Finding quality tools is tough, particularly if you’re an independent practitioner or a small company. One tool at $1,000 to $2,500 is affordable, but we need an entire toolbox full of tools and they’re all trending towards $1,000 and 20% per year maintenance. Pretty soon you’re out $20,000 up front and then $4,000 per year to stay current. OSS and free tools are awfully welcome.
Thankfully, if you’re a US citizen, your tax dollars paid for the development of an OS X forensics tool called MEGA. (paper) Quoting from the paper: “This project was supported by Award No. 2007-DN-BX-K020 awarded by the National Institute of Justice….” Very cool, right? Alas, MEGA morphed into Mac Marshal and went commercial. (And when did this happen? The MEGA paper includes screenshots of the tool with the label “Mac Marshal” rather than “MEGA”.)
So go to the Mac Marshal web site where you find:
“Because of a special arrangement with the U.S. National Institute of Justice, Mac Marshal is available free of charge to U.S. Law Enforcement personnel. If you qualify, please use the instructions below.
Mac Marshal is available for purchase by the private sector, and law enforcement agencies outside of the United States, from Cyber Security Technologies.”
So, if you’re in law enforcement, you can get a copy of it for free. If you’re not LE, you get to pay $995 to Cyber Security Technologies for it. (order form)
Wait, didn’t I already pay for at least some of this tool through my tax dollars? I can see a private developer deciding to give their product away for free to LE, and corporations discounting the product to the government on GSA schedules. But in this case, the tool was developed using US tax dollars, and the price to the public isn’t just recovering costs, it is making a substantial profit.
It gets more interesting….
I got onto this because I was working on vfcrack (Google Code link, OpenCiphers link), a tool to brute force the encryption on DMGs. It’s a bit out of date, and I thought I’d bring it up to speed. Turns out that this has already been done – as part of Mac Marshal.
“Mac Marshal also include a modified version of vfcrack , which enables fast dictionary-based brute-force password cracking of FileVault sparseimage and sparsebundle images, as well as other encrypted Apple disk image formats (the original distribution of vfcrack does not support sparseimage and sparsebundle images).” (citation)
So there is open source code in Mac Marshal that may have been updated at the taxpayer’s expense but not been returned to the public domain. The vfcrack license doesn’t explicitly prohibit this, but MacMarshal’s developer’s refusal to put the updated code back in the public domain certainly seems to be in bad form.
A couple of suggestions if you accept tax dollars to support the development your tools:
- Price the resulting product so that the independent practitioner can afford to buy it without having to really think about it too much. A range of $200 – $300 I can see, but $995 is getting greedy. $200 covers distribution costs, the web site, answering questions, and the like.
- If you use open source code in your tool and update it, put the updated code back in the public domain for the rest of us to use. It costs you nothing to do so, it earns you good will, and we (the taxpayers) paid for some of that development.
- Remember that we are all working for the public, not just law enforcement. These tools are obviously used in civil matters, civil matters involving the same taxpayers.
And suggestions to tool vendors in general:
- Price your tools so they are affordable. We (small companies) aren’t going to drop $1,000 on a tool without thinking about it, much less $2,500 or $5,000. My gut (biased, I’ll admit) says that if some vendors dropped their prices significantly, they’d get a boost in sales that covers the decreased per-unit profit, and they’d get their product into more peoples’ hands, which would lead to more sales. (Or am I being idealistic?)
- Don’t discount the influence of someone who appears “small”. Many of us have clients in larger firms, and all of us talk (a lot) amongst ourselves. Check the CCE and HTCIA lists, look at Forensic Focus, go to the forensics conferences and talk to the smaller companies.
- Invest in the long term. The small customers you win over now, and who you help do better work so they can be more profitable in the future, will be your beta testers, promoters, and recurring customers in the future.
