A short presentation of ISEEK being used for distributed processing in a digital forensics mode. Includes examples of complex search terms and comparisons with the results of alternative approaches.
2. Issues with traditional digital forensics
• Storage capacities have increased dramatically since the existing tools were developed
• ‘Live’ forensics is often employed, but this tends to be selective copies of files into some form of container and is not very thorough
• Expensive and highly skilled resources are always tied up with acquiring the data in a forensic manner
• Trying to use eDiscovery technology turns out to be expensive and not appropriate for a forensic investigation
• Relying on indexes to identify material of interest introduces severe limitations in both time and accuracy
• It is hard to scale up the processing due to the requirement for dongles and/or write-blockers
• Remote analysis and collection normally requires some form of reliable link to be established between two points
• Remote analysis and collection normally requires expert human resources at the remote location
• Remote analysis and collection is hard to scale up for more than one site, and impossible to scale up for 100 or more
4. Benefits of leveraging hybrid technology
• COST – Leveraging an eDiscovery approach but without the cost for deployment
• RESOURCES – Obtain better leverage of your skilled staff by reducing the amount of time they are tied up in the collection process
• IMPACT – Reduce the impact on organisations during large-scale investigations by:
  1. dramatically reducing the amount of data crossing their network
  2. not requiring ‘agents’, with their inherent risk, to be installed on their systems
  3. not requiring an ‘indexing server’ to be constantly attached to their network, or an index to be built on the target system
• SPEED – Using the target machines for processing reduces the total collection time to that of the slowest machine, which further reduces the impact on the systems under investigation. Typically, collections that would normally take days are reduced to a few hours through parallelism.
• COMPLETENESS – By undertaking searches at the disk level rather than at the file system level, all data is searched rather than a limited number of file types. Unknown file types and foreign languages are no impediment to the process.
• CAPABILITY – The tools enable investigations to be undertaken that would have been impossible or impractical using other tools and methods, e.g. rapid processing of computer systems located overseas, isolated systems, and triaging hundreds of systems instead of just a small sample.
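The COMPLETENESS point rests on reading raw sectors instead of the logical content of catalogued files. The following is an added example, not ISEEK's code or output, that contrasts the two approaches over a constructed toy image: a hand-built byte buffer with a two-entry allocation table, where the sector size, catalog layout and every file's contents are assumptions. The file-level pass sees only the one hit inside an allocated file; the sector-level pass also finds the term in file slack and, stored as UTF-16LE, in unallocated space.

```python
"""Disk-level vs file-system-level keyword search over a constructed image.

Added example, not ISEEK's code. The "image" is a hand-built byte buffer with
a two-entry allocation table, so the two strategies can be compared offline.
Sector size, catalog layout and all file contents are assumptions.
"""

SECTOR = 512
NUM_SECTORS = 4

# Constructed toy catalog: (name, first_sector, logical_size_in_bytes).
TOY_CATALOG = [
    ("memo.txt", 0, 40),     # sector 0; 472 bytes of file slack after it
    ("report.doc", 1, 700),  # sectors 1-2; 324 bytes of file slack after it
]                            # sector 3 is unallocated


def build_image():
    """Assemble the constructed image: live data, file slack and free space."""
    img = bytearray(SECTOR * NUM_SECTORS)
    # memo.txt: allocated content with no hit.
    memo = b"Quarterly memo: nothing to report."
    img[0:len(memo)] = memo
    # report.doc: allocated content containing the term once.
    report = (b"Board report. Approved a wire transfer of 2.5m to the vendor. "
              b"Remainder of document...").ljust(700, b"x")
    img[SECTOR:SECTOR + 700] = report
    # Slack behind report.doc: residue of an earlier, since-deleted document.
    slack = b"...old draft: second WIRE TRANSFER routed via offshore account"
    img[SECTOR + 700:SECTOR + 700 + len(slack)] = slack
    # Unallocated sector 3: a deleted Windows artifact stored as UTF-16LE.
    free = "Notepad scratch: Wire Transfer confirmation 0042".encode("utf-16-le")
    img[3 * SECTOR:3 * SECTOR + len(free)] = free
    return bytes(img)


def find_all(haystack, needle):
    """Offsets of every case-insensitive occurrence of needle in haystack.

    bytes.lower() folds ASCII only, so the NUL bytes of UTF-16LE survive.
    """
    hay, nee = haystack.lower(), needle.lower()
    hits, pos = [], hay.find(nee)
    while pos != -1:
        hits.append(pos)
        pos = hay.find(nee, pos + 1)
    return hits


def classify(offset, catalog):
    """Label an image offset as allocated file data, file slack or unallocated."""
    for name, first, size in catalog:
        start = first * SECTOR
        end = start + -(-size // SECTOR) * SECTOR  # round up to a sector boundary
        if start <= offset < end:
            return ("allocated:" if offset < start + size else "slack:") + name
    return "unallocated"


def file_level_search(img, catalog, term):
    """What a file-system-level tool sees: only the logical bytes of each
    catalogued file, read as UTF-8 text. Slack and free space are never read."""
    hits = []
    for name, first, size in catalog:
        start = first * SECTOR
        for pos in find_all(img[start:start + size], term.encode("utf-8")):
            hits.append((name, start + pos))
    return hits


def disk_level_search(img, catalog, term):
    """Scan every byte of the image for the term in UTF-8 and UTF-16LE, then
    label each hit by the region it fell in. Returns (offset, encoding, region)."""
    hits = []
    for enc in ("utf-8", "utf-16-le"):
        for pos in find_all(img, term.encode(enc)):
            hits.append((pos, enc, classify(pos, catalog)))
    return sorted(hits)


if __name__ == "__main__":
    image = build_image()
    print("file level:", file_level_search(image, TOY_CATALOG, "wire transfer"))
    print("disk level:", disk_level_search(image, TOY_CATALOG, "wire transfer"))
```

Against a real image the catalog would come from a file-system parser rather than a hard-coded list, and further encodings would be added alongside UTF-16LE; the byte-pattern approach is what makes unknown file types irrelevant. The caveat a practitioner should keep in mind is that a raw-sector search only finds text stored as plain bytes: content inside compressed containers (modern Office documents, archives) or encrypted volumes must be decompressed or decrypted first, or it will be missed regardless of how thoroughly the disk is read.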
6. CASE STUDY – US financial institution fraud
• The case arose from a Grand Jury subpoena for documents relating to finance transactions by 17 employees of a large California bank based in LA but owned overseas.
• The quotes from the ‘Big 4’ to find the records using the traditional approach (all of which consisted of emails from the custodians) gave an estimated time for producing the responsive documents of around 3 months.
• Two IT employees, both foreign nationals, ran the hybrid tool against 4 TB of email (PST and OST files) in 48 hours and generated a total of 27,000 emails that were relevant to the subpoena. 12 attorneys for the bank, hired as outside counsel, then reviewed the emails over 12 days, generating a final encrypted email container that provided the Department of Justice with the subpoena return.
14. Other features of hybrid forensics
• Process large numbers of mounted forensic images
• Monitor remote activity via email notifications
• Receive encrypted results lists via email
• Receive captured files in an encrypted container via email (below a certain practical limit)
• Consistent application of fully objective search criteria through deployment of copies of
an encrypted configuration file
• No reliance on a connection to remote target systems
• Data remains secure and encrypted at all times
• Dramatically reduce work inventory and review volume
• Initiate remote processing via a browser session on the target system
• Ability to run the tool covertly, i.e. completely hidden from the system user
• Immediate review in fully encrypted environment
15. More information
• Website: https://www.xtremeforensics.biz/
• Download demo: https://www.xtremeforensics.biz/iseek-demo-download
• Conference paper: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1171&context=adf