
Uncovering digital nuggets with forensic software

Lee Reiber, Access Data

20-Jan-2015 The state of computer forensic investigation

While storage media have changed from floppy disks and spinning drives, the attack hasn't changed at the software level. What has changed is the volume of data.

As a technology, computer forensic investigation keeps improving, because software that uncovers digital nuggets has to stay abreast of the technology it examines.

Now we're using small flash drives and micro SD cards holding 64GB of data. Once you know "this is what a file header looksks like; this is what a footer looks like", you can wrap your mind around the data, however it is stored.

"Where the forensic tools have shifted has to do with processing that amount of data," said Lee Reiber, VP of Mobile Forensic Solutions, Access Data. "If I can eliminate a lot of knowns from a data set, I can concentrate on the unknowns. So we created known values, signatures, and different apps that might run on the desktop. You're taking 500GB down to 10 or 20GB of data."
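The two ideas above, carving by header/footer signature and eliminating known files by hash, as an added example that is not Access Data's code or from the article. The JPEG start-of-image (FF D8 FF) and end-of-image (FF D9) markers are real; the "disk image" bytes and the known-hash set are constructed for the demonstration.

```python
import hashlib

# Real JPEG markers: SOI prefix and EOI. Real carvers also parse the segment
# structure, because an embedded EXIF thumbnail carries its own FF D9.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Constructed sample "disk image": a known system file, junk, a user file,
# and a truncated fragment (header with no footer) that must not be carved.
KNOWN_GOOD = JPEG_SOI + b"\xe0known-system-logo" + JPEG_EOI
UNKNOWN = JPEG_SOI + b"\xe1user-photo-data" + JPEG_EOI
IMAGE = (b"\x00" * 16 + KNOWN_GOOD + b"garbage" * 3 + UNKNOWN
         + b"\x00" * 8 + JPEG_SOI + b"\xe2truncated")

# Constructed "known values" set, the role NSRL-style hash sets play in practice.
KNOWN_HASHES = {hashlib.sha256(KNOWN_GOOD).hexdigest()}


def carve(data, header, footer, max_size=10 * 1024 * 1024):
    """Return (offset, bytes) for every header..footer span in data."""
    results = []
    pos = 0
    while True:
        start = data.find(header, pos)
        if start == -1:
            break
        # Look for the footer within max_size bytes of the header.
        end = data.find(footer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1          # no footer: skip this header, keep scanning
            continue
        end += len(footer)
        results.append((start, data[start:end]))
        pos = end
    return results


def eliminate_knowns(carved, known_hashes):
    """Drop carved files whose SHA-256 matches a known-file hash."""
    return [(off, blob) for off, blob in carved
            if hashlib.sha256(blob).hexdigest() not in known_hashes]


if __name__ == "__main__":
    found = carve(IMAGE, JPEG_SOI, JPEG_EOI)
    for off, blob in eliminate_knowns(found, KNOWN_HASHES):
        print(f"unknown file at offset {off}, {len(blob)} bytes")
```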

In forensics you fine-tune your focus with advanced analysis tools rather than scanning all of the data. A keyword search looks through every 0 and 1 for your term, so when you can search a smaller amount of data, the search is obviously faster.

“Our forensic toolkit brings in a database, and the data is now processed up front,” Reiber said. “What I mean is you’re able to set all your parameters – carving jpg, video files, encrypted containers, and evidence that might be in your dictionary of keywords. And you want to run that through the initial stage of processing.”

Once that's completed you have immediate access to keywords, because everything is indexed. That lets you search for specific items, and because the data is categorized you can go in and eliminate, say, system files. Suppose you're looking for pictures or videos: since the data has been categorized, there's a multimedia category you can go straight to.

“Back in 2000 we went in at Point A and finished at Point C,” said Reiber. “We’ve increased the amount of cases people are working, which means we have to work more intelligently. How can we investigate active memory, where things aren’t yet encrypted? What about info that hasn’t been written to disc yet, or a process that only runs in RAM? This forensic toolkit allows us to capture the data in RAM, create an image of it, and store that image for later analysis.”

In the enterprise, how can you remotely capture an image, or monitor a computer in another part of the world? That used to require someone onsite.

"Now we capture and monitor any type of threat," Reiber said. "If illegal pictures are being downloaded, or some HR incident, AD Enterprise lets us capture the live RAM on that computer, create an image, and analyze that information. We do it across the network."

In addition to handling large data volumes, companies need to be able to decrypt HTTPS (certificate-based) traffic.

"We have to react quickly to employees using HTTPS, so everything is encrypted across the network until received, or, say, to Google's network," said Reiber. "We had to be able to decrypt that data through the network to be able to do analysis. Think of it as a man in the middle."

 Read about forensic investigation of mobile devices in Part 2