Rather than sending experts to the computers, organizations use hardware and the Internet to disseminate data around the world.
With Remote Forensics, computer forensics analysts can use a mobile telephone to perform investigations. The system enables forensics analysts to remain at one location and carry out analyses on computers anywhere in the world.
Investigators performing computer forensics can now do their jobs from the beach—or anywhere else. An emerging technology eliminates the need for experts to have hardware in hand before examining a system and works around legalities that prohibit the transport of information across borders. The technology has applications across law enforcement, the military, the intelligence community and private industry.
Computer forensics investigations routinely are expensive and slow to begin because of the travel necessary for experts to reach a site and perform the diagnostics. The time lost during travel is often a critical factor during events such as terrorist attacks, kidnappings, pedophile incidents and murders. According to experts, one of the major problems with forensics investigations over the last several years is bringing the right personnel to the evidence. To remedy the problem, developers at Evidence Talks Limited,
Sheldon wanted to create a process that allowed personnel with limited forensic skills to handle matters on the site of an incident while working with distant forensic experts who perform the actual investigations remotely. He shares that one solution was to preinstall existing software on any computer an organization ever might want to investigate. The approach was cost prohibitive as well as problematic in terms of testing, security and flexibility.
Instead, Evidence Talks developed what the company calls a pod that is effectively a forensics workstation. It has no keyboard or screen, but it contains the tools necessary for forensics, and it incorporates special technologies and security. The pods are placed at key risk areas likely to require forensics analysis, such as an airport or a company headquarters. People on the scene use the pods to send copies of the information on the computers to the distant experts.
Sheldon illustrates the advantages of remote analyses with an
FIMS also creates credentials allowing the forensics investigators to have remote access to the disk in the pod, and all the work is done on a secure, encrypted virtual private network (VPN). “It creates an encrypted VPN for each job,” Sheldon states. Case managers can revoke credentials at any time.
Analysts can open an alternative or remote desktop session to perform their work. The Remote Forensics tool creates the VPN between the forensics analyst and the pod and also creates a remote desktop session allowing users to log into the pod remotely. The only data transmitted are the pixels that change on the screen. The initial screen graphic is captured into memory on the analyst’s computer in a recoverable form; after that, only bitmap changes are sent, and no artifacts are left on the analyst’s machine. Instead of sending entire desktop images each time, only a few pixels are exchanged, keeping bandwidth requirements low. Yet, the imaging and analysis are performed at the same speed as if the expert were on site.
After case managers open cases on FIMS, the jobs are advertised to forensics analysts. Once analysts accept a job, the case managers authorize them to perform the work, and FIMS creates a certificate for the specific jobs. The analysts download the certificate and receive a free copy of a VPN, which can run from any workstation anywhere in the world. The license is held on FIMS. When an analyst starts a connection, the VPN is created between the analyst’s machine and the remote forensics pod. Another connection is created between the pod and the network authentication service, and a final connection runs between the pod and FIMS so the pod can report its status to FIMS and keep the contemporaneous notes in FIMS up to date.
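The workflow above (case opened by a manager, job accepted by an analyst, a credential minted for that one job and pod, and revocable at any time) can be modelled in a few dozen lines. The following is an added example, not Evidence Talks code and not the FIMS API: the names `JobCredentialIssuer`, `Pod`, `demo`, the job and pod identifiers, and the use of an HMAC-signed token as a stand-in for the per-job certificate are all assumptions made here for illustration. The VPN and remote desktop layers are not modelled; the point shown is that a credential bound to a single job, analyst and pod, with an expiry and a revocation check, fails closed on every path a practitioner would want it to.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class JobCredentialIssuer:
    """Hypothetical stand-in for the FIMS role described in the article:
    a case manager opens a case, one analyst accepts it, and a credential
    bound to exactly that job, analyst and pod is issued (and can be revoked)."""

    def __init__(self, key):
        self._key = key        # shared with the pods it manages (assumption)
        self._jobs = {}        # job_id -> {"pod": pod_id, "analyst": assigned analyst or None}
        self._revoked = set()  # credential ids revoked by a case manager

    def open_case(self, job_id, pod_id):
        self._jobs[job_id] = {"pod": pod_id, "analyst": None}

    def accept_job(self, job_id, analyst):
        # Manager authorization is modelled as the first accepted assignment.
        if self._jobs[job_id]["analyst"] is not None:
            raise PermissionError("job already assigned")
        self._jobs[job_id]["analyst"] = analyst

    def issue(self, job_id, analyst, ttl_s, now=None):
        job = self._jobs[job_id]
        if job["analyst"] != analyst:
            raise PermissionError("analyst not authorized for this job")
        now = time.time() if now is None else now
        payload = {
            "cid": secrets.token_hex(8),   # credential id, the handle used for revocation
            "job": job_id,
            "analyst": analyst,
            "pod": job["pod"],             # binds the credential to one pod
            "exp": int(now) + ttl_s,       # credentials are short-lived
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + tag

    def revoke(self, credential):
        # A case manager revokes by credential id; the pod consults this set.
        body = base64.urlsafe_b64decode(credential.split(".", 1)[0].encode())
        self._revoked.add(json.loads(body)["cid"])

    def is_revoked(self, cid):
        return cid in self._revoked


class Pod:
    """Hypothetical pod-side check run before a remote session is granted."""

    def __init__(self, pod_id, key, issuer):
        self.pod_id = pod_id
        self._key = key
        self._issuer = issuer

    def check(self, credential, now=None):
        """Return (True, job_id) on success, else (False, reason)."""
        try:
            b64, tag = credential.split(".", 1)
            body = base64.urlsafe_b64decode(b64.encode())
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # verify before parsing
            return False, "bad signature"
        payload = json.loads(body)
        if payload["pod"] != self.pod_id:
            return False, "wrong pod"
        now = time.time() if now is None else now
        if now >= payload["exp"]:
            return False, "expired"
        if self._issuer.is_revoked(payload["cid"]):
            return False, "revoked"
        return True, payload["job"]


def demo():
    """Walk the article's workflow with constructed identifiers and a fixed clock."""
    key = secrets.token_bytes(32)
    fims = JobCredentialIssuer(key)
    pod = Pod("pod-site-A", key, fims)          # constructed pod name
    fims.open_case("case-42", "pod-site-A")     # constructed job id
    fims.accept_job("case-42", "analyst-a")
    t0 = 1_700_000_000
    cred = fims.issue("case-42", "analyst-a", ttl_s=3600, now=t0)

    results = {"valid": pod.check(cred, now=t0 + 60)}
    results["wrong_pod"] = Pod("pod-site-B", key, fims).check(cred, now=t0 + 60)
    flipped = "0" if cred[-1] != "0" else "1"    # corrupt one character of the tag
    results["tampered"] = pod.check(cred[:-1] + flipped, now=t0 + 60)
    results["expired"] = pod.check(cred, now=t0 + 3601)
    try:
        fims.issue("case-42", "analyst-b", ttl_s=3600, now=t0)
        results["unauthorized"] = "issued"
    except PermissionError:
        results["unauthorized"] = "denied"
    fims.revoke(cred)                            # case manager pulls the credential
    results["revoked"] = pod.check(cred, now=t0 + 60)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The MAC is verified before the payload is parsed, so a pod never acts on unauthenticated JSON, and the pod identifier sits inside the signed body, so a credential issued for one pod cannot be replayed against another. Revocation is checked on every connection rather than only at issue time, which is what lets a case manager cut an analyst off mid-job as the article describes.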
The analysts need no special tools on their machines. The devices can be secure or nonsecure on any network. For example, the pod could be on a satellite link from a desert camp, and the analyst could be on a mobile telephone connection in
At a U.S. European Command conference, Sheldon connected to a pod 17 miles away—although he explains that distance is irrelevant—and then initiated a search for e-mail and more on the hard disk via his mobile telephone. “You wouldn’t want to do that every day, but it’s certainly usable,” he shares.
Photo caption: U.S. Army soldiers enter a home during a raid in the Al Uruba neighborhood of Mosul, Iraq. Remote Forensics could help retrieve information from seized computers faster than through traditional forensics analysis methods.
Remote Forensics also could allow investigation officials to work around laws in some countries that prevent taking information over national borders. In the past, forensics analysts had to fly to those countries to perform their work. Sheldon explains that with Remote Forensics, the data never leaves the country because analysts have the ability to see it where it is. “That’s one of the nice features from our perspective,” he states.
The capabilities inherent in Remote Forensics suit it toward large-scale operations as well. If an anti-terror raid occurred at 10 locations around the country and included computer seizures, law enforcement and intelligence officials would have to deploy all the necessary encryption and data experts and the investigators to the dispersed raid locations, or the officials would have to gather all the experts and materials at one site. “That takes 12 hours before you’re able to get to the machines,” Sheldon says.
According to Sheldon, the
Detective Sgt. Richard Matthews with the Metropolitan Police Internet Investigation Unit in the
According to Detective Sgt. Matthews, technologies such as Remote Forensics could benefit evidence continuity as well. The main part of the effort remains with an officer, and another person accesses it remotely. It saves the time of having to transport hardware to the forensics experts. “An investigator could start, and another expert could join the investigation without the hard drives being shipped here, there and everywhere,” he says.
The technology especially could impact the results of investigations not only of terrorist actions but also kidnapping, murder and pedophilia. “I think that time is of the essence in all these investigations,” the detective sergeant states.
In addition to the applications for Remote Forensics in the public sector, private industry could use the technology in operations as well. Unlike the dangers to government systems, the two biggest threats to companies are hacking and leaking of proprietary information. Evidence Talks experts could work with a company to identify its risk areas and then place a pod in the risk locations. A company with four office locations might need the pod in only two—probably the two largest offices. Or a bank might want to set up pods in district offices but not in every branch. In addition to the pods, the company would host FIMS on intranet- or Internet-based applications, and the system would be operational. “There’s hardly any set-up required,” Sheldon states.
Use of Remote Forensics involves up-front costs and a monthly service fee based on the number of pods an organization uses over the three-year contract. Companies would have a FIMS administrator who could add forensics contacts from the companies’ personnel or from outside organizations. The FIMS manager would give the forensics analysts accounts on FIMS, and those analysts would log on and update their records independently to ensure they remain reachable.