Monday, June 13, 2011

No trust in a single tool.

"If the only tool you have is a hammer, you tend to see every problem as a nail."
Abraham Maslow

More and more often I find myself working on a case with at least two forensic tools simultaneously. Depending on the task, I pair EnCase with X-Ways or FTK with X-Ways.

All three are great, and each is better than the others at certain tasks. I like working with EnCase to analyse the registry, automate things with EnScripts, or search and bookmark hits in unallocated space. FTK is best with email and has excellent indexed searching capability. X-Ways Forensics is simply fast and reliable.

There is no point in doing ALL operations with a pair of these tools. There are always several most important pieces of evidence supporting the hypothesis that need extra attention. This is especially true when confirming the absence of certain evidence.

I don't just use two tools in parallel; in addition, I attempt to use different methods to confirm the facts. This becomes a sort of Devil's Advocate peer-review activity.

Lately, forensic tools have become more complex and attempt to provide more interpretation for the sake of convenience. Not surprisingly, I frequently observe different interpretations by different tools and have to dig deeper to find the truth.
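To make the cross-check concrete, here is an added example (not code from the original post, and not the export format of any particular vendor tool). It reconciles file-listing exports from two tools and then settles each disagreement with a third, tool-independent method: recomputing the hash from the raw bytes. The two CSV exports, the raw file contents and the tool names "ToolA" and "ToolB" are constructed for illustration.

```python
"""Reconcile two forensic tools' file-listing exports and re-verify every
disagreement against the raw bytes with an independent computation.

Added example, not code from the original post. The two CSV exports, the
raw file contents and the tool names "ToolA" and "ToolB" are constructed;
a real run would read each tool's own export and the raw data from the image.
"""
import csv
import hashlib
import io

# Constructed export from the first tool ("ToolA"): path, logical size, MD5.
EXPORT_A = """path,size,md5
/Users/jdoe/notes.txt,11,5eb63bbbe01eeed093cb22bb8f5acdc3
/Users/jdoe/photo.jpg,4,098f6bcd4621d373cade4e832627b4f6
/Users/jdoe/ledger.xls,3,900150983cd24fb0d6963f7d28e17f72
"""

# Constructed export from the second tool ("ToolB"): it did not list
# ledger.xls, it lists an extra thumbs.db, and for photo.jpg it reports the
# MD5 of an empty file, a classic symptom of a tool that failed to read the
# content but hashed anyway.
EXPORT_B = """path,size,md5
/Users/jdoe/notes.txt,11,5eb63bbbe01eeed093cb22bb8f5acdc3
/Users/jdoe/photo.jpg,4,d41d8cd98f00b204e9800998ecf8427e
/Users/jdoe/thumbs.db,0,d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed raw bytes for the files we can reach independently of either tool.
RAW = {
    "/Users/jdoe/notes.txt": b"hello world",
    "/Users/jdoe/photo.jpg": b"test",
    "/Users/jdoe/ledger.xls": b"abc",
}


def parse_export(text):
    """Return {path: (size, md5)} from a tool's CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["path"]: (int(r["size"]), r["md5"].lower()) for r in rows}


def reconcile(a, b):
    """Split the union of both listings into agreed / mismatched / one-sided."""
    result = {"agreed": [], "mismatched": [], "only_in_a": [], "only_in_b": []}
    for path in sorted(set(a) | set(b)):
        if path in a and path in b:
            result["agreed" if a[path] == b[path] else "mismatched"].append(path)
        elif path in a:
            result["only_in_a"].append(path)
        else:
            result["only_in_b"].append(path)
    return result


def independent_md5(data):
    """Third computation of the hash, done by us rather than by either tool."""
    return hashlib.md5(data).hexdigest()


def adjudicate(export_a, export_b, raw):
    """For every path the tools disagree on, decide which (if either) is right.

    Verdicts: "ToolA", "ToolB", "neither" (the tool(s) that listed it got the
    size or hash wrong), or "no raw data" when the bytes cannot be reached and
    the disagreement has to stay open in the report.
    """
    a, b = parse_export(export_a), parse_export(export_b)
    diff = reconcile(a, b)
    verdicts = {}
    for path in diff["mismatched"] + diff["only_in_a"] + diff["only_in_b"]:
        if path not in raw:
            verdicts[path] = "no raw data"
            continue
        truth = (len(raw[path]), independent_md5(raw[path]))
        a_ok = a.get(path) == truth
        b_ok = b.get(path) == truth
        verdicts[path] = "ToolA" if a_ok else "ToolB" if b_ok else "neither"
    return verdicts


if __name__ == "__main__":
    summary = reconcile(parse_export(EXPORT_A), parse_export(EXPORT_B))
    for bucket, paths in summary.items():
        print(f"{bucket:11s} {paths}")
    # Note: "agreed" only means two tools agree; spot-check those too.
    for path, verdict in adjudicate(EXPORT_A, EXPORT_B, RAW).items():
        print(f"{path}: {verdict}")
```

The point of `adjudicate` is that a disagreement is never resolved by picking the tool you trust more; it is resolved by a third method that does not share code with either. Paths that end up as "no raw data" stay in the report as open items, which is also how to document the absence of evidence honestly rather than letting one tool's silence stand as proof.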

Although I often use a bunch of open-source or free tools like Harlan's RegRipper or Mandiant's Highlighter etc., having another full-featured forensic tool provides an additional layer of protection. Several times I have had a situation where the main tool would start constantly crashing, or be unable to process certain types of evidence in the middle of an examination. Sounds familiar? When time is limited and the vendor's technical support is slow or sometimes useless, having a backup tool ready to go is as good as gold.

Selecting the right tools for different investigations requires a good knowledge of the forensic tools in your arsenal. For example, Lotus Notes is very popular in the corporate environment, with over 140 million corporate licences sold worldwide. EnCase would normally work with NSF files and handle emails quite well. You will need FTK, or some other solution, to handle Lotus Notes databases, because EnCase …. well, maybe EnCase 7 will do a better job. X-Ways Forensics can't handle NSF at all. For the sake of completeness I should mention here that since Lotus Notes version 8.5, databases are now called applications.

Obviously one needs to be trained in using all of these tools, and this might not be economically possible for small organisations or rookie examiners. In this case there are open-source resources and tools that each examiner must become proficient with and have ready to go. The new book by Cory Altheide and Harlan Carvey, Digital Forensics with Open Source Tools, should provide you with the necessary knowledge and insight.

Sunday, June 5, 2011

Most computer forensic examiners need shrinks.

Many computer forensic specialists sooner or later get exposed to potentially psychologically harmful material. Images or (worse) videos of people being tortured and killed, or of children being exploited and raped, are often encountered by forensic examiners. Some have only occasional exposure, and some have to work with such material constantly due to the nature of their work. The exposure causes all sorts of problems, from stress and loss of productivity to more serious psychological trauma.

The above also applies to private and corporate forensic examiners, who often accidentally locate offensive images or videos. What are the ways to minimise the negative impact of exposure to such material?

Prevention is better than cure.
It is technically difficult to completely insulate all personnel from exposure. The only logical choice is to adequately prepare specialists for such situations by introducing mandatory introductory programs. These programs need to be specifically designed to deal with exposure to potentially harmful material and possible reactions to such exposure. Most importantly, new computer forensic specialists must be put through the program before they walk into the lab.

As part of an occupational health and safety, career longevity and work performance initiative, we are currently working with professional psychologists to develop such a program for our organisation. The program is going to be integrated into the Standard Operating Procedures (SOP), and will also include mandatory reporting, debriefing and follow-up. To minimise harmful effects, arrangements are being made with psychologists to conduct debriefing within the first 24 to 72 hours after the initial exposure.

These procedures are designed to equip computer forensic personnel with the knowledge, skills and professional assistance to enable them to cope with exposure to offensive graphics. As an additional benefit, the program may also assist staff in dealing with other stressful situations. These steps are also designed to ensure the productivity and retention of highly trained forensic specialists.