Doing more with less: Forensics in the lab and in the field

Two of our scheduled lectures address an issue nearly every digital forensic examiner faces these days: limited resources. Whether budget-related or not, a shortage of people or equipment has left a number of labs with backlogs of anywhere from six months to over a year.

On Tuesday Sept. 13, Andrew Rosen, president of ASR Data, will talk about computer forensic examinations and how to conduct them in a way that makes exams more efficient. That same day, Jason Weiss, Jim Watkins and Baden Gardner, of the FBI’s Orange County (CA) Regional Computer Forensic Lab (RCFL), will discuss backlog reduction strategies for labs.

How to work 10 times faster with FTK and EnCase

Creator of the Expert Witness forensic software that is now known as EnCase, Rosen believes that the forensic community has focused so much on tools in the last few years that examiners have lost sight of the processes which could make them more efficient. For example, he says, “Segmenting images was important when FAT32 was dominant and you had to segment. But now, it’s part of the forensic canon when it doesn’t need to be.”

Likewise, forensic examiners have not worked out how to remediate the problems inherent in searching images of terabyte drives and petabyte collections within the current forensic paradigm. “‘Triage’ is a buzzword that reflects how long it takes even for a skilled examiner to figure out where data falls in the analysis stack,” Rosen explains. “The tools reflect an approach that allows examiners to obtain actionable information quickly.

“But getting less than a full forensic image just to save time and money runs contrary to forensic method,” he continues. “So to get to a solution, you have to take a step back, look from the standpoint of a juror or judge and ask why the current way is what it is. And once you understand how the tools’ methods lead to inefficiency, you can remediate that by leveraging simple logic and the specialized knowledge of the investigator.”

For example: “On a keyword search, you start with Sector 0 and move forward until you’ve searched all the data,” Rosen says. “This is a simple, linear implementation, and it means you’re searching for data where it is not likely to exist.”

In other words, rather than focus on higher-level details like file names, focus instead on the data – the URLs, images, IP addresses and other underlying characteristics of the data. “By defining what we are interested in and what we are not interested in, we can eliminate the slowest and most inefficient part of the forensic search process. This allows the examiner to obtain a full image without having to worry about where data can’t exist,” Rosen says.
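The approach Rosen describes, searching for the underlying data (URLs, IP addresses) while skipping the regions of an image where that data cannot exist, as an added example in Python. This is not Rosen's, ASR Data's, FTK's or EnCase's code, and the two pre-filters it uses are assumptions chosen for illustration: a sector that is entirely zero-filled has never been written, and a sector whose byte entropy is near 8 bits per byte holds compressed or encrypted content in which no plaintext URL can appear. The sample image is constructed inline and is not real evidence.

```python
"""Sector-filtered pattern search over a raw disk image (added example).

Instead of running every keyword from sector 0 to the end of the image, the
scan first decides, per sector, whether printable artifacts (URLs, IPv4
addresses) can exist there at all, then searches only the contiguous runs of
sectors that survive. Both filters are assumptions for this example, not a
published method: zero-filled sectors are skipped, and so are sectors whose
byte entropy is too high for plain text to live in them.
"""
import math
import re
from collections import Counter

SECTOR = 512

# Patterns for the kind of "underlying data" worth pulling out directly.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~\-/%?=&]*)?")
IPV4_RE = re.compile(
    rb"(?<![0-9.])(?:(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}"
    rb"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(?![0-9.])"
)
PATTERNS = (("url", URL_RE), ("ipv4", IPV4_RE))


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 when every value is equally common."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def sector_is_searchable(chunk: bytes, max_entropy: float = 7.2) -> bool:
    """Cheap pre-test: can a plaintext URL or address exist in this sector at all?"""
    if chunk.count(0) == len(chunk):          # never-written or wiped space
        return False
    if shannon_entropy(chunk) > max_entropy:  # compressed/encrypted: no plaintext here
        return False
    return True


def searchable_runs(image: bytes):
    """Merge consecutive searchable sectors into (start, end) byte ranges.

    Searching a whole run, rather than one sector at a time, keeps artifacts
    that straddle a sector boundary findable.
    """
    runs, start = [], None
    for off in range(0, len(image), SECTOR):
        keep = sector_is_searchable(image[off:off + SECTOR])
        if keep and start is None:
            start = off
        elif not keep and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(image)))
    return runs


def scan_image(image: bytes, use_filter: bool = True):
    """Return (hits, bytes_searched); each hit is (kind, absolute_offset, text)."""
    runs = searchable_runs(image) if use_filter else [(0, len(image))]
    hits = []
    for start, end in runs:
        region = image[start:end]
        for kind, rx in PATTERNS:
            for m in rx.finditer(region):
                hits.append((kind, start + m.start(), m.group().decode("ascii", "replace")))
    hits.sort(key=lambda h: h[1])
    return hits, sum(end - start for start, end in runs)


def build_sample_image() -> bytes:
    """Constructed 10-sector image for the demo; not real evidence."""
    img = bytearray(10 * SECTOR)
    # sectors 0-1 and 9 stay zero-filled, like never-written space
    rec = b"visited http://example.com/login?user=bob from 192.168.1.25 at 10:31"
    img[2 * SECTOR:2 * SECTOR + len(rec)] = rec                   # sector 2: history fragment
    for s in range(3, 7):                                         # sectors 3-6: entropy exactly 8.0,
        img[s * SECTOR:(s + 1) * SECTOR] = bytes(range(256)) * 2  # stand-in for compressed data
    line = b"A" * (SECTOR - 20) + b"GET https://cdn.example.net/assets/app.js?v=42 from 10.0.0.7\n"
    img[7 * SECTOR:7 * SECTOR + len(line)] = line                 # sectors 7-8: line crossing a boundary
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for use_filter in (False, True):
        hits, searched = scan_image(image, use_filter)
        print(f"filter={use_filter}: searched {searched} of {len(image)} bytes, {len(hits)} hits")
        for kind, off, text in hits:
            print(f"  {kind:4} @ {off:6} (sector {off // SECTOR}): {text}")
```

On the sample image the filtered scan touches 3 of 10 sectors and returns the same four hits as the full linear scan, including the URL that begins in sector 7 and ends in sector 8, which a naive per-sector search would split. The filter is exactly the "what we are not interested in" decision Rosen talks about, and it has to be made consciously: the entropy test that discards encrypted blobs also discards zipped documents and archives, so an examiner who wants their contents would carve and inflate those first rather than raise the threshold. A real image would be streamed from disk in sector-aligned blocks instead of held in memory, but the run-merging logic is unchanged.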

This is important for examiners who have already invested heavily in FTK and/or EnCase. “The tool isn’t the most important thing; it has to be an extension of the examiner,” he adds. “If you automate an inefficient process, all you’ll get is faster inefficiency. But if you automate an efficient process, you’ll become more efficient over time. In this way, our forensic tools can provide ROI – the more you run it, the more inefficiency it eats.”

Doing more with less in a lab environment

Weiss, Watkins and Gardner have taken a different approach at the OCRCFL. Their focus is also on process – but on the practical side, rather than the purely technical side. As Laboratory Director Jason G. Weiss explains, despite the exponential growth in digital media examinations (the LA FBI has seen the amount of processed data increase over 100% per year for the last 8 years), their approach has helped eliminate most of the case backlog.

In their lecture, they’ll focus on three elements (along with cost and statistical figures) that have brought them the most success: Case Agent Investigative Review (CAIR), Forensic Preview, and “self-service” kiosks for both cell phones and loose media (such as thumb drives).

“CAIR and Forensic Previews are low cost solutions to improving forensic laboratory efficiency,” says Weiss. “Choosing which process is the best fit for any given case comes down to the case’s size and complexity.”

CAIR enables the primary investigator (“Case Agent”) to review their digital evidence quickly in a safe, forensic environment. Once that is complete, lab staff provide the Case Agent with a disk of relevant files from the digital media, which can help further an investigation and allow the Case Agent to determine the next step without having to wait weeks or even months for a traditional data content review.

Forensic Previews, meanwhile, are useful when conducting searches, especially in child pornography investigations. “Some of the computers Case Agents seize during these investigations may have no child porn on them, so a Forensic Preview of those hard drives helps us determine if the computer in question is contraband, or should be returned to the subject,” says Weiss.

He adds, “The preview process is usually very valuable to the Case Agent and allows both us and the Case Agent to quickly understand a case before we spend significant laboratory resources imaging and/or examining computer data that is not even part of the crime.”

Another time saver is the new “self-service” kiosks, which enable the RCFL’s partner agencies to come to the lab and review cell phones, iOS devices and most types of loose media in a forensic environment, without the need for a traditional forensic exam. Most of these reviews take significantly less time than traditional exams, and can usually be done in one short visit to the lab.

All of the processes discussed in this seminar also let forensic examiners multitask more effectively, something that Weiss says is “harder to do if you are looking at every case in the traditional computer forensics model.” Many of these processes scale regardless of lab size – whether you have 3 examiners or 30.

Dealing with backlogs in your lab, or simply need more efficient work processes? Come to Indian Wells next month and learn from those who have been there!
