The best approach to a Digital Forensics (aka Computer Forensics or Cyber Forensics) investigation has been to perform a “Dead” analysis of the data storage devices. This requires imaging (copying) hard drives, flash drives, discs, etc. for further analysis in a controlled lab environment. An even simpler approach is to take the entire computer to the lab and let someone else image its contents there. When the evidence may be presented in court, you want to make sure that every step of the investigation was conducted correctly and is well documented. It’s best to perform this process in a lab where you have access to all of your equipment, software, references and trusted advisors, as well as the time to figure out complex issues, research with new terms and maybe even crack encryption codes.
But now investigators are being pushed into performing “Live” analysis. If you find a computer turned on, turning it off may prevent you from ever accessing its data again. Whole-disk encryption typically prompts for an encryption key each time the computer is turned on. While it is still on, you can capture an image of its RAM and analyze it later for encryption keys and any evidence of outside tampering. Then you can image the hard drive and/or turn the computer off and take it to the lab, right? Not any more!
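Whether the capture is a RAM image taken live or a disk image taken in the lab, the step that has to be documented for court is the same: hash the source at acquisition time, hash the image, and record that the two match so any later alteration can be detected. The following Python script is an added illustration of that verification, not code from the original post or from the FI Data Profiler product; it works on a small constructed byte string standing in for a device, and the `ChainOfCustodyEntry` record layout is an assumption chosen for the example.

```python
import hashlib
import io
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large images do not load into memory

# Constructed stand-in for a storage device: in practice this would be a raw
# device node or a write-blocked block device, not an in-memory buffer.
SAMPLE_DEVICE = b"MBR\x00" + bytes(range(256)) * 64 + b"evidence.txt:meeting at 9\n"


@dataclass
class ChainOfCustodyEntry:
    """One documented acquisition step (hypothetical record layout)."""
    action: str
    examiner: str
    source_sha256: str
    image_sha256: str
    bytes_copied: int
    verified: bool
    timestamp_utc: str


def sha256_stream(stream) -> str:
    """Stream a file-like object through SHA-256 without reading it all at once."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source, image) -> ChainOfCustodyEntry:
    """Copy source to image, hashing the source as it is read, then re-hash
    the written image and record whether the two digests agree."""
    source_digest = hashlib.sha256()
    copied = 0
    for chunk in iter(lambda: source.read(CHUNK_SIZE), b""):
        source_digest.update(chunk)
        image.write(chunk)
        copied += len(chunk)
    image.seek(0)
    image_hash = sha256_stream(image)
    source_hash = source_digest.hexdigest()
    return ChainOfCustodyEntry(
        action="acquire",
        examiner="examiner-placeholder",
        source_sha256=source_hash,
        image_sha256=image_hash,
        bytes_copied=copied,
        verified=(source_hash == image_hash),
        timestamp_utc=datetime.now(timezone.utc).isoformat(),
    )


def verify_image(image, expected_sha256: str) -> bool:
    """Later re-verification (e.g. before analysis or before presenting in court)."""
    image.seek(0)
    return sha256_stream(image) == expected_sha256


def acquire_and_verify_sample():
    """Run the acquisition on the constructed device, then show that a
    single-byte change in the image is caught by re-verification."""
    image = io.BytesIO()
    entry = acquire_image(io.BytesIO(SAMPLE_DEVICE), image)

    intact = verify_image(image, entry.image_sha256)

    # Simulate post-acquisition tampering: flip one byte inside the image.
    tampered = io.BytesIO(bytearray(image.getvalue()))
    tampered.seek(10)
    tampered.write(b"\xff")
    still_verifies = verify_image(tampered, entry.image_sha256)

    return entry, intact, still_verifies


if __name__ == "__main__":
    entry, intact, still_verifies = acquire_and_verify_sample()
    print(json.dumps(asdict(entry), indent=2))
    print("image verifies:", intact)
    print("tampered copy verifies:", still_verifies)
```

The log entry is what the examiner's notes should capture at the scene: which hash was computed, over how many bytes, and when. Re-running `verify_image` against that recorded digest at any later point answers the question the court will ask, namely whether the data analyzed is the data that was seized.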
The Ninth U.S. Circuit Court of Appeals in San Francisco recently made a ruling that may prevent us from performing Dead Forensics. It says that evidence needs to be gathered on location, and that taking entire hard drives infringes on a person’s rights. For example, if you’re searching for evidence of one crime and happen to notice child pornography (CP), then you have to just ignore it. Normally, you could stop your investigation and quickly obtain a second search warrant for CP, because it was “in plain view”. Then you could continue your investigation under two warrants and find evidence of both crimes. “Plain view” will no longer work for computer investigations, and large collections of computer data will not be allowed to leave the site.
Does this mean that all equipment and software needs to be brought to the scene, and that your most talented investigators have to come to each site and perform their analysis there? So much for the idea of first responders collecting the data and more senior investigators performing the detailed analysis! What happens when you have new terms to search for as a case progresses? Do you then have to revisit the site and perform another search on data that may have been changed outside of your control?
We are about to send out a prerelease version of our FI Data Profiler Portable product, which will assess each computer/storage device and display charts of what types of data are there. We have been targeting this product at reducing the backlog in the labs by eliminating computers and hard drives that have no potential for containing the evidence specified in a search warrant. But maybe this new tool will also help investigators on site to quickly target just the computers that will contain the pertinent data.