White Paper Feb.2015 - Amazon Web Services

White Paper
Feb.2015
Divide, Collaborate and Conquer!
Overcoming computer forensic backlog through distributed
processing and division of labor.
Contents
Obstacles to Overcoming Caseload Backlogs.........................................................................................................................................3
Amplifying Resources Utilizing Enterprise and Collaborative Computing Principles.........................................................4
Lab Technology: Providing a Permanent Solution to an Ever-growing Problem....................................................................6
Detailed Infrastructure Diagram: AccessData Lab...............................................................................................................................8
Benefits.......................................................................................................................................................................................................................9
Summary.....................................................................................................................................................................................................................9
Introduction
Computer forensics labs across the United States and around the world are struggling to keep up with their evergrowing caseloads. The overwhelming increase in cases affects law enforcement, government agencies and large
corporations alike. However, the issue is most often discussed within the context of criminal investigations, for
obvious reasons.
In an ideal American world you don’t expect to see a lot of news coverage on digital investigations and computer
forensics labs, so when this issue makes headlines, you know it is a very real, very dire problem.
Currently, there are not enough computer forensic experts and the amount of data that needs examined is becoming
very large and complex for examiners to investigate themselves. This creates a problem in not only catching criminals
but also in helping the victims of the crimes. The lack of time and equipment to properly examine evidence has
created a huge backlog in computer examinations. Law enforcement agencies have had to move to a priority system.
This increases the backlog for low priority crimes. FBI Executive Assistant Director Stephen Tidwell was quoted
as saying “The pervasiveness of the Internet has resulted in the dramatic growth of online sexual exploitation of
children, resulting in a large increase in the number of cases.” So, it’s not only the number of delayed cases that make
this an urgent matter. It is the nature of most of these cases that dramatically increases the pressure on computer
forensics labs to implement more efficient policies and practices to overcome this issue.
In the case of Melendez-Diaz v. Massachusetts, the Supreme Court found that lab reports prepared by forensic
experts, if introduced into evidence, were subject to the 6th Amendment Confrontation Clause. This means that
if your computer forensics report is used as evidence in court, the defense can call you to the stand for crossexamination. Some analysts are expecting this new ruling to further increase the already significant backlog.
Large corporations are also experiencing the digital investigations bottleneck, and while the corporate cases may not
always seem newsworthy, the impacts consistent investigation delays have on the bottom line and on employee/
customer privacy are significant.
This paper will take a look at the factors that contribute to these burdensome backlogs, and then it will review
the technical requirements necessary to significantly reduce—even overcome—the digital bottleneck that plagues
computer forensic personnel. Finally, it will illustrate how a solution meeting these technical requirements can be
implemented into a lab existing infrastructure and discuss the associated benefits.
www.accessdata.com
Obstacles to Overcoming Caseload Backlogs
A Justice Department audit of the FBI’s cybercrime labs found that 353 requests were awaiting FBI analysis, and it
took an average of 60 days for FBI personnel to examine evidence. Inspector General Glenn Fine said, “The processing
time for the digital evidence in some cases could take up to nine months, which we concluded was too long.” While
the FBI was the unfortunate recipient of this bad press, the fact is virtually every single cybercrime lab throughout the
country is overwhelmed. Likewise, the information security departments in almost every large corporation we’ve met
with tell us that they need more human resources and more hardware resources.
There are several factors that must be addressed to overcome caseload backlog:
Outdated Hardware
For example, a state police agency applying for federal assistance stated that of the 95 members of its statewide
Computer Crime Taskforce, 35 were using mobile forensic computers that are more than six years old. This is
a common complaint among state and local law enforcement agencies. In fact, even commercial organizations
commonly face budgetary limitations with regard to their hardware resources.
Understaffed Departments
The Internet Crimes Against Children (ICAC) Program’s task forces throughout the country were awarded Recovery
Act funds. Among the task forces, one of the primary uses for that money as stated in the ICAC memo is to hire new
investigators/analysts or use that money to retain analysts who would otherwise have to be laid off.
When it comes to commercial organizations, the primary goal is business continuity. The cogs must turn or
production suffers. To many in the corporate arena, “computer forensics” implies that a cog, or cogs, must stop
turning. Therefore, it is often the case that computer forensics is not at the top of the list when budget dollars are
doled out. In fact, according to a previous CSI Computer Crime and Security Survey (surveying information security
practitioners); only 41% of its respondents even use forensics tools to secure help secure their data.
