SNAPI Guard’s Managed Digital Forensics Service
In recent years there has been an exponential rise in terms of volume, velocity, variety and sophistication of digital activity by criminals and terrorist groups around the world. Today, most crimes have a digital component.
This growth has been exacerbated by dramatic advances in electronic hardware. The growing diversity of consumer electronic devices, all with increasing memory or storage capacity, offer criminals and terrorists a wealth of opportunity to hide harmful information. It is not uncommon for desktops and laptops to come with hard drives that measure 100’s of gigabytes of storage. The latest hard drives include options for 2 or 4 terabytes. Considering that just one terabyte can store 200 DVDs, that’s a vast amount of storage and represents a problem that will only keep growing.
From PCs to laptops, mobile phones to thumb drives and even games consoles, police and security forces are being pushed to the limit to clone, ingest (or image), index and analyse growing amounts of suspect data while preserving the digital chain of custody and protect citizens. When suspected criminals have been charged and pc assets seized, police and agencies are put under enormous pressure to process and analyse potential evidence in a very short space of time and in less than perfect IT environments. And where whole organisations are suspected of criminal or terrorist activity the number of devices to be analysed, can escalate dramatically
Imaging data takes time
Hard drives first have to be copied or “cloned” so as not to “contaminate” the source of data. This is a major challenge for forces or agencies as, in order to preserve data copied from clones, it requires huge storage requirements. It can take hours, or even days, to copy and process confiscated hard drives, together with the systems on which they are working. This has to be done with meticulous care and attention to detail. In order to preserve the chain (or continuity) of custody there are a number of rigid guidelines. Documentation has to include conditions under which the evidence is gathered. The identity of all evidence handlers must be revealed. The duration of evidence custody, security conditions while handling or storing the evidence, and the manner in which evidence was transferred to subsequent custodians must be stated… that takes time.
The current problems with ingestion and analysis
Once cloned, data is “ingested” by digital forensic experts onto one or several workstations, or high performance PCs. Again this can take a great deal of time depending on the amount of data being ingested before data can be indexed, triaged and analysed. Due to the large volume of data to be analysed and the risk of losing data, experts have to be at the lab to carry out analysis. In addition local laws may prohibit remote searches of seized hard drives for analysis by high tech crime units. It’s no surprise therefore that there is a huge backlog of seized hard drive – 18-24 months is typical. At best data can
be shared across file servers but analysis still has to be done at the lab and requires state-of-the-art network capabilities to transfer data backwards and forwards between centrally held servers and the analysts’ PCs. Very often this doesn’t allow for data to be shared between analysts working in the same
location, let alone at remote sites. Real time sharing across agencies or even borders, between multi-government agencies, is out of the question. Consequently the only current solution for further analysis requires lab visits. Additionally, if malicious code is contained on the cloned image, this can
cause damage to the forensic expert’s workstation which could either require a rebuild starting the ingestion process over again, or if left undetected could
potentially compromise the chain of custody. This growth has been exacerbated by dramatic advances in electronic hardware. The growing diversity of consumer electronic devices, all with increasing memory or storage capacity, offer criminals and terrorists a wealth of opportunity to hide harmful information. It is not uncommon for desktops and laptops to come with hard drives that measure 100’s of gigabytes of storage. The latest hard drives include options for 2 or 4 terabytes. Considering that just one terabyte can store 200 DVDs, that’s a vast amount of storage and represents a problem that will only keep growing.
SNAPI Guard’s approach to digital forensics takes what is effectively a serial process and applies the principles of cloud computing using data center capabilities to enable simultaneous parallel processing of digital evidence.
Stage 1 (Triage)
Using a combination of SNAPI Guard’s fully triage software and our teams industry experience. Our digital forensics officers have the opportunity to quickly recover potential evidence from suspect devices for viewing on site. Not only can this save time, all data recovered is evidentially sound, either exported as an EO1 file for loading directly into the data center or imaged as normal by uploading through via USB interface to central storage for processing back at
Stage 2 (Ingest)
In common with existing practices, suspect data is cloned but instead of imaging data onto a single workstation, data is ingested onto a central evidence repository rather than an individual analyst’s PC. By ingesting data immediately into the data center, data transfer from one device to another is minimized, increasing availability of that data to multiple analysts dramatically improving productivity and efficiency.
Stage 3 (Store)
Storing suspect data directly to the data center enables analysts to focus on analysis instead of being concerned whether there is sufficient hard disk space available on their PCs to store and index data. It also means that they are not slowed down having to backup other forensics work to recordable media such as DVDs. Storing data centrally also enables data and workloads to be shared more efficiently and also minimizes the amount of time needed to copy extremely large data sets from one device to another further increasing productivity. Even over the latest high speed networks this can take hours, inefficiently tying up both PC as well as network resources.
Stage 4 (Analyse)
By centrally storing suspect data it is possible to index and triage data within the data center on high performance servers instead of using dedicated analyst PCs. This way, multiple analyst sessions can be run concurrently on single or multiple workstations resulting in greatly increased productivity. And of course, analyst time can be devoted to analyzing data rather than administering it. Each application instance is run in an independent server session that helps protect the rest of the system from malicious code and viruses assisting to preserve system integrity. Where malicious code or applications are required to be run for understanding and evidential purposes, analysts can execute them in secure, isolated, “sandpitted” environments. Previously, if malicious code had been mistakenly executed, it could compromise the integrity of suspected evidence, chain of custody and the time already spent on analysis. Consequently, this would probably have required a rebuild of the analyst’s workstation and starting the imaging and analysis process all over again.
Stage 5 (Present)
Once the data has been processed and potential areas of interest identified, viewing teams involving anything up to 200 police officers (depending on the size of the forensics infrastructure) can be granted real time secure access to potential case evidence. Additionally, the formalized nature of this infrastructure allows for easier secure remote access to qualified experts – reviewing teams do not have to be on site to support larger incidents and there is no need to risk posting out evidence on CDs.
Learn more or request a proposal: