Shadow 3

Shadow 3

Shadow 3 Product Image

To access a suspect’s computer, traditional procedure involves removing the hard drive, creating a forensic image (a duplicate copy) and then analyzing that copy using sophisticated industry-specific software. 

Although effective, this process takes many hours and allows investigators to view and present information only in a raw state – one that non-computer experts such as attorneys and juries can find difficult to understand. 

As a result, computer forensic investigators are increasingly adopting a complimentary tool that allows them to turn on and operate the suspect’s computer without altering its contents in any way.

By doing so, investigators are able to review and navigate the computer as if the suspect turned it on and then stepped aside.  This includes utilizing whatever operating system is installed, launching programs, opening files, viewing recent e-mails or images, web history, etc.  Literally anything the computer’s owner can see or do, can be accessed without risk of altering the evidence.

This ability to view the computer in its natural state is speeding investigations and increasing the likelihood that the case will be resolved prior to trial.

Because the tool – the Shadow 3 from Voom Technologies – can be installed within minutes rather than the half day or more to copy a hard drive and run forensic software, critical evidence can be accessed more quickly for time-sensitive cases such as abductions, child abuse and homicides.

In addition, any evidence discovered can be copied to an external storage device such as a thumb drive, printed, or captured as a screenshot or screen video.  Because this evidence is presented in a more relatable way, it is often more easily understood by attorneys, investigators, judges and juries.

Accessing, without Altering

When a computer is turned on, thousands of changes are made in the background automatically.  The operating system runs updates, anti-virus scans are conducted, bit logs are changed, Internet files purged – all of which can potentially overwrite or alter evidence. 

To protect against this, digital forensic experts vigorously avoid turning on the computer.  Instead, they remove the hard drive and make several copies before returning the original to the computer and storing it as evidence.

Next, they utilize existing forensic software tools on the market, such as EnCase, Forensic Imager, PTK Forensics, NetAnalysis Forensic Toolkit, and FTK, to index and categorize the contents of the drive copies.

Depending on the size of the hard drive, the process of copying and indexing can take 10-12 hours.  Once completed, the information is available only in a raw data format with file, folder, metadata and time stamp information, and the like. 

The information, though extremely detailed, “can be like a second language,” says one 14 year computer forensic examiner that has worked as a law enforcement officer, corporate investigator, government investigator, and industry consultant.

The Shadow 3, on the other hand, is a small portable hardware device that is inserted between the hard drive and the motherboard.  Originally introduced in 2004, the Shadow product is currently deployed worldwide, in over 100 local, state, and federal law enforcement and justice agencies. 

Once the Shadow 3 is properly connected, the computer can be safely turned on.  All “write” commands (changes intended for the hard drive) are stored within the Shadow 3 device, never making it to the hard drive.  “Read-only” commands that access, but do not change information, are still allowed. 

During the course of the investigation, any saved “write” commands stored in the Shadow 3 device are still available to the processor as if they reside on the hard drive.

With this approach, no changes from boot up through operation ever reach the hard drive.  Because it is repeatable, evidence produced using the Shadow has already been proven in court to be valid and admissible. 

“Prior to using the Shadow 3, I didn’t have a reliable method of looking at a suspect’s computer the same way the suspect would be using it,” says Craig Cilley, a computer forensics expert for the Washington County (Minnesota) Sheriff’s Office since 2006.

Cilley is responsible for cyber crime and ICAC (Internet Crimes Against Children) cases.  The agency also assists the probation department, the county attorney’s office, Internal Affairs and social services with computer related issues on occasion. 

He initially heard about the digital forensics tool two years ago, which was in use at several other agencies in Minnesota.  After a trial of the product, he recommended purchasing it to his superior officer.

“I showed him the capabilities of the Shadow 3 and how we could use it and the time savings it would bring to me,” says Cilley.  “In my business, time is money.” 

Speeding investigations

For Cilley, the Shadow 3 represents a “scalpel forensics” mode that saves time because he can access data without having to review every bit of information on the computer. 

The information in the form of screenshots, printed e-mails, etc. can be retrieved quickly enough to be shown to suspects during questioning, to secure arrest warrants, or to rule out a suspect.

In a recent check forgery case, for example, Cilley was able to launch a check writing application on the suspect’s computer to review all the checks that were printed, as well as all the fictitious bank accounts, routing numbers, and business names and when the checks were printed. 

“It made that investigation easy and less time consuming,” says Cilley.  “With the Shadow 3, you can quickly go in and get the data you need to prove your case.”

Although the Shadow 3 shows everything the user can see, forensic software can show things behind the scenes that the user cannot see.  For this reasons, he still conducts “full forensics” as needed.

“I’m trying to get to a model where I don’t have to do full forensics unless it’s necessary,” says Cilley

The tool also saves time overcoming pesky encryption, user log-in and security dongle obstacles.

If files are encrypted by Windows or third party software, often decryption occurs automatically upon successful login.  If a security dongle exists, it need only be left in the USB port as normal. 

If the user’s login information is not available, investigators must spend valuable time trying to figure out or socially engineer it.  However, there are free tools available that can be installed during the boot up process (while connected to the Shadow 3 to keep the suspect’s drive pristine) that are designed to eliminate the password. 

VMware

The closest alternative on the market is VMware, a virtualization software tool that mimics, as best it can, the various hardware and operating systems in use today to load and operate an image of a hard drive.

If the hardware and operating system are identically, that is to say perfectly, mimicked, the virtualized environment will operate in an identical fashion as the original computer system. 

However, if it does not, frequent crashes and blue screens occur.

Given the vast and ever-increasing variety of operating systems and applications on the market along with the automatic updates, operating system versions, and device drivers virtualization software may not support the requirements of a particular individual’s computer.    