Lack of Training and Training Dollars
Many local law enforcement agencies do not have a trained computer forensic analyst on staff and must send the
seized data into a state or regional lab for analysis. Even departments and labs with computer forensic analysts on
staff find it difficult to provide continuing education to their analysts, which can delay progress on a case. If there
are only two seasoned analysts on staff, and several novices, the two pros will find themselves bogged down with
analysis work. It’s no wonder why most state and local applications for federal aid cite training as one of the top
reasons for requesting the funds.
Evidence Being Processed and Reviewed in Disparate Locations
It is often the case that data seized at the scene of the crime or acquired from a computer at a remote office is actually
processed at a central computer forensics lab. While the investigators, legal personnel and HR personnel responsible
for reviewing that evidence are somewhere entirely different. This makes for an inefficient review process.
The One Case/One Analyst Paradigm
Traditionally, one analyst will be assigned to a case, and that analyst sees the case through from processing to
reporting. That model may have worked in the past, but with the influx of computer crime and the dramatic increase
in computer-related evidence per case, computer forensics labs might take a lesson from Henry Ford. It is becoming
more difficult for examiners to get through a single large case in a reasonable amount of time because data sets and
the problem are continuing to get worse.
Lack of Infrastructure
In most traditional labs, each examiner stores all of the evidence and case information on his or her individual
machine. This makes the backup and restoration of cases, evidence and reports a time consuming and critical part
of the process that is often difficult to manage, if done at all. Even worse, cases often go on for years, and examiners
must bring cases out of storage if and when they make it to court.
© 2015 AccessData Group
It’s interesting to note that in almost every case, agencies and commercial organizations cite their need for more
human resources and more hardware resources. Yet, despite the cry for more, we rarely see a meaningful increase
in those resources. The CSI survey shows that its respondents actually experienced a reduction in budget dollars for
information security. Furthermore, it’s a running joke among radio commentators and local newspapers—no matter
how many more tax dollars are applied to increasing law enforcement numbers, somehow there rarely seems to be a
significant increase. If there is an increase in officers, you can be sure that layoffs are only a couple years away, usually
about the time federal assistance dollars run out.
So, given the relative certainty that resources will usually be scarce, why aren’t law enforcement, government
agencies and corporations looking for a technological solution that will actually amplify their existing resources?
Amplifying Resources Utilizing Enterprise and Collaborative
Computing Principles
In order to successfully overcome case backlog, organizations need to implement a technical foundation that
maximizes the productivity of the resources they have. Until an organization is able to efficiently leverage its
resources, it will find itself trapped in the vicious cycle of too much work, too few people.
In order to effectively amplify an organization’s resources, the following capabilities are necessary:
Distributed Processing
Leverage hardware to significantly reduce processing time. Distributed processing allows organizations to effectively
offset their ever-increasing datasets. With distributed processing capabilities, an organization can turn resources into
assets that reduce the amount of time it takes to process large datasets. The organization now has a scalable resource,
with which to increase or decrease processing power as needed.
FIG. 1
Distributed processing leverages
hardware to reduce processing time.
Utilize a distributed processing farm to
dramatically reduce processing time. This
is a great way to leverage legacy hardware.
EVIDENCE SERVER
INDEX STORAGE
DATABASE SERVER
EXAMINER
www.accessdata.com
DISTRIBUTED
WORKERS
Simultaneous, Collaborative Analysis
Computer forensic departments need to move away from the “One Analyst/One Case” paradigm and take an
“assembly line” approach to their investigations. By distributing the workload across examiners, each person is able
to focus on a single area of expertise. Examiners can work in synchronization with other examiners to get through
cases much faster using the advanced capabilities of FTK. In addition, this solution allows organizations to coordinate
analysts and other players in a case using a secure web interface. So, those who are geographically dispersed are able
to easily contribute their expertise without delay.
Web Review and Analysis Capabilities
There are many players in an investigation. They are not all located in the lab and are not always forensic experts. It is
often the case that key players in these investigations are working in disparate locations, and this can easily delay the
conclusion of a case. A secure web interface provides a quick and easy way for non-technical personnel to review and
comment on the evidence as the analysts identify it. Players in the investigations, such as lawyers, human resources
personnel and representatives from the DA’s office are able to review the data in any easy to consume format as soon
as it is available from any location, which saves a great deal of time. With custom data views reviewers are given
permission by the case manager to review specific areas of cases.
