Challenges and Requirements for Media Exploitation and Digital Investigations
Copyright © 2013 ADF Solutions, Inc. All rights reserved.
Kevin Long
Account Executive
ADF Solutions, Inc.
info@adfsolutions.com
+1-301-312-6578
Agenda
1. About ADF
2. Digital Forensics - Levels & Users
3. Digital Forensics - Problems Today
4. USSOCOM & US Army Requirements
5. DHS Requirements
6. UK East Midlands Project
7. CELLEX & MEDEX Kits
8. Tool Selections
9. Product Demo
About ADF Solutions
Who We Are
ADF is the leading provider for Media Exploitation and Forensic Triage tools
Date Founded: August 2005
Location: Bethesda, Maryland USA (HQ)
Clients: Military, Intelligence, Law Enforcement, and other Civilian agencies
Users (est.): 4,000 worldwide
Current & Future Markets
2005: Law Enforcement - Investigations
2009: Military & Defense - Media Exploitation
2014: Corporations - Investigations & eDiscovery
Global Footprint
UK / EUROPE: 75% penetration rate with LE agencies in UK (32 out of 43); Netherlands, Portugal, France, Germany, Norway
USA: USSOCOM, Army DOMEX, US Army TRADOC, DHS ICE, DHS CBP, DHS Investigations, NMEC, DIA, USPS, VA State Police, … etc.
ASIA: India, China
AUSTRALIA: NSW, AFP, QPS, Air Force, South Australia Police
Digital Forensics: Levels & Users
Digital Forensics - Levels
1. Forensic Triage (Level 1)
   Users: Investigators & Operators
   Goals: Identify positive computers
   Time: Restricted (30 sec – 2 hrs)
   Deployment: Field & Lab
   Technical Req.: Minimal
2. Targeted Examinations (Level 2)
   Users: Investigators, Operators, & Forensic Examiners
   Goals: Solve obvious cases without full exam
   Time: Flexible (2 hrs – 48 hrs)
   Deployment: Lab
   Technical Req.: Medium
3. Manual Examinations (Level 3)
   Users: Examiners
   Goals: Full deep analysis
   Time: Unlimited
   Deployment: Lab
   Technical Req.: Deep
Digital Forensics - Users
Media Exploitation (Field/Lab)
   Users: Military and Intelligence Operatives
   Goals: Extract actionable intelligence to identify suspects/threats to national security
Targeted Examinations (Field/Lab)
   Users: Forensic Examiners
   Goals: Reduce forensic backlogs by eliminating or qualifying devices
Forensic Triage (Field/Lab)
   Users: Investigators
   Goals: Extract and review evidence faster to prioritize and help solve cases quickly
Digital Forensics & Media Exploitation - Problems Today
Data Overload
Too many devices, too much data
• Manual examinations of all computers are no longer an option
  – examinations will have to be focused on high value devices
• Wide collection of devices for lab analysis is no longer an option
  – collection will require filtering/qualification
Targeted vs. Full Examinations
[Chart: Current vs. Future share of "Targeted Examinations & Triage" versus "Manual Examinations"; values shown: 10%, 40%, 60%, 90%]
Examiners: Identified Pain Factors
Forensic Examiners
• Efficiency:
  – Focus forensic expertise on computers that warrant them
  – Avoid imaging drives if possible (time consuming)
  – Automated tool to scan devices
  – Provide automated and flexible reporting
• Risk:
  – Forensically sound
• Quick results:
  – Avoid long scans; imaging drives
• Reporting:
  – Scanned results should be conclusive and prioritized for immediate access
Investigators: Identified Pain Factors
Law Enforcement Investigators
• Risk Mitigation:
– Require automated tools
– Forensically sound
• Portability:
– Avoid carrying laptops into field
• Quick results:
– Decide to seize device or not
• Actionable results:
– Scanned results should be conclusive and prioritized for immediate access
• Training:
– Investigators cannot be trained in using complex digital forensic software
– Tool must require minimal training and include self training options
Operators: Identified Pain Factors
Military/Intel Operators
• Ease of use:
– Operators cannot be trained in using complex digital forensic software
• Portability:
– Avoid carrying heavy equipment
• Immediate results:
– Cannot wait for long scans of computers & devices
• Actionable results:
– Results should be conclusive and prioritized for immediate access
USSOCOM & Army DOMEX: Media Exploitation Requirements
(DFI article handout)
Evaluations
• In late 2009 and early 2010, Army DOMEX conducted an evaluation of triage tools
• In early 2010, USSOCOM conducted an evaluation of computer media exploitation and cellular telephone exploitation products, systems, and tools.
Identified Goal
• Perform electronic media exploitation in the field and in the lab
  – Fast!
  – Thorough!
  – Discover, categorize, and use intelligence
Basic Requirements
• Ease of use for operators - One-click setup
• Rapid intelligence identification
• View results directly on suspect computer
• Custom define keywords and setup scans
• Leverage pre-prepared search intelligence
• Live & Boot triage, cross-platform
• Stand alone product (No expensive hardware)
• Simple USB deployment
Key Technical Requirements
1. Linux/MAC compatibility
2. Remove traces of presence on the target computer
3. Log file of activity
4. Data captured when acquisition interrupted
5. Password breaking
6. Altering search parameters
7. User configurable search parameters
8. Capture summary information
9. Time to capture data
10. Data sharing
11. Recognize pre-attached media
12. Capture Registry data
13. Boolean logic support
14. Recognize e-mail clients
15. View results on target computer
16. Capture chat logs
17. Capture client based e-mail addresses
18. Support for booting a powered down computer
Tool Selection
• USSOCOM and Army DOMEX both selected
Triage-G2®
Key Deployments
Agency | Users | MEDEX
USSOCOM | Non-technical operators | ADF (RSE JCTD)
US Army/ TRADOC | Non-technical operators | ADF (RSE JCTD)
DHS-CBP | Non-technical investigators | ADF
NSW Police (Australia) | Non-technical investigators | ADF
QLD Police (Australia) | Non-technical investigators | ADF
UK Met (evaluation in progress) | Non-technical investigators | ADF (Pilot in 5 forces)
DHS S&T: Field Triage Requirements
Goals
• Develop “universal triage device” to aid law
enforcement officers
– Quick investigation and extraction of evidence
from computers and other devices related to
active criminal or terrorist investigations.
DHS: Tool Requirements
1. Lightweight USB deployment
2. Extreme ease of use - minimal training needed
3. Find critical evidence in minutes
4. Single device to triage Windows, Macintosh and Linux computers
5. View results directly on suspect computer
6. Scan computers that are turned on or off
7. Forensically sound
8. Advanced image analysis to identify illegal images
Training Requirements
• ADF Triage-Responder prototype users are required to complete the learning tracks built into the application prior to first use.
• Online webinars for users who require more instruction can be requested from the vendor (ADF).
Tool Selection
• DHS selected Triage-Responder®
Triage-G2®: Demo
Devices Exploited/Scanned
Current: Laptops; Desktops & Servers; Hard drives; Drive images; DVDs, USB keys, SD cards, etc.
Coming 2014: Smartphones; Tablets
Q&A