Triage is one of the hot topics in the digital forensics field right now. Large-capacity hard drives and the proliferation of storage media mean that digital evidence can exist virtually anywhere, and in massive quantities. Most forensic examiners can’t possibly keep up over the long term, so the promise of triaging evidence in order of importance is very attractive.
WetStone Technologies, a subsidiary of Allen Corp., is a leader in investigative technology, research and training. Although their lab on their new triage tool US-LATT is currently marked as law enforcement only, they tell us they’re opening it up to everyone. Here’s why, along with more about the tool itself, from trainer Matt Davis:
HTCIA: In changing the lab format from LE-only to everyone, what are you hoping each group will be able to take away? How will non-LE be able to utilize the US-LATT tool, and also, do you think it can help facilitate cooperation between LE and corporate investigators?
MD: In changing the lab format, we are hoping that each group will walk away with the ability to effectively utilize US-LATT in real-life scenarios that they may come across on a daily basis. This includes not only having a firm grasp on how to use US-LATT to collect volatile data from live running systems, but also being able to easily and efficiently interpret the data that is collected.
Non-law-enforcement individuals can use US-LATT in a number of ways. Individuals in a corporate environment can use the device to quickly and easily triage live running company computer systems. US-LATT can be used to quickly identify contraband, malware, or even intellectual property theft taking place. In each of these cases, a rapid response is absolutely essential in damage control. The tool is also very useful in a server-based environment where a system cannot be taken offline to triage it.
US-LATT can help facilitate cooperation between law enforcement and corporate investigators. By providing both sides with this technology, they will be able to share results and findings with each other and work together to analyze and interpret those results. Joint investigations could also be conducted as both sides would be familiar with the technology and the form that the collected data is presented in.
HTCIA: What will the lab entail — scenario based, lecture, or some other format? What do you most want to see from your attendees?
MD: The lab will entail lecture, hands-on scenario-based exercises, and an instructor-led demonstration of the technology. We are hoping to see the attendees having fun but also learning valuable skills that they can take away with them to assist in their day-to-day job.
HTCIA: Tell us more about US-LATT and what need it fills among triage tools? Which types of investigators will benefit most (for instance, probation/parole, incident responders, etc.)?
MD: US-LATT is unique in the fact that it is able to gather volatile information from live running computer systems without requiring a reboot. Some of this volatile information includes physical memory, running processes, network state, and encrypted volumes. This is all done in an automated fashion so users will not need advanced computer knowledge to run a triage.
A wide range of groups could benefit from this technology. Incident responders benefit from being able to quickly and easily triage the live running system and retrieve the volatile data before it is lost. Individuals such as probation or parole officers will also benefit from the tool as it has a comprehensive file collection and search capability in addition to the volatile data triage to help identify potential contraband.
HTCIA: What is your background? How did you come to be an instructor, and what can you tell us about the rest of the instructor team? What do you like best about teaching?
MD: My background is in the computer forensics field. This is what I went to school for and strived to do once I graduated from school. While in school, I conducted an internship at WetStone Technologies. Upon graduation, I became a full-time employee and was asked to assist in a few training classes a year. By assisting in a number of classes, I was able to gain the necessary experience to start training classes on my own.
The rest of the instructor team has similar backgrounds. They grew up with a computer background and then applied that knowledge into the training side of the business.
The best part about teaching and training is the ability to meet individuals from all walks of life and not only instill new knowledge in these individuals, but also learn from these individuals as well and gain new perspectives in the industry.