None of what I describe here is against the letter, or even the spirit, of the law. It probably even falls under “good business practices”. But in charging a premium for a tool that was funded in part by US tax dollars, and in taking public domain code and not returning the changes to the public, the pricing and failure to publicly update code borrowed from the public domain seems contrary to the spirit of the digital forensics community.
An article on PoliceProfessional.Com (original article has vanished and been replaced with new content) contains the following statement:
“ACPO is currently working on a new software tool that will allow forensic officers to operate locally and uncover information almost instantaneously. “What we’re very keen on doing is looking for a forensic triage tool that police officers or forensic officers can use locally. One that is quite simple, one they can ask questions of, such as, ‘in this computer is there the following…?’,” said Ms Williams. “The triage tool can pull that out for them.” She said the current backlog is one of e-crime’s biggest problems and that ACPO is close to identifying the right product to handle it.”
[Note: I've been told that the ACPO is looking to the vendor community for this solution. Rereading this quote, I suspect I should focus less on "working on new software" and focus more on "identifying the right product". I'll leave the post as originally written but will insert commentary.]
The apparent expectation that a tool will significantly address the backlog is rather disturbing for three reasons:
1) The tool will not provide context. It may indicate the presence of an encrypted file container on the system but cannot determine its contents. Or that file sharing is present, but not what it was used for. Or that seven different chat programs are in use, but not the information going through them. As several people have pointed out, these PBF tools will get the low hanging fruit and gather disparate facts but cannot put do any analysis to show relationships, or lack thereof. Further, we’ll need to err on the conservative side and may well end up with a lot of false positives.
2) Technology, and the criminal’s use of technology, advances rapidly, often more rapidly than the tools. This is why DriveProphet’s author is very willing to add new capabilities as issues are reported to him. It is why Digital Detective Group’s Blade product has plug in modules that they can develop and release as new capability is required. Keeping a triage tool current requires ongoing investment by the developer and ongoing training for the users. A one time investment in the technology and training will quickly lead to a situation where the triage tool is missing relevant information. [Note: ACPO's looking to a vendor solution should address the support issue. Keep in mind maintenance costs when investing in a tool. Some vendors charge upwards of 20% of the initial investment each year for maintenance.]
3) I’ve not seen any well researched study on the LE computer forensics backlog that we can use to determine where resources should be spent. The ACPO and others believe that the the backlog is in the triage stage. This appears to be valid, particularly for getting evidence back to the owners, but I suspect that “fixing” the triage stage will simply move the backlog further downstream, even more so if the number of false positives is high.
I also wonder why the ACPO is working on a new tool rather than working with a vendor of an existing tool to tune it to their particular needs. A number of good, well supported, triage tools already exist – Drive Phrophet, Blade, EnCase Portable, e-fense’s suite (now Access Data’s?), to name a few. The ACPO money might be better spent creating a fund to provide training on these existing tools rather than bringing another tool to an already crowded market. [Note: This point is moot given the feedback I received, noted above.]
Triage is an incredibly valuable process, particularly in time critical situations where limited resources are available. Triage, in the medical environment, is performed by trained specialists using diagnostic tools. Computer forensics triage tools often are designed to be used by anyone with minimal training. Witness the Microsoft press release about COFFE – “According to a Microsoft spokesperson ‘an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device.’” I believe there is value in this sort of tool when used as part of a well designed forensics process. I fear that, due to vendor marketing, budget issues, and backlog pressures, these tools will be deployed without the necessary framework to properly support them.
Allow me to close with some questions:
- Why is the ACPO creating a new tool rather than using an existing one? [Note: Addressed by feedback, noted above.]
- Who will use these triage tools and how much training will they get? If they’re designed for lab use to address the backlog will they stay in the lab? Can they safely be deployed earlier in the process?
- Are there any well documented studies on the LE computer forensics backlog?
- What other options are available for addressing the backlog? Anyone who knows me also knows that I’m very interested in finding ways for the private sector to assist LE with computer forensics and this would be one option.