FIG. 2
Analysts can collaborate in the lab using FTK, and
with AD Lab, geographically dispersed players in the
investigation can review and comment on data using a
secure web interface.
EVIDENCE SERVER
Non-technical resources and
outside analysts can review and
comment on data via the secure
web interface.
INDEX STORAGE
DATABASE SERVER
Analysts can collaborate in real
time via FTK.
CASE REVIEWERS via
SECURE WEB INTERFACE
SENIOR EXAMINER
REGISTRY ANALYSIS
SENIOR EXAMINER
RAM DUMP ANALYSIS
JUNIOR EXAMINER
GRAPHICS
JUNIOR EXAMINER
EMAIL
The Ability to Control Access and Activity
When orchestrating synchronous collaboration among multiple analysts, it's important that organizations are able to
control which data each analyst can access, which tasks he or she can perform, and to ensure their accountability. For
example, if two analysts are assigned to a case—one a senior member of the team, and the other still in training—the
case manager can tailor their individual roles and permissions to suit their skill levels or clearance levels. The senior
analyst can be given permission to perform more advanced operations, while the junior analyst is assigned to a
particular set of data, such as graphics. With a more advanced lab solution, the seasoned investigator can be given
© 2015 AccessData Group
permission to view specific data sets that might be considered confidential or classified, while the less experienced
analyst is only allowed to work with less sensitive content.
FIG. 3
A designated Manager can assign
cases, tasks and resources to
analysts and monitor their progress
to ensure efficient collaboration.
MANAGER
ASSIGNING TASKS &
MONITORING PROGRESS
EVIDENCE SERVER
Cases and analysts can be
managed from a central
management console.
INDEX STORAGE
DATABASE SERVER
CASE REVIEWERS via
SECURE WEB INTERFACE
SENIOR EXAMINER
REGISTRY ANALYSIS
SENIOR EXAMINER
RAM DUMP ANALYSIS
JUNIOR EXAMINER
GRAPHICS
JUNIOR EXAMINER
EMAIL
Centralized Investigative Infrastructure
Using a Lab platform, organizations can centralize their investigative infrastructure. Instead of each examiner doing
all the work on his or her individual stand¬alone machine, each examiner can leverage a shared infrastructure
where all of the case data and evidence are stored in a centralized and controlled manner. Access to each case is still
controlled by the lab manager or examiner in charge of a specific case, but the actual hardware infrastructure, where
all the work takes place, is centralized. (Note centralized database and distributed processing farm in figures 1–3. Lab
clients have the ability to login to more than one database.)
Lab Technology: Providing a Permanent Solution to an Evergrowing Problem
Human resources come and go, hardware resources become outdated, and the funding to maintain both is never a
sure thing. However, implementing the right lab technology is a permanent solution that will streamline the entire
process and speed up nearly every aspect of the investigation.
AccessData (AD) has engineered lab technology that enables computer forensics labs to implement a digital assembly
line of sorts. Based on the principles of enterprise computing and collaborative computing, this solution allows
analysts to work together seamlessly—not just distributing data processing, but actually distributing their labor,
while sharing a centralized infrastructure (database, storage, evidence server).
www.accessdata.com
Data processing times can be greatly reduced by leveraging Lab’s distributed processing architecture. Analytical
operations are compartmentalized by analyst, so an individual examiner doesn’t need to shift his or her mindset from
email to registry to RAM dumps or have to worry about moving the data around. Each examiner can focus on one or
two areas of expertise and other analysts working on the same case are able to see those findings in real-time as they
are bookmarked, labeled and commented on. Having the abilities to divide workload and to share information with
each other and non¬technical counterparts will speed the analysis, the review, and the communications necessary to
bring a case to its completion.
However, while this lab solution enables real-time collaboration, a single analyst is still able to work an entire case
from beginning to end on his or her machine. Each analyst has an investigative workstation that shares a single
database infrastructure, comprised of one or more databases. Investigator workstations can also share a distributed
processing farm. An analyst is able to utilize this centralized infrastructure, and if he or she desires, can give
permission to another analyst or non¬technical player to review the findings and share expertise.
Case-level Permissions vs. Data-level Permissions
The AD Lab solution allows case managers to assign or restrict access at the data level. For example, if the information
in question or suspects involved were considered extremely confidential, the case manager could restrict a junior
analyst’s access to email and documents of any kind. However, the manager might want to utilize that junior resource
to speed the investigation along. For example, the manager could restrict the junior analyst’s access to include only
log files, assigning that person to create a timeline over the last month showing each time an instant messenger
application had been launched. This more granular security provision is of particular benefit to large corporations or
government agencies handling large caseloads with a great deal of confidential or classified information.
