AccessData Corporation

Divide & Conquer: Overcoming Computer Forensic Backlog through Distributed Processing and Division of Labor

White Paper

A Pioneer in Digital Investigations Since 1987


TABLE OF CONTENTS

Introduction (page 1)
Obstacles to Overcoming Caseload Backlogs (page 2)
Amplifying Existing Resources Utilizing Enterprise and Collaborative Computing Principles (page 4)
Lab Technology: Providing a Permanent Solution to an Ever-growing Problem (page 7)
Benefits (page 8)
Detailed Infrastructure Diagrams: Lab Lite and AccessData Lab (page 9)
Summary (page 10)


Introduction

Computer forensics labs across the United States and around the world are struggling to keep up with their ever-growing caseloads. The overwhelming increase in cases affects law enforcement, government agencies and large corporations alike. However, the issue is most often discussed within the context of criminal investigations, for obvious reasons. In an American Idol world you don’t expect to see a lot of news coverage on digital investigations and computer forensics labs, so when this issue makes headlines, you know it is a very real, very dire problem. In January of 2009, the backlog in the FBI cybercrime labs made national news, largely because the backlog was seriously delaying the progress made on child pornography cases. It is a very sad fact that the majority of criminal cases involving digital evidence are child pornography/exploitation cases. During that January ’09 coverage, FBI Executive Assistant Director Stephen Tidwell was quoted as saying "The pervasiveness of the Internet has resulted in the dramatic growth of online sexual exploitation of children, resulting in a 2,000 percent increase in the number of cases opened since 1996." So, it’s not only the number of delayed cases that makes this an urgent matter. It is the nature of most of these cases that dramatically increases the pressure on computer forensics labs to implement more efficient policies and practices to overcome this issue. To make matters worse, in the recent case Melendez-Diaz v. Massachusetts, the Supreme Court found that lab reports prepared by forensic experts, if introduced into evidence, are subject to the 6th Amendment Confrontation Clause. This means that if your computer forensics report is used as evidence in court, the defense can call you to the stand for cross-examination. Some analysts expect this new ruling to further increase the already significant backlog.

In his dissent, Justice Anthony Kennedy stated, “The Court threatens to disrupt forensic investigations across the country and to put prosecutions nationwide at risk of dismissal… when a particular laboratory technician… simply does not or cannot appear." The fear is that there are not enough examiners to handle the flood of cases crossing their desks and still make time to appear in court to defend their findings. Large corporations are also experiencing the digital investigations bottleneck, and while corporate cases may not always seem newsworthy, the impact that consistent investigation delays have on the bottom line and on employee/customer privacy is significant. This paper will take a look at the factors that contribute to these burdensome backlogs, and then it will review the technical requirements necessary to significantly reduce — even overcome — the digital bottleneck that plagues computer forensic personnel. Finally, it will illustrate how a solution meeting these technical requirements can be implemented within a lab’s existing infrastructure and discuss the associated benefits.


Obstacles to Overcoming Caseload Backlogs

A Justice Department audit of the FBI’s cybercrime labs found that 353 requests were awaiting FBI analysis, and it took an average of 60 days for FBI personnel to examine evidence. Inspector General Glenn Fine said, "The processing time for the digital evidence in some cases could take up to nine months, which we concluded was too long." While the FBI was the unfortunate recipient of this bad press, the fact is virtually every single cybercrime lab throughout the country is overwhelmed. Likewise, the information security departments in almost every large corporation we’ve met with tell us that they need more human resources and more hardware resources. There are several factors that must be addressed to overcome caseload backlog:

Outdated Hardware

For example, a state police agency applying for federal assistance in April of 2009 stated that of the 95 members of its statewide Computer Crime Taskforce, 35 were using mobile forensic computers that are more than six years old. This is a common complaint among state and local law enforcement agencies. In fact, even commercial organizations commonly face budgetary limitations with regard to their hardware resources.

Understaffed Departments

As of May 21, 2009, the Internet Crimes Against Children (ICAC) Program’s 59 task forces throughout the country were awarded Recovery Act funds totaling $41.5 million. Among the 59 task forces, one of the primary uses for that money, as stated in the ICAC memo, is to hire new investigators/analysts or to retain analysts who would otherwise have to be laid off.

When it comes to commercial organizations, the primary goal is business continuity. The cogs must turn or production suffers. To many in the corporate arena, “computer forensics” implies that a cog, or cogs, must stop turning. Therefore, it is often the case that computer forensics is not at the top of the list when budget dollars are doled out. In fact, according to the 2008 CSI Computer Crime and Security Survey (surveying information security practitioners), only 41% of its respondents even use forensics tools to help secure their data.

Lack of Training and Training Dollars

Many local law enforcement agencies do not have a trained computer forensic analyst on staff and must send seized data to a state or regional lab for analysis. Even departments and labs with computer forensic analysts on staff find it difficult to provide continuing education to their analysts, which can delay progress on a case. If there are only two seasoned analysts on staff, and several novices, the two pros will find themselves bogged down with analysis work. It’s no wonder that most state and local applications for federal aid cite training as one of the top reasons for requesting the funds.

Evidence Being Processed and Reviewed in Disparate Locations

It is often the case that data seized at the scene of a crime or acquired from a computer at a remote office is actually processed at a central computer forensics lab, while the investigators, legal personnel and HR personnel responsible for reviewing that evidence are somewhere else entirely. This makes for an inefficient review process.


The One Case – One Analyst Paradigm

Traditionally, one analyst will be assigned to a case, and that analyst sees the case through from processing to reporting. That model may have worked back in 1996, but with the influx of computer crime and the dramatic increase in computer-related evidence per case, computer forensics labs might take a lesson from Henry Ford. It is becoming more difficult for examiners to get through a single large case in a reasonable amount of time because data sets keep growing, and the problem is only getting worse.

Lack of Infrastructure

In most traditional labs, each examiner stores all of the evidence and case information on his or her individual machine. This makes the backup and restoration of cases, evidence and reports a time consuming and critical part of the process that is often difficult to manage, if done at all. Even worse, cases often go on for years, and examiners must bring cases out of storage if and when they make it to court.

It’s interesting to note that in almost every case, agencies and commercial organizations cite their need for more human resources and more hardware resources. Yet, despite the cry for more, we rarely see a meaningful increase in those resources. The 2008 CSI survey shows that its respondents actually experienced a reduction in budget dollars for information security. Furthermore, it’s a running joke among radio commentators and local newspapers — no matter how many more tax dollars are applied to increasing law enforcement numbers, somehow there rarely seems to be a significant increase. If there is an increase in officers, you can be sure that layoffs are only a couple years away, usually about the time federal assistance dollars run out. So, given the relative certainty that resources will usually be scarce, why aren’t law enforcement, government agencies and corporations looking for a technological solution that will actually amplify their existing resources?


Amplifying Existing Resources Utilizing Enterprise and Collaborative Computing Principles

In order to successfully overcome case backlog, organizations need to implement a technical foundation that maximizes the productivity of the resources they already have. If funding comes through and new resources are obtained, great. But until an organization is able to efficiently leverage existing resources, it will find itself trapped in the vicious cycle of too much work, too few people. In order to effectively amplify an organization’s existing resources, the following capabilities are necessary.

Distributed Processing

Leverage both outdated and next-generation hardware to significantly reduce processing time. Distributed processing allows organizations to effectively offset their ever-increasing datasets, as well as their lack of budget for new hardware. With distributed processing capabilities, an organization can turn any unused CPU into an asset that reduces the amount of time it takes to process large datasets. The organization now has a scalable resource with which to increase or decrease processing power as needed.

FIGURE 1: Distributed processing leverages outdated and next-gen hardware to reduce processing time.

Utilize a distributed processing farm to dramatically reduce processing time. This is a great way to leverage legacy hardware.


Simultaneous, Collaborative Analysis

Computer forensic departments need to move away from the “One Analyst – One Case” paradigm and take an “assembly line” approach to their investigations. By distributing the workload across examiners, each person is able to focus on a single area of expertise. Examiners can work in sync with other examiners to get through cases much faster using the advanced capabilities of FTK. In addition, this solution allows organizations to coordinate analysts and other players in a case using a secure web interface, so those who are geographically dispersed are able to easily contribute their expertise without delay.

Web Review and Analysis Capabilities

There are many players in an investigation. They are not all located in the lab and are not always forensic experts. It is often the case that key players in these investigations are working in disparate locations, and this can easily delay the conclusion of a case. A secure web interface provides a quick and easy way for non-technical personnel to review and comment on the evidence as the analysts identify it. Players in the investigation, such as lawyers, human resources personnel and representatives from the DA’s office, are able to review the data in an easy-to-consume format as soon as it is available, from any location, which saves a great deal of time. With custom data views, reviewers are given permission by the case manager to review specific areas of cases.

FIGURE 2: Analysts can collaborate in the lab using FTK, and with AD Lab, geographically dispersed players in the investigation can review and comment on data using a secure web interface.

Non-technical resources and outside analysts can review and comment on data via the secure web interface.

Analysts can collaborate in real time via FTK.


Centralized Case Management

Organizations need a better way to manage case work and to manage analysts’ case assignments and tasks. This capability allows a designated manager to rapidly assign cases, resources, tasks and case permissions to analysts. The manager can view the status of assigned tasks and has the flexibility to update or reassign tasks and resources as needed to orchestrate the most efficient completion of cases.

The Ability to Control Access and Activity

It’s important when orchestrating synchronous collaboration among multiple analysts that organizations are able to control which data each analyst can access, which tasks he or she can perform, and to ensure their accountability. For example, if two analysts are assigned to a case — one a senior member of the team, and the other still in training — the case manager can tailor their individual roles and permissions to suit their skill levels or clearance levels. The senior analyst can be given permission to perform more advanced operations, while the junior analyst is assigned to a particular set of data, such as graphics. With a more advanced lab solution, the seasoned investigator can be given permission to view specific data sets that might be considered confidential or classified, while the less experienced analyst is only allowed to work with less sensitive content.

FIGURE 3: A designated Manager can assign cases, tasks and resources to analysts and monitor their progress to ensure efficient collaboration.

Cases and analysts can be managed from a central management console.


Centralized Investigative Infrastructure

Using a Lab platform, organizations can centralize their investigative infrastructure. Instead of each examiner doing all the work on his or her individual stand-alone machine, each examiner can leverage a shared infrastructure where all of the case data and evidence are stored in a centralized and controlled manner. Access to each case is still controlled by the lab manager or the examiner in charge of a specific case, but the actual hardware infrastructure, where all the work takes place, is centralized. (Note the centralized database and distributed processing farm in Figures 1–3. The centralized Oracle infrastructure can be comprised of one or more databases.)

Lab Technology: Providing a Permanent Solution to an Ever-growing Problem

Human resources come and go, hardware resources become outdated, and the funding to maintain both is never a sure thing. However, implementing the right lab technology is a permanent solution that will streamline the entire process and speed up nearly every aspect of the investigation. AccessData (AD) has engineered lab technology that enables computer forensics labs to implement a digital assembly line of sorts. Based on the principles of enterprise computing and collaborative computing, this solution allows analysts to work together seamlessly—not just distributing data processing, but actually distributing their labor, while sharing a centralized infrastructure (database, storage, evidence server). Processing the data can be as fast as you want it to be with unlimited distributed processing capabilities. Analytical operations are compartmentalized by analyst, so an individual examiner doesn’t need to shift his or her mindset from email to registry to RAM dumps or have to worry about moving the data around. Each examiner can focus on one or two areas of expertise, and other analysts working on the same case are able to see those findings in real time as they are bookmarked, labeled and commented on.

Having the ability to divide the workload and to share information with each other and with non-technical counterparts will speed the analysis, the review, and the communications necessary to bring a case to completion. However, while this lab solution enables real-time collaboration, a single analyst is still able to work an entire case from beginning to end on his or her machine. Each analyst has an investigative workstation that shares a single Oracle infrastructure, comprised of one or more databases. Investigator workstations can also share a distributed processing farm. An analyst is able to utilize this centralized infrastructure and, if he or she desires, can give permission to another analyst or non-technical player to review the findings and share expertise.

AccessData provides two levels of its lab technology, Lab Lite and AD Lab. Two capabilities differentiate the two solutions:

Case-level Permissions vs. Data-level Permissions

While AD Lab Lite allows forensic analysts to be assigned to or restricted from viewing cases, the AD Lab solution allows case managers to assign or restrict access at the data level. For example, if the information in question or the suspects involved were considered extremely confidential, the case manager could restrict a junior analyst’s access to email and documents of any kind. However, the manager might still want to utilize that junior resource to speed the investigation along. For example, the manager could restrict the junior analyst’s access to log files only, assigning that person to create a timeline over the last month showing each time an instant messenger application had been launched. This more granular security provision is of particular benefit to large corporations or government agencies handling large caseloads with a great deal of confidential or classified information.

Web Review and Analysis

As discussed earlier, the web review capability is the easiest way to share information and leverage the abilities of non-technical players in an investigation or computer forensic experts located outside the lab. This functionality is only available with AD Lab, which is designed to handle large caseloads for organizations that have a number of different participants in the investigative process who should be working together. For example, a computer forensic examiner working in New York wants HR and Legal in Los Angeles to review the results of a policy violation investigation quickly and in an easy-to-consume format. These non-technical participants can log in to the web interface and see only the information the examiner wants them to see. Additionally, large labs dealing with massive datasets need many analysts of varying skill levels to work together simultaneously in order to efficiently tackle their caseloads. The secure web review interface of AD Lab enables those analysts to collaborate with ease. The following illustrates the functionality available in each of AccessData’s Lab solutions:

LAB FUNCTIONALITY                                      | LAB LITE   | AD LAB
-------------------------------------------------------|------------|-----------
DISTRIBUTED PROCESSING                                 | expanded   | expanded
INVESTIGATOR COLLABORATION via FTK                     | unlimited  | unlimited
CENTRALIZED CASE AND TASK MANAGEMENT                   | yes        | yes
ROLE-BASED PERMISSIONS TO CONTROL ACCESS AND ACTIVITY  | case level | data level
CENTRALIZED DATABASE INFRASTRUCTURE                    | no         | yes
WEB REVIEW AND ANALYSIS                                | no         | unlimited

Benefits

By utilizing an “assembly line,” division of labor approach, the investigation process is streamlined and cases can be brought to completion more efficiently.

- Control who can see which information in a given case or across cases.
- Examiners can see each other’s results in real time.
- Non-technical users can easily support the investigative process.
- Advanced users can work alongside non-technical resources.
- Leverage a distributed processing farm to greatly reduce processing time.
- Utilize outdated hardware for distributed processing.
- Take an enterprise approach to controlling data with a centralized infrastructure, instead of each examiner storing data on his or her individual machine.
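The case-level versus data-level permission distinction described in the Lab Technology section, as an added example that is not AccessData's code: a small deny-by-default policy model in which a case-level grant (the Lab Lite style) exposes every item in a case, while a data-level grant (the AD Lab style) limits an analyst to named evidence categories and tasks, and every decision is written to an audit trail for accountability. The category names, task names, analyst names and evidence items are constructed for the example.

```python
"""Case-level vs data-level grants over a shared forensic case store.

Added example, not AccessData's code. A grant with categories=None covers a
whole case (Lab Lite style); a grant naming categories and tasks is the
data-level restriction (AD Lab style). Every decision is deny-by-default
and appended to an audit trail. Categories, tasks and items are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

CATEGORIES = frozenset({"email", "documents", "graphics", "registry", "logs", "memory"})
TASKS = frozenset({"view", "bookmark", "label", "comment", "export"})


@dataclass(frozen=True)
class Item:
    case_id: str
    item_id: str
    category: str


@dataclass(frozen=True)
class Grant:
    """One analyst's access to one case; categories=None means the whole case."""
    case_id: str
    categories: Optional[FrozenSet[str]]
    tasks: FrozenSet[str]


@dataclass
class CaseStore:
    items: List[Item] = field(default_factory=list)
    grants: Dict[str, List[Grant]] = field(default_factory=dict)
    # (analyst, task, "case/item", allowed) for every authorization decision
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def grant(self, analyst: str, case_id: str,
              categories: Optional[set] = None, tasks=("view",)) -> None:
        """Case manager assigns access; unknown categories or tasks are rejected."""
        if categories is not None and not set(categories) <= CATEGORIES:
            raise ValueError(f"unknown category in {sorted(categories)}")
        if not set(tasks) <= TASKS:
            raise ValueError(f"unknown task in {sorted(tasks)}")
        cats = None if categories is None else frozenset(categories)
        self.grants.setdefault(analyst, []).append(Grant(case_id, cats, frozenset(tasks)))

    def authorize(self, analyst: str, task: str, item: Item) -> bool:
        """Deny by default: allow only if some grant covers case, task and category."""
        allowed = any(
            g.case_id == item.case_id
            and task in g.tasks
            and (g.categories is None or item.category in g.categories)
            for g in self.grants.get(analyst, [])
        )
        self.audit.append((analyst, task, f"{item.case_id}/{item.item_id}", allowed))
        return allowed

    def visible_items(self, analyst: str, case_id: str) -> List[Item]:
        """The evidence list this analyst sees when opening the case."""
        return [i for i in self.items
                if i.case_id == case_id and self.authorize(analyst, "view", i)]


def demo() -> CaseStore:
    """Senior analyst gets a case-level grant; junior analyst gets log files only."""
    store = CaseStore(items=[
        Item("case-17", "msg-001", "email"),
        Item("case-17", "doc-002", "documents"),
        Item("case-17", "syslog-003", "logs"),
        Item("case-17", "im-launch-004", "logs"),
    ])
    store.grant("beth", "case-17", tasks=TASKS)                     # whole case
    store.grant("jack", "case-17", categories={"logs"},
                tasks={"view", "bookmark"})                         # timeline task only
    return store
```

The audit list is what a case manager would review to confirm that a junior analyst never touched restricted categories, which is the accountability requirement the paper raises alongside access control.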


Creating a collaborative environment with a shared, centralized infrastructure amplifies existing resources, allowing analysts of all skill levels to work more effectively.

Detailed Infrastructure Diagrams: Lab Lite and AccessData Lab

FIGURE 4: Distributed examiner and database infrastructure, using Lab Lite

Workflow:
1. Beth logs in and creates a case on her local database.
2. She processes the evidence or obtains volatile data.
3. Beth needs Jack to look at email that she processed in her NY office, so she gives Jack rights to the case.
4. Jack logs in and selects Beth’s database from the database selection panel. He can now see her list of cases.
5. Jack selects the case and now sees all the work Beth did; he can perform additional analysis and bookmarking.

NOTE: Because it is a database on the back end, any bookmarks/labels are stored. This also means that multiple examiners can look at the same case at the same time without stumbling over each other.


FIGURE 5: Shared database infrastructure, using AccessData Lab

Summary

As stated earlier, until an organization is able to efficiently leverage existing resources, it will find itself trapped in the vicious cycle of too much work, too few people. Implementing a solution that amplifies existing resources by streamlining the investigative process and getting the most out of an organization’s hardware is a permanent solution. AccessData’s lab solutions are scalable, allowing an organization to build a solution that fits its caseload and resources, then expand as needed. Division of labor, distributed processing, a centralized infrastructure and timely sharing of data are the keys to overcoming the backlog faced by organizations of all kinds. The answer is not simply “more resources”. The answer is efficiently utilizing the resources you have.