My post about the value of push button forensics produced a number of interesting comments for which I am quite thankful. A common thread in many of the remarks was that someone needs to understand the the science, logic, and art behind the PBF tools. I absolutely agree. Anyone depending on a technician and a tool alone is doing a disservice to their clients, and will likely fail spectacularly in court.
As one reader put it:
“I think the point that is being missed is this – at the end of the day the goal is to produce admissible evidence. The fact remains that our system generally looks to an expert to introduce digital evidence into court. “
Harlan made a similar comment, and really got to the heart of the matter:
“The fact is that the questions being asked by customers…was data exfiltrated, did the malware make data exfiltration possible, etc…cannot be answered by a $50/hr “analyst” with a dongle. This approach will work for low hanging fruit, but even a relatively unsophisticated compromise will be improperly and incompletely investigated in this sort of environment.”
A $50/hour analyst with a PBF dongle should not testify in court and their findings alone should not be presented to a client as they lack context and perspective. Their results are only pieces of the larger construct, a construct that should be built and signed off on by people with significantly more experience. A senior examiner can guide a team of less experienced staff using a wide variety of tools, interpret and combine the results into a well constructed report, and sign off on the team’s work product.
Law firms and private investigation firms are but two of many examples of organizations that employ associates to perform many of the simpler tasks involved in preparing cases. Doing so distributes the workload, frees senior staff up for more complex tasks, provides associates with opportunities to learn on the job under the supervision of senior staff, and ensures that work product is reviewed and approved by someone in the firm who is responsible for presenting the case to the court or to the client. The same can hold true in a computer forensics firm, lab, or department. In fact, any firm with more than a few examiners needs to operate in this manner simply for coordination and responsibility purposes. I’m just proposing that the same structure works well to mitigate the risks of using push button forensics.
We build everything from airplanes to software applications to roads out of component parts that are designed to accomplish a specific task but that, standing on their own, have little value. Organizations work in a similar manner, utilizing human components along with their associated skills and tools to streamline many processes and produce better results than one person standing alone could accomplish. Integrate PBF tools and less experienced people into your organization, manage them appropriately, validate the tools, review the results, and let the senior examiners do the heavy lifting with the complex problems, clients, and courts.
Also, I suspect if most people looked around their organization, they’ll see technicians using push button tools as part of the computer forensic process already. Do you have Voom Hard Copy II or a Talon or one of the other hardware imaging solutions? How many button presses does it take to image a drive, and who is usually pushing those buttons? Do you really believe that you’ll need to explain to a client or a court how the Talon creates an E01 image? Your report will say “Imaged the suspect’s drive with a Talon, serial number XXXXX. The hash values reported by the Talon were XXXX and they matched. The Talon was certified to be operating normally during our regular maintenance, conducted per our SOPs.” It is pretty likely that the imaging was performed by a technician, and as was the regularly scheduled testing.
Push button forensics tools are here to stay and they’re already in use in most of our organizations. There clearly are risks to using PBF and inexperienced examiners inappropriately but through sound business practices they can safely contribute to our projects and improve our efficiency in the process.
Access Data recently entered into a partnership with e-fense. In the announcement, they wrote: “Digital investigations are no longer the exclusive domain of highly trained experts.” I don’t think Access Data is wrong, and I think the forensics community needs to accept that “push button forensics” is here to stay. Further, I think it can be an important part of our future.
(Two notes: 1) For the purpose of this article, forensics and e-discovery are essentially interchangeable. 2) I’m using “technician” to describe someone with basic to moderate technical skills but lacking in deep forensics and/or e-discovery experience.)
“Push button forensics” (PBF) is often derided by computer forensics professionals. We rail against it, occasionally joke about it, and have even made “Find Evidence” buttons to stick on our keyboards. Certain facts suggest that we should embrace it, though perhaps while wearing PPE.
