Date post: | 26-Dec-2015 |
Copyright © 2013 ADF Solutions, Inc. All rights reserved.
Challenges and Requirements for Media Exploitation and Digital Investigations
Kevin Long, Account Executive, ADF Solutions, Inc. [email protected], +1-301-312-6578
Agenda
1. About ADF
2. Digital Forensics - Levels & Users
3. Digital Forensics - Problems Today
4. USSOCOM & US Army Requirements
5. DHS Requirements
6. UK East Midlands Project
7. CELLEX & MEDEX Kits
8. Tool Selections
9. Product Demo
ADF is the leading provider of Media Exploitation and Forensic Triage tools
Who We Are
Date Founded: August 2005
Location: Bethesda, Maryland USA (HQ)
Clients: Military, Intelligence, Law Enforcement, and other Civilian agencies
Users (est.): 4,000 worldwide
Current & Future Markets
(timeline graphic: 2005 – 2009 – 2014)
• Law Enforcement Investigations
• Military & Defense
• Media Exploitation
• Corporate Investigations & e-Discovery
Global Footprint
USA: USSOCOM, Army DOMEX, US Army TRADOC, DHS ICE, DHS CBP, DHS Investigations, NMEC, DIA, USPS, VA State Police… etc.
UK: 75% penetration rate with LE agencies in UK (32 out of 43)
EUROPE: Netherlands, Portugal, France, Germany, Norway
ASIA: India, China
AUSTRALIA: NSW, AFP, QPS, Air Force, South Australia Police
Digital Forensics - Levels
(columns on the original slide: Users, Goals, Time, Deployment, Technical Req.)
1. Forensic Triage (Level 1)
   Users: Investigators & Operators
   Goals: Identify positive computers
   Time: Restricted (30 sec – 2 hrs)
   Deployment: Field & Lab
   Technical Req.: Minimal
2. Targeted Examinations (Level 2)
   Users: Investigators, Operators, & Forensic Examiners
   Goals: Solve obvious cases without full exam
   Time: Flexible (2 hrs – 48 hrs)
   Deployment: Lab
   Technical Req.: Medium
3. Manual Examinations (Level 3)
   Users: Examiners
   Goals: Full deep analysis
   Time: Unlimited
   Deployment: Lab
   Technical Req.: Deep
Digital Forensics - Users
(columns on the original slide: Sector, Users, Goals)
Media Exploitation (Field/Lab)
   Users: Military and Intelligence Operatives
   Goals: Extract actionable intelligence to identify suspects/threats to national security
Targeted Examinations (Field/Lab)
   Users: Forensic Examiners
   Goals: Reduce forensic backlogs by eliminating or qualifying devices
Forensic Triage (Field/Lab)
   Users: Investigators
   Goals: Extract and review evidence faster to prioritize and help solve cases quickly
Data Overload
Too many devices, too much data
• Manual examination of all computers is not an option anymore – will have to be focused on high value devices
• Wide collection of devices for lab analysis is not an option anymore – will require filtering/qualification
Targeted vs. Full Examinations
(pie charts on the original slide)
Current: Targeted Examinations & Triage 40%, Manual Examinations 60%
Future: Targeted Examinations & Triage 90%, Manual Examinations 10%
Examiners: Identified Pain Factors
Forensic Examiners
• Efficiency:
  – Focus forensic expertise on computers that warrant them
  – Avoid imaging drives if possible (time consuming)
  – Automated tool to scan devices
  – Provide automated and flexible reporting
• Risk:
  – Forensically sound
• Quick results:
  – Avoid long scans; imaging drives
• Reporting:
  – Scanned results should be conclusive and prioritized for immediate access
Investigators: Identified Pain Factors
Law Enforcement Investigators
• Risk Mitigation:
  – Require automated tools
  – Forensically sound
• Portability:
  – Avoid carrying laptops into field
• Quick results:
  – Decide to seize device or not
• Actionable results:
  – Scanned results should be conclusive and prioritized for immediate access
• Training:
  – Investigators cannot be trained in using complex digital forensic software
  – Tool must require minimal training and include self training options
Operators: Identified Pain Factors
Military/Intel Operators
• Ease of use:
  – Operators cannot be trained in using complex digital forensic software
• Portability:
  – Avoid carrying heavy equipment
• Immediate results:
  – Cannot wait for long scans of computers & devices
• Actionable results:
  – Results should be conclusive and prioritized for immediate access
Evaluations
• In late 2009 and early 2010, Army DOMEX conducted an evaluation of triage tools.
• In early 2010, USSOCOM conducted an evaluation of computer media exploitation and cellular telephone exploitation products, systems, and tools.
Identified Goal
• Perform electronic media exploitation in the field and in the lab: discover, categorize, and use intelligence
  – Fast!
  – Thorough!
Basic Requirements
• Ease of use for operators - One-click setup
• Rapid intelligence identification
• View results directly on suspect computer
• Custom define keywords and setup scans
• Leverage pre-prepared search intelligence
• Live & Boot triage, cross-platform
• Stand alone product (No expensive hardware)
• Simple USB deployment
Key Technical Requirements
1. Linux/MAC compatibility
2. Remove traces of presence on the target computer
3. Log file of activity
4. Data captured when acquisition interrupted
5. Password breaking
6. Altering search parameters
7. User configurable search parameters
8. Capture summary information
9. Time to capture data
10. Data sharing
11. Recognize pre-attached media
12. Capture Registry data
13. Boolean logic support
14. Recognize e-mail clients
15. View results on target computer
16. Capture chat logs
17. Capture client based e-mail addresses
18. Support for booting a powered down computer
Tool Selection
• USSOCOM and Army DOMEX both selected Triage-G2®
Key Deployments
Agency | Users | MEDEX
USSOCOM (RSE JCTD) | Non-technical operators | ADF
US Army/TRADOC (RSE JCTD) | Non-technical operators | ADF
DHS-CBP | Non-technical investigators | ADF
NSW Police (Australia) | Non-technical investigators | ADF
QLD Police (Australia) | Non-technical investigators | ADF
UK Met (evaluation in progress) | Non-technical investigators | ADF (Pilot in 5 forces)
Goals
• Develop “universal triage device” to aid law enforcement officers
  – Quick investigation and extraction of evidence from computers and other devices related to active criminal or terrorist investigations.
DHS: Tool Requirements
1. Lightweight USB deployment
2. Extreme ease of use - minimal training needed
3. Find critical evidence in minutes
4. Single device to triage Windows, Macintosh and Linux computers
5. View results directly on suspect computer
6. Scan computers that are turned on or off
7. Forensically sound
8. Advanced image analysis to identify illegal images
Training Requirements
• ADF Triage-Responder prototype users are required to complete the learning tracks built into the application prior to first use.
• Online webinars for users who require more instruction can be requested from the vendor (ADF).
Tool Selection
• DHS selected Triage-Responder®
Devices Exploited/Scanned
(the original slide split these between “Current” and “Coming 2014” columns)
• Drive images
• DVDs, USB keys, SD cards, etc.
• Laptops, Desktops & Servers
• Smartphones
• Tablets
• Hard drives