Dell™ Digital Forensics
Solution Guide
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of
your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if
instructions are not followed.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
____________________
Information in this document is subject to change without notice. © 2011 Dell Inc. All rights reserved.
Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
Trademarks used in this text: Dell™, the DELL™ logo, PowerEdge™, EqualLogic™, and PowerConnect™ are trademarks of Dell Inc. and/or its affiliates.
Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
Citrix® is a registered trademark of Citrix Systems, Inc. in the United States and/or other countries. Oracle® is a registered trademark of Oracle Corporation.
2011 - 07 Rev. A00
Contents

1 Introduction  7
    The Dell Digital Forensics Lifecycle  9
    Dell's Solution Eases Industry Pain Points  11
    Solution Components  12
        In the Field  12
        In the Datacenter  13
    About This Document  16
    Related Documentation and Resources  16

2 Triage  17
    What is Triage?  17
    Dell's Triage Solution Advantage  17
    Collecting Digital Forensics Evidence  19
    Standard vs. Live Acquisition  20
    How to Perform Triage Using the Dell Digital Forensics Solution  20
        Turn on Your Dell Ruggedized Laptop  20
        Burn a Boot CD for Standard Acquisition Procedures  21
        Register a Collector or Store Disk  21
        Clean a Collector or Store Disk  23
        Configure a Collector Profile  23
        Deploy Triage Tools  33
        Reviewing Collected Files After Triage  36

3 Ingest  39
    Datacenter-enabled EnCase 6  39
        Single-server Solution  40
        Multi-server Solution (High Availability)  40
    Datacenter-enabled FTK 1.8  42
        Single FTK 1.8 Session Per Desktop  42
        Multiple FTK 1.8 Sessions Per Desktop  42
    Datacenter-enabled FTK 3  43
        Single FTK 3 Server Solution  44
        Multiserver Solution (No High Availability)  44
    FTK 3 Lab Edition  46
    Multiple Forensics Applications Delivered to One Desktop  47
    Network Configuration Recommendations  48
    How to Perform Ingest Using the Dell Digital Forensics Solution  51
        Ingest Using SPEKTOR  51
        Ingest Using EnCase  53
        Ingest Using FTK 1.8 and 3.0 Datacenter-enabled  56
        Ingest Using FTK 3 Lab Edition  59

4 Store  63
    Efficiency  63
    Scalability  64
    Security  64
        Physical Access Layer  64
        Administrative Control Layer and Active Directory  65
        Computer-Based Security Layer and Active Directory  65
    Tiered Storage  66
        Matching Evidence Archiving and Retrieval to the Life of the Case  67
    How to Set Up Storage Security Using the Dell Digital Forensics Solution and Active Directory  68
        Creating and Populating Groups in Active Directory  68
        Applying Security Policies Using Group Policy Objects  69
            Creating and Editing GPOs  69
            Editing a New GPO (Windows Server 2008)  70
        Active Directory Support for Secure Password Policies  70
        Active Directory User Accounts  71
            Create a Non-administrative User Account  73
        Setting Up Security for Individual Case and Evidence Files  74

5 Analyze  77
    Types of Analysis  77
        Hash Analysis  77
        File Signature Analysis  78
    What is Distributed Processing?  78
        Using Distributed Processing in FTK 3.1  79
        Checking the Installation  81
        Finding Files on the Network  81
    Analysis Using FTK  82
        Open an Existing Case  82
        Processing Case Evidence  82
    Analysis Using EnCase  82
        Open an Existing Case  82
        Create an Analysis Job  83
        Run an Analysis Job  83
        Performing a Signature Analysis  84
        Viewing Signature Analysis Results  84

6 Present  85
    How to Create Reports Using the Dell Digital Forensics Solution  85
        Create and Export Reports Using EnCase 6  85
        Reports Using FTK  86

7 Archive  87
    Client One-Click Archive Solution  88
    Dell Backup Recommendations  89
        Backup of Evidence and Case files  89
        Off-host vs. Network  90
    How to Archive Using the Dell Digital Forensics Solution  93
        On-Demand Archiving  93
            Requirements  93
            Installation  93
        Archiving Using NTP Software ODDM  93

8 Troubleshooting  95
    General Troubleshooting Tips  95
    Forensics Software-Specific Issues  95
        EnCase: EnCase launches in Acquisition Mode  95
        FTK Lab: Browser launched by client cannot display User Interface  96
        FTK 1.8: 5000 object limit / trial version message  96
        FTK 1.8: Cannot Access Temp File error appears on launch  96
    Citrix Issues  96
        Citrix: Applications won't launch  96
        Frozen or Crashed Citrix Sessions  97

Index  99
Introduction

[Figure: Dell Digital Forensics lifecycle wheel: Triage, Ingest, Store, Analyze, Present, Archive]
In recent years there has been an exponential increase in the volume, velocity, variety, and sophistication of digital activity by criminals and terrorist groups around the world. Today, most crimes have a digital component. Some have called it a digital tsunami. This growth has been augmented by dramatic advances in electronic hardware. The expanding diversity of consumer electronic devices and their increasing memory and storage capacity offer criminals and terrorists a wealth of opportunity to hide harmful information.
It is not uncommon for PCs and laptops to come with hard drives that measure in the hundreds of Gigabytes of storage. The latest hard drives include options for one or four Terabytes. Consider that a single Terabyte can store the content of two hundred DVDs: a vast amount of storage representing a problem that will only continue to grow.
From PCs to laptops, mobile phones to thumb drives and even game consoles, digital forensics professionals are being pushed to the limit to clone, ingest, index, analyze, and store growing amounts of suspect data while preserving the digital chain of custody and continuing to protect citizens.
Introduction 7
Table 1-1. How Big is a Zettabyte?

Unit             Bytes                               Example
Kilobyte (KB)    1,000                               2 KB: a typewritten page
Megabyte (MB)    1,000,000                           5 MB: the complete works of Shakespeare
Gigabyte (GB)    1,000,000,000                       20 GB: a good collection of the works of Beethoven
Terabyte (TB)    1,000,000,000,000                   10 TB: an academic research library
Petabyte (PB)    1,000,000,000,000,000               20 PB: annual production of hard-disk drives
Exabyte (EB)     1,000,000,000,000,000,000           5 EB: all words ever spoken by human beings
Zettabyte (ZB)   1,000,000,000,000,000,000,000       2 ZB: data expected to be created globally during 2010*

* Roger E. Bohn, et al., How Much Information? 2009, Global Information Industry Center, University of California, San Diego (January, 2010).

NOTE: The table uses decimal (SI) prefixes, which is how drive capacities are marketed. Operating systems and many imaging tools report binary units (1 KiB = 1,024 bytes), so a drive sold as 1 TB appears as roughly 931 GiB; record which convention a tool used when you document image and evidence sizes.
When suspected criminals have been charged and computers and other digital assets seized, digital forensics professionals are put under enormous pressure to process and analyze potential evidence in a very short space of time, often in environments poorly suited to meeting evidentiary requirements. Where whole organizations are suspected of criminal or terrorist activity, the number of devices to be analyzed can escalate dramatically.
Digital forensics provides a means for acquiring data retrieved from computers or other digital devices (mobile phones, games consoles, flash drives, GPSs, etc.), and the scientific examination and analysis of that data in a manner that ensures the information can be used in a court of law. The Dell Digital Forensics Solution comprises the first end-to-end, true enterprise-level solution for law enforcement, corporate and government security agencies, and e-discovery organizations, providing all the hardware, software, and service and support necessary to collect, triage, ingest or image, store, analyze, report, and archive digital evidence.
Using Dell’s scalable and affordable enterprise server and storage hardware and—depending on the requirements of your software environment—Oracle database systems on the back end, a combination of Dell’s ruggedized laptops and SPEKTOR software in the field, and full service and support from Dell,
investigative personnel can conduct digital forensics data triage and collection quickly and simply, ensuring chain-of-custody from the field to the datacenter, and into the courtroom.
The Dell Digital Forensics Lifecycle
The Dell Digital Forensics Solution assists the forensics investigator across the six stages of the forensics lifecycle: Triage, Ingest, Store, Analyze, Present, and Archive.
Figure 1-1. The Dell Digital Forensics Lifecycle
Triage
The triage process allows the digital forensics investigator the opportunity to quickly view the contents of target devices to determine whether or not the device should be removed to the lab for further analysis and preparation for presentation in court.
Ingest
Ingest is the stage of the digital forensics process in which the target data is imaged (unless it has been imaged in the field as part of the Triage stage), and an exact copy of the suspect storage device is created in such a way that the integrity of the duplicate can be assured by comparing hashes of both the original and duplicate data drives.
In common with existing practices, suspect data is imaged in the Dell Digital Forensics Solution. Instead of imaging data onto a single workstation, however, the imaged data is ingested into a central evidence repository. By ingesting data immediately into the datacenter, data is available to multiple analysts, transfer from one device to another is minimized, and productivity and efficiency is dramatically improved. Ingestion can, however, take place in the field if the target storage capacity is small enough. The Dell Digital Forensics Solution provides onsite ingestion through the use of an optional SPEKTOR Imager module.
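The hash comparison that the Ingest stage relies on, shown as an added example rather than code from SPEKTOR, EnCase or FTK: the script below hashes a source and its image in a single streaming pass each, reports whether every digest and the byte count agree, and writes the result into a custody-style record. The file names, examiner name and record layout are assumptions; the sample source, a good image and a one-byte-corrupted image are constructed in a temporary directory so that the script runs offline.

```python
"""Verify that a forensic image is a bit-for-bit copy of its source.

Added example (not SPEKTOR, EnCase or FTK code). Paths and the record
layout are hypothetical; the sample data below is constructed in a
temporary directory so the script runs offline. On a real acquisition
the source path would be the write-blocked device (read access needed).
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-TB sources


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest, "bytes": n}, computed in one pass.

    Computing MD5 and SHA-256 together costs one read of the media, not
    two. MD5 is kept only because legacy tools and older records cite it;
    SHA-256 is the digest to rely on.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            total += len(block)
            for h in hashers.values():
                h.update(block)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["bytes"] = total
    return result


def verify_image(source, image, examiner="hypothetical examiner"):
    """Compare source and image digests; return a custody-style record.

    'verified' is True only when every digest AND the byte count match,
    so a truncated image that shares a prefix with the source is rejected.
    """
    src = hash_file(source)
    img = hash_file(image)
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "source": {"path": source, **src},
        "image": {"path": image, **img},
        "verified": src == img,
    }


def demo():
    """Constructed sample: a good copy verifies, a one-byte change does not."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "sda.raw")  # stands in for the seized disk
        good = os.path.join(tmp, "sda.dd")     # a correct image
        bad = os.path.join(tmp, "sda_bad.dd")  # image with one corrupted byte
        data = bytes(range(256)) * 8192        # 2 MiB of constructed content
        with open(source, "wb") as fh:
            fh.write(data)
        with open(good, "wb") as fh:
            fh.write(data)
        with open(bad, "wb") as fh:
            fh.write(data[:1000] + bytes([data[1000] ^ 0xFF]) + data[1001:])
        return verify_image(source, good)["verified"], verify_image(source, bad)["verified"]


if __name__ == "__main__":
    ok, corrupted = demo()
    print(json.dumps({"good_image_verified": ok, "corrupted_image_verified": corrupted}))
```

The record is what a chain-of-custody entry needs at this stage: who verified, when, against which paths, and the digests and sizes on both sides, so that a later re-hash of the image in the datacenter can be compared to the same numbers.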
Store
The Dell Digital Forensics Solution provides a wide range of possible storage and network access options to suit the individual customer. High-speed storage and retrieval across an enterprise-level network environment allow for a multiuser configuration that increases efficiency and productivity. Analysts will no longer have to allocate their individual computing assets to complete evidence analysis, as all this will happen on the server dedicated for that purpose.
Analyze
The parallel processing capability provided by the Dell Digital Forensics Solution allows the analyst to index and triage data on high-performance servers rather than on far less powerful individual PCs. Additionally, multiple analyst sessions may be run concurrently on single or multiple workstations using the back-end configurations that comprise the Solution. Because the processing runs on the server rather than on the analyst's own machine, this arrangement helps protect both system and evidence integrity, helps preserve chain of custody, and avoids analyst workstation rebuilds, whether because malicious code from the evidence was mistakenly executed or simply when moving from one case to the next. In the Digital Forensics environment, Chain of Custody may be defined as maintaining the integrity of digital data as evidence from the time it is collected, through the time findings are reported, and until the time it may be presented in a court of law.
Present
Using the Dell Digital Forensics Solution, viewing teams and investigators can access potential case evidence securely and in real time, thus mitigating the need to release evidence on DVDs or to require experts to travel to the lab for file access purposes.
Archive
The Dell Solution offers formalized backup, recovery, and archiving infrastructure to help optimize cooperation between agencies and security divisions and even across borders, free up administrative overhead, provide consistency between labs, and minimize risks to the digital chain of custody.
Additionally, Dell’s Digital Forensics Solution blueprint includes an optional search component that allows for information correlation between ingested data sets.
Dell’s Solution Eases Industry Pain Points
Using the Dell Digital Forensics Solution can make the process of bringing digital evidence from the crime scene to the courtroom considerably simpler for investigative professionals by providing:
• State-of-the-art datacenter networking that speeds ingestion, analysis, and sharing of digital information
• Information assurance by further automating the digital forensics process, thereby lowering the risk of error and data compromise
• Additional data integrity assurance, currently through the use of cryptographic hash algorithms, and in a future release through an auditing feature that will help automate chain-of-custody records
• An end-to-end solution that significantly lowers the complexity of planning, implementing and managing an enterprise-level digital forensics process
• An affordable and flexible solution that is modular and scalable, expandable and pay-as-you-go
NOTE: Any conclusions or recommendations in this document that may resemble legal advice should be vetted through legal counsel. Always check with your local jurisdiction, local prosecutors, and local forensics laboratory regarding their preferred method(s) of digital evidence collection.
Solution Components
In the Field
The mobile portion of the solution fits into one hardshell case designed to fit into the overhead bin of an aircraft. The rugged case carries all the tools and software required for onsite triage of suspect storage devices, and it includes a Dell E6400 XFR Ruggedized Laptop with SPEKTOR forensics software preinstalled, Tableau Forensics Write-Blockers with accessories, an optional number of external USB hard drives that are licensed to work with the SPEKTOR software as triage image collectors, a 50:1 card reader, and the adaptors and cables listed in Figure 1-2.
Figure 1-2. Dell Digital Forensics Solution: Mobile Components
1 50:1 card reader
2 USB DVD ROM
3 Collector USB cables
4 Phone cables option for SPEKTOR PI (optional)
5 External hard drive Collectors (5)
6 Image restore disk
7 SPEKTOR boot disk
8 Dell ruggedized laptop
9 Dell ruggedized laptop power supply
10 Pelican Case
In the Datacenter
In the datacenter, the Dell Digital Forensics Solution includes a customized configuration comprising the following components:
• Dell PowerEdge R410, R610, and R710 Rack Servers
• Dell PowerEdge M610 and M710 Blade Servers
• Dell EqualLogic 4000/6000 Series SAN
• Windows Server 2008 R2
• Citrix XenApp 6.0
• AccessData FTK 1.8, AccessData FTK 3, AccessData Lab
• Guidance EnCase 6.15
• NTP Software On-Demand Data Management (ODDM)
• Symantec Enterprise Vault
• Symantec Backup Exec 2010
• Dell PowerConnect Switches
• Extreme Networks Switches
The Dell PowerEdge Rack and Blade Servers can fulfill a variety of roles: file server, evidence server, archive server, database server, EnCase and FTK license servers, backup server, or domain controller. They support Microsoft Active Directory and all the security and forensics software that make up the Dell Digital Forensics Solution.
Figure 1-3. Dell Digital Forensics Solution: Datacenter
[Diagram; switch port labels not reproduced.]
1 PowerEdge R410 server or R610 server (optional)
2 Dell PowerConnect switch
3 Dell Precision or OptiPlex workstation
4 Dell PowerConnect switch
5 1 Gb/s data stream (Gigabit Ethernet)
6 Dell PowerEdge M1000E and M610 Blade servers
7 10 Gb/s data stream (10 Gigabit Ethernet)
8 Dell EqualLogic PS4000 or PS6000 series storage systems
9 Dell PowerVault ML class storage
About This Document
This document covers each stage of the digital forensics process in its own chapter, with additional chapters on troubleshooting, hardware and software supported by the Solution. Each of the process chapters begins with a discussion of best practices and specific issues that you may encounter as you implement and manage the Solution, and then moves to a walk-through of the various tools and components relevant to that stage of the Solution.
Related Documentation and Resources
You can access additional information at support.dell.com/manuals.
Triage

[Figure: Dell Digital Forensics lifecycle wheel with Triage highlighted: Triage, Ingest, Store, Analyze, Present, Archive]
What is Triage?
Triage allows the digital forensics investigator to browse the data contained on suspect devices and to decide which devices are actually evidentiary and worth seizing, either for immediate imaging on site (if the data volume is small) or for later imaging in the datacenter. This ability to preview and seize only select target devices can substantially reduce the delays that affect investigators' ability to present evidence in a timely fashion. Triage curtails the backlog of storage devices awaiting imaging at the forensics lab, uses fewer resources, avoids adding to an already overloaded ingestion queue, and reduces operating costs.
Dell’s Triage Solution Advantage
Mobile
Dell’s Digital Forensics Solution can be at the crime scene with the investigator; all components have been thoroughly pre-tested to work together, and they cover a broad range of target device ports and connectors that you might expect to find in the field.
Fast
Existing forensic triage solutions can be slow and may even miss data because they perform tasks such as keyword searches or hash matching during data collection. Dell's Digital Forensics Solution overcomes this obstacle by using the computing power of the Dell ruggedized laptop, rather than the target PC, to perform analysis on the collected data. In some cases, you may be able to bypass imaging and indexing processes in the forensics lab altogether.
Easy to Use
The Triage components of the Solution are ready to use right out of the hardshell case. The preinstalled software offers an intuitive touch-screen interface. User-defined, reusable collection profiles for different scenarios may be created for standard deployment.
Forensically Acceptable
Triage software enforces an efficient and forensically acceptable process, ensuring any potential evidence is captured, reviewed, and stored without compromise.
Flexible
The Triage components can be used to examine the most common digital storage devices and platforms, including devices running under both Windows and Apple's Mac OS X operating systems, as well as a wide array of digital storage device types, such as MP3 players, external hard drives, memory cards, mobile and satellite phones, GPS units, iPads and iPhones, and flash drives. Furthermore, triage results using the Dell Digital Forensics Solution are exportable to other programs.
Powerful
The Dell ruggedized laptop controls the entire process from performing an automated analysis of targeted data to delivering detailed results in easy-to-use report format within a few minutes of data capture. Using the Dell Solution, the investigator will be able to run multiple triage scans in parallel with a single license key.
Collecting Digital Forensics Evidence
Figure 2-1. Collection Workflow
[Flowchart. Decision points: Are trained personnel available? Is the device on? Is the device a networked environment? Are destructive processes running? Is evidence visible on the screen? Actions: secure scene; request assistance; do not turn device on; do not turn the device off; document and photograph information; remove power cord from device(s); label all connections on device(s); locate and secure evidence; process all devices; secure evidence.]
Standard vs. Live Acquisition
The Dell Digital Forensics Solution offers two types of acquisition: Standard and Live. During a standard acquisition procedure, the Dell ruggedized laptop uses the SPEKTOR boot disk to capture triage data from an already powered-down target storage device. A live acquisition triage procedure, on the other hand, aims to capture triage data from a still powered-up target storage device, obtaining evidence not otherwise available.
Previously, industry standards required that the investigator unplug and seize a digital device for transport and examination back at the lab. This practice meant the loss of potentially valuable evidence in the form of volatile data: anything on the clipboard, currently open files, the contents of RAM, cached passwords, and so on. Additionally, data on an encrypted volume that is mounted while the system runs becomes inaccessible once the computer is shut down, because the decryption key held in memory is lost; such data may be unrecoverable if the disk is not imaged before shutdown. Furthermore, many computers have user-set BIOS and hard drive passwords, and removing power from a live system protected by a BIOS password can cause loss of access to the entire content of the device.
Industry best practices require the investigator to approach a suspect data storage device with the following guidelines in mind:
• If the device is powered on, keep it on where possible until a thorough investigation can be performed.
• If the device is powered off, leave it off.
The reason for these guidelines is that the investigator must preserve the storage device as it was found at the scene, introducing as little change as possible to the device and its contents.
How to Perform Triage Using the Dell Digital Forensics Solution
Turn on Your Dell Ruggedized Laptop
1. Press the power button to log on to the Dell ruggedized laptop. The laptop automatically loads the SPEKTOR software.
2. Tap or click Accept EULA. The Home screen opens.
Figure 2-2. Home Screen
Burn a Boot CD for Standard Acquisition Procedures
1. At the Home screen, tap or click Admin. Then tap or click Burn Boot CD.
Figure 2-3. Burn Boot CD Button on the Home Screen
2. Follow the instructions on the screen, and then click Finish.
Register a Collector or Store Disk
NOTE: Collectors must be licensed and configured by SPEKTOR before they can be used with your Dell Digital Forensics Solution. Contact your systems administrator if you need additional Collectors or licenses.
1. Plug a new Collector or store disk into one of the USB ports on the left-hand side of the Dell ruggedized laptop. The device appears on the screen as an unrecognized device.
Figure 2-4. Unknown Collector or Store Disk Status Indicator
2. Tap or click the Status Indicator icon that corresponds to the Collector or store disk you plugged into the Dell ruggedized laptop. Once the device has been registered, its icon turns green (for a Collector) or orange (for a store disk).
3. The Unknown Device Menu displays.
Figure 2-5. Unknown Device Menu
4. Tap or click Register this device as a Collector or Register this device as a Store Disk.
5. Tap or click Yes. The status indicator shows the new Collector or store disk number, and its status changes to Dirty.
Figure 2-6. Dirty Collector and Store Disk Icons
NOTE: Collectors and store disks, whether newly registered or previously used on other data collections, must be cleaned before they can be deployed against a target, so that residue from an earlier collection cannot be mistaken for data from the new one.
6. For a store disk only, enter the serial number of the store disk.
Clean a Collector or Store Disk
NOTE: Allow approximately two hours per 100 GB of Collector volume.
1. Select the Status Indicator representing the Collector you want to clean.
2. On the Collector Menu, tap or click Clean Collector.
3. Tap or click Yes to confirm your selection. Cleaning begins, and the Status Indicator shows the cleaning progress.
When cleaning has completed, the software runs a verification pass to confirm that every byte on the Collector drive is zero.
Figure 2-7. Registered, Clean Collector and Store Disk Status Indicators
NOTE: If the cleaning process has not been successful, the status indicator will show that the Collector remains dirty. Re-initiate the cleaning process. If cleaning is unsuccessful a second time, try another Collector or store disk.
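What the post-clean verification pass checks, as an added example rather than SPEKTOR's own routine: the script streams a Collector (a block device path such as the hypothetical /dev/sdX, or an image of it) and stops at the first non-zero byte, returning where the residue is. The two sample "Collectors" are constructed in a temporary directory so the script runs offline; on a real device it needs read permission on the raw disk.

```python
"""Verify that a wiped Collector contains nothing but zero bytes.

Added example, not SPEKTOR's verification routine. The device path is
hypothetical; the sample disks are constructed in a temporary directory.
"""
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads
ZERO_CHUNK = bytes(CHUNK)


def verify_wipe(path):
    """Stream the device; return (clean, bytes_read, first_dirty_offset).

    Each chunk is compared against an all-zero buffer of the same length,
    which runs at the media's sequential read speed; only a chunk that
    fails that comparison is scanned byte by byte to locate the residue.
    The scan stops at the first non-zero byte, so a failed wipe on a large
    disk is reported quickly. bytes_read equals the device size only when
    the whole device was verified (clean is True).
    """
    offset = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return True, offset, -1
            if block != ZERO_CHUNK[: len(block)]:
                dirty = offset + next(i for i, b in enumerate(block) if b)
                return False, offset + len(block), dirty
            offset += len(block)


def demo():
    """Constructed sample: one clean Collector, one with leftover data."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "collector_clean.img")
        dirty = os.path.join(tmp, "collector_dirty.img")
        with open(clean, "wb") as fh:
            fh.write(bytes(6 * 1024 * 1024))  # 6 MiB of zeros
        with open(dirty, "wb") as fh:
            fh.write(bytes(5 * 1024 * 1024))  # 5 MiB of zeros, then ...
            fh.write(b"PK\x03\x04")           # a zip header left by a prior collection
            fh.write(bytes(1024))
        return verify_wipe(clean), verify_wipe(dirty)


if __name__ == "__main__":
    for label, result in zip(("clean", "dirty"), demo()):
        print(label, result)
```

A Collector that fails this check must not be deployed: a non-zero byte at any offset is either residue from a previous target or a sign that the wipe did not reach the whole device, and in either case the next collection would no longer be attributable to a single source.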
Configure a Collector Profile
NOTE: By default, configuration settings in the triage software are set to collect no
files. Specify a restricted subset of all files on the target device to lower collection time and avoid exceeding the capacity of the Collector.
Triage 23
Configuring a Collector allows the user to determine a series of specific filetypes or files created between a specific set of dates that the Collector will pull from the suspect storage device for triage. The more you are able to restrict your collection parameters, the more quickly the target data can be acquired for review.
Dell recommends establishing a set of standard configuration profiles for the scenarios you or your agency encounter repeatedly. Examples of such standard configuration profiles are as follows:
• Photos and Videos would capture filetypes such as *.jpg, *.png, *.swf, *.vob, and *.wmv, which are associated with photographs, video, or other types of visual media.
• Documents would specifically collect filetypes such as *.pdf, *.doc, *.docx, and *.txt.
• Audio_Files would gather *.mp3, *.mp4, *.wav, and other audio files.
Configuring a Collector for Acquisition
NOTE: For an explanation of the differences between standard and live acquisition, see "Standard vs. Live Acquisition" on page 20.
NOTE: When a Collector is configured for standard or live acquisition, it must be cleaned before it can be reconfigured for use in the other type of acquisition.
1. From the Collector Menu, tap or click Configure Collector.
Figure 2-8. Collector Menu
2. If you have previously created a configuration profile that you want to use, select the profile and tap or click Configure using selected profile to initiate configuration of the Collector; otherwise, tap or click New to create a new profile.
NOTE: Figure 2-9 shows the Select Profile screen at first use of the software, before any profiles have been defined and saved. Once you have begun creating configuration profiles, they will appear in this screen for your use.
NOTE: Navigation from one of the Collector Configuration screens to the next is accomplished by tapping or clicking the left- and right-arrow buttons at the top and to one side of the screen.
Figure 2-9. Select Profile
3. Determine the type of acquisition you want to perform, Live or Standard (see "Standard vs. Live Acquisition" on page 20 for further information on the difference between the two), then tap or click either Live Acquisition or Standard Acquisition.
Figure 2-10. Profile Configuration Step 1: Acquisition Type
4. Determine the timestamp settings for your new profile. The more specific you can be, the less time it will take to process the captured files.
Figure 2-11. Profile Configuration Step 2: File Timestamp Settings
5. Click the right arrow in the upper-right corner of the screen.
6. In the File Extension Filter screen, select the filetypes you want to collect. Use the right arrow to move the selected filetypes and their associated extensions from the Not Selected list box to the Currently Selected list box.
Figure 2-12. Profile Configuration Step 3: File Extension Filter
7. Click the right arrow in the upper-right corner of the screen when you have finished selecting filetypes and extensions.
NOTE: Unless specifically required, it is suggested that you leave Quick Mode off. A file collected in Quick Mode is truncated, so its hash will not match hash sets computed over whole files; use Quick Mode to preview content, not for hash matching.
8. In the Quick Mode screen, select how much of the beginning of each file you want to capture (1 MB, 5 MB, 10 MB, or Entire File). By collecting only the first part of very large files (usually multimedia files), you can review enough of each file to determine its subject matter while minimizing the processing time required.
NOTE: If you did not select file extensions in step 6, no files will be collected and no filetypes will be displayed for selection in this screen. Return to step 6 and select the required filetypes to activate them for step 8.
Figure 2-13. Profile Configuration Step 4: Quick Mode
9. Click the right arrow in the upper-right corner of the screen.
10. Tap or click the appropriate button to select any system files that you want to include in your collection.
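The profile steps above, applied in software as an added example (not SPEKTOR's code): the extension filter, timestamp window and Quick Mode cap from the Photos and Videos profile are run against a target tree, and each collected file gets a manifest entry recording how many bytes were taken and the SHA-256 of exactly those bytes. The profile layout, manifest fields and sample target tree are assumptions; the tree is constructed in a temporary directory so that the script runs offline, and the target is only ever opened read-only.

```python
"""Apply a Collector profile (extension filter, timestamp window, Quick
Mode) to a target tree and produce a per-file manifest.

Added example, not SPEKTOR's own code. The profile layout, the manifest
fields and the sample target tree are assumptions; the tree is
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

UTC = timezone.utc

# The "Photos and Videos" profile from this chapter, with an assumed
# timestamp window and a 1 MB Quick Mode cap (None would mean Entire File).
PHOTOS_AND_VIDEOS = {
    "name": "Photos and Videos",
    "acquisition": "standard",  # target is powered down
    "extensions": {".jpg", ".png", ".swf", ".vob", ".wmv"},
    "modified_after": datetime(2011, 1, 1, tzinfo=UTC),
    "modified_before": datetime(2011, 7, 1, tzinfo=UTC),
    "quick_mode_bytes": 1024 * 1024,
}


def matches(profile, path):
    """Extension filter (case-insensitive) plus the timestamp window."""
    if os.path.splitext(path)[1].lower() not in profile["extensions"]:
        return False
    mtime = datetime.fromtimestamp(os.path.getmtime(path), UTC)
    return profile["modified_after"] <= mtime < profile["modified_before"]


def collect(target_root, profile, collector_root):
    """Copy matching files onto the Collector, honouring Quick Mode.

    The target is opened read-only; a hardware write-blocker is what
    actually guarantees it is not modified. Each manifest entry records
    the bytes taken and the SHA-256 of exactly those bytes, so a truncated
    Quick Mode copy is never confused with a whole-file hash.
    """
    cap = profile["quick_mode_bytes"]
    manifest = []
    for dirpath, _dirs, files in os.walk(target_root):
        for name in files:
            src = os.path.join(dirpath, name)
            if not matches(profile, src):
                continue
            rel = os.path.relpath(src, target_root)
            dst = os.path.join(collector_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            digest, copied = hashlib.sha256(), 0
            with open(src, "rb") as fin, open(dst, "wb") as fout:
                while cap is None or copied < cap:
                    want = 65536 if cap is None else min(65536, cap - copied)
                    block = fin.read(want)
                    if not block:
                        break
                    fout.write(block)
                    digest.update(block)
                    copied += len(block)
            size = os.path.getsize(src)
            manifest.append({
                "path": rel.replace(os.sep, "/"),
                "size": size,
                "collected_bytes": copied,
                "truncated": copied < size,
                "sha256_of_collected": digest.hexdigest(),
            })
    return sorted(manifest, key=lambda entry: entry["path"])


def _write(path, data, when):
    """Create a constructed sample file with a chosen modification time."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def demo():
    """Constructed target: two in-window images, one PDF, one stale video."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target")
        collector = os.path.join(tmp, "collector")
        _write(os.path.join(target, "DCIM", "IMG_0001.jpg"), b"\xff\xd8" * (3 * 512 * 1024),
               datetime(2011, 3, 15, tzinfo=UTC))  # 3 MiB: Quick Mode truncates it
        _write(os.path.join(target, "DCIM", "IMG_0002.JPG"), b"\xff\xd8" * 2048,
               datetime(2011, 5, 1, tzinfo=UTC))   # 4 KiB: collected whole
        _write(os.path.join(target, "docs", "report.pdf"), b"%PDF-1.4",
               datetime(2011, 5, 1, tzinfo=UTC))   # excluded: wrong extension
        _write(os.path.join(target, "old", "holiday.wmv"), b"\x30\x26\xb2\x75",
               datetime(2009, 8, 1, tzinfo=UTC))   # excluded: outside the window
        return collect(target, PHOTOS_AND_VIDEOS, os.path.join(collector, "1"))


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The manifest is the part worth keeping alongside the Collector: it ties each collected file to its original path, size and the hash of what was actually copied, which is what a reviewer needs to reconcile the Collector's contents with the target later.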