Wednesday, February 24, 2010

TACTICAL trial by fire

Last week, I received a phone call to perform a sensitive acquisition for Law Enforcement. A tragedy really, but out of it arises a short story of success with modern forensics tools.

When I arrived on scene I was briefed and went to search for the requisite equipment to perform the acquisition. As it turned out, the entire stock of wiped drives was gone. A 500GB drive was located, but it needed to be wiped. Wiping a 500GB drive takes up to a few hours, so that was no good. I did have some clean space on an acquisition RAID device though. Given the sensitivities of the operation I had to do this quickly, efficiently, and right the first time. The margin for error was slim as there was information on the desktop that couldn't be lost.

I went for the ace up the sleeve. I had up to this point only used it in testing, but I went for a tool I knew I could trust. The tool was none other than F-response TACTICAL. Yeah, that's right, I went for live imaging in a Law Enforcement case. There are still plenty of those doubters and naysayers out there, so let me be clear. The time to adapt has passed; the need to preserve evidence when lives are at stake is paramount. It's time you adopted modern techniques. There is no such thing as forensic purity in any forensic discipline when you've got volatile evidence. That's a myth created by those that have never worked in the field.

Photos taken and requisite documentation completed, I plugged the victim system into a local switch I had for this purpose. I then proceeded to insert the subject dongle into the subject computer. I quickly popped the examiner dongle into my station attached to the acquisition RAID. Configuration, always quick, included physical memory. Then I simply clicked on "auto connect" on the examiner console. Just like that, the disk and memory objects I needed were exposed. Firing up FTK Imager, I made the acquisitions I needed. The case proceeded as many do, with hurried phone calls and stress like no normal incident can create. The evidence was secured for examination and the subject laptop was turned over.

I'm an Incident Responder and a Forensic Examiner. I need tools I can rely on, tools that work in the clutch, tools that don't break the bank, tools to use when life and limb are at stake. For me, that's F-response. A very big thanks to Matt Shannon and the folks at F-response. I'm not sure how the field got along without you, and you've made technology available that makes a real difference.


Brian said...

Even if we were to believe that such a thing exists, "forensic purity" is not, and never has been, the primary determinant in deciding which means of evidence collection or examination to use.

Forensic science has one primary purpose, and one only, and that is investigative support. As such, the methods chosen MUST both (1) comply with the priorities of the investigation and (2) observe the constraints imposed on the investigation. Anything else amounts to forensic malpractice.

This is something that many forensics examiners fail to understand. It is the investigative objectives, in prioritized order, and the investigative constraints that must drive forensic decisions. Of course, at the next level in the decision tree the examiner must also consider constraints imposed by the nature of the evidence itself, limitations of the forensic tools and science, etc., but the top-level determinants are the investigative drivers. Get that wrong and it doesn't matter what else you get right.

When forensics examiners begin to understand their role in investigative support, as opposed to litigation support, they'll begin to get it right when it comes to the decision tree.

Yes, litigation is a top-level driver for SOME investigations, but by no means ALL. For many investigations, real-time interdiction and/or mitigation is the primary driver and TIME and/or COSTS are the chief constraint(s) imposed on the investigation. If the methods you choose run contrary to those elements at the top level of the decision tree, you're no good to anyone.