Superior Evidentiary Presentation

Perhaps the most important value in the system is the creation of more powerful and easier to comprehend presentations for attorneys, investigators, judges and juries. 

The most powerful evidence, to be sure, is the easiest for the layperson to understand.  Those that are not computer experts, but use computers on a regular basis, are most comfortable viewing the information in its native environment – an Excel spreadsheet open in MS Excel, for example.

With the raw data produced by forensic software, computer experts are often tasked with explaining to juries how the data was collected, why it is accurate, and what it means. 

With the Shadow 3, a live presentation using the suspect’s computer can be conducted in court or screen shots/video can be shown on a projector exactly as it appears on the suspect’s computer. 

As a standard operating procedure, Cilley installs a screen video capture utility to make a “movie” as he goes through the contents of a suspect’s machine.  The movie is then turned over to the prosecutor as part of his report.

“If I can show the prosecutor the movie and then they, in turn, show the defense attorney, it makes the case go through the judicial system much faster because everyone can see what the suspect was doing and they are more likely to either plead the case and not go trial,” says Cilley.  “It’s a great visual aid.”

Expand for more details on this Product

Nuix Engine 5.2

Product From NUIX

Nuix, a technology company that enables people to make fact-based decisions from unstructured data, today released version 5.2 of the Nuix Engine and its core eDiscovery and Investigator products. This release includes smarter eDiscovery production and quality control workflows, deeper forensic analysis, support for even more file formats and automated text summarization. It also incorporates technology advances that pave the way for solutions in areas such as cybersecurity and privacy.

Get Info Now

Proof Finder Investigation and eDiscovery Software

Product From NUIX

Proof Finder is an advanced investigation and eDiscovery software tool that Nuix has released as a philanthropic project. Proof Finder has the capacity to investigate up to 15GB per case. With your $100 annual license you can undertake as many cases of up to 15GB per case as you like for one year. What does 15GB look like? 

Get Info Now

LETS 2.0 Investigative Phone Recording Management System

Product From LETS Corp. (dba Orion Systems)

LETS Corporation dba Orion Systems announced the addition of several new features to LETS 2.0 Investigative Phone and Audio Recording System. Our system has been updated to provide Hostage and Crisis Response Personnel to immediately establish a secure, recorded connection with the hostage taker or subject. Additionally LETS allows for notification and connection of command, supervisory or tactical personnel to the real-time audio as it is recorded to a secure server. Command, Supervisors, Tactical and the Negotiators can connect from any landline or cellular phone while responding to the scene, saving valuable time over traditional response equipment.

Get Info Now

Locality Cloud - Troubleshooting Mobile Broadband Issues

Product From NETMOTION WIRELESS

NetMotion Wireless announced a cloud-based solution that gives enterprises the ability to quickly identify and troubleshoot the root cause of connectivity problems on cellular networks for their mobile workers, greatly enhancing user productivity, reducing costs, ensuring mobile applications work as intended, and reducing support time. Locality Cloud is the new hosted version of the industry’s first software to provide detailed visibility into and performance metrics for the mobile broadband networks that companies don’t own or control, something traditional network management solutions can’t do.

Get Info Now

Encryptics Data Rights Management (DRM)

Product From Encryptics

With Encryptics Data Rights Management (DRM), public safety departments can set permissions governing access to and usage of their critical data. DRM enables the data owner (an agency or an individual) to specify authorized recipients; prevent forward, copy, print, and save functions; set file expirations; and recall data anytime. Coupled with powerful data encryption technology, Encryptics DRM protects critical data even when it resides outside the direct jurisdiction of the department. 

Get Info Now

Software and Consulting Services - Fighting Fraud and Financial Crime

Product From IBM

IBM today introduced new software and services to help organizations use Big Data and Analytics to address the $3.5 trillion lost each year to fraud and financial crimes. Through sophisticated business expertise and analytics, organizations can take a holistic approach to address the financial losses caused by fraud while protecting the value of their brands.

Get Info Now

Nuance Forensics Voice Biometrics Technology

Product From Nuance Communications Inc.

Nuance Communications Inc. released Nuance Forensics, a voice biometrics solution that assists law enforcement officials and forensic experts with criminal investigations, as well as with the prosecution and defense of suspects.  This powerful tool uses Nuance’s patented voice biometrics technology to assist in confirming or denying the identity of individuals based on audio files that are used during investigations. Unlike less precise identification techniques, such as a lineup, wherein suspects are identified based on a witness’ visual memory, voice biometrics delivers accurate and unique identifying characteristics, akin to DNA and fingerprint evidence, to help assist investigations.

Get Info Now

SPEKTOR Drive Litigation Support and Forensic Incident Response Tool

Product From Evidence Talks

UK digital forensic experts Evidence Talks released SPEKTOR Drive. It is the latest powerful e-discovery, litigation support and forensic incident response tool designed for non-expert users, and will reduce the need for outsourced expertise, which will lower the cost of responding to litigation, digital incidents and forensic investigations.

Get Info Now

Forensic Toolkit (FTK) Version 5.1

Product From Accessdata Group LLC

The big challenges digital investigators face is the time and effort required to sift through the sheer volume of case data across their devices. They use several third party solutions to handle specific tasks which add greater complexity and resources.  

Get Info Now

MiniDAS

Product From CyanLine

CyanLine's free software grants law enforcement agencies the power to capture and unlock never-before-seen bonus data. Inspired by CyanLine’s Fast Disk Acquisition System (FDAS), MiniDAS allows investigators to obtain critical metadata, also known as “data about the data,” and collect a forensic image, and is available for free to all law enforcement agencies worldwide.

Get Info Now