Copyright © 2013 ADF Solutions, Inc. All rights reserved. Challenges and Requirements for Media Exploitation and Digital Investigations Kevin Long Account.

Copyright © 2013 ADF Solutions, Inc. All rights reserved.

Challenges and Requirements for Media Exploitation and Digital Investigations

Kevin LongAccount ExecutiveADF Solutions, [email protected]+1-301-312-6578

2Copyright © 2013 ADF Solutions, Inc. All rights reserved.

Agenda

1. About ADF2. Digital Forensics - Levels & Users3. Digital Forensics - Problems Today4. USSOCOM & US Army Requirements5. DHS Requirements6. UK East Midlands Project7. CELLEX & MEDEX Kits8. Tool Selections9. Product Demo

3

About ADF Solutions


ADF is the leading provider for Media Exploitation and Forensic Triage tools

Who We Are

Date Founded: August 2005

Location: Bethesda, Maryland USA (HQ)Clients: Military, Intelligence, Law Enforcement, and

other Civilian agencies

Users (est.): 4,000 worldwide


Current & Future Markets

2005 2009 2014

LawEnforcementInvestigations

Military & Defense

Media Exploitation

Corporations Investigations & e-

Discovery


Global Footprint

USAUSSOCOM

Army DOMEXUS Army TRADOC

DHS ICEDHS CBP

DHS InvestigationsNMEC

DIAUSPS

VA State Police… etc.

UK75% penetration

rate with LE agencies in UK (32

out of 43)

EUROPENetherlands

PortugalFrance

GermanyNorway

ASIAIndiaChina

AUSTRALIANSWAFPQPS

Air ForceSouth Australia

Police

7

Digital Forensics:Levels & Users


Digital Forensics - Levels

Users Goals Time Deployment Technical Req.

1. Forensic Triage (Level 1)

Investigators & Operators

Identify positive computers

Restricted (30 sec – 2 hrs)

Field & Lab Minimal

2. Targeted Examinations (Level 2)

Investigators, Operators, & Forensic Examiners

Solve obvious cases without full exam

Flexible (2hrs – 48 hrs)

Lab Medium

3. Manual Examinations (Level 3)

Examiners Full deep analysis

Unlimited Lab Deep


Digital Forensics - Users

Sector Users Goals

Media Exploitation(Field/Lab)

Military and Intelligence Operatives

Extract actionable intelligence to identify suspects/threats to national security

Targeted Examinations(Field/Lab)

Forensic Examiners Reduce forensic backlogs by eliminating or qualifying devices

Forensic Triage(Field/Lab)

Investigators Extract and review evidence faster to prioritize and help solve cases quickly

10

Digital Forensics & Media Exploitation - Problems Today


Data Overload

Too many devices, too much data• Manual examinations of all computers is not

an option anymore– will have to be focused on high value devices

• Wide collection of devices for lab analysis is not an option anymore– will require filtering/qualification


Targeted vs. Full Examinations

40%

60%

Current

Targeted Exam-inations & Triage

Manual Exam-inations

90%

10%

Future


Examiners: Identified Pain Factors

Forensic Examiners• Efficiency:

– Focus forensic expertise on computers that warrant them– Avoid imaging drives if possible (time consuming)– Automated tool to scan devices– Provide automated and flexible reporting

• Risk:– Forensically sound

• Quick results:– Avoid long scans; imaging drives

• Reporting:– Scanned results should be conclusive and prioritized for immediate

access


Investigators: Identified Pain Factors

Law Enforcement Investigators• Risk Mitigation:

– Require automated tools– Forensically sound

• Portability:– Avoid carrying laptops into field

• Quick results:– Decide to seize device or not

• Actionable results:– Scanned results should be conclusive and prioritized for immediate access

• Training:– Investigators cannot be trained in using complex digital forensic software– Tool must require minimal training and include self training options


Operators: Identified Pain Factors

Military/Intel Operators• Ease of use:

– Operators cannot be trained in using complex digital forensic software

• Portability:– Avoid carrying heavy equipment

• Immediate results:– Cannot wait for long scans of computers & devices

• Actionable results:– Results should be conclusive and prioritized for immediate access

16

USSOCOM & Army DOMEX: Media Exploitation Requirements

(DFI article handout)


Evaluations

• In later 2009 and early 2010, Army DOMEX conducted an evaluation of triage tools

• In early 2010, USSOCOM conducted an evaluation of computer media exploitation and cellular telephone exploitation products, systems, and tools.


