For the digital forensic investigator, the more appropriate version of this phrase would probably be “The needle in the haystacks”.  The difference is that in the digital world there are multiple haystacks to search, and the haystacks are getting larger by the day.  20 years ago we had hard drives.  10 years ago we added silicon-based flash drives that could be carried in your pocket and hidden just about anywhere.  And today we have “The Cloud”.

The moment we take a photo or save a file or send an email, it will potentially be saved to our device, synced to our tablet or phone, shared on our social media and backed up to the cloud.  In seconds it now exists on multiple devices and on cloud based storage mediums halfway across the country.  And this doesn’t just pertain to photos, files and emails.  Now, as we browse the web, our browsing history, searches and settings are often synced to the cloud as a convenience so that all of our devices can act as one, allowing us to pick up on one device where we left off on the other without missing a beat.

While all of this automation is meant to enhance and improve the “user experience”, it can create a logistical nightmare for the digital forensic investigator as storage capacity continues to increase exponentially.  Not only is imaging all of these locations infeasible, but this expansion also carries with it potential legal issues surrounding ownership of data.  Investigations that rely on digital forensics are facing increasing economic and human resource constraints.  The digital world has changed and with it so must the strategy of the digital forensic investigator.  The paradigm must shift from the shotgun “copy and process everything” mentality to a more refined, targeted approach, one that requires the ability to quickly ascertain the value of every potential piece of evidence so that time is spent only on those with the highest probability of success.  Much like a hospital emergency room triages patients, digital forensics requires triaging evidence in order to determine which evidence to target.

Digital triaging involves the analysis of key artifacts from the operating system and attached storage devices.  This process will indicate with a significant degree of certainty whether or not damaging evidence exists and therefore whether a full image acquisition and analysis is warranted.  With the exponential increase in the storage capacity of today’s devices, and therefore in full image acquisition times, this is a crucial time-saving component.  However, in many cases this is a process that must be carried out on-site during a limited time window after business hours.  Given that the number and variety of storage device types has also dramatically increased, even completing the triage analysis in this time window is challenging.  The solution is to create a “triage image”.

A triage image is simply a forensically sound copy of all the components (and perhaps a few more) involved in the triage analysis process.  It can be created relatively quickly and then analyzed off-site, where more time and forensic resources are available.  In many cases the triage image alone contains enough evidence to support the case without the need to perform the more time-intensive full device acquisition and analysis.

While the triage imaging and analysis process deserves a separate article to explain it fully, by analogy it might be easiest to imagine it as a trail of breadcrumbs.  By following the trail we gain a view into the past, so to speak.  The artifacts captured on the triage image yield a wealth of information that can be compiled and analyzed to reveal a timeline of user activity.  Even if the user has erased files, deleted email or uninstalled programs, these artifacts retain, in essence, a “log” of user actions.  The following are some of the key artifacts acquired in a triage image:

  • File activity (recent and frequently used files; deleted file and folders)
  • Account profile usage (what users logged into this system and when)
  • Program execution history
  • Browsing history (which websites were visited, how often and when)
  • USB device usage (what USB devices were plugged into this system, what drive letter assigned)
  • Contents of user “My Documents”, “My Pictures” and other targeted folders
  • Local copy of email (PST, OST, MBOX, etc.)
  • Snapshot of the current contents of RAM
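To make the idea of a forensically sound triage copy concrete, here is an added Python example (not from the article): it collects a hypothetical target list of artifact paths from a mounted evidence volume into a triage image folder, records a SHA-256 manifest hashed from the originals, and re-verifies the copies.  The target paths and the sample files it builds are assumptions; the write blocker still protects the source, while the manifest is what lets the copy be proven intact later.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

TRIAGE_TARGETS = [  # hypothetical paths mirroring the artifacts above; real paths vary by OS and version
    "Users/alice/NTUSER.DAT",   # account profile usage
    "Windows/Prefetch",         # program execution history
    "Users/alice/Documents",    # targeted user folder
]

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:  # chunked, so large artifacts (RAM dumps, PSTs) need not fit in memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect_triage(source_root: Path, dest_root: Path, targets=TRIAGE_TARGETS) -> dict:
    """Copy each existing target (file or tree) under dest_root and write a SHA-256 manifest."""
    dest_root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for rel in targets:
        src = source_root / rel
        if not src.exists():
            continue  # an absent artifact is not an error; it simply is not collected
        files = [src] if src.is_file() else [p for p in src.rglob("*") if p.is_file()]
        for f in files:
            rel_f = f.relative_to(source_root).as_posix()
            dst = dest_root / rel_f
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, dst)              # copy2 also carries over the original timestamps
            manifest[rel_f] = sha256_file(f)  # hash the original, so the copy can be checked against it
    (dest_root / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify_triage(dest_root: Path) -> bool:
    """Re-hash every copied file against the manifest; any mismatch means the image is not sound."""
    manifest = json.loads((dest_root / "manifest.json").read_text())
    return all(sha256_file(dest_root / rel) == digest for rel, digest in manifest.items())

def demo() -> tuple:
    """Constructed sample tree; returns (files collected, verified, verified after tampering)."""
    work = Path(tempfile.mkdtemp())
    src, dst = work / "evidence_drive", work / "triage_image"
    for rel in ("Users/alice/Documents/memo.txt", "Windows/Prefetch/WINWORD.EXE-1234ABCD.pf"):
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_bytes(b"constructed sample content for " + rel.encode())
    manifest = collect_triage(src, dst)
    clean = verify_triage(dst)
    (dst / "Users/alice/Documents/memo.txt").write_bytes(b"altered")  # simulate a modified copy
    return len(manifest), clean, verify_triage(dst)
```

Running `demo()` shows the intact image verifying and the altered copy failing, which is the check an examiner repeats before relying on an off-site analysis.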

The triaging process requires a knowledge of the various device types, operating systems and encryption tools used to store and encrypt data.  While again, another more extensive article would be needed to cover all of these, they include fixed and mobile devices using Microsoft Windows, Apple iOS, Android and Linux along with encryption tools like Windows BitLocker, Apple’s FileVault and the now defunct but widely used TrueCrypt just to name a few.  A forensic examiner will undoubtedly have several software and hardware tools in their “toolkit” in order to accomplish these tasks efficiently.  These include hardware and software tools that at the very least perform:

  • Forensic imaging – Bit by bit exact duplication of a device
  • Write blocking – Preventing the examiner’s machine from overwriting any part of the evidence device and thereby preserving the integrity of the original device
  • Drive encryption detection – Determining if a drive has hidden or encrypted partitions
  • Forensic analysis – The primary software for analyzing the device (keyword search, lost/deleted file retrieval, etc.)

In forensic and fraud investigations the evidence is collected from a number of sources.  Often, the most critical piece of evidence exists only on the subject’s computer or mobile device and can only be obtained from a forensic analysis of that device.  With proper data triaging the investigator can gain insight into the actions and potential wrongdoings of a subject within a significantly shorter amount of time than with traditional methods, regardless of the size of the storage medium.  Triage images and techniques, combined with the latest forensic tools and the knowledge and experience to employ them, allow digital forensic examinations to remain an economically viable and vital element of the investigations that rely on them.