I was recently reading an article in Forbes Magazine about the importance of a good foundation when building a home. When we build a house, we think about how big it will be, how it will be decorated, what kind of a view it will have or whether it will be close to schools and shopping. But rarely does one think about the most important part of the house – the foundation. It’s the underpinning of any building and can either support that house for generations to come or be the source of significant instability.
This article made me think about how the same is true in digital forensic acquisitions. A digital forensic investigation typically involves three steps: acquisition, analysis and reporting. The acquisition portion involves capturing an image of a computer’s RAM and creating an exact duplicate of the media. This step is the foundation of the investigation. The analysis and reporting is only as good as the information that was acquired and without a stable foundation, the investigation could easily crumble.
I often think about how technology changes have impacted the digital forensic acquisition process. I can’t even count the number of computer interfaces I’ve seen come and go in my career. From SCSI to FC to SAS to SATA … and the list goes on. And not that long ago, 2.5GB was an impressive amount of storage on a corporate computer – now your kid’s MacBook probably has at least 500GB of storage. In today’s tech-savvy world, a variety of data encryption technologies have become available, and criminals often encrypt the data on their device to ensure they aren’t discovered. Imagine the challenge law enforcement faces when they show up at a suspect’s house and need to conduct forensic acquisitions of the devices in that house. Considering the average American household now has 11 electronic devices and those devices can vary by size and interface type, and may or may not be encrypted, investigators need acquisition tools that provide the flexibility needed to accommodate a variety of scenarios. Broaden that scope to an investigation done by the FBI or the Department of Homeland Security and the number and types of devices they encounter in an investigation, the flexibility of a forensic acquisition tool becomes even more important.
A successful digital forensic acquisition doesn’t stop with the ability to accommodate different interface types, storage capacities or encryption techniques. Law enforcement resources are strained everywhere you turn, so the ability to quickly kick off an investigation with a successful acquisition operation is paramount to law enforcement efficiency and improving public safety. This makes speed another key element to consider in forensic acquisitions. Hardware-based forensic imaging, by nature, is faster than that of software-based acquisition because it occurs on a portable, standalone device dedicated solely to that imaging operation, generating forensically sound images that are not subject to some of the performance and virus issues that a computer running acquisition software might introduce. However, not all forensic imaging tools are created equal, so the ability to provide high-performance acquisition is another key capability to consider.
There are other elements to consider with forensic imaging tools. Ease of use is important when you consider the variety of expertise investigators may have and the importance of conducting the acquisition quickly. Affordability is another factor, recognizing that even with an increase in funding from the federal levels, budgets are still tight for law enforcement and government agencies.
There’s a lot to consider to get the right forensic acquisition tool in place, but because this step builds the foundation for an investigation, it’s important to make the right decision.
Law enforcement and government agencies have depended on OpenTextTM Tableau Forensic solutions for more than 20 years to provide that foundation and facilitate digital forensic investigations with imaging, duplication and write-blocking capabilities. As the pioneer in digital forensic investigations, OpenText Tableau Forensic and EnCase digital forensic solutions provide investigations with the information advantage needed to help make the world a safer, more secure place by finding the truth in data. Visit our website for more information on Tableau Forensic imagers, duplicators, bridges/write blockers and accessories.
