
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
July 9, 2012


The Forensic Technologist: trends in digital investigations

A few weeks ago I was fortunate enough to attend the Computer Enterprise and Investigations Conference (CEIC) 2012 in Las Vegas (www.ceicconference.com). Despite allegations that I pick my conferences based on location and weather, this event really is ‘the hottest ticket in town’ for the international computer forensic community.

Believe me… Like Paris and its myriad fashion shows, everything that’s talked about and exhibited here is considered to be ‘the future’ for next season’s forensic investigations.

Organised by Guidance Software, CEIC has been running for a number of years and is a content rich hybrid of training seminars, conference sessions and trade show. The show gathers computer forensic practitioners, ‘eDiscovery professionals’ and anyone interested in digital investigations and cutting-edge issues.

This year saw exhibitions of everything from the latest disk duplicators through to debates about games console and e-reader forensics.

What, then, of the latest kit on display and any pointers towards any future trends likely to emerge in the forensic technology sector?

Future trends in forensic technology

Computer forensic practitioners love to take things apart. It’s pretty much what our job is all about, so it’s no surprise that we’re always drawn to new kit.

There’s a good reason for this. When collecting evidence, it’s advisable to take into the field as many different tools as you can. That way, you always have plenty of options if something isn’t working for you. Often, there will not be the opportunity to pop out to Maplins and pick up an extra cable or hard drive so we need to come prepared.

Many of us call this tool chest the ‘raid kit’ in reference to a traditional search and seizure (and to add some drama).

Despite an increasing move towards network-based evidence collection, the forensic disk duplicator is still the workhorse of any decent raid kit. These are standalone devices that can make a complete bit-by-bit copy of a computer hard drive very rapidly. They also have various other forensic features, among them disk hashing, auditing bad sectors and recording case information.

Particularly impressive at CEIC were the new Tableau TD2 units (www.tableau.com), which are relatively small but allow an examiner to make two copies of an image at the same time. They can also be field-upgraded to use the new EnCase encrypted image format. The Logicube units dubbed the ‘Talon’ and ‘Dossier’ have similar features (www.logicube.com).

Personally, I loved the multicoloured ICS Rapid Image 7020 unit (www.ics-iq.com): a mammoth disk duplicator that can image ten hard drives simultaneously. I’m continually amazed at how many hard drive duplicators come contained within brightly coloured yellow pelican cases. Anyone trying to get through a customs gate with this equipment will know that these ‘beacon bags’ have the ability to create lots of unwanted attention.

These duplicators are handy because they’re very compact and work quickly. A more traditional rig consists of a write blocker (to prevent alterations to the suspect hard drive), a laptop and a destination hard drive to copy the images onto.

Factors affecting forensic imaging

There are myriad factors that can affect the performance of forensic imaging: laptop bus speed, firmware versions, interface, drive speed, multi-reading and so on.

I’ve often searched for a White Paper that really looks at these factors in depth, so I was delighted to listen in on a presentation given by Paul Pelzl of Guidance Software comparing the real world performance of various types of serial bus for forensic purposes. At present, the verdict appears to lie in favour of USB3 while the industry waits to see what will happen with Thunderbolt.

Some vendors (such as Dell) are increasingly focused on the requirements of the forensic lab (www.dell.com/Forensics). When undertaking computer forensics analysis you need a lot of big, fast storage, plenty of memory and processing capability. I met a chap from a US law enforcement agency who expressed the requirement quite simply: “You need big computers to compute other computers.”

Indeed, as I’m writing this blog we’re currently spec’ing out a high powered rig to do some malware analysis.

There are still a number of vendors who sell large, powerful desktops with write-blockers built in (www.forensiccomputers.com). However, it’s increasingly the case that practitioners are moving towards server-based environments. It’s also useful to have a large quantity of deep-freeze storage. These are sometimes called MAID systems (Massive Array of Inexpensive Disks). Once the more intensive processing is finished, these systems let you keep large volumes of data online on cheaper storage.

Finally, on the subject of new ‘toys’, I attended a very interesting session on Xbox forensics. Professor David Collins covered the original Xbox hacks (i.e. unlocking the Xbox by injecting some code into a game save) and the FATX/XFAT file systems.

More and more, we’re seizing game consoles because of their potential to be adapted into high powered workstations or FTP servers. I would like to see the Kinect system adapted for forensic use – I’m not sure for what – but I challenge someone to make this happen by CEIC 2013!

Social media: current thinking

The issues surrounding the Cloud, BYOD and social media featured heavily this year. Social media websites have rapidly become a common aspect of everyday life, and so we are starting to see forensic software that can deal with evidence captured from these sites.

Craig Ball and Chris Dale gave a lecture on some of the challenges surrounding privacy, chain of custody and evidence collection in respect of social media.

With respect to collection, social media sites are in continuous use, much like a company file server. The phrase we use to refer to an image that’s taken over time is a ‘smear’ image. Social media forensics requires an ability to continually observe changes over time, but this can be tricky using traditional capture tools. New products from firms such as Cernam (www.cernam.com) and X1 Social Discovery (www.x1discovery.com) are starting to tackle the issues of cloud and social media collection more explicitly.

Mike Wilkinson of Champlain College also gave a talk on Kindle forensics. Never before have forensic investigators needed to be so aware of the evidence residing in their ambient environment.

A forensic update of Windows 8 has been deferred, although many cyber investigators are already looking into Microsoft’s latest OS. In the corporate world, it’s possible that many organisations may be prompted to upgrade their platforms as Microsoft will cease to support XP in 2014.

The more familiar option of Windows 7 may be next. I enjoyed John Marsh’s whirlwind tour of Windows 7 artefacts. From my perspective, there seem to be more evidential artefacts than ever before in Windows. This is good news for forensic investigators.

One example is the new pre-fetch structure (super-fetch). Pre-fetch files are the files created by Windows when an application is run. They contain useful data that’s used by Windows to launch applications more quickly. We can find out if an application has been run, the number of times executed, when it was last run and (with a bit of effort) the path of the original executable. This is particularly useful when trying to identify how certain software, such as pirated products or peer-to-peer systems, has been used.
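To make the pre-fetch artefact concrete, here is an added example (not code from the article or from any vendor mentioned in it) that parses the fixed header of an uncompressed Windows prefetch file and pulls out the four things named above: whether and how often the program ran, when it last ran, and the original path of the executable, which is recovered from the list of files the loader touched. The offsets for format versions 17, 23 and 26 (XP, Vista/7, 8) follow the published layout of the format; Windows 10 files are compressed and are deliberately rejected. The sample file is constructed in the code, not a real capture, and its hash value is arbitrary.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
# Absolute offsets of (last-run FILETIME, run counter) by format version:
# 17 = Windows XP/2003, 23 = Windows Vista/7, 26 = Windows 8. Version 30
# (Windows 10) files are MAM-compressed on disk and are not handled here.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used to build the sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Extract the headline artefacts from an uncompressed .pf file image."""
    version, = struct.unpack_from("<I", data, 0x00)
    if data[4:8] != SIGNATURE:
        raise ValueError("not a prefetch file: SCCA signature missing")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    file_size, = struct.unpack_from("<I", data, 0x0C)
    # 60 bytes of NUL-padded UTF-16LE at 0x10 hold the executable name.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # The hash at 0x4C is the suffix seen in the file name, NAME-HASH.pf.
    prefetch_hash, = struct.unpack_from("<I", data, 0x4C)
    # The file-information block starts at 0x54. Its section C (offset and
    # length stored at 0x64) is a run of NUL-terminated UTF-16 device paths
    # for every file loaded at launch; the executable's own path is among them.
    strings_off, strings_len = struct.unpack_from("<II", data, 0x64)
    last_run_off, run_count_off = LAYOUT[version]
    last_run_ft, = struct.unpack_from("<Q", data, last_run_off)
    run_count, = struct.unpack_from("<I", data, run_count_off)
    raw = data[strings_off:strings_off + strings_len].decode("utf-16-le", errors="replace")
    files_loaded = [p for p in raw.split("\x00") if p]
    exe_path = next((p for p in files_loaded
                     if p.upper().endswith("\\" + exe_name.upper())), None)
    return {
        "version": version,
        "file_size": file_size,
        "executable": exe_name,
        "hash": f"{prefetch_hash:08X}",
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
        "executable_path": exe_path,
        "files_loaded": files_loaded,
    }


def build_sample_prefetch():
    """Constructed version-23 (Windows 7) prefetch image for NOTEPAD.EXE:
    run 5 times, last at 2012-07-09 10:30 UTC. Not a real capture."""
    strings = "".join(p + "\x00" for p in (
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE",
    )).encode("utf-16-le")
    strings_off = 0xF0  # first byte after the version-23 file-information block
    buf = bytearray(strings_off + len(strings))
    struct.pack_into("<I4s", buf, 0x00, 23, SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + 22] = "NOTEPAD.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0xD44FF397)  # arbitrary, constructed hash
    struct.pack_into("<II", buf, 0x64, strings_off, len(strings))
    last_run = datetime(2012, 7, 9, 10, 30, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, 5)
    buf[strings_off:] = strings
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_prefetch())
    print(f"{info['executable']} ({info['executable_path']}) ran "
          f"{info['run_count']} times, last at {info['last_run']}")
```

On a live case the same function takes the bytes of a file from the Prefetch directory (`parse_prefetch(open(path, "rb").read())`); the run counter and last-run time come straight from the fixed offsets, while the executable path is the "bit of effort" the article mentions, found by matching the name against the loaded-file strings.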

Transactional logging (actually brought in with Vista) allows file system operations to be logged in case they fail (so that they can be reversed). This is another source of information an examiner can review to understand a user’s deletion and copying behaviour.

‘Angry birds’ forensics, anyone?

Guidance Software, makers of the forensic tool EnCase (www.guidancesoftware.com), is also launching a new online store for the publication and distribution of forensic scripts (EnScripts) that run within the EnCase tool. Similar syntactically to Java, the EnScript language allows a forensic examiner to explore, parse and search the contents of a forensic image in a very powerful fashion.

For example, scripts have been written that can ‘carve’ different file types out of the deleted portions of a hard drive, or that parse Internet history. We recently had a case where we wrote a script to harvest thousands of deleted instant chat utterances together and combine them into an Excel spreadsheet. I once wrote a script to visualise Internet history in a similar way to an earthquake seismograph. This is because I was frustrated with looking at Internet records as long lists of tabulated data where it was difficult to see the wood for the trees.

For example, the downloading of hundreds of images can result from a single visit to a webpage. When reviewed in a tabulated format, the perception of the level of user activity can be skewed by the sheer amount of artefacts.

The script used a metaphor whereby each website domain was represented by a horizontal line. If the user accessed that site it would generate a vertical spike and the size of that spike indicated data volume or frequency of access.
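The author's seismograph was an EnScript running inside EnCase; as an added illustration of the same idea (not the author's script), the following Python builds the view from a list of (timestamp, URL) history records: one row per domain, the timeline cut into fixed buckets, and a spike glyph per bucket whose height grows logarithmically with the number of requests. The history is constructed inline, with a single page visit pulling in hundreds of images, so that the 353-row table collapses to five spikes across three domains.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Spike glyphs, tallest last; chosen by decade of request count.
SPIKES = " .:|#"


def domain_of(url):
    return urlparse(url).hostname or "?"


def bucketize(records, bucket_seconds=60):
    """Return (bucket start times, {domain: [request count per bucket]})."""
    if not records:
        return [], {}
    start = min(t for t, _ in records)
    span = (max(t for t, _ in records) - start).total_seconds()
    n_buckets = int(span // bucket_seconds) + 1
    grid = defaultdict(lambda: [0] * n_buckets)
    for t, url in records:
        grid[domain_of(url)][int((t - start).total_seconds() // bucket_seconds)] += 1
    starts = [start + timedelta(seconds=i * bucket_seconds) for i in range(n_buckets)]
    return starts, dict(grid)


def glyph(count):
    """1 request -> '.', 10 -> ':', 100 -> '|', 1000+ -> '#'."""
    if count <= 0:
        return " "
    return SPIKES[min(len(SPIKES) - 1, 1 + int(math.log10(count)))]


def spike_rows(records, bucket_seconds=60):
    """One character row per domain, busiest domain first."""
    _, grid = bucketize(records, bucket_seconds)
    ordered = sorted(grid.items(), key=lambda kv: (-sum(kv[1]), kv[0]))
    return {domain: "".join(glyph(c) for c in counts) for domain, counts in ordered}


def count_spikes(rows):
    """Distinct access events visible on the chart (non-blank cells)."""
    return sum(1 for row in rows.values() for ch in row if ch != " ")


def render(records, bucket_seconds=60):
    starts, _ = bucketize(records, bucket_seconds)
    rows = spike_rows(records, bucket_seconds)
    width = max(len(d) for d in rows)
    header = f"{'':{width}}  {starts[0]:%H:%M} .. {starts[-1]:%H:%M} ({bucket_seconds}s buckets)"
    return [header] + [f"{d:{width}}  {row}" for d, row in rows.items()]


def constructed_history():
    """Constructed browser history, not a real capture: two visits to a news
    site, each of which pulls ~200 images from a CDN, plus one search."""
    base = datetime(2012, 7, 9, 9, 0, 0)
    recs = [(base, "http://news.example.com/index.html")]
    recs += [(base + timedelta(seconds=1 + i % 20), f"http://cdn.example.net/img/{i}.jpg")
             for i in range(200)]
    recs.append((base + timedelta(minutes=5), "http://search.example.org/?q=forensics"))
    recs.append((base + timedelta(minutes=6), "http://news.example.com/story/42"))
    recs += [(base + timedelta(minutes=6, seconds=2 + i % 15), f"http://cdn.example.net/img/{i}.jpg")
             for i in range(150)]
    return recs


if __name__ == "__main__":
    history = constructed_history()
    print(f"{len(history)} history rows, {count_spikes(spike_rows(history))} spikes:")
    print("\n".join(render(history)))
```

The point the article makes is visible in the output: the CDN row shows two spikes, one per page visit, rather than 350 separate rows, and a single user action that fetched 200 images is no longer mistaken for 200 actions. Feeding real records only requires parsing the browser's history store into (timestamp, URL) pairs first.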

The new online store will hopefully encourage the sharing of such tools among the community and Guidance Software is currently seeking developers to sign up to the programme.

Leaving Las Vegas

I think I profited from my visit to a city where the odds are usually against you (if you’ll pardon the pun). I lost $20 on video poker, gained a couple of kilos of body mass and also gained some new contacts across this sparsely populated field of niche professionals.

I advise you to visit the CEIC website and gain a fuller appreciation of the breadth and depth of subjects covered at the event.

There are also other conferences worth your attention. The AccessData Users Conference (accessdata.com/aduc), also hosted in Vegas, was held in early May.

The Evidence Conference (www.theevidenceconference.com) takes place in October (in Washington DC) and, here in the UK, we have the annual F3 Workshop (which runs in November) (www.f3.org.uk).

Simon Placks leads the Ernst & Young IT Forensics team
