AccessData Corporation. Divide & Conquer: Overcoming Computer Forensic Backlog through Distributed Processing and Division of Labor.



White Paper. A Pioneer in Digital Investigations Since 1987

TABLE OF CONTENTS
Introduction
Obstacles to Overcoming Caseload Backlogs
Amplifying Existing Resources Utilizing Enterprise and Collaborative Computing Principles
Lab Technology: Providing a Permanent Solution to an Ever-growing Problem
Benefits
Detailed Infrastructure Diagrams: Lab Lite and AccessData Lab
Summary

Introduction

Computer forensics labs across the United States and around the world are struggling to keep up with their ever-growing caseloads. The overwhelming increase in cases affects law enforcement, government agencies and large corporations alike. However, the issue is most often discussed within the context of criminal investigations, for obvious reasons. In an American Idol world you don't expect to see a lot of news coverage on digital investigations and computer forensics labs, so when this issue makes headlines, you know it is a very real, very dire problem.

In January of 2009, the backlog in the FBI cybercrime labs made national news, largely because the backlog was seriously delaying the progress made on child pornography cases. It is a very sad fact that the majority of criminal cases involving digital evidence are child pornography/exploitation cases. During that January 2009 coverage, FBI Executive Assistant Director Stephen Tidwell was quoted as saying, "The pervasiveness of the Internet has resulted in the dramatic growth of online sexual exploitation of children, resulting in a 2,000 percent increase in the number of cases opened since 1996." So, it's not only the number of delayed cases that makes this an urgent matter. It is the nature of most of these cases that dramatically increases the pressure on computer forensics labs to implement more efficient policies and practices to overcome this issue.

To make matters worse, in the recent case Melendez-Diaz v. Massachusetts, the Supreme Court found that lab reports prepared by forensic experts, if introduced into evidence, were subject to the 6th Amendment Confrontation Clause. This means that if your computer forensics report is used as evidence in court, the defense can call you to the stand for cross-examination. Some analysts are expecting this new ruling to further increase the already significant backlog. In his dissent, Justice Anthony Kennedy stated, "The Court threatens to disrupt forensic investigations across the country and to put prosecutions nationwide at risk of dismissal when a particular laboratory technician simply does not or cannot appear." The fear is that there are not enough examiners to handle the flood of cases crossing their desks and still make time to appear in court to defend their findings.

Large corporations are also experiencing the digital investigations bottleneck, and while the corporate cases may not always seem newsworthy, the impacts that consistent investigation delays have on the bottom line and on employee/customer privacy are significant.

This paper will take a look at the factors that contribute to these burdensome backlogs, and then it will review the technical requirements necessary to significantly reduce, or even overcome, the digital bottleneck that plagues computer forensic personnel. Finally, it will illustrate how a solution meeting these technical requirements can be implemented into a lab's existing infrastructure and discuss the associated benefits.

Obstacles to Overcoming Caseload Backlogs

A Justice Department audit of the FBI's cybercrime labs found that 353 requests were awaiting FBI analysis, and it took an average of 60 days for FBI personnel to examine evidence. Inspector General Glenn Fine said, "The processing time for the digital evidence in some cases could take up to nine months, which we concluded was too long." While the FBI was the unfortunate recipient of this bad press, the fact is that virtually every cybercrime lab throughout the country is overwhelmed. Likewise, the information security departments in almost every large corporation we've met with tell us that they need more human resources and more hardware resources. There are several factors that must be addressed to overcome caseload backlog:

Outdated Hardware
For example, a state police agency applying for federal assistance in April of 2009 stated that of the 95 members of its statewide Computer Crime Taskforce, 35 were using mobile forensic computers that are more than six years old. This is a common complaint among state and local law enforcement agencies. In fact, even commercial organizations commonly face budgetary limitations with regard to their hardware resources.

Understaffed Departments
As of May 21, 2009, the Internet Crimes Against Children (ICAC) Program's 59 task forces throughout the country were awarded Recovery Act funds totaling $41.5 million. Among the 59 task forces, one of the primary uses for that money, as stated in the ICAC memo, is to hire new investigators/analysts or to retain analysts who would otherwise have to be laid off. When it comes to commercial organizations, the primary goal is business continuity. The cogs must turn or production suffers. To many in the corporate arena, computer forensics implies that a cog, or cogs, must stop turning. Therefore, it is often the case that computer forensics is not at the top of the list when budget dollars are doled out. In fact, according to the 2008 CSI Computer Crime and Security Survey (surveying information security practitioners), only 41% of its respondents even use forensics tools to help secure their data.

Lack of Training and Training Dollars
Many local law enforcement agencies do not have a trained computer forensic analyst on staff and must send the seized data to a state or regional lab for analysis. Even departments and labs with computer forensic analysts on staff find it difficult to provide continuing education to their analysts, which can delay progress on a case. If there are only two seasoned analysts on staff, and several novices, the two pros will find themselves bogged down with analysis work. It's no wonder that most state and local applications for federal aid cite training as one of the top reasons for requesting the funds.

Evidence Being Processed and Reviewed in Disparate Locations
It is often the case that data seized at the scene of a crime or acquired from a computer at a remote office is actually processed at a central computer forensics lab, while the investigators, legal personnel and HR personnel responsible for reviewing that evidence are somewhere entirely different. This makes for an inefficient review process.

The One Case, One Analyst Paradigm
Traditionally, one analyst will be assigned to a case, and that analyst sees the case through from processing to reporting. That model may have worked back in 1996, but with the influx of computer crime and the dramatic increase in computer-related evidence per case, computer forensics labs might take a lesson from Henry Ford. It is becoming more difficult for examiners to get through a single large case in a reasonable amount of time because data sets keep growing, and the problem is continuing to get worse.

Lack of Infrastructure
In most traditional labs, each examiner stores all of the evidence and case information on his or her individual machine. This makes the backup and restoration of cases, evidence and reports a time-consuming and critical part of the process that is often difficult to manage, if done at all. Even worse, cases often go on for years, and examiners must bring cases out of storage if and when they make it to court.

It's interesting to note that in almost every case, agencies and commercial organizations cite their need for more human resources and more hardware resources. Yet, despite the cry for more, we rarely see a meaningful increase in those resources. The 2008 CSI survey shows that its respondents actually experienced a reduction in budget dollars for information security. Furthermore, it's a running joke among radio commentators and local newspapers: no matter how many more tax dollars are applied to increasing law enforcement numbers, somehow there rarely seems to be a significant increase. If there is an increase in officers, you can be sure that layoffs are only a couple of years away, usually about the time federal assistance dollars run out. So, given the relative certainty that resources will usually be scarce, why aren't law enforcement, government agencies and corporations looking for a technological solution that will actually amplify their existing resources?

Amplifying Existing Resources Utilizing Enterprise and Collaborative Computing Principles

In order to successfully overcome case backlog, organizations need to implement a technical foundation that maximizes the productivity of the resources they already have. If funding comes through and new resources are obtained, great. But until an organization is able to efficiently leverage existing resources, it will find itself trapped in the vicious cycle of too much work, too few people. In order to effectively amplify an organization's existing resources, the following capabilities are necessary.

Distributed Processing
Leverage both outdated and next-generation hardware to significantly reduce processing time. Distributed processing allows organizations to effectively offset their ever-increasing datasets, as well as their lack of budget for new hardware. With distributed processing capabilities, an organization can turn any unused CPU into an asset that reduces the amount of time it takes to process large datasets. The organization now has a scalable resource with which to increase or decrease processing power as needed.

FIGURE 1: Distributed processing leverages outdated and next-gen hardware to reduce processing time. (Figure callouts: Utilize a distributed processing farm to dramatically reduce processing time. This is a great way to leverage legacy hardware.)
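The scatter/gather pattern behind a processing farm, as an added example that is not AccessData's code and not part of the original paper: evidence items are handed to a pool of workers, results are gathered back in a fixed order, and a reconciliation step checks that the distributed run produced exactly what a single workstation would have. The evidence items, keyword list and worker count are constructed for illustration; the pool uses threads so the example runs anywhere, with a process pool or real farm substitutable through the executor_cls parameter.

```python
"""Added example, not AccessData's code: scatter evidence items across a
worker pool, gather the results, and reconcile them against a serial run so
a faulty worker cannot silently corrupt the output. All inputs are constructed."""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

# Constructed sample evidence: (item name, raw bytes). In a lab these would be
# files carved from an image; small byte strings keep the example offline.
SAMPLE_EVIDENCE: List[Tuple[str, bytes]] = [
    ("inbox.pst", b"From: alice@example.test\nSubject: project kickoff\n"),
    ("notes.txt", b"Meeting with contractor about invoice 4471\n"),
    ("chatlog.db", b"[im] messenger launched 2009-05-21 08:02\n"),
    ("photo.jpg", b"\xff\xd8\xff\xe0JFIF\x00 constructed image payload"),
]
KEYWORDS = (b"invoice", b"messenger", b"contractor")  # constructed keyword list


def process_item(item: Tuple[str, bytes]) -> Dict[str, object]:
    """One unit of work: hash the item and record keyword hits. Pure and
    deterministic, so any worker (old or new hardware) can run it and its
    result can be cross-checked against another worker's."""
    name, data = item
    return {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "hits": sorted(k.decode() for k in KEYWORDS if k in data),
    }


def process_serial(items: Iterable[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    """Baseline: one examiner's workstation processing everything in order."""
    return [process_item(i) for i in items]


def process_distributed(items: Iterable[Tuple[str, bytes]], workers: int = 2,
                        executor_cls=ThreadPoolExecutor) -> List[Dict[str, object]]:
    """Scatter items across a worker pool and gather results in input order.
    Executor.map returns results in submission order no matter which worker
    finished first, so the gathered list lines up with the serial run."""
    with executor_cls(max_workers=workers) as pool:
        return list(pool.map(process_item, list(items)))


def reconcile(serial: List[Dict[str, object]], distributed: List[Dict[str, object]]) -> bool:
    """True when the farm's output equals the serial run item for item."""
    return serial == distributed


def mismatched_items(serial: List[Dict[str, object]],
                     distributed: List[Dict[str, object]]) -> List[str]:
    """Names of items whose distributed result differs from the serial one;
    these are the items to reprocess, and the worker that produced them is
    the one to investigate."""
    return [s["name"] for s, d in zip(serial, distributed) if s != d]


if __name__ == "__main__":
    serial = process_serial(SAMPLE_EVIDENCE)
    distributed = process_distributed(SAMPLE_EVIDENCE, workers=3)
    print("farm matches serial run:", reconcile(serial, distributed))
    for row in distributed:
        print(row["name"], row["sha256"][:16], row["hits"])
```

The reconciliation step is the part worth keeping when moving from a demo to a real farm: spot-checking a sample of items on a second worker, or on the examiner's own workstation, is what lets a lab defend the output of legacy hardware it does not fully trust.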

Simultaneous, Collaborative Analysis
Computer forensic departments need to move away from the One Analyst, One Case paradigm and take an assembly line approach to their investigations. By distributing the workload across examiners, each person is able to focus on a single area of expertise. Examiners can work in synchronicity with other examiners to get through cases much faster using the advanced capabilities of FTK. In addition, this solution allows organizations to coordinate analysts and other players in a case using a secure web interface. So, those who are geographically dispersed are able to easily contribute their expertise without delay.

Web Review and Analysis Capabilities
There are many players in an investigation. They are not all located in the lab and are not always forensic experts. It is often the case that key players in these investigations are working in disparate locations, and this can easily delay the conclusion of a case. A secure web interface provides a quick and easy way for non-technical personnel to review and comment on the evidence as the analysts identify it. Players in the investigation, such as lawyers, human resources personnel and representatives from the DA's office, are able to review the data in an easy to consume format as soon as it is available, from any location, which saves a great deal of time. With custom data views, reviewers are given permission by the case manager to review specific areas of cases.

FIGURE 2: Analysts can collaborate in the lab using FTK, and with AD Lab, geographically dispersed players in the investigation can review and comment on data using a secure web interface. (Figure callouts: Non-technical resources and outside analysts can review and comment on data via the secure web interface. Analysts can collaborate in real time via FTK.)

Centralized Case Management
Organizations need a better way to manage case work and to manage analysts' case assignments and tasks. This capability allows a designated manager to rapidly assign cases, resources, tasks and case permissions to analysts. The manager can view the status of assigned tasks and has the flexibility to update or reassign tasks and resources as needed to orchestrate the most efficient completion of cases.

The Ability to Control Access and Activity
It's important when orchestrating synchronous collaboration among multiple analysts that organizations are able to control which data each analyst can access and which tasks he or she can perform, and to ensure their accountability. For example, if two analysts are assigned to a case, one a senior member of the team and the other still in training, the case manager can tailor their individual roles and permissions to suit their skill levels or clearance levels. The senior analyst can be given permission to perform more advanced operations, while the junior analyst is assigned to a particular set of data, such as graphics. With a more advanced lab solution, the seasoned investigator can be given permission to view specific data sets that might be considered confidential or classified, while the less experienced analyst is only allowed to work with less sensitive content.

FIGURE 3: A designated manager can assign cases, tasks and resources to analysts and monitor their progress to ensure efficient collaboration. (Figure callout: Cases and analysts can be managed from a central management console.)

Centralized Investigative Infrastructure
Using a Lab platform, organizations can centralize their investigative infrastructure. Instead of each examiner doing all the work on his or her individual stand-alone machine, each examiner can leverage a shared infrastructure where all of the case data and evidence are stored in a centralized and controlled manner. Access to each case is still controlled by the lab manager or examiner in charge of a specific case, but the actual hardware infrastructure, where all the work takes place, is centralized. (Note the centralized database and distributed processing farm in Figures 1 to 3. The centralized Oracle infrastructure can be comprised of one or more databases.)

Lab Technology: Providing a Permanent Solution to an Ever-growing Problem

Human resources come and go, hardware resources become outdated, and the funding to maintain both is never a sure thing. However, implementing the right lab technology is a permanent solution that will streamline the entire process and speed up nearly every aspect of the investigation. AccessData (AD) has engineered lab technology that enables computer forensics labs to implement a digital assembly line of sorts. Based on the principles of enterprise computing and collaborative computing, this solution allows analysts to work together seamlessly, not just distributing data processing, but actually distributing their labor, while sharing a centralized infrastructure (database, storage, evidence server). Processing the data can be as fast as you want it to be with unlimited distributed processing capabilities. Analytical operations are compartmentalized by analyst, so an individual examiner doesn't need to shift his or her mindset from email to registry to RAM dumps, or have to worry about moving the data around. Each examiner can focus on one or two areas of expertise, and other analysts working on the same case are able to see those findings in real time as they are bookmarked, labeled and commented on.

Having the ability to divide workload and to share information with each other and with non-technical counterparts will speed the analysis, the review, and the communications necessary to bring a case to its completion. However, while this lab solution enables real-time collaboration, a single analyst is still able to work an entire case from beginning to end on his or her machine. Each analyst has an investigative workstation that shares a single Oracle infrastructure, comprised of one or more databases. Investigator workstations can also share a distributed processing farm. An analyst is able to utilize this centralized infrastructure and, if he or she desires, can give permission to another analyst or non-technical player to review the findings and share expertise.

AccessData provides two levels of its lab technology, Lab Lite and AD Lab. Two capabilities differentiate the two solutions:

Case-level Permissions vs. Data-level Permissions
While AD Lab Lite allows forensic analysts to be assigned to or restricted from viewing cases, the AD Lab solution allows case managers to assign or restrict access at the data level. For example, if the information in question or the suspects involved were considered extremely confidential, the case manager could restrict a junior analyst's access to email and documents of any kind. However, the manager might still want to utilize that junior resource to speed the investigation along. For example, the manager could restrict the junior analyst's access to log files only, assigning that person to create a timeline over the last month showing each time an instant messenger application had been launched. This more granular security provision is of particular benefit to large corporations or government agencies handling large caseloads with a great deal of confidential or classified information.

Web Review and Analysis
As discussed earlier, the web review capability is the easiest way to share information and leverage the abilities of non-technical players in an investigation or computer forensic experts located outside the lab. This functionality is only available with AD Lab, which is designed to handle large caseloads for organizations that have a number of different participants in the investigative process who should be working together. For example, a computer forensic examiner working in New York wants HR and Legal in Los Angeles to review the results of a policy violation investigation quickly and in an easy to consume format. These non-technical participants can log in to the web interface and see only the information the examiner wants them to see. Additionally, large labs dealing with massive datasets need many analysts of varying skill levels to work together simultaneously in order to efficiently tackle their caseloads. The secure web review interface of AD Lab enables those analysts to collaborate with ease.

The following illustrates the functionality available in each of AccessData's Lab solutions:

LAB FUNCTIONALITY                                        LAB LITE     AD LAB
Distributed processing                                   expanded     expanded
Investigator collaboration via FTK                       unlimited    unlimited
Centralized case and task management                     yes          yes
Role-based permissions to control access and activity    case level   data level
Centralized database infrastructure                      no           yes
Web review and analysis                                  no           unlimited

Benefits

By utilizing an assembly line, division of labor approach, the investigation process is streamlined and cases can be brought to completion more efficiently.
- Control who can see which information in a given case or across cases.
- Examiners can see each other's results in real time.
- Non-technical users can easily support the investigative process.
- Advanced users can work alongside non-technical resources.
- Leverage a distributed processing farm to greatly reduce processing time.
- Utilize outdated hardware for distributed processing.
- Take an enterprise approach to controlling data with a centralized infrastructure, instead of each examiner storing data on his or her individual machine.

Creating a collaborative environment with a shared, centralized infrastructure amplifies existing resources, allowing analysts of all skill levels to work more effectively.

Detailed Infrastructure Diagrams: Lab Lite and AccessData Lab

FIGURE 4: Distributed examiner and database infrastructure, using Lab Lite

Workflow:
1. Beth logs in and creates a case on her local database.
2. She processes the evidence or obtains volatile data.
3. Beth needs Jack to look at email that she processed in her NY office. Beth gives Jack rights to the case.
4. Jack logs in. Jack selects Beth's database from the database selection panel. He can now see her list of cases.
5. Jack selects the case and now sees all the work Beth did, and can perform additional analysis and bookmarking.

NOTE: Because there is a database on the back end, any bookmarks/labels are stored. This also means that multiple examiners can look at the same case at the same time without stumbling over each other.
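The two permission models the paper contrasts (whole-case grants as in Lab Lite versus per-data-category grants as in AD Lab) and the Beth/Jack workflow above, as one added example that is not AccessData's code and not part of the original paper. A central store holds cases, grants and bookmarks; Beth creates a case and bookmarks an email, gives Jack case-level rights, and gives a junior analyst a data-level grant limited to log files. The analyst names, case identifier, item categories and evidence descriptions are all constructed for illustration, and the store is an in-memory stand-in for the shared database.

```python
"""Added example, not AccessData's code: case-level vs data-level grants and
shared bookmarks in a central store, walked through with the Beth/Jack
workflow. Names, case id, categories and items are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Item:
    item_id: str
    category: str      # constructed categories: "email", "document", "log", "graphic"
    description: str


@dataclass
class Case:
    case_id: str
    owner: str         # the examiner/case manager who controls access to the case
    items: List[Item]
    bookmarks: List[Tuple[str, str, str]] = field(default_factory=list)  # (analyst, item_id, note)
    # Grant value: empty set = whole case (case-level); non-empty set = only
    # those categories (data-level). Not present in the dict = no access.
    grants: Dict[str, Set[str]] = field(default_factory=dict)


class CentralStore:
    """Stands in for the shared back-end database: every workstation reads and
    writes here instead of keeping cases on a local machine."""

    def __init__(self) -> None:
        self.cases: Dict[str, Case] = {}

    def create_case(self, case_id: str, owner: str, items: List[Item]) -> Case:
        case = Case(case_id, owner, list(items))
        case.grants[owner] = set()      # the owner sees the whole case
        self.cases[case_id] = case
        return case

    def _require_owner(self, case_id: str, who: str) -> None:
        if self.cases[case_id].owner != who:
            raise PermissionError(f"{who} does not manage case {case_id}")

    def grant_case(self, case_id: str, grantor: str, grantee: str) -> None:
        """Case-level grant: the grantee sees everything in the case."""
        self._require_owner(case_id, grantor)
        self.cases[case_id].grants[grantee] = set()

    def grant_data(self, case_id: str, grantor: str, grantee: str, categories: Set[str]) -> None:
        """Data-level grant: the grantee sees only the listed categories."""
        if not categories:
            raise ValueError("a data-level grant needs at least one category")
        self._require_owner(case_id, grantor)
        self.cases[case_id].grants[grantee] = set(categories)

    def visible_cases(self, analyst: str) -> List[str]:
        return sorted(cid for cid, c in self.cases.items() if analyst in c.grants)

    def visible_items(self, analyst: str, case_id: str) -> List[Item]:
        case = self.cases[case_id]
        if analyst not in case.grants:
            raise PermissionError(f"{analyst} has no access to case {case_id}")
        allowed = case.grants[analyst]
        return [i for i in case.items if not allowed or i.category in allowed]

    def bookmark(self, analyst: str, case_id: str, item_id: str, note: str) -> None:
        """Bookmarks are written centrally so other examiners see them at once,
        but an analyst may only bookmark items he or she is allowed to see."""
        if item_id not in {i.item_id for i in self.visible_items(analyst, case_id)}:
            raise PermissionError(f"{analyst} cannot see item {item_id}")
        self.cases[case_id].bookmarks.append((analyst, item_id, note))

    def bookmarks_visible_to(self, analyst: str, case_id: str) -> List[Tuple[str, str, str]]:
        """Shared bookmarks, filtered by the reader's own grant."""
        ids = {i.item_id for i in self.visible_items(analyst, case_id)}
        return [b for b in self.cases[case_id].bookmarks if b[1] in ids]


def _blocked(action: Callable[[], object]) -> bool:
    """True if the action is refused by the permission check."""
    try:
        action()
        return False
    except PermissionError:
        return True


def lab_workflow() -> Dict[str, object]:
    """The Figure 4 workflow (Beth and Jack, case-level grant) plus a
    data-level grant to a junior analyst, as in the AD Lab example."""
    store = CentralStore()
    items = [Item("e1", "email", "message to contractor"),
             Item("d1", "document", "draft contract"),
             Item("l1", "log", "messenger launched 2009-05-21"),
             Item("g1", "graphic", "desktop screenshot")]
    store.create_case("NY-2009-017", "beth", items)
    store.bookmark("beth", "NY-2009-017", "e1", "relevant thread")
    store.grant_case("NY-2009-017", "beth", "jack")                 # Beth gives Jack rights to the case
    store.grant_data("NY-2009-017", "beth", "junior", {"log"})      # junior analyst: log files only
    return {
        "jack_cases": store.visible_cases("jack"),
        "jack_items": [i.item_id for i in store.visible_items("jack", "NY-2009-017")],
        "junior_items": [i.item_id for i in store.visible_items("junior", "NY-2009-017")],
        "jack_bookmarks": store.bookmarks_visible_to("jack", "NY-2009-017"),
        "junior_bookmarks": store.bookmarks_visible_to("junior", "NY-2009-017"),
        "junior_blocked_on_email": _blocked(lambda: store.bookmark("junior", "NY-2009-017", "e1", "x")),
        "jack_cannot_grant": _blocked(lambda: store.grant_case("NY-2009-017", "jack", "outsider")),
        "outsider_blocked": _blocked(lambda: store.visible_items("outsider", "NY-2009-017")),
    }


if __name__ == "__main__":
    for key, value in lab_workflow().items():
        print(f"{key}: {value}")
```

Two design points carry over to any real implementation: the grant is evaluated on every read and write (the junior analyst cannot bookmark an email even though the bookmark store is shared), and only the case owner can change grants, so a case-level grantee such as Jack cannot widen access to a third party.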

FIGURE 5: Shared database infrastructure, using AccessData Lab

Summary

As stated earlier, until an organization is able to efficiently leverage existing resources, it will find itself trapped in the vicious cycle of too much work, too few people. Implementing a solution that amplifies existing resources by streamlining the investigative process and getting the most out of an organization's hardware is a permanent solution. AccessData's lab solutions are scalable, allowing an organization to build a solution that fits its caseload and resources, then expand as needed. Division of labor, distributed processing, a centralized infrastructure and timely sharing of data are the keys to overcoming the backlog faced by organizations of all kinds. The answer is not simply more resources. The answer is efficiently utilizing the resources you have.