Tips – Field Triage (M – Z)

Here’s part two of our Field Triage Tips (from M – Z).

Forensic triage is the practice of searching and analyzing a digital device (computers, smartphones, and tablets) in the field or at the crime scene. In many investigations, crucial digital evidence is needed while still at the scene. The traditional method of seizing the device(s), transferring them to the forensics lab, acquiring an image, and then analyzing the image for potential evidence may no longer be appropriate in cases such as child abductions, pedophiles, or missing persons, when every second counts.

As one of the pioneers in computer triage tools, we have gathered here a set of tips for reference.


MacLockPick

MacLockPick adheres to commonly held forensic principles and does not negate the ability to transfer systems and storage media back to the lab for more detailed investigation after field triage has concluded.

Comprehensive forensic applications such as MacForensicsLab focus on the analysis of static data. However, the need to capture live data has become paramount in an environment fraught with forensic pitfalls such as encryption, malicious running processes, and networked storage pools. In cases such as child abductions, pedophiles, and missing or exploited persons, time is critical. Investigators dealing with the suspect or crime scene need leads quickly; sometimes this is quite literally the difference between life and death for the victim.

MacLockPick is an indispensable tool designed for first responders and law enforcement professionals performing live forensic triage on most computer systems. The solution is based on a USB flash drive that is inserted into a suspect's running computer. Once the MacLockPick software is run, it extracts the requisite data, giving the examiner fast access to the suspect's critical information that may otherwise be rendered unreadable by modern encryption programs, hardware malfunctions, or simply powering the system down. MacLockPick is the only cross-platform solution on the market and therefore offers the best chance of successfully capturing data critical to any investigation involving running computers. In addition, MacLockPick is minimally invasive, providing results that can hold up in a court of law.


Maintain the Validity of Evidence

Triage tools are a powerful addition to any forensic investigator's toolbox. One important aspect of a triage tool is that it minimizes the chance of costly mistakes and of altering a suspect's system in a way that causes loss of evidence. First responder triage tools like MacLockPick are designed to minimize the footprint left on the suspect system and ensure that the validity of the suspect evidence is maintained.


Modification of Suspect Systems

One concern some have with live forensics is the risk of modifying data on the suspect machine and thereby making the suspect evidence inadmissible in court. A good live forensics tool should be designed to minimize its footprint on the suspect's system, and the footprint it does leave should be verifiable and reproducible. This allows the investigator to show that no modifications were made to the evidence through use of the live forensics tool. Verifying MAC times (modify, access, and create times) also helps establish the time context.


Network Artifacts

In these increasingly connected times, most computers are connected to some sort of network. Information about current network connections can help direct an investigation or show examiners new areas that may be of interest. Using a triage tool like MacLockPick can show an examiner a suspect's ARP tables, open interfaces, and netstat activity.


Often Overlooked but Beneficial Artifacts

Any information that allows an investigator to paint a better picture of a suspect's activities can be beneficial to an investigation. The clipboard often contains contents showing what a suspect was recently doing on their system. A screenshot of the suspect system in its current state, as investigators first found it, is similarly valuable. MacLockPick can capture both of these items for later examination.


Order of Volatility

When collecting data for a computer forensic investigation, you want to collect the most volatile data first, as it will be lost the quickest. The order of volatility shows which data will be lost first.

Order of Volatility

  1. Memory contents
  2. Swap files
  3. Network processes
  4. System processes
  5. File system information
  6. Raw disk blocks

Memory contents, swap files, network processes, and system processes will all be lost when the suspect system is shut down.


Scripted Incident Response

Keeping track of what has been done is an important part of the first responder's job. By scripting the required procedures, an investigator can make sure no steps are missed. Scripting the processes run on a suspect computer also helps authenticate any changes made to the machine during a live forensic investigation.


Stop Drug Crimes

Drug trafficking has reached epidemic levels in some countries, and these criminals are increasingly using digital means to organize their networks. Through the use of specialized forensic tools like MacLockPick and MacForensicsLab, an investigator can search for evidence common to drug crimes. Spreadsheet files, documents, and databases can easily be located using keyword searches.


Target Child Pornography

Child pornography is a serious crime plaguing our society and one of the most commonly investigated crimes for many agencies. Through the use of specialized tools built to target image-based crimes, like MacLockPick, an investigator can quickly zero in on critical evidence. When time is of the essence, specialized tools can make a big difference.


The Focus of Computer Forensic Triage

Computer forensic triage is usually defined as the process by which projects or activities are prioritized to determine which should be attempted first, second, and so on, and which should never be done at all. Applied to the forensic examination process, it determines which data should be investigated first, second, and so on, and which data should not be investigated at all. Triage weighs the value of investigating, the complexity and cost, and the order in which the investigation should be carried out.

The focus of forensic triage is to:

  1. Find usable evidence quickly
  2. Identify possible victims that may be at risk
  3. Direct the ongoing investigation
  4. Identify potential charges
  5. Assess the possible danger the suspect poses to society


The Triage Phase

The triage phase of the investigation is the foundation on which the phases after it are built. All potential evidence must be considered (computer systems, disks, CDs/DVDs, PDAs, etc.) and then prioritized based on the likelihood that it contains evidence relevant to the investigation. An investigator will still need to review the evidence collected in the triage phase at a later time in the lab.


Time Considerations

Accounting for the time each process will take is an important part of planning an investigation. The time cost of every activity in an examination must be weighed against the potential return of its results. In general, it is best to perform tasks that can be done quickly first.


Timing is Critical

Timing is critical throughout an investigation, and even more so at its beginning. During the early stages, it is critical that the investigator have detailed knowledge of the crime or the suspect's involvement, and of possible triggers that may increase the suspect's willingness to cooperate or confess. It has been shown that suspects are more vulnerable and more likely to cooperate within the first several hours of their initial contact with police. By using triage tools to quickly acquire critical suspect data during the early stages of an investigation, an investigator can increase the likelihood of an arrest and confession.


Triage is Proven in the Field

The benefits of field triage have been proven. Quick and effective analysis of suspect evidence has been shown to be critical to a case. The evidence found through live forensics can provide investigative leads that lead to an arrest and conviction. The information found may also protect others from becoming future victims of crime.


Triage Provides Direction for Investigations

Triage at the scene helps provide time-sensitive investigative and interview leads. It also provides direction for later investigation back at the lab: the information acquired with triage tools can point investigators in the lab to the information most relevant to the case.


USB Device History

USB has become one of the main standards for connecting all types of devices to computers. With the dropping prices of personal flash drives, they have become a popular way to transfer information from computer to computer. With MacLockPick an investigator can quickly gather information about the various USB devices that have been connected to a suspect's Windows machine. This may point them to other potential evidence in their case.


Verification of System Information

Being able to confirm that no changes have been made to a suspect's system or evidence between the time of seizure and the lab investigation can be important should the integrity of the evidence be called into question at trial. By using MacLockPick to record the suspect system's configuration, including username, computer name, operating system, processor, RAM, model, UUID and more, an investigator has verifiable proof that no changes have been made during the investigation.


What is Live Forensics?

Live forensics considers the value of the data that would be lost by powering down a system and collects it while the system is still running. The other objective of live forensics is to minimize the impact on the integrity of data while collecting evidence from the suspect system.


Part one of our Field Triage Tips (from A – L) follows below.

Tips – Field Triage (A – L)


Adhere to Commonly Held Forensic Practices

Having a computer forensic triage model in place for first responders is important. It is also important that the model adheres to commonly held forensic practices and does not interfere with the ability to analyze the suspect computer more thoroughly later, back at the lab. The integrity of the suspect data must be ensured at all times during the process.


Assess the Danger a Suspect Poses

Through the use of field triage and live forensics tools, an investigator can not only gather evidence against a suspect but also use the data gathered to assess the possible risk that an offender poses to others in society. By evaluating the evidence of crimes committed, they can ascertain the likelihood of the offender committing further crimes against others.


Automate When Possible

Even small errors in the investigative process on a suspect's machine may mean the difference between a conviction and a criminal going free. To minimize the risk of errors, automation should be used whenever possible. Products like MacLockPick allow the investigator to choose from many automated tasks to be carried out. This helps ensure that the results will be consistent and verifiable should they be challenged in court at a later time.


Automated Triage

Time is an important factor in any criminal investigation, both in time-critical cases such as child abduction, kidnapping, death threats, and missing and exploited children, and in dealing with the backlog of evidence that many agencies are experiencing in this increasingly digital age.

Automated triage tools allow forensic examiners and investigators to focus on other critical tasks while the triage process is taking place. Automation also decreases the risk of human error and ensures that all bases are covered with regard to the data acquired for the investigation. By using "set it and forget it" automation, triage tools can capture important suspect information while leaving investigators free to deal with other important investigative tasks.


Browser Artifacts

Web browsers create a number of artifacts that can be of interest to an investigator during the triage stage of an investigation and later on during the formal lab investigation. While different browser applications vary, they all create cookies, caches, and other temporary internet files that can contain a wealth of information about the history of a suspect's online activities. Searching these files can be very beneficial to an investigation but can also take a lot of time. Applications like MacLockPick can significantly cut down on the time required to analyze these files and find evidence relevant to the investigation.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective. SubRosaSoft Cache Detective is an easy-to-use utility for reading the cache of many browsers and chat applications and extracting the files currently stored in their cache folders.


Capture Running Processes

Knowing what a suspect was doing on their computer before an investigation begins can be helpful to most examinations. All running applications open processes on the suspect's system. MacLockPick can capture a list of the processes running on a suspect system to show an investigator exactly what the suspect was doing at the time.


Cases where Less Traditional Workflows are Required

While more traditional workflows may work for most cases, time-critical cases such as child abduction, kidnapping, missing persons, death threats, etc. call for a different approach. These situations require quick acquisition and analysis of the available evidence to give investigators as much information as possible in the shortest period of time, when it really matters. Cases like this require fast triage tools to get the evidence to the investigators in the shortest time possible.


Catching a Murderer

Criminals always leave a trail for investigators to find. Zeroing in on this critical data can be difficult at times, but the use of specialized tools can make the search quicker and easier. In cases like murder, the investigators may find contents such as the suspect's Google search and email history to be of interest. MacLockPick can quickly analyze and display this information to speed the investigative process.


Computer Forensic Field Triage Process Model

The Computer Forensic Field Triage Process Model (Rogers, Goldman, Mislan, Wedge, Debrota, 2006) outlines the process and phases of a triage investigation. This process model is a general outline for the field triage process. It is important to qualify the needs of the investigation first, as this model isn't appropriate for every investigative situation.

  • Planning
  • Triage
  • User Usage Profiles
    • Home Directory
    • File Properties
    • Registry
    • Passwords
  • Chronology Timeline
  • Internet
    • Browser Artifacts
    • Email
    • Instant Messages
  • Case Specific



Consideration for Common Practices

While time is critical in many investigations, it's important to ensure that procedures used to minimize the time required to find evidence don't interfere with other important considerations of an investigation. The procedures must still adhere to common forensic principles such as minimizing contamination of the original scene and the evidence, complying with rules of evidence to ensure it is admissible in court at the federal and state levels, and maintaining the chain of custody. Well-designed field procedures should account for all of these commonly held practices.


Departure from The Norm

The Computer Forensic Field Triage Process Model may be a bit difficult for some investigators to get used to at first, as it is somewhat backwards from what they have been taught to do in most investigations. In many cases investigators have been taught never to touch a suspect computer and simply to unplug it to prevent any alteration of the evidence on the machine. In cases where time is critical, it may be necessary to depart from the commonly held forensic principles in order to get the evidence in time to make a difference.


Email Artifacts

Email is a valuable tool for all online users. It's also a common tool used by criminals. The information found in a suspect's email messages can help direct an investigation and may help secure a conviction. The procedure to examine email evidence can be time consuming. The use of tools like MacLockPick and MacForensicsLab can significantly cut down on the time it takes to examine email evidence and zero in on suspect data.


Evidence has Gone Digital

The increase in technology also changes our concept of what constitutes evidence in a criminal investigation. Where previously most evidence was physical and document based, the large majority of evidence has now gone electronic and is stored on hard drives, digital media, and web accounts. Computers and smartphones have become the main source of evidence in many crimes where they used to be only one of many small parts of the illegal act.

Computer crimes are becoming more common, and proper procedures and tools are needed to combat these challenges.


Feedback from Triage

There are many benefits to field triage, such as on-site access to evidence.

An additional benefit of performing triage on the scene is the feedback that can be given to investigators. This allows the computer forensic analyst to modify their search based on feedback from investigators and those who may be in contact with the suspect.


Field Triage Tool Benefits

The use of forensic triage tools can increase the effectiveness of any investigation.

Through the use of forensic triage tools an investigator can quickly:

  • Gain access to evidence that may allow them to secure a warrant or confession.
  • Determine whether a computer/system requires further analysis.
  • Eliminate or dismiss a computer/system from further analysis.
  • Determine key areas for further investigation.
  • Ensure the acquisition of evidence that would be lost by powering the computer/system down.
  • Acquire a snapshot of the suspect system's current state before seizure.


Financial Crimes

Financial crimes such as currency counterfeiting, money laundering, and intellectual property crime affect all levels of society. When searching for evidence of a financial crime, documents such as spreadsheets and images of checks or potentially fraudulent financial materials may be high on the list of priorities. Documents from financial applications such as MS Money, Quicken, and QuickBooks may also contain items of interest.


Finding Evidence Quickly

Finding usable evidence quickly is one of the most important focuses of field triage and live forensics. Being able to zero in on suspect evidence quickly can be very important to an investigation. It may give an investigator new leads, help secure a confession and conviction, or be the difference between life and death for a victim.


First Responders

First responders must be very aware of their tasks when first arriving to perform forensic triage. The efforts of the first responder are critical to ensuring that the evidence is gathered and preserved in a simple, secure, and forensically sound manner. The initial response to an incident is more important than the later technical analysis of the computer system, as actions taken by the first responder can greatly impact the subsequent laboratory examination. The success of evidence recovery and prosecution depends on the actions of the individual who initially responds to the scene.


Guide an Ongoing Investigation

Field triage and live forensics are key to acquiring critical evidence in an active investigation. This information can be used to guide the investigation. The information obtained through the on-site examination of a suspect computer can give examiners new leads to pursue, and may also point investigators to new suspects or victims they were previously unaware of.


Identify Criminal Charges

The use of on-scene triage and live forensic tools can identify evidence that leads to potential charges. Quickly finding proof of a crime can help the investigation secure an arrest warrant and bring formal charges against a suspect. Live forensics can play a critical role in this process.


Identify Victims of Crime

The use of field triage can help identify current and possible future victims. By quickly examining the evidence on the scene, a forensic examiner may be able to guide the investigation to possible victims of a crime. They may also be able to identify those at risk of becoming future victims.


Importance of Volatile Data

Capturing information about the current state of a suspect computer before powering it down is important to a forensic investigation. There is a wealth of volatile data that can be lost once the suspect's computer is powered down. This information may help direct an investigation in the early stages and can be beneficial during other stages of the investigation. First responder triage tools can capture this important data, which can play a critical role in every investigation.

Important information that may be lost when the computer is powered down may include:

  • Clipboard contents
  • Attached device listings
  • Open network ports
  • Current running applications and processes
  • Temporary cache files
  • Active memory contents
  • Connected network drives
  • Active peer-to-peer connections
  • And more…

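The scripted, most-volatile-first collection with a verifiable footprint described in the Order of Volatility, Scripted Incident Response, Verification of System Information and Importance of Volatile Data tips, as an added example that is not MacLockPick's or SubRosaSoft's code. It is a POSIX shell script; the step names, output file names and the choice of read-only commands (netstat, arp, ifconfig, ps, who, mount, uname) are our own assumptions, and OUTDIR is assumed to be on the responder's own media rather than the suspect volume.

```shell
#!/bin/sh
# Added example (not MacLockPick or MacForensicsLab code): a scripted, read-only
# volatile-data collection.  Steps run most-volatile-first, every command is
# logged with a UTC timestamp and exit status, and a SHA-256 manifest lets the
# lab verify later that nothing in the collection changed.  File and step
# names are our own choices; OUTDIR is assumed to be the responder's own media.

# Use whichever SHA-256 tool the host provides (Linux coreutils, macOS, OpenSSL).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# run_step OUTDIR STEP COMMAND [ARGS...]
# Logs "timestamp<TAB>step<TAB>command<TAB>exit=N" and saves output to
# OUTDIR/STEP.txt.  A command missing on this host is logged as SKIPPED so the
# remaining, less volatile steps still run.
run_step() {
    sd=$1; sn=$2; shift 2
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\t%s\tSKIPPED\tcommand not found: %s\n' "$ts" "$sn" "$1" >>"$sd/collection.log"
        return 0
    fi
    if "$@" >"$sd/$sn.txt" 2>&1; then rc=0; else rc=$?; fi
    printf '%s\t%s\t%s\texit=%s\n' "$ts" "$sn" "$*" "$rc" >>"$sd/collection.log"
}

# collect_volatile OUTDIR
# Order of volatility: live network state and processes first, then logged-in
# users and mounts, and finally the system identity used to verify the machine.
collect_volatile() {
    od=$1
    mkdir -p "$od"
    : >"$od/collection.log"
    run_step "$od" 00_clock      date -u
    run_step "$od" 01_netstat    netstat -an
    run_step "$od" 02_arp        arp -an
    run_step "$od" 03_interfaces ifconfig -a
    run_step "$od" 04_processes  ps -ef
    run_step "$od" 05_users      who
    run_step "$od" 06_mounts     mount
    run_step "$od" 07_system     uname -a
    write_manifest "$od"
}

# write_manifest OUTDIR: hash every collected file plus the log itself into
# manifest.sha256 (one "hash<TAB>file" line per file).
write_manifest() {
    ( cd "$1" && : >manifest.sha256 && for f in *.txt collection.log; do
          [ -f "$f" ] || continue
          printf '%s\t%s\n' "$(hash_file "$f")" "$f" >>manifest.sha256
      done )
}

# verify_manifest OUTDIR: recompute each hash; returns 0 only if all match.
verify_manifest() {
    ( cd "$1" && while IFS="$(printf '\t')" read -r h f; do
          [ "$(hash_file "$f")" = "$h" ] || { echo "MISMATCH: $f" >&2; exit 1; }
      done <manifest.sha256 )
}

# Usage: ./triage_collect.sh /Volumes/TRIAGE/case-001
if [ "$#" -gt 0 ]; then
    collect_volatile "$1" && verify_manifest "$1" && echo "collected and verified: $1"
fi
```

Re-running verify_manifest against the same directory in the lab is the check that the collection (including its own log) is byte-for-byte what the responder captured.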


Instant Message (IM) Artifacts

Instant messaging is a common method of communication on the internet. Many instant message programs store contact lists along with chat histories. This information can be useful to an investigation as it can provide new leads, help secure a confession, or help prove intent.


Internet Artifacts

Almost every investigation will involve the analysis of internet artifacts. Web browsing caches store records of sites a suspect has visited. Emails may help prove intent or correlate other events. Instant message conversations can contain evidence that could help secure a conviction. The investigator must weigh the time cost of investigating such artifacts, but with specialized tools such as MacLockPick, the time required to analyze such data can be greatly reduced.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective.


See Part Two (M – Z) above.