Home > Computer forensics > The value of push button forensics

The value of push button forensics

Access Data recently entered into a partnership with e-fense. In the announcement, they wrote: “Digital investigations are no longer the exclusive domain of highly trained experts.” I don’t think Access Data is wrong, and I think the forensics community needs to accept that “push button forensics” is here to stay. Further, I think it can be an important part of our future.

(Two notes: 1) For the purpose of this article, forensics and e-discovery are essentially interchangeable. 2) I’m using “technician” to describe someone with basic to moderate technical skills but lacking in deep forensics and/or e-discovery experience.)

“Push button forensics” (PBF) is often derided by computer forensics professionals. We rail against it, occasionally joke about it, and have even made “Find Evidence” buttons to stick on our keyboards. Certain facts suggest that we should embrace it, though perhaps while wearing PPE.

  1. Tool vendors have a vested interest in selling forensics and e-discovery tools that can be used by people without forensics experience and certifications. If you can make a tool that any technician, lawyer, or IT person can use in a legally defensible manner, you will expand your potential market considerably. We are no match for the combined weight of the marketing departments of the vendors whose tools we are using.
  2. Corporations, LE agencies, law firms, and other consumers of computer forensics services have a financial interest in acquiring tools that will perform complex forensics and e-discovery tasks and that can be used by technicians rather than by experts. The cost per hour of computer forensics services in the San Francisco Bay Area is around $250. There is a lot of appeal in buying a tool and using a $50 per hour in house technician if you can get the same results.
  3. The volume and complexity of digital evidence is growing, and growing faster than we can cope with it. LE agencies at all levels have significant computer forensics backlogs, made worse by current budget issues. Corporate legal departments and law firms are under pressure to sift through enormous volumes of data more quickly, and more efficiently, than ever before. The number of people available who can manually sort through the complex evidence isn’t keeping pace, and the explosion in new computer forensics certification and degree programs will not solve the problem any time soon.

In addition to the facts that suggest we need to accept PBF into our environments, I’d like to suggest that, properly integrated, it can be very good for us personally and for our businesses. Here’s one example:

I’ve quite enjoyed following the development of Harlan Carvey’s timeline analysis tools and procedures. I’ve learned a lot from working through his examples, and I’d strongly encourage others to do so. But, the process is currently far too time consuming to use on any project with any significant pressure. We will need more automation, more “push buttoness”, to effectively employ it. And once it is “push button” AND validated, why can’t I farm that part of the process out to a technician? In doing so, I will:

  • Acquire useful information in a more timely manner, speeding the investigation and saving the client money.
  • Distribute the workload among more junior staff, enhancing their ability to contribute and decreasing the bottleneck on senior resources.
  • Free up senior staff for tasks that truly require more experience and knowledge.

Put another way, from a consulting perspective, I can save my clients money, free up experienced people to work on more difficult problems, and safely incorporate people with less experience. The clients will be happy – better results for less money; the senior people will be happy – real challenges, less grunt work; and the junior people will be happy – more opportunity to gain experience.

Our forums are full of discussions about how to use an enormous number of tools, many of which automate and greatly simplify our processes.

  • Anyone proficient with EnCase, FTK, X-Ways, or Sleuthkit could replicate Drive Prophet’s results but it would take hours longer, and the chance of missing something is greater.
  • Similar point for web browser analysis – if there wasn’t a need to automate this, why do we have Mandiant Web Historian, Gaijin Historian, Cache Back, Pasco, Fox Analysis, NirSoft Mozilla History View, and Passcape History Viewer to name a few?
  • With Mount Image Pro, I can provide a forensically sound image to a reviewer to examine with tools they’re comfortable with – Outlook, Explorer, dtSearch – without any risk that they’ll modify the evidence. This can save me a lot of back and forth to produce directory listings, copies of the My Documents folder, and .pst files.

If we look back through the archives of out discussion forums we’ll see that we’ve been automating and simplifying computer forensics processes since the dawn of the profession. In doing so we’ve made the profession more accessible to new practitioners, more valuable to our clients, and more interesting to ourselves. This mimics developments in the rest of the computer industry, and in every aspect of our lives. We’ve got push button cooking, push button flying (auto-land capability), push button navigation, push button photography, …. Push button forensics is here to stay. Accepting the fact and incorporating it into our processes and companies seems wise.

Mind you, I say this with several important assumptions in mind:

  • The tools work as advertised, their behavior and results are well understood, and the process and results can be verified.
  • The tools are verified internally.
  • The use of the tools is supervised by experienced staff.

“Push Button Forensics” has a place in our business toolkits. Digital investigations are no longer the exclusive domain of highly trained experts. Validated PBF tools in the hands of properly trained and supervised technicians can be a very powerful combination for law enforcement agencies, law firms, corporations, and consulting firms.

I’d like to leave you with perhaps the most important point, one that is frequently overlooked or assumed – Finding the evidence is only a small part of the process. Tools can find keywords, put together a timeline, or show you the CP images. They cannot put any of that information in context. Interpreting the information, whether found manually or by PBF tools, still falls squarely in the pervue of a trained and experienced computer forensics investigator.


[Comments on this post also appear on Forensic Focus, LinkedIn’s DFA Group, and the CCE mailing list.]

  1. November 17, 2009 at 2:00 pm

    Couple of comments…

    What is PPE?

