Solution Delivers Information to Analysts

October 2007
By Rita Boland

With Remote Forensics, computer forensics analysts can use a mobile telephone to perform investigations. The system enables forensics analysts to remain at one location and carry out analyses on computers anywhere in the world.
Rather than sending experts to the computers, organizations use hardware and the Internet to disseminate data around the world.

Investigators performing computer forensics can now do their jobs from the beach—or anywhere else. An emerging technology eliminates the need for experts to have hardware in hand before examining a system and works around legalities that prohibit the transport of information across borders. The technology has applications across law enforcement, the military, the intelligence community and private industry.

Computer forensics investigations routinely are expensive and slow to begin because of the travel necessary for experts to reach a site and perform the diagnostics. The time lost during travel is often a critical factor during events such as terrorist attacks, kidnappings, pedophile incidents and murders. According to experts, one of the major problems with forensics investigations over the last several years is bringing the right personnel to the evidence. To remedy the problem, developers at Evidence Talks Limited, United Kingdom, developed a technology called Remote Forensics that enables investigators at any location to study a hard disk without having to be in proximity of the device. “The idea is our experts stay in one location,” Andrew Sheldon, managing director and principal forensic consultant at Evidence Talks, explains.

Sheldon wanted to create a process that allowed personnel with limited forensic skills to handle matters on the site of an incident while working with distant forensic experts who perform the actual investigations remotely. He shares that one solution was to preinstall existing software on any computer an organization ever might want to investigate. That approach was cost-prohibitive as well as problematic in terms of testing, security and flexibility.

Instead, Evidence Talks developed what the company calls a pod that is effectively a forensics workstation. It has no keyboard or screen, but it contains the tools necessary for forensics, and it incorporates special technologies and security. The pods are placed at key risk areas likely to require forensics analysis, such as an airport or a company headquarters. People on the scene use the pods to send copies of the information on the computers to the distant experts.

Sheldon illustrates the advantages of remote analyses with an Iraq example. During a security operation in Iraq, if troops seize a computer, a forensics expert would have to fly to Iraq and arrive at the computer’s physical location before performing any analysis and intelligence-gathering work. With Remote Forensics, the same expert could receive the information through a pod on the ground in country. Personnel on the ground would remove the hard disk and plug it into the pod. An analyst anywhere could read the information through the Forensic Incident Management Service (FIMS) after a case manager opens a case. FIMS resides on the Internet and coordinates activity and cases.

FIMS also creates credentials allowing the forensics investigators to have remote access to the disk in the pod, and all the work is done on a secure, encrypted virtual private network (VPN). “It creates an encrypted VPN for each job,” Sheldon states. Case managers can revoke credentials at any time.

Analysts can open an alternative or remote desktop session to perform their work. The Remote Forensics tool creates the VPN between the forensics analyst and the pod and also creates a remote desktop session allowing users to log into the pod remotely. The only data transmitted are the pixels that change on the screen. The graphic is seized by the analyst’s computer into the memory in a form that can be recovered. After that, only the bitmap changes and no artifacts are left on the analyst’s machine. Instead of sending entire desktop images each time, only a few pixels are exchanged, keeping bandwidth requirements low. Yet, the imaging and analysis are performed at the same speed as if the expert were on site.

After case managers open cases on FIMS, the jobs are advertised to forensics analysts. Once analysts accept a job, the case managers authorize them to perform the work, and FIMS creates a certificate for the specific jobs. The analysts download the certificate and receive a free copy of a VPN, which can run from any workstation anywhere in the world. The license is held on FIMS. When an analyst starts a connection, the VPN is created between the analyst’s machine and the remote forensics pod. Another connection is created between the pod and the network authentication service, and a final connection runs between the pod and FIMS so the pod can report its status to FIMS and keep the contemporaneous notes in FIMS up to date.
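The job-scoped credential flow described above (case opened, job accepted, certificate issued by the case manager, connection checked by the pod, credential revocable at any time) is modelled in the following added example. This is illustrative code written for this article, not Evidence Talks' or FIMS' own software: the class names, the use of HMAC-signed JSON claims as the "certificate", the shared verification key between FIMS and the pod, and the sample case, pod and analyst identifiers are all assumptions.

```python
# Hypothetical model of the FIMS job-certificate flow; not Evidence Talks' code.
import hashlib
import hmac
import json
import secrets


class Fims:
    """Assumed model of the Forensic Incident Management Service:
    opens cases, advertises jobs, issues and revokes job certificates."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.cases = {}          # case_id -> {"manager", "accepted", "open"}
        self.serial_case = {}    # certificate serial -> case_id (for revocation)
        self.revoked = set()

    def open_case(self, manager, case_id):
        self.cases[case_id] = {"manager": manager, "accepted": set(), "open": True}

    def advertised_jobs(self):
        return sorted(c for c, info in self.cases.items() if info["open"])

    def accept_job(self, analyst, case_id):
        if self.cases[case_id]["open"]:
            self.cases[case_id]["accepted"].add(analyst)

    def sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def authorize(self, manager, case_id, analyst, pod_id, issued_at, ttl_seconds):
        """Only the case manager may issue a certificate, and only to an analyst
        who has accepted the job; the certificate is bound to one pod and expires."""
        case = self.cases[case_id]
        if case["manager"] != manager:
            raise PermissionError("only the case manager can authorize a job")
        if analyst not in case["accepted"]:
            raise PermissionError("analyst has not accepted this job")
        serial = secrets.token_hex(8)
        claims = {"case": case_id, "analyst": analyst, "pod": pod_id,
                  "serial": serial, "exp": issued_at + ttl_seconds}
        payload = json.dumps(claims, sort_keys=True)
        self.serial_case[serial] = case_id
        return payload, self.sign(payload)

    def revoke_case(self, manager, case_id):
        """Revoking a case invalidates every certificate issued for it."""
        if self.cases[case_id]["manager"] != manager:
            raise PermissionError("only the case manager can revoke")
        self.cases[case_id]["open"] = False
        for serial, cid in self.serial_case.items():
            if cid == case_id:
                self.revoked.add(serial)

    def is_active(self, serial):
        return serial in self.serial_case and serial not in self.revoked


class Pod:
    """Assumed model of the field pod; admits a session only on a valid certificate
    and asks FIMS (the pod-to-FIMS status link) whether it is still active."""

    def __init__(self, pod_id, fims, verify_key):
        self.pod_id = pod_id
        self._fims = fims
        self._key = verify_key   # assumption: key shared with FIMS for HMAC verification

    def accept_session(self, certificate, claimed_analyst, now):
        payload, sig = certificate
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        claims = json.loads(payload)
        if claims["pod"] != self.pod_id:
            return False, "certificate is for a different pod"
        if claims["analyst"] != claimed_analyst:
            return False, "certificate belongs to another analyst"
        if now >= claims["exp"]:
            return False, "certificate expired"
        if not self._fims.is_active(claims["serial"]):
            return False, "certificate revoked by case manager"
        return True, "session for case %s opened" % claims["case"]


def demo():
    """Walk the flow with constructed identifiers and report each check's outcome."""
    key = secrets.token_bytes(32)
    fims = Fims(key)
    pod = Pod("pod-airport", fims, key)
    fims.open_case("manager-a", "CASE-001")
    fims.accept_job("analyst-x", "CASE-001")
    cert = fims.authorize("manager-a", "CASE-001", "analyst-x", "pod-airport", 1_000, 3_600)
    results = {"valid": pod.accept_session(cert, "analyst-x", 1_500)[0],
               "wrong_analyst": pod.accept_session(cert, "analyst-y", 1_500)[0],
               "expired": pod.accept_session(cert, "analyst-x", 5_000)[0]}
    payload, sig = cert
    forged = (payload.replace("pod-airport", "pod-other"), sig)   # re-pointed without re-signing
    results["forged"] = Pod("pod-other", fims, key).accept_session(forged, "analyst-x", 1_500)[0]
    fims.revoke_case("manager-a", "CASE-001")
    results["after_revoke"] = pod.accept_session(cert, "analyst-x", 1_500)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that each of the article's safeguards is a separate check the pod performs before opening a session: the certificate must be unmodified, bound to this pod and this analyst, unexpired, and still active in FIMS, so a case manager's revocation takes effect even for a certificate that is otherwise valid.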

The analysts need no special tools on their machines. The devices can be secure or nonsecure on any network. For example, the pod could be on a satellite link from a desert camp, and the analyst could be on a mobile telephone connection in New Zealand. “All the process takes place on the remote pod,” Sheldon says.

At a U.S. European Command conference, Sheldon connected to a pod 17 miles away—although he explains that distance is irrelevant—and then initiated a search for e-mail and more on the hard disk via his mobile telephone. “You wouldn’t want to do that every day, but it’s certainly usable,” he shares.

U.S. Army soldiers enter a home during a raid in the Al Uruba neighborhood of Mosul, Iraq. Remote Forensics could help retrieve information from seized computers faster than through traditional forensics analysis methods.
Sheldon explains that an important facet of Remote Forensics is its ability to provide time-critical information to those who need it quickly. The military and other organizations are interested in obtaining intelligence as soon as possible, and current methods often take too long. Experts have a limited amount of time between when they take possession of a computer and when information must be delivered. Data must be extracted from a computer, sent to an analyst, aggregated and backed up and then sent wherever it needs to go. If those who seize the computers had a pod in place, they would close all the loops in the information delivery process.

Remote Forensics also could allow investigation officials to work around laws in some countries that prevent taking information over national borders. In the past, forensics analysts had to fly to those countries to perform their work. Sheldon explains that with Remote Forensics, the data never leaves the country because analysts have the ability to see it where it is. “That’s one of the nice features from our perspective,” he states.

The capabilities inherent in Remote Forensics suit it toward large-scale operations as well. If an anti-terror raid occurred at 10 locations around the country and included computer seizures, law enforcement and intelligence officials would have to deploy all the necessary encryption and data experts and investigators to the dispersed raid locations, or the officials would have to gather all the experts and materials at one site. “That takes 12 hours before you’re able to get to the machines,” Sheldon says.

According to Sheldon, the United Kingdom wants to avoid that time loss by equipping every police force with at least one pod. During a raid, local officials can plug the hard disk into the pod and start a case, and the forensics experts can begin analyzing information from all the raid locations within minutes. Because of Remote Forensics’ security measures, officials in one country can take advantage of expertise in another nation. A customs agent in London could intercept potential terrorists and confiscate their laptops at an airport. The agent could plug the hard disk into a pod, and intelligence officials in London could log on and examine the data and discover the suspects’ nationality. If the suspects were American, for example, the Federal Bureau of Investigation would be alerted, and the U.S. experts would be invited to log on and examine the information in the pod. “You can create these dynamic networks and invite people to see this data and share these networks much more efficiently,” Sheldon shares.

Detective Sgt. Richard Matthews with the Metropolitan Police Internet Investigation Unit in the United Kingdom says the benefits speak for themselves, but adds that the police are in only the early stages of examining the technology. He explains that Remote Forensics could have been used in recent terrorist investigations in the United Kingdom because investigators needed to perform forensics analyses on computers located in another country. “For me, it seems very time-saving,” Detective Sgt. Matthews states. He also says that keeping experts in one location instead of sending them around the world would eliminate cost constraints associated with investigations as well as provide intelligence more quickly.

According to Detective Sgt. Matthews, technologies such as Remote Forensics could benefit evidence continuity as well. The main part of the effort remains with an officer, and another person accesses it remotely. It saves the time of having to transport hardware to the forensics experts. “An investigator could start, and another expert could join the investigation without the hard drives being shipped here, there and everywhere,” he says.

The technology especially could impact the results of investigations not only of terrorist actions but also kidnapping, murder and pedophilia. “I think that time is of the essence in all these investigations,” the detective sergeant states.

In addition to the applications for Remote Forensics in the public sector, private industry could use the technology in operations as well. The threats differ from the dangers to government systems: the two biggest threats to companies are hacking and leaks of proprietary information. Evidence Talks experts could work with a company to identify its risk areas and then place a pod in the risk locations. A company with four office locations might need the pod in only two—probably the two largest offices. Or a bank might want to set up pods in district offices but not in every branch. In addition to the pods, the company would host FIMS on intranet- or Internet-based applications, and the system would be operational. “There’s hardly any set-up required,” Sheldon states.

Use of Remote Forensics involves up-front costs and a monthly service fee based on the number of pods an organization uses over the three-year contract. Companies would have a FIMS administrator who could add forensics contacts from the companies’ personnel or from outside organizations. The FIMS manager would give the forensics analysts accounts on FIMS, and those account holders would log on and update their records independently to ensure they remain reachable.

Web Resources
Evidence Talks Remote Forensics:
United Kingdom Metropolitan Police Service: