Breaching Principle 1 - The Changing Face of Digital Forensics: Less Small and Static and More Big and Live
So you grab the phone of a terrorist, and you want to find out who they have called? What do you do?
A: Archive the storage of the device, and analyse the memory for the call record.
B: Press the call record menu option and scroll through.
Answers:
If you go for A, you are correct according to Principle 1 of the ACPO guidelines, but it is going to take hours, days, months, or even years to image the device and get the call record.
If you go for B, you will not be able to use the evidence in court, as you have damaged the data by operating the phone, and have breached Principle 1 of the ACPO Guidelines for handling digital evidence.
Introduction
If you look at most textbooks on digital forensics, they will analyse Windows partitions and talk through the basic stages of CPAR: Collection, Preservation, Analysis and Report. If an investigator wanted to find out what someone had been doing, they would simply archive the disk and use EnCase to analyse it. Luckily, Windows leaves lots of evidence and fragments of information that can be used to build up a timeline of activity. This worked well when we had small disks, but as our disks have grown, it takes longer to image them. In fact, a traditional hard disk (HDD) will take over 6 hours to image a 3TB disk.
A solid-state disk (SSD) of 512GB is much faster, at 17 minutes.
These days, though, digital forensics is changing, with increasing amounts of storage, a move towards mobile devices, increasing use of the Cloud, and an increase in encrypted content.
Good Practice Guide for Digital Evidence
The handling of digital evidence in the UK is often driven by the ACPO Good Practice Guide for Digital Evidence. It defines guidance for:
- Persons who are involved in the securing, seizing and transporting of equipment from search scenes with a view to recovering digital evidence, as well as in the identification of the digital information needed to investigate crime;
- Investigators who plan and manage the identification, presentation and storage of digital evidence, and the use of that evidence;
- Persons who recover and reproduce seized digital evidence and are trained to carry out the function and have relevant training to give evidence in court of their actions. Persons who have not received appropriate training and are unable to comply with the principles should not carry out this category of activity;
- Persons who are involved in the selection and management of persons who may be required to assist in the recovery, identification and interpretation of digital evidence.
These all seem good, and focus on making sure that those involved with capturing and analysing digital evidence are trained to do so. It is in the principles that we hit problems. The first principle is currently the most difficult to comply with:
Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
This principle causes a major problem, as the second anyone touches a computer, or even moves a mouse, the data will be changed in some way. So the way that investigators coped with this was simply to switch the power off, send the machine to the lab for the disk to be imaged, and then analyse it. But these days it will not be possible to do this with mobile devices.
We would also lose information if we switched the machine off (such as current network connections and passwords). If we try to boot it back up, we may be faced with a PIN or a password, so the device must be kept on. We could overcome this with a write-blocker, but it is often difficult to access the disk interface to fit one. So Principle 1 is causing a major headache in the UK, and is looking rather old-fashioned now.
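Added example (not from the article): a Python check an examiner can run to show whether an acquisition step left the evidence bit-for-bit unchanged, with a contemporaneous audit record either way. The sample image, file names and helper names are constructed for illustration; the read-only step stands in for what a write-blocker enforces, and the live step stands in for operating the device as in option B above.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the evidence file in 1 MiB chunks (works for multi-TB images too)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_unchanged(path: Path, action, audit: list) -> bool:
    """Hash before and after `action(path)`, append an audit record either way,
    and return True only if the evidence is bit-for-bit identical (Principle 1 held)."""
    before = sha256_file(path)
    action(path)
    after = sha256_file(path)
    audit.append({
        "time": time.time(),
        "evidence": path.name,
        "action": action.__name__,
        "sha256_before": before,
        "sha256_after": after,
        "unchanged": before == after,
    })
    return before == after


def static_read(path: Path) -> None:
    # Read-only acquisition: only reads bytes, which is what a write-blocker enforces.
    path.read_bytes()


def live_interaction(path: Path) -> None:
    # Stands in for operating the device: the device updates its own state.
    with path.open("ab") as fh:
        fh.write(b"last_viewed=2016-06-01T10:00:00Z\n")


def demo():
    """Run both actions against a constructed sample image and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "device_image.bin"   # constructed sample, not a real image
        image.write_bytes(b"call_log: +44 7700 900123 2016-05-30T18:42:00Z\n")
        audit: list = []
        static_ok = verify_unchanged(image, static_read, audit)
        live_ok = verify_unchanged(image, live_interaction, audit)
        return static_ok, live_ok, audit
```

The audit list is what supports the evidence in court when Principle 1 cannot be met: it records exactly which action changed the data and what the hashes were before and after.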
Larger storage and Live Forensics
One of the great pressures in digital forensics is the ever-increasing size of disks; with disk arrays using RAID, we can have many TBs or even PBs, which will take a long time to image. Also, disk arrays used in Cloud systems are often difficult to shut down without causing a great deal of disruption.
With increasing amounts of storage within the public Cloud, there can be limited amounts of information stored on local disk systems. Along with this, systems such as Apple iOS and Google Android use encrypted storage, so the days of just extracting a disk from a machine and examining it on another machine are going. Now it is often difficult to examine a disk, so, if investigators need to access encryption keys and connections, they will often keep the machine running so that the memory can be examined. Thus there is an increase in live forensics, and in examining the memory of the running system. Often, too, if a device is switched off, it will lose a great deal of information that might be required for an investigation.
The use of live forensics can often overcome problems of encryption for investigators, as the encryption key will often be stored in the memory of the running device, along with passwords. A dump of the memory can thus often reveal important information that opens up other information traces.
Social media and logs
Increasingly, the main traces of evidence now come from social media and Cloud-based logs. With the increasing use of encrypted traffic, the only trace of evidence is often stored within logs on servers. Here are some of the investigation sources that we now need to consider:
Computing Clusters
We are increasingly moving to the public Cloud, where the information for trails of evidence is not stored on the local machine but on remote disk systems. Within a Cloud, a typical infrastructure used to process large amounts of data is a Hadoop Cluster.
In traditional digital forensics, analysts examine static traces from hard disks, but increasingly the evidence is found within Cloud-based systems, where the trails of evidence are found on Cloud-based disk systems. Within a Hadoop Cluster we have a number of computers, on which we can run tasks that can take hours, days or even months to run.
Overall, the task is broken up into threads, which are then run across the cluster, with redundancy built in so that data and processes can be replicated across the infrastructure. If one computer or disk fails, the data or process can be recovered. In this way we create a robust environment for Big Data analysis.
Another major change in digital investigations has been the move from analysing static data on disks towards investigating live data, known as live forensics. Here the RAM of the computer is investigated, and the device is left powered on. This changes investigations, as there can be a great deal of information to be gained if the device is still powered on, such as usernames and passwords, whereas, if it is powered off, a great deal of user information might be lost.
So we have created a new method here, which uses techniques that can trace evidence within the RAM of a Hadoop Cluster, one of the most typical Big Data infrastructures used. The use of in-memory analysis causes the least amount of disruption to the business processes of the cluster, as most companies would not be able to shut down the Hadoop cluster when it is in operation:
Conclusions
The days of sending a computer off to a lab and archiving the disk are becoming less relevant. Increasingly we need to perform triage on systems, in order to investigate whether there is evidence on them. In a typical seizure from a home, the investigators might take away 50 or more digital devices, and it is difficult for the forensics labs to cope with the range of devices that are captured.
And so Principle 1 of the ACPO guidelines is caught in the crossfire of the move towards mobile devices and the Cloud.
BCS Influence Board | Forensic Scientist | Cyber Awareness Evangelist | Expert Witness (Digital Evidence) | Doctoral Candidate | Visiting Lecturer, Sheffield Hallam Uni |
At the end of the day, in the absence of legislation, what is admissible in court depends on how each side makes their case. When in court, it is good to be right but it is also good to be able to defend your case. As long as you can convince the judge and the jury that your way does not compromise the evidence! The changing of the state of a drive or other devices was one of the first things I was taught in forensics during my Master's studies. But real life taught me that the world does turn even when a device is altered. The fact that some data is changed does not alter the fact that a piece of incriminating evidence is there. A computer may be used 100 times between the moment a crime is committed and it is investigated. If it is used 101 times, the evidence of the crime will not be less important or relevant. If someone used a computer to create an iTunes backup of his iPhone 6 months ago, then no matter how many times the computer was booted, the backup is a link to the said iPhone. Mobile phone forensics tools often need to install a piece of code on the suspect device in order to access it. Jailbreaking or password cracking is altering. And let's not forget old school solutions like Project-A-Phone that video recorded the screen of a mobile phone while the investigator explored the device manually! All the discussions about the preservation of data are great. But remember that Forensics is the use of science for the purpose of justice (use in court). If the court is happy to accept your methodology, everything else is just a philosophical or rhetorical issue. Then we have the standard of proof: in courts, there are two major standards: Beyond Reasonable Doubt, and Preponderance of Evidence (or Balance of Probabilities). Beyond a reasonable doubt means (in criminal cases) that the evidence cannot be disputed. But in civil courts, Balance of Probabilities means that if something is more likely than something else, then it will be accepted by the court.
At this stage, it may be more about the status of the expert than the evidence itself. Digital forensics moves from a single drive, to multiple formats, multiple sources and non-linear analysis. Digital forensics as Big Data is the way forward. We need to adapt as our world changes. ACPO guidelines are just that. Guidelines. The world does not end with them. They are good for what they are, but they should not interfere with progress in forensics.
Senior Consultant @ MSAB | Former Police - Specialist Operations
Precisely Angus, quite right. In order to get an Android phone to talk to the imaging software you have to make changes to the phone - such as USB debugging and stay awake, and it is Principle 2 that we rely upon every time.
Meddler in standards, provider of learning opportunities, writer and boring enthusiast about old motors. forensic scientist/expert witness (not accepting criminal casework for now - thank you FSR!)
What about Principle 2? It's been present in every version of the guide and is designed for the very situations you are talking about.