Identified Goal

• Perform electronic media exploitation in the field and in the lab

Fast!

discover, categorize, and use intelligence

Thorough!


Basic Requirements

• Ease of use for operators - One-click setup• Rapid intelligence identification• View results directly on suspect computer• Custom define keywords and setup scans• Leverage pre-prepared search intelligence• Live & Boot triage, cross-platform• Stand alone product (No expensive hardware)• Simple USB deployment


Key Technical Requirements

1. Linux/MAC compatibility2. Remove traces of presence on

the target computer 3. Log file of activity 4. Data captured when

acquisition interrupted 5. Password breaking 6. Altering search parameters 7. User configurable search

parameters 8. Capture summary information 9. Time to capture data

10. Data sharing 11. Recognize pre-attached

media 12. Capture Registry data 13. Boolean logic support 14. Recognize e-mail clients 15. View results on target

computer 16. Capture chat logs 17. Capture client based e-mail

addresses 18. Support for booting a

powered down computer

1. Linux/MAC compatibility2. Remove traces of presence on

the target computer 3. Log file of activity 4. Data captured when

acquisition interrupted 5. Password breaking 6. Altering search parameters 7. User configurable search

parameters 8. Capture summary information 9. Time to capture data

10. Data sharing 11. Recognize pre-attached

media 12. Capture Registry data 13. Boolean logic support 14. Recognize e-mail clients 15. View results on target

computer 16. Capture chat logs 17. Capture client based e-mail

addresses 18. Support for booting a

powered down computer


Tool Selection

• USSOCOM and Army DOMEX both selected Triage-G2®


Key Deployments

Agency Users MEDEXUSSOCOM

(RSE JCTD)

Non-technical operators ADF

US Army/ TRADOC

(RSE JCTD)

Non-technical operators ADF

DHS-CBP Non-technical investigators ADF

NSW Police (Australia) Non-technical investigators ADF

QLD Police (Australia) Non-technical investigators ADF

UK Met (evaluation in progress)

Non-technical investigators ADF (Pilot in 5 forces)

23

DHS S&T: Field Triage Requirements


Goals

• Develop “universal triage device” to aid law enforcement officers – Quick investigation and extraction of evidence

from computers and other devices related to active criminal or terrorist investigations.


DHS: Tool Requirements

1. Lightweight USB deployment2. Extreme ease of use - minimal training needed3. Find critical evidence in minutes4. Single device to triage Windows, Macintosh and

Linux computers5. View results directly on suspect computer6. Scan computers that are turned on or off7. Forensically sound8. Advanced image analysis to identify illegal images


Training Requirements

• ADF Triage-Responder prototype users are required to complete the learning tracks built-into the application prior to first use.

• Online webinars for users who require more instruction can be requested from vendor (ADF).


Tool Selection

• DHS selected Triage-Responder®

28

Triage-G2®: Demo


Devices Exploited/Scanned

Drive images

DVD’s, USB keys, SD cards, etc.

Laptops Desktops & Servers

Smartphones

Tablets

Hard drives

Current Coming 2014

30

Q&A

Copyright © 2013 ADF Solutions, Inc. All rights reserved. Challenges and Requirements for Media Exploitation and Digital Investigations Kevin Long Account.

Documents

filteringqualification

digital forensics problems

product demo slide

forensic triage level

ussocom us army requirements

forensic backlogs

forensic triage tools

targeted examinations