- Tool vendors have a vested interest in selling forensics and e-discovery tools that can be used by people without forensics experience and certifications. If you can make a tool that any technician, lawyer, or IT person can use in a legally defensible manner, you will expand your potential market considerably. We are no match for the combined weight of the marketing departments of the vendors whose tools we are using.
- Corporations, LE agencies, law firms, and other consumers of computer forensics services have a financial interest in acquiring tools that will perform complex forensics and e-discovery tasks and that can be used by technicians rather than by experts. The cost per hour of computer forensics services in the San Francisco Bay Area is around $250. There is a lot of appeal in buying a tool and using a $50 per hour in house technician if you can get the same results.
- The volume and complexity of digital evidence is growing, and growing faster than we can cope with it. LE agencies at all levels have significant computer forensics backlogs, made worse by current budget issues. Corporate legal departments and law firms are under pressure to sift through enormous volumes of data more quickly, and more efficiently, than ever before. The number of people available who can manually sort through the complex evidence isn’t keeping pace, and the explosion in new computer forensics certification and degree programs will not solve the problem any time soon.
In addition to the facts that suggest we need to accept PBF into our environments, I’d like to suggest that, properly integrated, it can be very good for us personally and for our businesses. Here’s one example:
I’ve quite enjoyed following the development of Harlan Carvey’s timeline analysis tools and procedures. I’ve learned a lot from working through his examples, and I’d strongly encourage others to do so. But, the process is currently far too time consuming to use on any project with any significant pressure. We will need more automation, more “push buttoness”, to effectively employ it. And once it is “push button” AND validated, why can’t I farm that part of the process out to a technician? In doing so, I will:
- Acquire useful information in a more timely manner, speeding the investigation and saving the client money.
- Distribute the workload among more junior staff, enhancing their ability to contribute and decreasing the bottleneck on senior resources.
- Free up senior staff for tasks that truly require more experience and knowledge.
Put another way, from a consulting perspective, I can save my clients money, free up experienced people to work on more difficult problems, and safely incorporate people with less experience. The clients will be happy – better results for less money; the senior people will be happy – real challenges, less grunt work; and the junior people will be happy – more opportunity to gain experience.
Our forums are full of discussions about how to use an enormous number of tools, many of which automate and greatly simplify our processes.
- Anyone proficient with EnCase, FTK, X-Ways, or Sleuthkit could replicate Drive Prophet’s results but it would take hours longer, and the chance of missing something is greater.
- Similar point for web browser analysis – if there wasn’t a need to automate this, why do we have Mandiant Web Historian, Gaijin Historian, Cache Back, Pasco, Fox Analysis, NirSoft Mozilla History View, and Passcape History Viewer to name a few?
- With Mount Image Pro, I can provide a forensically sound image to a reviewer to examine with tools they’re comfortable with – Outlook, Explorer, dtSearch – without any risk that they’ll modify the evidence. This can save me a lot of back and forth to produce directory listings, copies of the My Documents folder, and .pst files.
If we look back through the archives of out discussion forums we’ll see that we’ve been automating and simplifying computer forensics processes since the dawn of the profession. In doing so we’ve made the profession more accessible to new practitioners, more valuable to our clients, and more interesting to ourselves. This mimics developments in the rest of the computer industry, and in every aspect of our lives. We’ve got push button cooking, push button flying (auto-land capability), push button navigation, push button photography, …. Push button forensics is here to stay. Accepting the fact and incorporating it into our processes and companies seems wise.
Mind you, I say this with several important assumptions in mind:
- The tools work as advertised, their behavior and results are well understood, and the process and results can be verified.
- The tools are verified internally.
- The use of the tools is supervised by experienced staff.
“Push Button Forensics” has a place in our business toolkits. Digital investigations are no longer the exclusive domain of highly trained experts. Validated PBF tools in the hands of properly trained and supervised technicians can be a very powerful combination for law enforcement agencies, law firms, corporations, and consulting firms.
