Like sands through an hourglass

July 23, 2015

So much of our lives is online: the work we do, the music we listen to, the videos we watch, and the people we chat with and email. We make business transactions and keep memories on our computers.

And with this giant central hub of activity come logistical challenges for police trying to solve crimes. A thorough online search can quickly become an overwhelming undertaking for officers with plenty else to do and limited resources. In the interest of speeding things along, the National Institute of Justice recently sponsored a cybersecurity research program, focused on the law enforcement community, that aims to help investigators comb through computer evidence at record speeds.

Martin Novak, a computer scientist at NIJ, acknowledges the “acquisition/analysis phases of digital forensics are time-consuming … in the best circumstances it can take 16.5 hours to image a 1-terabyte drive, and that’s if you only have one 1-terabyte drive awaiting imaging.” He adds that the problem is compounded by the fact that multiple media are seized at a crime scene, and the backlogs of digital media keep growing.

The proposed solutions, from Grier Forensics and Rand Corp., will significantly reduce the time officers spend sifting through digital evidence. Instead of spending 16.5 hours to comb through that one 1-terabyte drive, it might take only 5.5 hours—a tremendous savings in time and resources.

The two companies submitted applications to the NIJ, which were reviewed on technical merit and then approved for funding. Both propose a way for law enforcement to process large-capacity digital media in a forensically sound manner that preserves the appropriate amount of evidence.

“When you browse around [on a computer] you’re modifying the evidence; you’re spoiling it,” says Jonathan Grier of Grier Forensics. That is why investigators make images of the hard disk and search the image for items that don’t meet the eye. It’s important, too, to preserve the evidence for chain of custody. It can take a day just to prepare an image from one computer’s hard drive. But what if you had a tool that looked only in the right places, and did so quickly?

Grier’s prototype sifts through the disk as the image is being created. “It looks at the parts of the disk that are relevant, and parts that might be relevant, and parts we know for sure are not relevant. We can bypass large parts of the disk … we don’t need to include them in that image,” says Grier. The resulting image is shorter, smaller and quicker to produce, but looks just like a regular disk image.

This “sifting collector” (a working title) looks into user-created files: documents, images, movies, spreadsheets and so on, created by various programs. This method of forensic acquisition yields a compressed disk image (which Novak says will be compatible with existing forensic tools) in place of a standard disk image. He mentioned that Grier is partnering with the Louisiana Chapter of the U.S. Secret Service Cybercrime Task Force and the Jefferson Parish Sheriff’s Department. “We encourage all of our grantees to work with a state and local partner of some kind … [so] they’re not working in a vacuum; they’re getting feedback during the development process from law enforcement practitioners, which makes it a better tool in the long run,” says Novak.

The sifting collector was tested on a sample case: a forensic investigation into a former employee who had viewed NSFW content at work. The real-life case involved three hard drives. “I would estimate it took about 9 hours to produce the image and we got one of the drives reduced by a factor of 2.9 and another of 9.2. In one case we were able to get 100 percent of the NSFW images; there were thousands of them … our goal is to get everything,” says Grier.
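As an added illustration (not Grier Forensics’ code, whose internals the article does not describe), the following Python sketch shows the idea in the paragraphs above: image only the sectors that are or might be relevant, record where they came from along with a verification hash, and expand the result back into a full-size image that ordinary forensic tools can read. The 64-sector sample disk and its per-sector classification (user data, program data, free space) are constructed assumptions standing in for what a file-system parser would supply.

```python
import hashlib
import zlib

SECTOR = 512

def build_sample_disk():
    """Constructed 64-sector 'disk' plus a per-sector classification of the kind a
    file-system parser would supply: 'user' file data, 'system' program/OS data,
    or 'free' unallocated space. Sample data only, not a real evidence drive."""
    disk = bytearray(64 * SECTOR)
    kinds = ["free"] * 64
    for i in range(3, 7):                          # a user document in sectors 3-6
        disk[i * SECTOR:(i + 1) * SECTOR] = (b"memo-%02d " % i) * (SECTOR // 8)
        kinds[i] = "user"
    for i in range(20, 40):                        # program binaries: known irrelevant
        disk[i * SECTOR:(i + 1) * SECTOR] = b"\x90" * SECTOR
        kinds[i] = "system"
    disk[50 * SECTOR:51 * SECTOR] = b"deleted" * 73 + b"\x00"  # leftovers in free space
    return bytes(disk), kinds

def is_relevant(sector, kind):
    """Keep user-created file data always, keep unallocated space only when it still
    holds something (possibly deleted user data), skip program data and empty sectors."""
    if kind == "user":
        return True
    return kind == "free" and any(sector)

def sift_image(disk, kinds):
    """Walk the disk once, retain only relevant sectors, and emit a manifest that
    records where they came from plus a SHA-256 over the retained bytes."""
    kept = [i for i in range(len(disk) // SECTOR)
            if is_relevant(disk[i * SECTOR:(i + 1) * SECTOR], kinds[i])]
    payload = b"".join(disk[i * SECTOR:(i + 1) * SECTOR] for i in kept)
    manifest = {"total_sectors": len(disk) // SECTOR, "kept": kept,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, zlib.compress(payload)

def expand_image(manifest, blob):
    """Rebuild a full-size raw image (skipped sectors zero-filled) after verifying the
    hash, so the result reads like an ordinary dd image in existing tools."""
    payload = zlib.decompress(blob)
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise ValueError("retained sectors failed hash verification")
    out = bytearray(manifest["total_sectors"] * SECTOR)
    for n, i in enumerate(manifest["kept"]):
        out[i * SECTOR:(i + 1) * SECTOR] = payload[n * SECTOR:(n + 1) * SECTOR]
    return bytes(out)

def reduction_factor(manifest):
    return manifest["total_sectors"] / len(manifest["kept"])  # sectors on disk / retained
```

On the sample disk only 5 of 64 sectors are retained, a reduction factor of 12.8; on real drives the factor depends on how much of the disk holds user data rather than program files or empty space.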

Rand Corporation, meanwhile, is working on parallel processing: it is developing a forensic computer cluster, built on open source software, that lets many key tasks execute at the same time across many contributing nodes.

Novak feels this type of work could signal a significant paradigm shift in policing. “Up until now standard practice has been to image everything. We’re beginning to realize you don’t necessarily need to image everything to demonstrate a commission of crime. And in terms of Rand’s work, we’re really looking at speeding up the analysis phase … the processing of data.”

Jonathan Grier says that if everything comes together as expected, law enforcement will be able to use the product without having to learn anything new. He and Novak anticipate these tools could reach the hands of law enforcement within a year, or even sooner.

Processing data much, much faster while maintaining accuracy that will hold up in court: this is the future of investigations.
