Here’s part two of our Field Triage Tips (from M – Z).
Forensic triage is the practice of searching and analyzing a digital device (computer, smart phone, and tablets) in the field or at the crime scene. In many investigations crucial digital evidence is essential while at the scene. The traditional method of seizing a device(s), transferring it to the forensics lab, acquiring an image, and then analyzing the image for potential evidence, may no longer be appropriate in cases such as child abductions, pedophiles, or missing persons, when every second counts.
As one of the pioneers in computer triage tools, we have gathered here a set of tips for reference.
- Maintain the Validity of Evidence
- Modification of Suspect Systems
- Network Artifacts
- Often Overlooked but Beneficial Artifacts
- Order of Volatility
- Scripted Incident Response
- Stop Drug Crimes
- Target Child Pornography
- The Focus of Computer Forensic Triage
- The Triage Phase
- Time Considerations
- Timing is Critical
- Triage is Proven in the Field
- Triage Provides Direction for Investigations
- USB Device History
- Verification of System Information
- What is Live Forensics?
MacLockPick adheres to commonly held forensic principles and does not negate the ability to transfer systems/storage media back to the lab for more detailed investigation after field triage has been concluded.
Comprehensive forensic applications such as MacForensicsLab focus on the analysis of static data. However, the need to capture live data has become paramount in an environment fraught with forensic pitfalls such as encryption, malicious running processes and networked storage pools. In cases such as child abductions, pedophiles, missing or exploited persons, time is critical. In these types of cases, investigators dealing with the suspect or crime scene need leads quickly; sometimes this is quite literally the difference between life and death for the victim.
MacLockPick is an indispensable tool designed for first responders and law enforcement professionals performing live forensic triage on most computer systems. The solution is based on a USB flash drive that is inserted into a suspect's computer while it is running. Once the MacLockPick software is run it will extract the requisite data, providing the examiner fast access to the suspect's critical information that may otherwise be rendered unreadable by modern encryption programs, hardware malfunctions, or simply powering the system down. MacLockPick is the only cross-platform solution on the market and therefore offers the best chance of successfully capturing data critical to any investigation involving running computers. In addition, MacLockPick is minimally invasive, providing results that can hold up in a court of law.
Maintain the Validity of Evidence
Triage tools are a powerful addition to any forensic investigator's toolbox. One important aspect of a triage tool is that it minimizes the chances of costly mistakes and the potential of altering a suspect's system in a way that may cause loss of evidence. First responder triage tools like MacLockPick are designed to minimize the footprint left on the suspect system and ensure that the validity of the suspect evidence is maintained.
Modification of Suspect Systems
One concern some have with live forensics is the risk of modifying data on the suspect machine and thereby making the suspect evidence inadmissible in court. A good live forensics tool should be designed to minimize the footprint on the suspect's system, and the footprint left by the tool should be verifiable and reproducible. This allows the investigation to show that no modifications were made to the evidence through use of the live forensics tool. Verifying MAC times (modify, access, and create times) can also help establish the time context.
Network Artifacts
In these increasingly connected times, most computers are connected to some sort of network. The information about current network connections can help direct an investigation or show examiners new areas that may be of interest to the investigation. Using a triage tool like MacLockPick can show an examiner a suspect's ARP tables, open interfaces, and netstat activity.
Often Overlooked but Beneficial Artifacts
Any information that allows an investigator to paint a better picture of a suspect's activities can be beneficial to an investigation. The clipboard can often contain contents showing what a suspect was recently doing on their system. A screenshot of the suspect system captures its state at the moment investigators first came in contact with the machine. MacLockPick can capture both of these items for later examination.
Order of Volatility
When collecting data for a computer forensic investigation you want to collect the most volatile data first as it will be lost the quickest. The order of volatility shows which data will be lost first.
- Memory contents
- Swap files
- Network processes
- System processes
- File system information
- Raw disk blocks
Memory contents, swap files, network processes, and system processes will all be lost when the suspect system is shut down.
Scripted Incident Response
Keeping track of what has been done is an important part of the first responder's job. By scripting the required procedures, an investigator can make sure no steps are missed. Scripting the processes run on a suspect computer can also help authenticate any changes made to the machine during a live forensic investigation.
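The collection steps described under Network Artifacts and Order of Volatility, run as a script so that every step is recorded, shown here as an added example; this is not MacLockPick code or any tool's own procedure. The script runs read-only commands from most to least volatile, writes each output to its own file, and appends a timestamp, status and SHA-256 of the output to a log that is itself sealed at the end. The command list is illustrative (vm_stat and sysctl vm.swapusage are macOS commands; a missing tool is logged as skipped rather than aborting the run), and the output directory name is an assumption.

```shell
#!/usr/bin/env bash
# Added example: scripted live-response collection in order of volatility.
# Not MacLockPick code. Assumes bash plus sha256sum or shasum.
set -u

# Ordered from most to least volatile, following the list in the text.
# Each entry is "label|command and arguments".
STEPS=(
  "memory_info|vm_stat"
  "swap_usage|sysctl vm.swapusage"
  "network_arp|arp -a"
  "network_ifaces|ifconfig -a"
  "network_conns|netstat -an"
  "processes|ps aux"
  "fs_mounts|mount"
)

sha256_of() {
  # Hash stdin with whichever tool is present (GNU coreutils or macOS).
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

run_step() {
  # run_step OUTDIR LABEL COMMAND [ARGS...]
  # Writes the command output to OUTDIR/LABEL.txt and appends one log line:
  #   <UTC timestamp>|<label>|<status>|<sha256 of output>
  # Prints the status ("ok", "skipped_missing_tool" or "exit_N").
  local outdir=$1 label=$2; shift 2
  local tool=$1 status out
  out="$outdir/$label.txt"
  if ! command -v "$tool" >/dev/null 2>&1; then
    status="skipped_missing_tool"
    : > "$out"
  elif "$@" > "$out" 2>&1; then
    status="ok"
  else
    status="exit_$?"
  fi
  printf '%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" "$status" \
    "$(sha256_of < "$out")" >> "$outdir/collection.log"
  echo "$status"
}

collect_all() {
  # Run every step in order, then seal the log so later edits are detectable.
  local outdir=$1 step
  mkdir -p "$outdir"
  for step in "${STEPS[@]}"; do
    # Word splitting of the command part is intentional here.
    run_step "$outdir" "${step%%|*}" ${step#*|} >/dev/null
  done
  sha256_of < "$outdir/collection.log" > "$outdir/collection.log.sha256"
  echo "$outdir/collection.log"
}

# Usage (assumed directory name): ./collect.sh --run ./triage_case01
if [ "${1:-}" = "--run" ]; then
  collect_all "${2:-./triage_$(date -u +%Y%m%dT%H%M%SZ)}"
fi
```

Because each line of collection.log carries the hash of the step's output and the log itself is hashed at the end, the record of what was run, when, and what came back can be reproduced and checked in the lab, which is the point of scripting the response rather than typing commands ad hoc.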
Stop Drug Crimes
Drug trafficking has reached epidemic levels in some countries. These criminals are also more commonly using digital means to organize their criminal networks. Through the use of specialized forensic tools like MacLockPick and MacForensicsLab, an investigator can search for evidence common to drug crimes. Spreadsheet files, documents and databases can easily be located using keyword searches.
Target Child Pornography
Child pornography is a serious crime plaguing our society and one of the most commonly investigated crimes for many agencies. Through the use of specialized tools built to target image-based crimes, like MacLockPick, an investigator can quickly zero in on critical evidence. When time is of the essence, specialized tools can make a big difference.
The Focus of Computer Forensic Triage
Computer forensic triage is usually defined as the process by which projects or activities are prioritized to determine which should be attempted first, second, etc. and which should never be done at all. Applied to the forensic examination process, this means determining which data should be investigated first, second, etc. and which data should not be investigated at all. Triage considers the value of investigating, the complexity, the cost, and the order in which the investigation should be accomplished.
The focus of forensic triage is to:
- Find useable evidence quickly
- Identify possible victims that may be at risk
- Direct the ongoing investigation
- Identify potential charges
- Assess the possible danger the suspect poses to society
The Triage Phase
The triage phase of the investigation is the foundation on which the other phases after it will be built. All potential evidence must be considered (computer systems, disks, CD/DVDs, PDAs, etc.) and then prioritized based on the likelihood that it contains evidence relevant to the investigation. An investigator will still need to review the evidence collected in the triage phase at a later time in the lab.
Time Considerations
Making considerations for the time each process will take within an investigation is important. The time cost of every activity in an examination must be weighed against the potential return of the results of that activity. In general it is best to perform tasks that can be done quickly first.
Timing is Critical
Timing is critical throughout an investigation and even more so at the beginning of an investigation. During the early stages of the investigation it is critical for the investigator to have a detailed knowledge of the crime or involvement of the suspect and possible triggers that may increase the willingness of the suspect to cooperate or confess. It has been shown that suspects are more vulnerable and more likely to cooperate within the first several hours of their initial contact with police. By using triage tools to quickly acquire critical suspect data during the early stages of an investigation, an investigator can increase the likelihood of an arrest and confession.
Triage is Proven in the Field
The benefits of field triage have been proven. It has been shown that quick and effective analysis of suspect evidence can be critical to a case. The evidence found through live forensics can provide investigative leads that lead to an arrest and conviction. The information found may also protect others from becoming future victims of crime.
Triage Provides Direction for Investigations
Triage at the scene helps to provide time sensitive investigative and interview leads. It also helps to provide helpful direction for later investigation back at the lab. The information acquired through the use of triage tools can help direct investigators in the lab to information of relevance to the case.
USB Device History
USB has become one of the main standards for connecting all types of devices to computers these days. With the dropping prices of personal flash drives, they have become a popular way to transfer information from computer to computer. With MacLockPick an investigator can quickly gather information about the various USB devices that have been connected to a suspect's Windows machine. This may point them to other potential evidence in their case.
Verification of System Information
Being able to confirm that there have been no changes made to a suspect's system or evidence between the time of seizure and the lab investigation can be important should the integrity of evidence be called into question at trial. By using MacLockPick to record the suspect system's configuration, including username, computer name, operating system, processor, RAM, model, UUID and more, an investigator can have verifiable proof that no changes have been made during the investigation.
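The verification described here, together with the MAC-time check mentioned under Modification of Suspect Systems, can be done with a small script that records a baseline at seizure and compares it again later. This is an added example and not MacLockPick's code: it snapshots a handful of system identity values (hostname, user, OS, architecture; the fuller list in the text such as RAM, model and UUID is tool-specific and not reproduced here), records the modify/access/change times of named files, seals the baseline with a SHA-256, and reports whether anything differs. The output directory and file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: seal a system/MAC-time baseline at seizure and verify it later.
# Not MacLockPick code. Assumes bash, stat (GNU or BSD) and sha256sum/shasum.
set -u

sha256_of() {
  # Hash stdin with whichever tool is present.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

snapshot_system() {
  # Normalised key=value listing of system identity; never fails outright.
  printf 'hostname=%s\n' "$(hostname 2>/dev/null || echo unknown)"
  printf 'user=%s\n' "${USER:-unknown}"
  printf 'os=%s\n' "$(uname -sr 2>/dev/null || echo unknown)"
  printf 'arch=%s\n' "$(uname -m 2>/dev/null || echo unknown)"
}

mac_times() {
  # mac_times FILE...  -> one line per file: path|mtime|atime|ctime (epoch seconds).
  # stat has different flags on macOS (BSD) and Linux (GNU), so branch on the OS.
  local f
  for f in "$@"; do
    case "$(uname -s)" in
      Darwin) stat -f '%N|%m|%a|%c' "$f" ;;
      *)      stat -c '%n|%Y|%X|%Z' "$f" ;;
    esac
  done
}

record_baseline() {
  # record_baseline OUTDIR FILE...  -> OUTDIR/baseline.txt and baseline.sha256
  local outdir=$1; shift
  mkdir -p "$outdir"
  { snapshot_system; mac_times "$@"; } > "$outdir/baseline.txt"
  sha256_of < "$outdir/baseline.txt" > "$outdir/baseline.sha256"
  cat "$outdir/baseline.sha256"
}

verify_baseline() {
  # verify_baseline OUTDIR FILE...  -> prints "unchanged" (exit 0) or "changed"
  # (exit 1); differing lines are written to OUTDIR/verify.diff for the report.
  local outdir=$1; shift
  local current
  current=$(mktemp)
  { snapshot_system; mac_times "$@"; } > "$current"
  if diff "$outdir/baseline.txt" "$current" > "$outdir/verify.diff"; then
    rm -f "$current"; echo unchanged; return 0
  fi
  rm -f "$current"; echo changed; return 1
}

# Usage (assumed paths): ./baseline.sh record ./case01 /path/to/evidence/*
#                        ./baseline.sh verify ./case01 /path/to/evidence/*
case "${1:-}" in
  record) shift; record_baseline "$@" ;;
  verify) shift; verify_baseline "$@" ;;
esac
```

Running verify on a copy of the evidence read from a write-blocked image rather than on the live machine keeps the check itself from touching access times; the diff file is what an examiner would attach to the report if the baseline hash and the later state disagree.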
What is Live Forensics?
Live forensics considers the value of the data that may be lost by powering down a system and collects it while the system is still running. The other objective of live forensics is to minimize impacts to the integrity of data while collecting evidence from the suspect system.
Click here for part one of our Field Triage Tips (from A – L).