Parameters for Selecting a Triage Tool
Previous Digital Insider columns discussed the traditional law enforcement protocol for seizing a live system, namely “pulling the plug” to maintain the “gold standard” (the integrity of the hard drive). Over the years, this approach has been clearly articulated to the law enforcement community: “Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.”1 Therefore, “pulling the plug” initially ensures that no data was written to the evidentiary hard drive when it was seized.
The traditional approach does present a number of inherent concerns that originally may not have been considered as relevant or important. For instance, once the power is removed from a computer, potential probative volatile data is lost. Depending upon the type of alleged crime, some of that data could have been germane to the investigation and subsequent prosecution of the subject. Not to be overlooked is the serious issue concerning volume or hard drive encryption. (It would be nice to know that there was an encryption application running before the power is removed)! In recent years, tools have been developed that can overcome some of these inherent concerns and capture data from a live system. Collectively referred to as triage tools, they vary in their technical and operational performance capabilities.
Why Triage a Computer?
An important consideration is a triage tool’s intended use (which can be different for investigators and examiners). Triaging can provide the investigator or first responder with the methodology to quickly assess a computer’s relevance to an investigation prior to removing its power and seizure. For example, an investigator might want to quickly search for suspected pornographic images. Indeed, with the use of a triage tool, it may not be necessary to seize the computer at all if no probative data is found! If seized, an examiner might be interested in examining Registry information. He/she could use a triage tool to perform a more in-depth analysis or quickly triage a number of computers to determine which ones need further analysis using more sophisticated forensic tools. Since a given triage tool may or may not support both of these functionalities or might not be easily configurable to perform both tasks, several may be needed for investigators and examiners to cover potential uses.
The Military Approach to Triaging
For a number of reasons, it is not practicable or feasible for the U.S. Military to have several triage tools in their toolbox while downrange on target. Several months ago, the United States Special Operations Command (USSOCOM—which is charged with overseeing the various Special Operations Commands of the U.S. Armed Forces), conducted an evaluation of computer media exploitation and cellular telephone exploitation products, systems, and tools. The evaluation was organized by the USSOCOM Program Office. Triage tools were included as a separate category along with other computer media exploitation tools. An important part of the evaluation was to include representation from each of the respective military services to ensure that the triage tools were evaluated respective to any service unique requirements. Overall, the objective of the evaluation was to determine which triage tool could best meet the military’s requirements for procurement and world-wide dissemination.
Technical and Operational Performance Parameters
Selection of specific triage tools for evaluation was based upon previous procurements by both the USSOCOM Program Office as well as by individual military operational units. To ensure uniformity, each triage tool vendor demonstrated their product and provided hands-on training that, in their opinion, was sufficient for the military testing personnel to independently evaluate their tool. The evaluation was conducted against known data sets residing on computer hard drives, SD cards, and USB Thumb Drives which were attached to standardized laptops. Additionally, the evaluation investigated and compared each tool against established technical and operational performance parameters. At the same time, additional properties and capabilities that were not part of the established parameters were identified, thereby providing data for potential future tool enhancement. Some of the technical and operational performance parameters evaluated included:
- Linux/MAC compatibility
- Remove traces of presence on the target computer
- Log file of activity
- Data captured when acquisition interrupted
- Password breaking
- Altering search parameters
- User configurable search parameters
- Capture summary information
- Time to capture data
- Data sharing
- Recognize pre-attached media
- Capture Registry data
- Boolean logic support
- Recognize e-mail clients
- View results on target computer
- Capture chat logs
- Capture client based e-mail addresses
- Support for booting a powered down computer.
The Evaluation Results
Each triage tool varied somewhat in its ability to meet the established technical and operational performance parameters. A couple of examples clearly demonstrate that variability. All the triage tools evaluated were provided on USB dongles. Inserting a USB dongle into an available USB port on a computer will obviously make changes to a Windows Registry, specifically to such Registry keys as:
One of the performance parameters was for a tool to remove traces of its presence on a target computer. This is not easy to accomplish. Of the tools evaluated, one did try to remove its presence, however others did not. For law enforcement use, is it acceptable to leave traces of a triage tool on the suspect’s hard drive? It does tend to invalidate the “golden rule” previously mentioned. For military use, does it really matter as long as immediate actionable intelligence, such as chat logs or client based e-mail addresses, are captured from an Internet Café’s computer?
Another performance parameter concerned the amount of time it took for a tool to capture data. Again, all the tools tested varied widely depending upon their configurations. For a military user downrange, this could be of concern since they have limited time to obtain the data from the target computer. On the other hand, once law enforcement serves a search warrant upon a suspect at his residence, the investigator can take as much time as necessary to triage a computer.
At the conclusion of the evaluation, the military testing personnel rated each tool to determine which one best met the technical and operational performance parameters. The one they rated highest was the ADF Triage-G2® tool from ADF Solutions, Inc. (www.adfsolutions.com). Although this tool is limited to defense and intelligence agencies, a similar product, Triage-Examiner® (which uses the same search engine), is commercially available.
(Disclaimer: software or hardware products mentioned in this column should not to be considered as an endorsement of that product by DFI News or by the author. Prior to purchasing any triage tool, investigators and examiners should research those that are available to determine which can best meet their technical and operational performance parameters).
1. Forensic Examination of Digital Evidence: A Guide for Law Enforcement. U.S. Department of Justice, April 2004, page 1
John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press. He can be reached at firstname.lastname@example.org.