Web Review and Analysis
As discussed earlier, the web review capability is the easiest way to share information and leverage the abilities of
non¬technical players in an investigation or computer forensic experts located outside the lab. This functionality is
only available with AD Lab, which is designed to handle large caseloads for organizations that have a number of
different participants in the investigative process that should be working together.
For example, a computer forensic examiner working in New York wants HR and Legal in Los Angeles to review the
results of a policy violation investigation quickly and in an easy to consume format. These non-technical participants
can log in to the web interface and only see the information the examiner wants them to see. Additionally, large labs
dealing with massive datasets need many analysts of varying skill levels to work together simultaneously, in order to
efficiently tackle their caseloads. The secure web review interface of AD Lab enables those analysts to collaborate with
ease.
The following illustrates the functionality available in each of AccessData’s Lab solutions:
Lab Functionality
Forensic Toolkit (FTK)
AD Lab
4 WORKERS
EXPANDED
4 SIMULTANEOUS
EXPANDED
CENTRALIZED CASE AND TASK
MANAGEMENT
NO
YES
ROLE-BASED PERMISSIONS TO
CONTROL ACCESS AND ACTIVITY
NO
DATA LEVEL
CENTRALIZED DATABASE
INFRASTRUCTURE
NO
YES
WEB REVIEW AND ANALYSIS
NO
UNLIMITED
DISTRIBUTED PROCESSING
INVESTIGATOR COLLABORATION via FTK
© 2015 AccessData Group
Detailed Infrastructure AD Lab
Workflow
•
Beth logs in and creates a case on the database.
•
She processes the evidence or obtains volatile data.
•
Beth needs Jack to look at email that she processed in her NY office.
•
Beth gives Jack rights to the case.
•
Jack logs in.
•
Jack selects Beth’s database from the database selection panel.
•
He can now see her list of cases.
•
Jack selects the case and now sees all the work of Beth did and can perform additional analysis and
bookmarking.
Note: Because it is a database on the back end, any bookmarks/labels are stored. This also means that multiple
examiners can look at the same case at the same time without stumbling over each other.
FIG. 4
Cases can be worked individually or
collaboratively, while controlling who
can access which data.
CENTRALIZED PROCESSING FARM
CENTRALIZED DATABASE
COMPUTER FORENSICS LAB
INVESTIGATORS
MOBILE ANALYSIS
INVESTIGATOR
SUBJECT MATTER EXPERT
www.accessdata.com
DISTRICT ATTORNEY'S OFFICE
Summary
Benefits
“Assembly line” division of labor approach
allows the investigation process to be
streamlined and cases can be brought to
completion more efficiently.
Control that can see which information in a
given case or across cases.
See each other’s results in real time.
Non-technical users can easily support the
investigative process.
As stated earlier, until an organization is able to efficiently leverage
existing resources, it will find itself trapped in the vicious cycle of too
much work, too few people. Implementing a solution that amplifies
existing resources by streamlining the investigative process and getting
the most out of an organization’s hardware is a permanent solution.
AccessData’s lab solutions are scalable, allowing an organization to build
a solution that fits its caseload and resources, then expand as needed.
Division of labor, distributed processing, a centralized infrastructure and
timely sharing of data are the keys to overcoming the backlog faced by
organizations of all kinds. The answer is not simply “more resources.”
The answer is efficiently utilizing your resources.
Advanced users can work alongside nontechnical resources.
Leverage a distributed processing farm to
greatly reduce processing time.
Take an enterprise approach to controlling
data with a centralized infrastructure, instead
of each examiner storing data on his or her
individual machine.
The processing time for the digital evidence in
some cases could take up to nine months. We
concluded this was too long.
Inspector General Glenn Fine
Federal Bureau of Investigation
Creating a collaborative environment with
a shared, centralized infrastructure amplifies
existing resources, allowing analysts of all skill
levels to work more effectively.
LEARN MORE: www.AccessData.com
GLOBAL HEADQUARTERS
+1 801 377 5410
588 West 300 South
Lindon, Utah
USA
NORTH AMERICAN SALES
+1 800 574 5199
Fax: +1 801 765 4370
[email protected]
INTERNATIONAL SALES
+44 20 7010 7800
[email protected]