- scalable assistance

And, once the storage devices containing potential evidence are in the lab, we have time, because we control the process, largely free from the onsite pressures and influences of others (i.e. angry citizens, the other side's lawyers, business interruption risks, Business As Usual requirements, etc.). So, given that it is possible to get the potential evidence to a laboratory with suitably qualified and skilled staff, there is at least a chance to spend time analysing it. However, getting the right exhibits to the laboratory, without flooding it with unnecessary media in the first place, is one of the biggest future problems facing digital forensics.
3.0 Commonly used strategies

The most commonly used strategies to collect data of potential evidential interest fall into the following categories:

3.1 Use staff with limited forensic training and seize everything

This strategy can be the most effective when faced with a simple crime scene comprising a small number of digital devices, perhaps a mobile phone and a single computer. However, it is often the case that those attending are faced with multiple devices and storage media, in which case this strategy often results in:
LABORATORY BACKLOGS: Every item brought into the lab has to be examined, even if it's just so that it can be excluded from an investigation. Naturally, in serious cases, this is the most appropriate course of action but, for the vast majority of cases, this can lead to items of no relevance being passed for forensic examination, which extends the case processing time and delays the eventual result.
CONSTANT PRIORITISATION: Forensic laboratories are always busy but that does not stop new work coming in and each new job has a different priority. Therefore, caseload is constantly shuffled to suit the priorities dictated by policy. This is likely to be the biggest factor at present leading to work being outsourced from the Police laboratories to commercial forensic service providers.
UNNECESSARY COLLECTIONS: With a "Grab Everything" approach it is often the case that items of no evidential value are taken, such as the computer used for homework by the child of a suspect or the computer used to perform the accounting functions of a small business not associated with an incident. This can easily result in claims of malicious action or business interruption and associated loss, and also results in unnecessary pressure being put on the forensic laboratory to return the non-evidential items quickly.
RISK OF MISSING DATA: Faced with an overwhelming number of digital media items, it may be impractical, or impossible, to collect them for analysis. In such circumstances, those attending may be required to make critical decisions about which items to select. Making such decisions in the absence of a scientific method for selection is both unsatisfactory and dangerous in that items containing potential evidence may be overlooked.
RISK OF DAMAGING EVIDENCE: Without appropriate tools and adequate training, unskilled staff can potentially damage digital evidence during the process of collection and/or acquisition. However, these risks can be mitigated to an acceptable level via appropriate training in the use of suitable techniques, principles of evidence protection and deployment processes.
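The triage aims set out in the Executive Summary (quickly identifying devices likely to hold material of interest, in a forensically acceptable and evidentially sound way) and the point above about selecting items in the absence of a scientific method both come down to the same need: a repeatable selection step whose every action is recorded. The following Python script is an added example, not code from the paper or from the SPEKTOR product. It assumes the media has been mounted read-only (so walking it does not alter it), hashes every regular file, compares the hashes against a constructed set standing in for an intelligence-supplied list of notable files, writes one JSON line per file examined, and finally hashes the log so the record of what was reviewed can itself be verified later. All file names, contents and hash values are constructed for the demonstration.

```python
"""Read-only triage scan with an auditable log.

Added example, not from the paper. Assumes the media at `root` is mounted
read-only; the hash set and sample files are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed hash set standing in for an intelligence-supplied list of
# notable files. The value is a label the reviewer can report.
KNOWN_HASHES = {
    hashlib.sha256(b"notable sample content").hexdigest(): "sample-notable-1",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large media can be hashed without
    loading whole files into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_scan(root: Path, known_hashes: dict, log_path: Path) -> dict:
    """Walk `root`, hash every regular file, match against `known_hashes`
    and write one JSON line per file so the review is reproducible.

    Returns a summary: number of files examined, relative paths of hits,
    and the SHA-256 of the log written (for later integrity checks)."""
    examined = 0
    hits = []
    with log_path.open("w", encoding="utf-8") as log:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):  # deterministic order for repeatability
                path = Path(dirpath) / name
                if path.is_symlink() or not path.is_file():
                    continue  # only hash real files; never follow links off the media
                digest = sha256_file(path)
                label = known_hashes.get(digest)
                record = {
                    "time": datetime.now(timezone.utc).isoformat(),
                    "path": str(path.relative_to(root)),
                    "size": path.stat().st_size,
                    "sha256": digest,
                    "match": label,
                }
                log.write(json.dumps(record, sort_keys=True) + "\n")
                examined += 1
                if label:
                    hits.append(record["path"])
    # Hash the log itself so the record of what was reviewed can be verified.
    return {"examined": examined, "hits": hits, "log_sha256": sha256_file(log_path)}


def demo() -> dict:
    """Build a constructed sample media tree and run the scan on it."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "media"
        (media / "documents").mkdir(parents=True)
        # Constructed files: one unrelated, one matching the hash set, one empty filler.
        (media / "documents" / "homework.txt").write_bytes(b"unrelated homework")
        (media / "documents" / "notable.bin").write_bytes(b"notable sample content")
        (media / "cache.dat").write_bytes(b"\x00" * 4096)
        return triage_scan(media, KNOWN_HASHES, Path(tmp) / "triage.log")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The summary answers the triage question (does this device hold anything on the list?) while the log answers the evidential one (exactly which files were touched, when, and what their hashes were), so a later full examination can confirm that the on-site review was limited to reading. Hash matching is only one selection criterion; the same logging structure applies to keyword or file-type checks.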
3.2 Skilled experts: selective acquisition

A common strategy in both criminal and civil cases is to ensure that appropriately skilled forensic staff are present during a collection exercise or visit to a crime scene. Interestingly, this, and the rise in civil litigation involving discovery, are probably the main drivers behind the steep rise in the number of forensic analysts over the last five years. In all cases involving serious crime or major incidents, this technique certainly has merit. However, it also has a number of disadvantages:

- It removes valuable core skills from the forensic laboratory, resulting in:
  o reduced caseload throughput and capacity to respond in the laboratory
  o delays to current caseload progress
- It introduces risks of Business As Usual interruption complaints because:
  o forensic analysts tend to seize items rather than image on site
  o when they do image onsite, they often image everything rather than being selective
  o they may use forensic tools designed for lab work to perform previews; however, these tools are not optimised for speed and can result in prolonged times on site
- Imaging onsite is already taking extended times and, with the continued growth in disk capacities, these times can only continue to grow.
4.0 Summary of Current Issues

Given the above, it is clear that the following issues pose significant challenges and will influence the future approach taken to the task of forensic investigation of digital media:

ISSUES

In the user community:
- rapid growth in availability of digital storage media
- continual expansion in storage capacities
- increasing user IT awareness and skills
- increasing availability of network connectivity
- increasing dependence on electronic identities and transactions
- inevitable increase in systems requiring forensic examination
In the forensic community:
- increasing imaging times
- inability to perform onsite imaging due to times/size
- consequential increase in analysis and examination times
- increasing data complexity requiring expert analysis rather than just data carving
- shortage of experts (i.e. those skilled enough to perform analysis rather than data carving)
- increasing time to perform complex analysis
SUMMARY

The old adage "If we keep doing what we're doing, we'll keep getting what we've got" is particularly appropriate in this case. It is obvious that the current strategies for addressing the need for forensic examinations must change if we are to meet future capacities and analysis needs.