
ACPO, triage tools, and the LE computer forensics backlog

An article on PoliceProfessional.Com (original article has vanished and been replaced with new content) contains the following statement:

“ACPO is currently working on a new software tool that will allow forensic officers to operate locally and uncover information almost instantaneously. “What we’re very keen on doing is looking for a forensic triage tool that police officers or forensic officers can use locally. One that is quite simple, one they can ask questions of, such as, ‘in this computer is there the following…?’,” said Ms Williams. “The triage tool can pull that out for them.” She said the current backlog is one of e-crime’s biggest problems and that ACPO is close to identifying the right product to handle it.”

[Note: I’ve been told that the ACPO is looking to the vendor community for this solution. Rereading this quote, I suspect I should focus less on “working on new software” and focus more on “identifying the right product”. I’ll leave the post as originally written but will insert commentary.]

The apparent expectation that a tool will significantly address the backlog is rather disturbing for three reasons:

1) The tool will not provide context. It may indicate the presence of an encrypted file container on the system but cannot determine its contents. Or that file sharing is present, but not what it was used for. Or that seven different chat programs are in use, but not the information going through them. As several people have pointed out, these PBF tools will get the low hanging fruit and gather disparate facts but cannot do any analysis to show relationships, or lack thereof. Further, we’ll need to err on the conservative side and may well end up with a lot of false positives.

2) Technology, and the criminal’s use of technology, advances rapidly, often more rapidly than the tools. This is why DriveProphet’s author is very willing to add new capabilities as issues are reported to him. It is why Digital Detective Group’s Blade product has plug-in modules that they can develop and release as new capability is required. Keeping a triage tool current requires ongoing investment by the developer and ongoing training for the users. A one-time investment in the technology and training will quickly lead to a situation where the triage tool is missing relevant information. [Note: ACPO’s looking to a vendor solution should address the support issue. Keep in mind maintenance costs when investing in a tool. Some vendors charge upwards of 20% of the initial investment each year for maintenance.]

3) I’ve not seen any well researched study on the LE computer forensics backlog that we can use to determine where resources should be spent. The ACPO and others believe that the backlog is in the triage stage. This appears to be valid, particularly for getting evidence back to the owners, but I suspect that “fixing” the triage stage will simply move the backlog further downstream, even more so if the number of false positives is high.
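To make point 1 concrete, here is a small indicator-based scan of the kind a triage tool performs, written for this post as an added example (it is not code from any of the products named here). It runs over a constructed in-memory file listing, matches each file against an indicator table by extension, path and byte signature, and falls back to a header-entropy heuristic for data with no recognised signature. The indicator names, path tokens and entropy threshold are assumptions chosen for illustration. Every hit records only what fired and why; the contents and usage of the artefact remain unknown to the tool, and the entropy branch shows where the false positives come in, since unrecognised compressed data looks just like encrypted data.

```python
"""Illustrative indicator-based triage scan (added example, not any vendor's code).

A triage tool answers "is X present on this computer?" by matching
artefacts against an indicator table. This script does that over a
constructed in-memory file listing. Each hit records what fired and why,
but never what the artefact was used for, so each one still needs an
analyst. Indicator names, path tokens and thresholds are assumptions.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- indicator table (constructed for this example) ------------------------
CONTAINER_SUFFIXES = (".tc", ".hc", ".kdbx")            # encrypted-container file extensions
CHAT_PATH_TOKENS = ("/skype/", "/pidgin/", "/trillian/")  # chat client data directories
P2P_PATH_TOKENS = ("/utorrent/", "/bittorrent/", "/limewire/")
KNOWN_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\x1f\x8b", b"SQLite format 3\x00")
ENTROPY_THRESHOLD = 7.5  # bits per byte; random-looking data approaches 8.0
MIN_HEADER = 64          # too few bytes cannot reach a meaningful entropy


@dataclass
class Hit:
    path: str
    indicator: str
    basis: str  # why the indicator fired; the tool knows no more than this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; exactly 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def has_known_magic(header: bytes) -> bool:
    return any(header.startswith(m) for m in KNOWN_MAGIC)


def classify(path: str, header: bytes) -> List[Hit]:
    """Return zero or more presence indicators for one file."""
    hits: List[Hit] = []
    low = path.lower().replace("\\", "/")
    if low.endswith(CONTAINER_SUFFIXES):
        hits.append(Hit(path, "encrypted_container", "known container extension"))
    elif (not has_known_magic(header) and len(header) >= MIN_HEADER
          and shannon_entropy(header) > ENTROPY_THRESHOLD):
        # Encrypted data has no signature and looks random, but so does
        # compressed data in an unrecognised format: the classic triage
        # false positive, so it is flagged as "possible", not "is".
        hits.append(Hit(path, "possible_encrypted_data", "high-entropy header, no known magic"))
    if low.endswith(".torrent") or any(t in low for t in P2P_PATH_TOKENS):
        hits.append(Hit(path, "file_sharing", "torrent file or client path"))
    if any(t in low for t in CHAT_PATH_TOKENS):
        hits.append(Hit(path, "chat_client", "chat client data path"))
    return hits


def triage(files: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Group hit paths by indicator; an absent key means nothing was found."""
    report: Dict[str, List[str]] = defaultdict(list)
    for path, header in files:
        for hit in classify(path, header):
            report[hit.indicator].append(hit.path)
    return dict(report)


def summarize(files: List[Tuple[str, bytes]]) -> List[str]:
    """One line per hit, each carrying the 'no context' caveat explicitly."""
    lines = []
    for path, header in files:
        for h in classify(path, header):
            lines.append(f"{h.indicator:<24} {h.path}  "
                         f"[{h.basis}; contents and usage unknown, analyst review required]")
    return lines


# --- constructed sample listing: (path, first bytes of the file) -----------
SAMPLE_FILES = [
    ("C:/Users/alice/Documents/report.docx", b"PK\x03\x04" + b"\x00" * 60),
    ("C:/Users/alice/vault.tc", bytes(range(256))),             # container by extension
    ("C:/Users/alice/AppData/Roaming/Skype/alice/main.db", b"SQLite format 3\x00"),
    ("C:/Users/alice/Downloads/movie.torrent", b"d8:announce"),
    ("C:/Users/alice/Pictures/cat.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60),
    ("C:/Users/alice/backup.bin", bytes(range(255, -1, -1))),  # random-looking, no signature
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_FILES):
        print(line)
```

Run as-is it prints four hits for the six constructed files: the container (by extension), the Skype database, the torrent file, and `backup.bin`, which is flagged only as possibly encrypted because nothing in the tool can tell an encrypted volume from an unrecognised compressed blob. None of the four lines says anything about what the user did with the artefact, which is the analyst's job and the downstream work the backlog moves to.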

I also wonder why the ACPO is working on a new tool rather than working with a vendor of an existing tool to tune it to their particular needs. A number of good, well-supported triage tools already exist – Drive Prophet, Blade, EnCase Portable, e-fense’s suite (now Access Data’s?), to name a few. The ACPO money might be better spent creating a fund to provide training on these existing tools rather than bringing another tool to an already crowded market. [Note: This point is moot given the feedback I received, noted above.]

Triage is an incredibly valuable process, particularly in time critical situations where limited resources are available. Triage, in the medical environment, is performed by trained specialists using diagnostic tools. Computer forensics triage tools are often designed to be used by anyone with minimal training. Witness the Microsoft press release about COFEE – “According to a Microsoft spokesperson ‘an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device.'” I believe there is value in this sort of tool when used as part of a well designed forensics process. I fear that, due to vendor marketing, budget issues, and backlog pressures, these tools will be deployed without the necessary framework to properly support them.

Allow me to close with some questions:

  1. Why is the ACPO creating a new tool rather than using an existing one? [Note: Addressed by feedback, noted above.]
  2. Who will use these triage tools and how much training will they get? If they’re designed for lab use to address the backlog will they stay in the lab? Can they safely be deployed earlier in the process?
  3. Are there any well documented studies on the LE computer forensics backlog?
  4. What other options are available for addressing the backlog? Anyone who knows me also knows that I’m very interested in finding ways for the private sector to assist LE with computer forensics and this would be one option.
  1. November 25, 2009 at 6:16 pm

    You mention a lot of potential forensic triage providers but seem to have left out the dominant provider – ADF Solutions (www.adfsolutions.com). The company’s Triage-ID(R), Triage-Lab(R), and Triage-Live(R) tools have been very successfully implemented by several agencies worldwide to reduce their forensic backlogs. No offense to the other providers but we are the first choice for forensic triage for law enforcement agencies worldwide. We have had particular success in the UK with agencies like Nottingham, Devon & Cornwall, West Mercia, Kent, Northamptonshire, Humberside, Avon etc. We have several thousand users at over 150 clients worldwide that include the FBI, ICE, CBP, DoD, AFP, QPS, Dutch POLITIE, Portuguese Police and many others.

    Here is one white paper with specifics: http://computerforensics.parsonage.co.uk/triage/ComputerForensicsCaseAssessmentAndTriageDiscussionPaper.pdf. I will be happy to send you others if you like. Most importantly, ADF was recently awarded a contract to be the provider of first responder triage by Department of Homeland Security Office & Science Technology Directive – we will issue a press release soon.

    I am reachable at +1301-588-7225 ext. 111 if you have any questions.

    JJ Wallia

  2. Chris
    November 26, 2009 at 7:57 am

    An interesting article, I too wonder why ACPO aren’t looking at existing tools. I understand that they wish to provide a free tool but how much money are they spending to create this ‘free’ tool? Without commercial interests will it be well supported and upgraded/ bug fixed, will it get dropped during the next round of budget tightening?

    I have to say that I wouldn’t necessarily call Drive Prophet a Triage tool; it requires the removal of the hard disk drive and a forensic workstation. This prevents it being used for sex offender visits and limits its use in a lab environment. We have an 8 port KVM so can Triage 8 computers (with multiple drives if present) at once without any worries; you would be tying up 8 workstations with Drive Prophet. I don’t think you’ll find Blade is a Triage tool at all.

    We are using ADF Triage and it has proved instrumental in reducing our backlog. As a commercial company ADF have a vested interest in listening to users, fixing bugs, and producing updates. When we have had corrupt output (our fault for using cheap USB thumb drives) they have fixed the index file and sent it back to us within a couple of hours. We identified a ‘wish list’ of things we wanted the software to do but found they had already been incorporated into the upcoming version of the software! I would recommend it to anyone with a backlog issue.

    Whilst there are many who don’t agree with the use of Triage, I don’t think it can be avoided. Forces just aren’t in a financial position to continue to grow High Tech units to meet demand and excessive delays in examination with offenders on long bail exposes the public to unacceptable risk.

  3. March 31, 2010 at 2:46 pm

    As the publisher of Drive Prophet written by Mark McKinnon, I can tell you that Drive Prophet does not require a forensic workstation or hard drive removal. Depending on how you implement the triage, you can use a tool like F-Response to attach to a computer using a network cable for a forensically sound run of Drive Prophet against the computer.

    You can also, if you so desire, disconnect the hard drive in the subject computer, attach it to a write blocker and use Drive Prophet against it from a laptop.

    You can also run Drive Prophet against a forensic image using tools like Mount Image Pro.
