AISA Perth Conference 2015 A paradigm shift in digital evidence collection: Empowering IT security...


Transcript of AISA Perth Conference 2015 A paradigm shift in digital evidence collection: Empowering IT security...

Page 1: AISA Perth Conference 2015 A paradigm shift in digital evidence collection: Empowering IT security professionals! Richard Boddington Team Leader, Digital.
Page 2

AISA Perth Conference 2015

A paradigm shift in digital evidence collection: Empowering IT security professionals!

Richard Boddington, Team Leader, Digital Forensic & Data Discovery

TSW Analytical Pty [email protected]

www.tswanalytical.com.au

Page 3

Growing reliance on digital information/evidence poses challenges to forensic practitioners and IT administrators


• Increasingly large AND dispersed datasets

• Law enforcement over-committed

• 90% of data captured irrelevant

• Heavy on-site & equipment costs

• Forensic labs making mistakes

• Storing evidence too costly

• Long delays in processing evidence

• Specialists are too costly

Page 4

The disadvantages evident in current indexing strategies were identified through our review of various tools and processes


Management of the repository requires costly specialists.

Shortcomings with indexing because of a preoccupation with the ‘bucket approach’.

Clients pay for all the data placed in the repository and the time involved in extracting.


Excessive cost in hosting tied to unwanted data.

Too much data: moving data just to process it creates massive processing jobs.

Costly, time-consuming archiving, transportation, filtering and distillation.

An index server/agent has to be installed, which means another application to be deployed, maintained and tested.

Page 5

Indexing and its limitations


Indexing is intended to optimise subsequent search and retrieval, and is useful for managing captive repositories, centralised data archives and business records repositories.

Indexing is highly technical and often not readily available to the non-expert.

Index-based collection can be risky if legal counsel does not fully understand how indexing operates and its limitations.

The process of indexing using software applications involves scanning the text of numerous electronic files, then incorporating the extracted terms into database tables of search terms corresponding to the text files.

Limitations include foreign languages, only recognised file types being processed, limits on the length of words added to the index, etc.

Page 6

Indexing is flawed


Its success is contingent on having the entire original, complete and correct data with which to create the index.

If the original string cannot be found, making a word out of any string becomes statistically flawed.

It is an imperfect process and is unlikely to find any data beyond 82% of the data that the indexer sees.

Indexing is widely perceived to be a perfect way to find data that might be responsive.

The inevitable result is a weakness in the chain of evidence retrieval, leaving numerous unresolvable ‘catch 22’ situations.

Anything it does not understand is either not indexed, or not indexed in its native form.

Typically, an index server excludes over 100 file types, plus unpredictable generic types.
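The two slides above argue that an index only finds what the indexer "understands": unrecognised file types, over-long tokens and non-ASCII text silently drop out. The following Python script, added here as an illustration and not part of the presenter's tool or deck, builds a toy term index with exactly those assumed policies (recognised extensions only, a token-length cap, ASCII-only decoding) and compares its hits against a raw byte-level scan of a small constructed corpus. The file names and contents are constructed for the demo; the `missed_by_index` function returns the evidence the raw scan sees but the index does not.

```python
"""Toy demonstration of why a term index can miss evidence that a raw
content scan finds.  Constructed corpus and assumed indexer policy;
this is an added example, not the presenter's tool."""
import re
from collections import defaultdict

# Constructed sample corpus: path -> raw bytes, standing in for files on disk.
CORPUS: dict[str, bytes] = {
    "mail/msg1.txt": b"Audit committee meeting about the Raptor vehicles tomorrow.",
    "docs/plan.docx.bak": b"Raptor structure approved, do not circulate before the audit.",
    "logs/export.csv": b"id,note\n7,RaptorSpecialPurposeEntity2001 transfer done\n",
    "notes/memo.txt": "Raptor: Besprechung \u00fcber das Audit verschoben.".encode("utf-8"),
    "bin/tool.exe": b"MZ\x90\x00raptor\x00\x00\x00\x00",
}

# Assumed indexer policy for the demo: only recognised text types are read,
# tokens longer than a cap are dropped, and text that fails to decode is skipped.
INDEXED_EXTENSIONS = {".txt", ".csv"}
MAX_TOKEN_LEN = 20


def tokenize(text: str) -> set[str]:
    """Split decoded text into lower-cased alphanumeric tokens."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}


def build_index(corpus: dict[str, bytes]) -> dict[str, set[str]]:
    """Map each indexed term to the paths containing it.  Files the indexer
    does not 'understand' never enter the index at all."""
    index: dict[str, set[str]] = defaultdict(set)
    for path, data in corpus.items():
        ext = path[path.rfind("."):] if "." in path else ""
        if ext not in INDEXED_EXTENSIONS:
            continue                      # unrecognised type: silently dropped
        try:
            text = data.decode("ascii")   # foreign-language text fails here
        except UnicodeDecodeError:
            continue
        for tok in tokenize(text):
            if len(tok) <= MAX_TOKEN_LEN:  # over-long tokens are not indexed
                index[tok].add(path)
    return index


def index_search(index: dict[str, set[str]], term: str) -> set[str]:
    """Look a single term up in the prebuilt index."""
    return set(index.get(term.lower(), set()))


def raw_search(corpus: dict[str, bytes], term: str) -> set[str]:
    """Case-insensitive byte-level substring scan of every file, regardless of type."""
    needle = term.lower().encode("utf-8")
    return {path for path, data in corpus.items() if needle in data.lower()}


def missed_by_index(corpus: dict[str, bytes], term: str) -> set[str]:
    """Paths the raw scan finds that the index cannot see for the same term."""
    return raw_search(corpus, term) - index_search(build_index(corpus), term)


if __name__ == "__main__":
    for term in ("raptor", "audit"):
        print(f"{term}: index sees {sorted(index_search(build_index(CORPUS), term))}")
        print(f"{term}: raw scan also finds {sorted(missed_by_index(CORPUS, term))}")
```

Each missed path maps to one of the slide's failure modes: `.bak` and `.exe` are unrecognised types, the long CSV token exceeds the length cap, and the German memo fails ASCII decoding. A raw scan is far slower and finds false positives inside binaries, which is why neither approach alone is sufficient for evidence identification.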

Page 7

How does this affect the IT crowd?


WHAT IF I ALTER THE EVIDENCE?

I HAVE NO TIME!!!!!

IT’S NOT REALLY MY JOB!

WHERE DO I KEEP THE EVIDENCE?

I HAVE NO TRAINING!! I HAVE NO TOOLS! I HAVE NO MONEY

I HAVE NO TRAVEL BUDGET!

I DON’T UNDERSTAND LAW!

Page 8

Recent developments in the technology

• There is a paradigm shift away from cumbersome processes to recover and identify digital evidence.

• ‘Disruptive’ technologies are heralding a change from traditional digital forensics/eDiscovery processes used to capture digital evidence.

• An automaton, now ready for deployment, has been adopted in Australia, has already been used by a Top 50 eDiscovery firm in the US on two engagements, and is being deployed by a group at NASA.


Page 9


INCREASED RESULTS - COST + TIME SAVINGS

Evidence identification without contamination

Simple executables requiring minimal expertise & avoidance of complex capture processes.

Simplicity of access to datasets without internet or software installation and avoidance of site visits and travel.

A ‘safe harbour’ for captured data for speedy, cheap and secure despatch.

Less data requiring capture and less time to complete capture.

Enhanced post capture filtering and analysis.

Customisable search options compatible with analyst and legal team objectives.

Page 10

The tool provides a broad range of features to help users

• Create Adobe-formatted reports.
• Create encrypted data containers for later review.
• It has inbuilt viewers for all common file types.
• It has the ability to search within itself.
• It has the ability to index and fast-search within itself.
• It has the ability to transform the output, such as extracting or exporting all internalised forms into HTML or PDF indexable output.
• The ISK container file is impervious to hacking attacks and encompasses a full set of multiple NIST-certified encryption techniques.

Page 11

Indexing without evidence contamination to produce sound evidence identification

• The values of the automaton’s patented technology:
– Uses each machine as its own computing environment.
– While a user is still using that machine to do work.

• Does not rely on any central facility such as an enterprise mechanism to do anything.

• Descriptions of relevant evidence, the data and associated metadata are captured without any contamination to the evidence held on computers / network servers.

• An added benefit to IT administrators wishing to capture evidence without tainting it or the dataset where it is held.


Page 12

There is no real distinction between criminal and civil examinations when using digital forensics

• Each group is looking for the same sort of evidence but arguably to different standards.

• eDiscovery on the other hand is almost entirely a civil matter as it involves disputes between different organisations so the concept of 'evidence' is slightly different.

• We contend that the approach used in the past for eDiscovery, which typically involves large numbers of machines:
– Needs to be applied to digital forensics.
– With some refinements.
– It is the only way to handle large data volumes.
– Although not necessarily the same large number of different sources.


Page 13

Design your own configuration file to search for evidence, leads, etc.

1. Select as appropriate according to what you are looking for and/or at.
2. Container password protection.
3. Corporate master auto-processing password.
4. Identify objects.
5. Show/search only these drives.
6. Operational modes (discuss default selections).
7. Destination folder.
8. Temp folder.
9. E-mail actions.

Page 14

DEMONSTRATION: DESIGNING THE CONFIGURATION FILE


Page 15

Searching the Enron email corpus

• In this example, a folder on the C: drive has been selected for file capture.

• The entire Enron email corpus is being searched for two plain search terms.

Page 16

DEMONSTRATION: LAUNCHING THE AUTOMATON


Page 17

View of the “CSV Container”

• There are three hit categories:
– Archives.
– Emails.
– Files.

• Each category shows a CSV file holding references to the details of the ‘hits’ captured according to the configuration settings.

• These files may be opened and exported as required.

Page 18

DEMONSTRATION: EXPLORING THE CAPTURED DATA


Page 19

Viewing files


Page 20

Results of searches

• The search results are listed in the Explorer Pane under the newly created Search Result folder.

• The name for each sub-folder is based on the search terms selected.

• They may be opened and viewed in the other viewer panes.

• Each search folder has a timestamp recording when its search terms were applied.

Page 21

Empowering the IT crowd and others

• The automaton enables information managers and analysts, with minimal training, to undertake searches across a broad range of data repositories.

• Without complex forensic tools or the assistance of specialists.

• We believe that lawyers and auditors with a modicum of training can replace expensive specialists with such tools and take control of the management of their own evidence retrieval.


Page 22

Assisting enforcement and information gathering agencies

• We assert that the search and retrieval features offered by such tools can also be used in criminal investigations.

• The preoccupations with forensic tools of choice and dependence on forensic images can be replaced with a more pragmatic process.

• Such processes, being search-oriented and evidence-led, offer significant enhancements to forensic analysis and significant savings in resource costs.


Page 23

Current research and development at the Institute on the automaton and advanced tools

• Malware detection and analysis.
• 64GB thumbdrive automaton recovery from servers.
• Legal hold.
• Pulling information out of forensic images into case management systems.
• Formal papers comparing and contrasting new tools with conventional ones.
• Encryption and BitLocker analysis to assist recovery.
• Automated ESI acquisition through a webpage portal to allow the custodian to undertake eDiscovery online using the automaton.


Page 24

Any questions?