I’d like to leave you with perhaps the most important point, one that is frequently overlooked or assumed – Finding the evidence is only a small part of the process. Tools can find keywords, put together a timeline, or show you the CP images. They cannot put any of that information in context. Interpreting the information, whether found manually or by PBF tools, still falls squarely in the pervue of a trained and experienced computer forensics investigator.
Digital Evidence Collection Kit
Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. – as well as the processes and procedures governing how they are applied. And if you cannot find the items, or get them to the destination, it doesn’t matter how great your tools are.
This kit, and the thoughts and processes behind it, attempts to address concerns I’ve encountered while doing collections all over the world. The novice investigator or experienced examiner can use this as a foundation for their own kit, or just find insight to fine tune their existing processes.
Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst.
Collection Kit – items with serial numbers
The following table includes all the items that might be of interest to a customs agent. Everything on this list should accurately reflect the actual contents of the collection kit. It may seem odd to include the Brother labeler and the Targus external DVD-ROM drive, but I had these flagged by customs.
|Item||Description||Serial Number||Quantity||Country of Origin||Internal Name||Unit Price ($USD)|
|Lenovo ThinkPad T-60||Laptop Computer||1||China||CK-01||$1,000.00|
|Wiebetech Forensic UltraDock||Write Block Hardware||5 pcs||China||UD-01||$1,000.00|
|Wiebetech ADAv4-18-TOSH||Hard Drive Adapter||USA|
|Wiebetech ADAv4-10||Hard Drive Adapter||USA|
|Wiebetech ADAv4-25||Hard Drive Adapter||USA|
|Wiebetech ADAv4-PCCARD||Hard Drive Adapter||USA|
|Nikon COOLPIX L18||Digital Camera||1||China||-||$100.00|
|Brother PT-80||Electronic Labeler||1||China||-||$30.00|
|Targus PADVD010U||External DVD-Rom Drive||1||Indonesia||-||$140.00|
|Western Digital 1TB MyBook||External hard drive||2||Thailand||-||$300.00|
|Western Digital 320MB Passport||External hard drive||2||Thailand||-||$120.00|
|eSATA PCMCIA card||PCMCIA interface card||1||Unknown||-||$80.00|
Item – Name of the item, from the manufacturer’s label.
Description – Self descriptive
Serial Number – Self descriptive
Quantity – Self descriptive
Country of Origin – Self descriptive
Internal Name – Either a name or a bar code number. Used to keep contents of the kit in line with inventory sheet.
Unit Price – Replacement value, what it would cost if you looked it up on the Internet.
Collection Kit – items with without serial numbers
The following items lack serial numbers and generally are not of interest to customs though I’d still include all of these on the list I gave to customs. Customs issues aside, you still want to ensure that they are in the kit before heading out the door, of course.
|Pelican 1510 LOC||Complete set of UltraDock cables|
|Pelican 1515 case organizer||Cross over cables (2x)|
|Pelican TSA lock||Extra SATA and IDE cables|
|Electrical power strip|
|Office Supplies||Network tap|
|Small magnifying glass|
|Small stapler w/ extra staples||Tools|
|PostIt notes||Set of precision screwdrivers|
|Ball point pen||Needle nose pliers|
|Sharpie – extra fine point|
|Sharpie – fine point|
|AA batteries||Powered USB hub|
|Pill boxes||100Mb network hub|
|Media card reader – USB|
|Software||Forensic evidence bags|
|USB Thumbdrive Case (6 slots)||Cable ties – velcro|
|CD case||Cable ties – plastic|
|Helix 1.9 – CD and USB|
|Helix 2 – CD and USB||Spare hard drive jumpers|
|EnCase – CD and USB||Printed copies of forms|
|General purpose 2GB stick||Spare battery and media for camera.|
Explanation of items:
Pelican Case – This Pelican case will fit in the overhead compartment of domestic and international flights. The “LOC” designation means that it is designed to carry a laptop in the lid and clothes in an insert. Remove the insert and install the case organizer instead.
