with Lindsey J. Bertomen
5 digital forensics tools
Tools to track evidence on digital devices help preserve evidence
During an investigation, when a computer is found with potential data on it, investigators have to make some immediate — and specific — decisions because a running computer can change the state of evidence through software running in the background.
In U.S. v. Wurie and Riley v. California, oral arguments were made about officers freezing the phone for a warrant as an indication of the ways technology is changing the business. For those who testify on criminal matters, this has probably already created a question mark in your mind. If it’s not the same when it was initially gathered, how can it be presented as best evidence?
Most “non-technical” officers are at a loss when they find a suspect’s computer. Should it be shut it off and shipped the whole tower to the technician or leave it running in place? In addition, what products should be deployed to address the issue?
According to subject matter expert Danny O’Day, forensic evidence products for examining data have to do several things for a successful case. They must maintain the integrity of the evidence; demonstrate the seized evidence is the same as what is being communicated in court; and what the bad guy had is the same as what is being presented in court.
The traditional procedure is to remove the hard drive, duplicate it on another machine, then analyze the copy. One such product is the Shadow III from Voom Technologies. This is a small portable device installed between the hard drive and the motherboard.
Write commands are stored on the device, allowing the user access to the suspect drive, once installed.
There are some advantages to the Shadow III. It definitely is quicker. Investigators can retrieve screenshots and data that takes hours and days using the traditional method.
Write blocking methods also lets an investigator use a suspect machine without altering the drive, although actual forensic analysis is more thorough, O’Day said.
Getting around logins creates another issue. There are shareware or freeware booting system devices like Hiren’s Boot CD or FalconFour. The commercial product, which I have used myself, is VMware.
VMWare Workstation is the product to use when to create a machine within a machine. Since I use VMWare, I can tell you that its native advantage besides its stability is it lets you examine a drive where there is some kind of proprietary software used to access data.
Paraben Device Seizure
Paraben Device Seizure is the product to use when the data is on a mobile product. Like similar products, the industry changes so quickly, agencies purchase an initial license and maintain a subscription.
Paraben is pretty cost effective for the agency that needs robust support. Remember, some devices use unique (but simple) security, like Android Pattern Lock.
Seagate SED drive
What’s in our near future? Barbara Craig of Seagate explained to me that a SED drive looks, operates and is indistinguishable from a standard hard drive. It differs from a standard drive because all data written on it is encrypted as it is written.
The encryption is coded by an algorithm, which is developed independently. Whoever owns the algorithm, owns the data on the drive. Without the key, the drive cannot be read.
As far as I know, no technology can create easy access to a Seagate SED drive. According to Craig, without the key, little can be done to access the drive.
On a non-encrypted drive, data still remains on a drive even after it is “deleted” by the user. The standard is to write over the drive seven times, if data areas are going to be repurposed by deleting the key. On an SED drive, it can be repurposed right away, Craig said.
The NEXTO DI (model NVS DI) can assist a technician capturing digital evidence in the form of pictures and videos of the crime scene. The NEXTO DI is pocket-sized and primarily designed as an on location video backup device. That is, one simply puts a CF/SD/SDXC/SDHC/MS card into its multi-slot and the NEXTO DI will copy, and even burn it.
As a video backup device, it was designed to give a videographer complete confidence that what was captured was backed up.
For the technician at the crime scene, it ensures redundancy in evidence and confirms the card status, according to the company. The NEXTO DI can provide an audio and video confirmation of the evidence. It uses X-copy technology, which means it writes quickly, avoiding a lot of stand around time.
For the officer collecting evidence from a card, this tool has another forensic advantage. It can do a quick preview or copy it.
The data business changes by the minute. What’s next? Stay tuned.