Evidence Technology Magazine - How to Triage Computer Evidence
How to Triage Computer Evidence: Tackle Moore’s Law with Less
Written by David Kennedy and David Sun
IF YOU PROCESS digital evidence on a day-to-day basis, chances are those days
are booked up for weeks to come. How long, on average, does it take your team to
analyze the data in a new case? Security, law enforcement, and corporate
computer-forensics departments are stretched beyond their resources; reported backlogs of
digital evidence vary but they are often in the eight- to 12-month range or more.
Take a quick glance at why these backlogs exist, and it becomes obvious that things
will not get better by simply doing more of the same. The rapid growth of digital
devices is readily apparent as netbooks, smart phones, and flash drives have joined
desktop computers and laptops as standard computing fare. Underneath the plastic
and metal bits is the true, less discernible reason for the backlog scramble: the
storage capacity of these devices has grown exponentially. Traditionally, the more
storage capacity a device has, the longer it takes to analyze it thoroughly.
Blame Moore’s Law—Sort Of
You may have heard of Moore’s Law. Originally, it was a prediction made 45 years
ago by Intel co-founder Gordon E. Moore, regarding the growing number of
transistors that engineers could cram onto a microchip. Over the years, the
interpretation of Moore’s Law has expanded to generally describe other long-term
trends in computer development—specifically, computer capacity. The amount of
processing speed, memory, and digital-storage capacity per dollar spent have
approximately doubled every two years.
Let that settle in for a moment:
Digital-storage capacity has approximately doubled every two years.
If a corporate or law-enforcement department with four computer-forensics
specialists was able to keep up with new evidence in a timely manner four years
ago, it would have required nearly double the manpower two years later to do the
same work in the same amount of time. In other words, that department would now
require eight employees. Fast-forward another two years, and that same department
would need 16 computer-forensics experts to handle the same load. Assuming a
status-quo approach to the problem, in another two years, you will need 32 experts
to perform in the same capacity.
How many departments have computer-forensics budgets that can keep up with an
800-percent increase in personnel over a six-year period? It simply is not feasible,
which is why we are where we are today.
Triage away the irrelevant
If storage capacity creates a problem for thoroughly analyzing evidence, it may be
time to analyze less evidence—or at least prioritize the evidence to determine what
gets attention first. Among the piles of laptops, desktops, and netbooks, which
device is most likely to contain the critical details needed to build your body of
Hospitals and medical clinics have managed a very similar problem. In high-volume
periods of time, care providers are forced to ask, “Who needs valuable resources
first?” Patients’ symptoms are assessed as soon as they walk through the door.
Patients are not seen by doctors on a first-in, first-out basis. How often does
someone who needs earwax removed see a doctor ahead of the guy with the broken
arm? Chances are a clogged ear will not find its way to a doctor at all; the nurses
are more available and they can readily handle this case. Patients are sorted by the
severity of their condition, and resources are applied first where they are needed
This is triage in action.
Out of the hospital... and back to the crime scene
Ready to tackle that computer-evidence backlog? With a triage procedure and the
right tools in place, first responders can perform a preliminary review on site. With an
ideal tool, investigators can prioritize evidence by likelihood of relevancy.
Consider a crime scene that has 20 computers. If only three of those computers
contain relevant data, a well-executed triage will prioritize those three above the
others for a computer-forensics analyst’s precious time back in the lab. Seventeen of
those computers may never need more than the preliminary triage.
There are a couple of tools already on the market that are being leveraged for
different computer-evidence triage strategies. Many factors go into crafting a triage
procedure. From here on out, this article will focus on considerations for choosing
the tools for your new computer-evidence preliminary-assessment plan.
A quick disclaimer: We are operating under the assumption that installing software
on the computer about to be examined is a bad idea. While conventional free
software (Google Desktop, for example) enables some of the search and preliminary
analysis capabilities we are about to talk about, installing software directly onto a
suspect machine may overwrite the evidence you are trying to capture. Other
options that do not “leave a trace” are rapidly dropping in price with new players on
the field, making it increasingly easy to avoid software installation on evidentiary
media simply as a means of cutting costs.
BitFlare, by SunBlock Systems, is a freely available CD that can be
downloaded directly from their website. Suspect machines are booted off of this
CD. Extracted evidence is saved on standard, readily available external USB
hard drives. There are no up-front software license fees; users are able to
perform a high-level examination for free, and only pay to document and extract
relevant results.
COFEE (Computer Online Forensic Evidence Extractor), by Microsoft, is a
USB-drive solution that is available for law enforcement. After registering, you
can download the program and save it on as many USB flash drives as you
would like. It is essentially a collection of tools available publicly for download
from the Microsoft website enabling the collection of files and operating-system
data from the computer.
EnCase Forensic, by Guidance Software, has been used in the past by trained
forensic investigators in “Preview Mode” on site to assist with triage. The
computer-forensics product is aimed at professionals and is a staple in the
industry. However, some consider it ill-suited for onsite triage, as the license
dongle is limited to one machine at a time.
EnCase Portable was recently released by Guidance Software, partially to
address the first-responder limitations of EnCase Forensic. Users can purchase
an EnCase Portable package that includes USB Hub, CD, and dongle kit.
Triage-ID is one component of several offerings from ADF Solutions. Groups
can license copies of the software. The license itself resides on a USB dongle.
Much like BitFlare, suspect machines can be booted off a CD. Unlike EnCase
Portable, the dongle is not limited to one machine at a time.
Qualities to consider when choosing your triage toolkit
A triage tool needs to allow for preliminary analysis. Welcome to our most obvious
requirement: You must be able to quickly assess what is on the machine! You will
want to be able to leverage the machine’s computing power itself. To simplify the
process, you will want to avoid removing the hard drive. Key-word searching and
file-metadata analysis are typical tools found in computer forensic software, and your
triage tool should offer no less than these capabilities.
Several options are designed for you to run the software directly on the computer.
BitFlare and Triage-ID each contain their own operating systems and boot off of a
CD. After inserting the disk and powering it up, the suspect computer will serve as
your triage platform onsite or back at the laboratory. EnCase Portable can be run on
the machine while it is running, or you can boot up the suspect computer with an
included CD. Traditionally, while some computer-forensics teams have been
dabbling in triage and have used EnCase Forensic in Preview mode, the industry
(and Guidance Software itself, with its release of EnCase Portable) should move
past this. This method requires you to install the program onto the suspect
computer’s hard drive, or remove the hard drive and connect it to another machine.
Given the ever-increasing amounts of data on hard drives, keyword searching is a
critical component of sifting through the bytes. Keywords also play a crucial role in
triaging an incident. If you are investigating a kidnapping and are triaging 100
computers in a school, which ones will you review? Try searching for the
individual’s e-mail address on each one. If only one or two computers contain hits for
that keyword, you have very effectively narrowed your scope.
More powerful keyword searches, called regular expressions, can locate patterns of
data, such as Social Security, credit card, and phone numbers. This additional
search feature is commonly available in new computer-forensics triage software, but
it is worth noting this feature in the event that it is missing from your triage software
of choice.
Reviewing file listings and associated metadata can quickly build a general overview
of what has been happening recently on a machine. Metadata includes
characteristics such as file type, the number of times the file was modified or
accessed, file size, and where on the computer the file is located. If you are
responding to an incident that occurred that day, could files deleted that morning be
of interest? If you are interested in utilizing this capability in the field, neither EnCase
Portable nor Microsoft’s COFEE allow for in-situ review of the entire drive. BitFlare
will, and provides broad categories to filter by such as image and video files, or
Microsoft Office files.
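The file-listing review described above, as an added example that is not part of the original article or any of the tools it names: it walks a mounted copy of a drive, keeps only files modified or accessed inside a chosen window, and buckets them by the kind of coarse category a triage filter offers. The category extension lists and the constructed sample tree are assumptions.

```python
import os
import tempfile
import time
from datetime import datetime
from pathlib import Path

# Coarse categories like the filters a triage tool offers (assumed extension lists).
CATEGORIES = {
    "image/video": {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".avi", ".mov"},
    "office": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"},
    "email/web": {".eml", ".pst", ".htm", ".html"},
}

def categorize(path: Path) -> str:
    ext = path.suffix.lower()
    return next((name for name, exts in CATEGORIES.items() if ext in exts), "other")

def recent_activity(root, hours=24):
    """Files under root modified or accessed in the last `hours`, newest first,
    with the metadata fields a preliminary review looks at."""
    root = Path(root)
    cutoff = time.time() - hours * 3600
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.stat()  # reads the inode only; it does not update atime
            if max(st.st_mtime, st.st_atime) >= cutoff:
                rows.append({
                    "path": p.relative_to(root).as_posix(),
                    "category": categorize(p),
                    "size": st.st_size,
                    "modified": datetime.fromtimestamp(st.st_mtime),
                    "accessed": datetime.fromtimestamp(st.st_atime),
                })
    rows.sort(key=lambda r: max(r["modified"], r["accessed"]), reverse=True)
    return rows

def count_by_category(rows):
    """Per-category tally, the one-line overview a responder compares across machines."""
    counts = {}
    for r in rows:
        counts[r["category"]] = counts.get(r["category"], 0) + 1
    return counts

def build_sample_tree():
    """Constructed mini file system with back-dated timestamps (hours of age)."""
    root = Path(tempfile.mkdtemp())
    now = time.time()
    ages = {"photos/beach.jpg": 1, "notes.txt": 2, "docs/report.docx": 72, "old/archive.pdf": 720}
    for rel, age_hours in ages.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x" * 10)
        t = now - age_hours * 3600
        os.utime(p, (t, t))  # set both atime and mtime into the past
    return root
```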
Quickly access the “forensic” areas of digital evidence. You may already know that a
good deal of the data on a computer hard drive is not merely found in files. While a
myriad of technical terms such as slack space, unallocated space, and boot
partitions define specific areas of a hard drive not defined by the file system, we can
generally bundle them all together and refer to them as forensic areas. Ignoring
these forensic areas has been one approach some have taken when looking to
improve turnaround times. Analyzing this information is becoming easier and easier.
Do not pass it up!
There is a laundry list of potentially relevant data in these forensic areas. When a
file is deleted, oftentimes pieces of it are left on the hard drive—and sometimes
several copies are scattered about. Many Internet browsers create temporary files
when viewing a web page, only to delete them later. These webpage fragments can
contain key information, including banking statements as well as e-mails read and
sent over popular web-mail services. If you are in computer forensics, you have
likely run across many suspects who turn to web mail for its perceived privacy.
Currently, neither EnCase Portable nor COFEE accesses this part of the hard drive;
BitFlare and Triage-ID offer keyword searches aimed primarily at carving data from
these forensic areas.
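The keyword and regular-expression searching described earlier, applied to the forensic areas discussed here, as an added example that is not code from the article or from any of the tools it names: the patterns run over a raw byte buffer (standing in for an extract of unallocated space) as well as over files, and a Luhn check drops digit runs that merely look like card numbers. The patterns, the sample buffer and the keyword are constructed assumptions.

```python
import re

# Byte-level patterns so the same search runs over files and over a raw extract of
# unallocated space. The SSN, phone and card patterns are deliberately simple.
PATTERNS = {
    "ssn": re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(rb"(?<!\d)(?:\(\d{3}\)|\d{3})[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "card": re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn check: drops most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def carve_hits(buf: bytes, keywords=()):
    """Return (kind, offset, text) for every pattern or keyword hit in buf, by offset."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(buf):
            text = m.group().decode("ascii")
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", text)):
                continue  # 16 digits that fail Luhn are not worth an analyst's time
            hits.append((kind, m.start(), text))
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), buf, re.IGNORECASE):
            hits.append(("keyword", m.start(), m.group().decode("ascii", "replace")))
    return sorted(hits, key=lambda h: h[1])

def hit_counts(hits):
    """Per-kind tally: the number a responder compares across the machines on site."""
    counts = {}
    for kind, _offset, _text in hits:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed stand-in for a chunk of unallocated space holding a webmail fragment.
SAMPLE = (
    b"\x00" * 16
    + b"<html>Hi Jane, wire to card 4111 1111 1111 1111 today. "
    + b"Ref 1234 5678 9012 3456 is not a card. "
    + b"SSN 123-45-6789, call (202) 555-0143 or mail jane.doe@example.org</html>"
    + b"\xff" * 16
)

if __name__ == "__main__":
    for hit in carve_hits(SAMPLE, ["jane.doe@example.org"]):
        print(hit)
```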
Your tool should not limit the scope of your triage. When it comes to triage-capable
software options, there are several different licensing models available. Depending
on the volume of evidence and your triage-procedure goals, differing models can
impact your ability to work. Most dongle-based licensed products, such as EnCase
Forensic or EnCase Portable, will limit the number of machines you can analyze at
one time by the number of licenses you purchase. As long as the machines you are
triaging are in the same location, Triage-ID does allow for parallel processing; its
software dongle is only required at boot-up. BitFlare operates completely
dongle-free and is limited only by the number of BitFlare CDs available (or CD-Rs, if
you have a burner on hand).
Triage with your nurses, not your doctors. In the old days, doctors made house calls:
one patient examined by one doctor. The triage approach at hospitals works so well
because positions requiring less training—such as front-desk receptionists or nurses
or students-in-residency—help handle patients’ needs when they do not require the
doctor’s attention. When implementing electronic-evidence triage, you will want to
leverage less resource-intensive employees, as well.
Many of the newer computer-forensic triage tools on the market today are
specifically aimed at minimizing the amount of training needed for usage. Most
solutions are designed to deploy easily on the evidentiary machine, regardless of
the user’s level of training.
BitFlare’s interface is even wizard-driven: it uses a step-by-step process for
extracting data, complete with Next and Back buttons. Data extraction is driven by
selecting Evidence Discovery Packs, or EDPs, off of their website. The website
builds the queries customized for the matter on hand. The process is about as
complicated as adding a video to a NetFlix queue.
Forensic-imaging capability is a must. Triaging a situation will not always be perfect.
Ongoing investigations continually generate new leads and relationships.
If you cannot always seize and store all of the computers throughout the duration of
your investigation, you will need a tool that will forensically preserve the computer. A
forensic preservation creates a perfect copy of the data, including forensic areas,
just as it is on the computer in question.
BitFlare, Triage-ID, EnCase Portable, and EnCase Forensic will all allow you to
create forensic copies on-site. EnCase Portable produces images in its proprietary
EWF format, and generally requires EnCase Forensic or another Guidance Software
tool for further analysis. BitFlare’s images are produced in an encrypted format,
enabling security of data during transit and third-party verification of evidence.
Defense, defense, defense!
As with any evidence, be sure that your tool is properly documenting what evidence
it extracts and that all of the files extracted are verifiable. Without a strong chain of
custody, what good is having the evidence? This is especially true when handling
extracted files as computer evidence. For example, consider a confession as
evidence. If someone writes it out by hand, can you tell if someone added the word
“not” to the sentence “I did do it”? If the evidence is an extracted text file, can you tell
if someone made the same change?
Nearly all tools that were specifically designed for computer forensics do this to
some degree. Ensure that cryptographic hashes (such as MD5 or SHA-256) are
calculated for all extracted files.
What next?
Choosing the right set of tools is only a part of a successful triage strategy. Different
organizations are going to have different needs and resources available, and new
tools may be available on the market even as this article is hitting the press. Your
computer-forensics experts already on hand will offer valuable insight into the
challenges their particular group faces. If you are in law enforcement, is it acceptable
to use an approach that does not fully examine all evidence? If you are working with
a team that investigates issues within your corporation, is it a viable solution to bring
IT staff from outside to assist with a triage?
The problem can be a big one to tackle, and different groups will ultimately deploy
different policies that will mature over time and with experience. The nature of digital
evidence, however, is unlikely to change. It will merely continue to explode, and a
strong understanding of desired qualities for a triage tool will aid you regardless of
other tactical decisions that may be made going forward.
About the Authors
David Sun is the founder and president of SunBlock Systems, a privately held
computer-forensics and investigation firm. Sun holds numerous certifications in
computer forensics and information security, and has conducted hundreds of
computer examinations all over the world. He is also an adjunct professor at George
Mason University, and he holds multiple patents for inventions in the field of
computer forensics. To learn more about Sun and SunBlock Systems visit:
David Kennedy, a certified computer examiner, has been in the computer-security
and software-development industries since 2001. During the last nine years, he has
overseen the development and launch of products in the e-discovery and voice over
IP fields, while actively conducting computer and other digital investigations during
the last six years. Kennedy’s e-mail address: [email protected]
"How to Triage Computer Evidence," written by David Kennedy and David Sun
March-April 2010 (Volume 8, Number 2)
Evidence Technology Magazine