- PostIts – For labeling drives and systems temporarily.
- Pillboxes – Hold screws from disassembled laptops. I had one laptop that required the removal of seven different sets of screws. The pillboxes kept them organized.
- Sharpies – For labeling evidence and for filling in the notecards.
- Notecards – The notecards get the following information on them:
- System serial number
I then place the notecard for that system in each photograph taken of the system or its components. It allows me to sort a couple hundred photographs out later without too much difficulty.
- The best precision screwdriver set I’ve found is the Boxer 40 Piece 4mm Precision Screwdriver set, model PK-30.
- Wiresnips are for cutting cable ties.
- I include a bootable version of each tool on both CD and USB thumb drive. I can clone either one in the field and run an essentially limitless number of collections in parallel. We tend to think about the speed of individual imaging solutions and forget about parallelization of processes..
- I maintain an SOP/Documents repository on my laptop and a Software Tools repository. The former contains forms, processes, articles, etc. The latter contains installers, source code, and stand alone apps for everything I need to build a new forensics analysis station. I periodically sync these repositories with the thumb drive in the collections kit as well as other systems.
- The tools included will pass TSA scrutiny for carryon items based on the TSA website and personal experience.
- You could bar code all the media before you go into the field. I often label mine when I wipe them, and set up a TrueCrypt volume up on them at the same time.
- TrueCrypt volumes – I can ship the disks, hand them to customs, or flat out lose them without worrying about data being exposed. It can take hours to wipe and encrypt a drive so you really want to do a number of them in the lab rather than in the field. This is another reason not to assume you can get enough drives while you’re running around a foreign country, or even domestically. More than once I had multiple laptops running in my hotel room overnight doing the wipe/encrypt cycle with an alarm set to wake me so I could change drives out every few hours.
- Each drive pair covers a single set of images. One is the primary, one is the backup. You can create both at the same time or use Robocopy to create the backup copy when you’re not imaging.
- There’s not enough room in the kit for a dedicated hardware imager plus the bare drives it would require. The laptop isn’t quite as fast but it is more flexible, a useful characteristic when in the field. I do try to include a dedicated imaging solution in other luggage.
- For long collection projects, I’ll carry a second case full of drives and/or ship drives to various locations. I’ve bought drives in the field, but it consumed a lot of shopping and prep time.
- If you need to expand this kit for a larger project, all your office supplies are in this kit and other kits can hold more equipment – laptops, hardware imaging solutions, etc.
- If multiple people are working on a project, each one gets a kit so they can split up if necessary without losing access to office supplies.
- Whenever possible, I prepare collections forms in advance with the common information included – matter, custodian, address, etc. In addition to these forms, I include blank copies of all the common forms.
- One copy of the inventory goes in the case, under the inserts. One goes in the case, on top of the inserts to give to Customs. One goes in my laptop bag.
Other items for consideration
There are a number of items missing from this kit that you might want to consider including. For example:
- It doesn’t include anything for collecting cell phones.
- It doesn’t contain a dedicated hardware imaging solution.
- There are no packing materials – pre-printed FedEx labels, packing tape, evidence tape, etc.
- Spares of many things.
The entire kit fits into the Pelican 1510 LOC using the case organizer.
(Note: I bought mine through Amazon but this company will sell you all the pieces and will custom cut inserts for you as well – http://www.casesbypelican.com/app-1510.htm)
- There aren’t quite enough dividers for my taste.
- The power supplies for the write blocker and laptop go in the lid, side by side. I’m not certain that a Tableau power supply would fit.
- Pack the stuff you really need on top.
- I wish there was room for a clipboard with a forms storage compartment.
- Put a business card under the organizer and another one elsewhere in the kit.
- Laptop is in lid, left side.
- Power supplies are in lid, right side.
- UltraDock and adapters are in case, upper left.
- Labeler and some cables are next to adapters.