Wednesday, 29 August 2012

Forensic previewing with Linux

I s'pose the first question is why do any form of previewing? Most LE agencies that I know of experience very high volumes of requests for digital forensic services, which often leads to backlogs in cases. To combat this, agencies have adopted a wide variety of responses, including combinations of outsourcing, prioritising cases, triaging, introducing KPIs, and setting policies to only view the files in the live set on some systems. All of these approaches are practical solutions, however they do have some drawbacks, such as cost or the risk of evidence being missed. The squeeze on budgets is already impacting on many agencies' abilities to outsource cases, hire more staff or buy new hardware/software. My approach is to make sure every piece of digital storage is processed, using open source tools. Often my processes go deeper than what is done during a "full" forensic examination in many labs. Costs of this approach are minimal - some external drives and some 4-port KVM switches so that many systems can be previewed in parallel. You really want to make sure that your costly forensic tools are being focussed on media that is known to contain evidence. Of course, the commercial forensic tools (many of which I like A LOT!) do give you the ability to do some previewing, however this ties up your software dongles and your forensic workstations. You also need to be at the keyboard, as the approach often involves configuring a process, running it, then configuring the next process and running it and so on...

I leverage the processing power of the suspect system, processing the system in a forensically sound manner by booting the suspect system with a forensic CD, then running a single program to do the analysis that I require, selecting various options depending on circumstances. The processing may take many hours (sometimes up to 18 hours), however, my forensic workstation and software are free to tackle systems that I have previously processed and found evidence on. I can view the output from my previewing in a couple of hours, and establish if there is evidence on the system or not. Therefore, I overcome the problem of potential evidence being missed that exists in some other approaches to reducing backlogs of cases. Most Linux forensic boot disks can be installed to a workstation to process loose hard disks and USB storage devices. Ultimately the majority of storage devices can be eliminated from the need to undergo costly and time-consuming forensic examinations; only disks/media known to contain evidence are processed, and everything that is seized gets looked at...double gins all round.

So, that is about as serious and po-faced as this blog is going to get. The next post will look at customising your forensic boot CD for your own needs (it's A LOT simpler than most people realise).
