Institute for Advanced Studies 16 th June 2010 Digital Triage

Transcription

1 Institute for Advanced Studies 16 th June 2010 Digital Triage Mike Dickson Forensic Analyst SCDEA e-crime

2 What Is Triage?

3

4 Three Casualty States Those who are likely to live, regardless of what care they receive Those who are likely to die, regardless of what care they receive; Those for whom immediate care might make a positive difference in outcome.

5 Triage is a means of prioritising tasks and allocating limited resources It is also NOT an exact science

6 The expression has other uses too, such as in banking to assess debt management: Good debt which is not a risk Manageable debt which needs assistance

7 The expression has other uses too, such as in banking to assess debt management: And toxic debt which anyone with any sense in their head would know could never be repaid no matter how much help you gave them.

8 The expression is also used in terms of gathering digital evidence at the scene Computers from which we know we have to gather evidence regardless Computers we definitely do not want to take Computers that we might want to take Triage establishes the last two categories

9 A triage may not be needed always if there is little material to take

10 Way Back A house used to have a PC Now there are generally multiple computers plus old ones plus the childrens computers plus laptops plus netbooks plus other joys such as iphones, Blackberries, hundreds of writeable CDs, DVDs, pen drives, media cards All likely with substantial data capacity and requiring to be forensically copied and examined

11 But What If.

12 What Does Digital Triage Give To Us? The ability to be selective about what items are taken that the scene of a search This allows us to manage to flow of items requiring examination This speeds up the overall examination process Ideally, triage can be run by persons who are unskilled in computer forensics

13 More Importantly it helps to avoid backlogs

14 How Does Digital Triage Work In Practice? Triage software is introduced to a suspect system The software has been preconfigured with information pertinent to the case, e.g. key words, hash values, file names The software conducts its search on the target and gives a simple YES/NO equivalent to say whether or not it has found anything of interest.

15 Considerations Triage has to run on the actual suspect system. This comes with all the usual disclaimers about the possibility of altering files, etc. However, as the computer being examined is not yet an exhibit we are trying to establish whether it is or not - then it follows that the examination of the system live is not fatal to the enquiry. The ACPO guidelines are only a guide; they were never drawn up with anything like triage (or massive backlogs) in mind.

16 Considerations The manufacturers of triage products should be able to articulate exactly what forensic impact their product has on any computer system on which it runs. Naturally, this should be minimised! There is little need for triage products to alter much other than the last accessed times on files it checks and perhaps a few registry entries showing that an external device (USB etc) has been introduced to the target system.

17 Some Triage Tools Currently Available ADF Triage ID (requires a bootable CD and a USB attached for output) Evidence Talks SPEKTOR (stand-alone, close to a forensic tool, rather pricey) EnCase Portable Field Search (USB software, geared for registered sex offender examinations) Helix (boots from CD, complicated interface)

18 I have reservations about them all! Most are quite complicated to use Some are so complicated (ahem like Helix) that they would require some form of training course, which will only add to the cost Not all of them are even user programmable; they make assumptions about what it is you are after!

19 So I Designed My Own Simple to use, runs straight off a USB pen drive which can be removed before the program has completed. Comes with a tool that will configure the pen drive and software for the types of files it should search and the keywords it is looking for Hash values in a binary tree (up to maybe 10,000 of them, perhaps more) Has a list of words to search for in file names Has a further list of file types we may be interested in (File sharing? Root kits? Wiping Tools? Accounts software?) Detects container data encryption Outputs the result in a simple way

20 What Can t Triage Do? It can t make your existing backlog disappear If you have taken the item then it s an exhibit and there is less excuse for running live tools on it More forensically secure tools are close to being a forensic examination so you may as well do it properly.

21 As said before TRIAGE IS NOT AN EXACT SCIENCE Unlike hindsight

22

23

24

25 Questions? Mike Dickson Forensic Analyst SCDEA e-crime