    “…tools that will perform complex forensics…”

    Please, show me one. I have yet to see a tool…commercial or otherwise…that will perform “complex forensics”. In fact, I’m sorry, but now and again I see tools with added bloat that don’t do anything particularly valuable, but that functionality is touted as the Next Great Thing.

    Yes, consulting firms can, in fact, purchase a tool, amortize the price of the tool over a number of engagements, and bill out their “analyst” at a reduced rate in order to make up the difference. However, the end result is simply a poor-quality product for the customer. The fact is that the questions being asked by customers…was data exfiltrated, did the malware make data exfiltration possible, etc…cannot be answered by a $50/hr “analyst” with a dongle. This approach will work for low hanging fruit, but even a relatively unsophisticated compromise will be improperly and incompletely investigated in this sort of environment.

  2. November 17, 2009 at 3:13 pm

    Great article. I agree with what you are saying and love your last paragraph, that really drives it home. I think we all need to understand the underlying tech as best as possible and use the automated tools to speed up the process. With size and complexities of system and software that is here or soon will be here it will be hard to keep up without using some sort of automation. Once again good article.


  3. November 17, 2009 at 3:20 pm

    Good article, and I agree that “PBF” may be fine and dandy for many folks and it would certainly speed things into examination mode. However, I believe most examiners agree that it is not the acquisition that slows things down, it is the proper an full analysis of the evidence. Being able to answer the questions that will be asked by an attorney is vital to the end result of a case.

    I would hate to be the “technician” that doesn’t know the “technical” reason that things happen the way they do. Mixed feelings from me on this.

  4. November 18, 2009 at 12:47 am

    We have questioned a number of senior police officers around the world asking the question:

    Who is better suited to finding useful information, that may lead to finding evidence or be evidence in a case.

    A. Computer forensic examiner with a list of keywords
    B. The investigating officer with a copy of a simple review tool

    Simple answer consistently was B, as the investigating office is more aware of the facts in the case. What would be missed by a keyword may be relevant to the investigator.

    While forensic people are the best people to review the registry, info2 record or malware infections…… Reading emails, documents and other user created data can be done by a lesser trained technician.

    We heard from some officers that if their case had no risk of harm they had little chance of a speedy review due to the workload of the computer forensic department.

    Our questions were to law enforcement but I believe the same applies to the commercial world. Why would a law firm pay the fees of a forensic expert to read email.

    Peter – Intella Email Tool…

  5. November 18, 2009 at 2:10 am

    Hmm. It would seem to me like allowing technicians to do PBF adds an extra layer of potential for human error. Forensic science techniques (as in the blood spatter stuff) have been called into question. Wasn’t there a case recently where not just the forensic expert/analyst, but also the person who did the grunt work, were called to testify?

    I think as more attorneys get to know digital forensics, the same thing will happen in this field. That means putting not just the original hired expert on the stand, but also the technician, and if the technician can’t say how the tool was validated, then bringing in the guy who did the R&D. That’s an additional cost, so I’m not sure it’s accurate to say PBF eliminates cost — I think it just transfers it. (Not to mention the cost of other associated holdups.)

    BTW, PPE = personal protective equipment.

  6. November 18, 2009 at 3:45 pm

    I like any other complex process digital forensics will evolve over time. I think the point is not to be hostile to PBF tools per se but the attitude of the examiner behind it. If you anyone thinks that any function in business can be completely automated to the point of removing human oversight then they are deluded. PBF allows for exactly as David suggested, a method to improve the manpower and resources of culling through TONS of hay to find the needles – there is nothing wrong with taking a magnet to the piles of hay to improve efficiency. In the end a human still has to think about the findings and report on the results. As a practitioner if I can get to that stage faster with less headaches I’ll take it.

  7. Brian
    November 26, 2009 at 3:09 pm

    I thoroughly agree with both the possibilities for PBF and the constraints or limitations that the author describes. This very same model (an appropriate intermixture of manual and automated methods) has been developing with great success in the field of network incident response – but without any of the angst from “practitioners”, probably because incident responders have a great appreciation of both the practical and monetary value of time (read, urgency) – which is something that our side clearly lacks, as evidenced by the IACP’s recent concern over the growing backlog of digital forensics work that is threatening the viability of prosecutions.

    This model has benefited the IR community in a multiplicity of ways, and as someone with experience in this domain I can assure you that there are automated tools that reveal evidence that would *never* be uncovered by manual methods. The way we see it, an automated tool that has been properly developed by subject experts makes their expertise available to us and thereby expands our own expertise.

    And, this model is used in the hard sciences as well. Instrumentation experts are constantly developing scientific equipment that automates the processes that they implement. I have no doubt that an early 20th-century chemist would be amazed at how automated the tools have become.

    Ditto, medicine. We have instruments in medical laboratories that a technician with modest education can use to achieve results that once required an extensive science background. Today, from the time that a phlebotomist draws your blood to the time that the machine spits out the results of 24 complex lab tests, your blood might not have been touched by anyone other than a lab assistant.

    The bottom line is that we ain’t gettin’ the job done, folks. Anything that helps us triage systems for potential evidence more rapidly, brings additional manpower (and, folks, we’re NOT talking about totally ignorant manpower here, as we seem to want to imply) to the process, brings the expertise of the application developers (which is considerable in the case of many packages) into our hands, and that allows the more expert forensics folks to concentrate on the things they do best, is a good thing. A very good thing.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: