The best approach to a Digital Forensics (aka Computer Forensics or Cyber Forensics) investigation has been to perform a “Dead” analysis of the data storage devices.  This requires the imaging (or copying) of hard drives, flash drives, discs, etc. for further analysis in a controlled lab environment.  An even simpler approach is to take the entire computer to the lab and let someone else image its contents there.  When the evidence may be presented in court, you want to make sure that every step of the investigation was conducted correctly and is well documented.  It's best to perform this process in a lab where you have access to all of your equipment, software, references and trusted advisors, as well as the time to figure out complex issues, search again with new terms and maybe even crack encryption codes.
But now investigators are being pushed into performing “Live” analysis.  If you find a computer turned on, turning it off may prevent you from ever accessing its data again.  Whole disk encryption typically prompts you for an encryption key each time the computer is turned on.  While it is still on, you can capture an image of its RAM and analyze it later for encryption keys and any evidence of outside tampering.  Then you can image the hard drive and/or turn the computer off and take it to the lab, right?  Not any more!
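Capturing RAM before power-off only pays off if the image can later be mined for keys. As an added example (not the blog's or Forensic Innovations' code), the script below scans a constructed memory dump for AES-128 key schedules: an expanded key is a recognisable 176-byte structure in which each round key is derived from the previous one, so a candidate 16-byte block is confirmed by re-deriving the bytes that follow it. The dump contents, key value and offset are all constructed here.

```python
"""Locate AES-128 key schedules in a memory image (forensic triage example)."""
import random

def _build_sbox():
    """Generate the AES S-box from its definition instead of a 256-entry table."""
    rotl = lambda b, n: ((b << n) | (b >> (8 - n))) & 0xFF
    sbox = [0x63] + [0] * 255          # 0 has no inverse; its entry is the affine constant
    p = q = 1                          # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF      # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                  # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def next_round_key(rk, rcon):
    """One AES-128 key-schedule step: round key i -> round key i+1."""
    t = [SBOX[b] for b in rk[13:16] + rk[12:13]]   # RotWord + SubWord of last word
    t[0] ^= rcon
    out = []
    for j in range(4):                             # w[4i+j] = w[4(i-1)+j] ^ previous word
        t = [a ^ b for a, b in zip(rk[4 * j:4 * j + 4], t)]
        out += t
    return bytes(out)

def expand_key(key):
    """Full 176-byte AES-128 schedule, as it sits in RAM while a volume is mounted."""
    sched, rk = bytes(key), bytes(key)
    for rc in RCON:
        rk = next_round_key(rk, rc)
        sched += rk
    return sched

def find_aes128_keys(image):
    """Return (offset, key) for every block whose following bytes are its schedule."""
    hits = []
    for off in range(len(image) - 175):
        rk = image[off:off + 16]
        if next_round_key(rk, 0x01) != image[off + 16:off + 32]:   # cheap first filter
            continue
        if expand_key(rk) == image[off:off + 176]:                 # confirm all rounds
            hits.append((off, rk))
    return hits

def constructed_dump(key, size=65536, seed=7, off=0x3A10):
    """Constructed RAM image: pseudo-random filler with one schedule planted at off."""
    buf = bytearray(random.Random(seed).getrandbits(8) for _ in range(size))
    buf[off:off + 176] = expand_key(key)
    return bytes(buf), off
```

A real acquisition is scanned the same way, reading the image in overlapping chunks; the planted offset is only known here because the dump is constructed.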
The Ninth U.S. Circuit Court of Appeals in San Francisco recently made a ruling that may prevent us from performing Dead Forensics.  It says that evidence needs to be gathered on location, and that taking entire hard drives infringes on a person’s rights.  For example, if you’re searching for evidence on one crime and happen to notice child pornography (CP), then you have to just ignore it.  Normally, you could stop your investigation and quickly obtain a second search warrant for CP, because it was “in plain view”.  Then, you could continue your investigation under two warrants and find evidence for both crimes.  “In plain view” will no longer work for computer investigations, and large collections of computer data will not be allowed to leave the site.
Does this mean that all equipment and software needs to be brought to the scene, and your most talented investigators have to come to each site and perform their analysis there?  So much for the idea of first responders collecting the data and more senior investigators performing the detailed analysis!  What happens when you have some new terms to search for, as a case progresses?  Do you then have to revisit the site and perform another search on data that may have been changed outside of your control?
We are about to send out a prerelease version of our FI Data Profiler Portable product, which will assess each computer/storage device and display charts of what types of data are there.  We have been targeting this product at reducing the backlog on the labs, by eliminating computers and hard drives that have no potential for containing the evidence specified in a search warrant.  But maybe this new tool will also help the investigators on site to quickly target just the computers that will contain the pertinent data.

The Push for Live Forensics

3 thoughts on “The Push for Live Forensics”

  • September 5, 2009 at 1:22 pm

    Looking forward to the FI Data Profiler Portable product. We do use Live Response and Helix Pro from e-Fense for live acquisitions and analysis. I am experiencing the need to capture what is happening on a computer in its native environment. VM is great for loading images but I sometimes find the need in investigations to observe the actual machine on its own hardware platform and do live analysis.

  • September 7, 2009 at 9:36 pm

    Would you be interested in trying our pre-release? We plan to release it in the next week or two, when we complete a few more features. Our intent with the pre-release is to gather as much input as possible to include the features that investigators need most. The first 10 testers that provide valuable feedback (resulting in additional features or improvements) will receive a free license of the final release.
    If you are interested in trying the upcoming pre-release, notify to add you to the list.
    Rob Zirnstein
    Forensic Innovations

  • Pingback: Innovations Blog » Blog Archive » Try FI Data Profiler and Tell Us What You Think