Over the past few years, there has been an increased interest in using remote capabilities to perform digital forensic functions. The interest until recently was primarily centered on controlling costs. However, in a time where remote work is more prevalent, there has of course been an influx in additional interest and desired capabilities.
Remote forensic operations are a reality. Though there are limitations, most forensic services can be conducted with the forensic examiner accessing the target device from an internet connection. These engagements involve the use of certified and tested forensic applications and encrypted internet connections. The workflows in place are designed to secure the integrity of the digital evidence throughout the processes. The goals remain the same: to use effective, productive forensic protocols to complete the required operation in a verifiable manner that maintains the legal integrity of the evidence.
In digital forensics, the core principle has always been to preserve the evidence without making any alterations to it. At its infancy, digital forensics only dealt with dead box images that were created by imaging a machine while it was powered off or booted to a forensic operating system. Today’s world has seen this principle evolve. Live imaging is acceptable today so long as you validate your tools and the results. This evolution is primarily a result of current security and technology.
This brings us to the capabilities for performing remote collections. Let’s first define what remote means within the context of a forensic collection. “Remote” in the context of this discussion is accessing, analyzing, and forensically preserving data contained on a digital device that is not in the physical possession of the examiner performing the tasks. The following addresses several aspects and issues involved in the execution of remote collections.
Utilization of On-Site Equipment
Remote forensic operations are generally performed by utilizing equipment that is on-site at the target device’s location. The equipment may include external USB hard drives or laptop computers shipped to the client. In some cases, especially where network storage is concerned, it may be possible to conduct the operations by connecting remotely to an on-site computer and installing the necessary tools to collect from the hosted storage of the network. Unfortunately, the infrastructure at most remote locations will not support a direct, over-the-wire forensic imaging of the majority of storage devices. The use of on-site storage and software is still required in most forensic preservations. The primary exception to this would be a targeted network storage collection. These preservations can be performed from a remote connection to a network client computer. If the overall collection is small enough, it could be transmitted from the client site to the data processor via STFP.
Remote Connective Solutions
A concept frequently overlooked in the discussions surrounding evidence preservation is the ability to provide expert attestation to the process and actions involved in the preservation of the digital evidence. The expert involved in digital forensic activities must be able provide an affidavit, declaration, or testimony on the protocols used. To a great extent, this can only be done when they have firsthand knowledge of the actions. We can achieve the witnessing of the forensic operation by utilizing remote connective solutions allowing the expert to perform or witness the operations on remote devices. This of course will require the device to be booted and a live image to be performed. When done correctly, this will result in a verifiable forensic image of the desired data. In so much as the expert performs the collection of documents and all necessary information, the only real difference is in whom is connecting the collection media.
Lately, we have been examining operational protocols and extending our technological capabilities to provide an increased ability to conduct our operations remotely. Our forensic team has yet to encounter circumstances for which a forensic protocol for remote preservation either did not already exist or, in unusual circumstances, could not be developed given the proper information. Existing collection protocols are currently being used to facilitate the preservation of mobile devices (iOS and Android), computers (Mac and Windows, Linux), network-attached storage, email (cloud and on-premise storage), archival systems, document management systems, and database systems, among a few. The key factor in these protocols is connectivity. Since the operations are being performed remotely, there must be connectivity to the site where the data source exists.
Why Not Do Everything Remotely?
Are there circumstances where the preservation of data should require a direct visit on-site? This is a judgment call. The most common reason for a required on-site visit is the lack of technically sophisticated personnel to assist with the collection. While most of the protocols we have developed require little or no technical abilities on the client’s part, there are times where security and network accessibility will require the assistance of IT administrators. Often, we can work through these issues as long as the proper access can be granted. The other consideration for the requirement of on-site work would be where the integrity of the data holders is questionable.
What Does the Future Hold?
During a time of widespread remote working conditions, many have pushed forward with existing matters as there’s been a rare opportunity to catch up. For those who have decided that this prevalence of remote work means the inability to move forward with pending issues, we invite them to contact our Forensic Technology and Consulting team to discuss workflows that will advance current matters. It is likely that we will soon see an influx of work that has been idle for the last few months or has come about in the interim.
Remote work will likely become more commonplace in years to come. From the standpoint of digital forensic operations, this has solidified the use of remote operations for both expediency and cost efficiency.