White Paper Feb.2015 - Amazon Web Services
Transcription
White Paper Feb.2015 - Amazon Web Services
White Paper Feb.2015 Divide, Collaborate and Conquer! Overcoming computer forensic backlog through distributed processing and division of labor. Contents Obstacles to Overcoming Caseload Backlogs.........................................................................................................................................3 Amplifying Resources Utilizing Enterprise and Collaborative Computing Principles.........................................................4 Lab Technology: Providing a Permanent Solution to an Ever-growing Problem....................................................................6 Detailed Infrastructure Diagram: AccessData Lab...............................................................................................................................8 Benefits.......................................................................................................................................................................................................................9 Summary.....................................................................................................................................................................................................................9 Introduction Computer forensics labs across the United States and around the world are struggling to keep up with their evergrowing caseloads. The overwhelming increase in cases affects law enforcement, government agencies and large corporations alike. However, the issue is most often discussed within the context of criminal investigations, for obvious reasons. In an ideal American world you don’t expect to see a lot of news coverage on digital investigations and computer forensics labs, so when this issue makes headlines, you know it is a very real, very dire problem. Currently, there are not enough computer forensic experts and the amount of data that needs examined is becoming very large and complex for examiners to investigate themselves. This creates a problem in not only catching criminals but also in helping the victims of the crimes. The lack of time and equipment to properly examine evidence has created a huge backlog in computer examinations. Law enforcement agencies have had to move to a priority system. This increases the backlog for low priority crimes. FBI Executive Assistant Director Stephen Tidwell was quoted as saying “The pervasiveness of the Internet has resulted in the dramatic growth of online sexual exploitation of children, resulting in a large increase in the number of cases.” So, it’s not only the number of delayed cases that make this an urgent matter. It is the nature of most of these cases that dramatically increases the pressure on computer forensics labs to implement more efficient policies and practices to overcome this issue. In the case of Melendez-Diaz v. Massachusetts, the Supreme Court found that lab reports prepared by forensic experts, if introduced into evidence, were subject to the 6th Amendment Confrontation Clause. This means that if your computer forensics report is used as evidence in court, the defense can call you to the stand for crossexamination. Some analysts are expecting this new ruling to further increase the already significant backlog. Large corporations are also experiencing the digital investigations bottleneck, and while the corporate cases may not always seem newsworthy, the impacts consistent investigation delays have on the bottom line and on employee/ customer privacy are significant. This paper will take a look at the factors that contribute to these burdensome backlogs, and then it will review the technical requirements necessary to significantly reduce—even overcome—the digital bottleneck that plagues computer forensic personnel. Finally, it will illustrate how a solution meeting these technical requirements can be implemented into a lab existing infrastructure and discuss the associated benefits. www.accessdata.com Obstacles to Overcoming Caseload Backlogs A Justice Department audit of the FBI’s cybercrime labs found that 353 requests were awaiting FBI analysis, and it took an average of 60 days for FBI personnel to examine evidence. Inspector General Glenn Fine said, “The processing time for the digital evidence in some cases could take up to nine months, which we concluded was too long.” While the FBI was the unfortunate recipient of this bad press, the fact is virtually every single cybercrime lab throughout the country is overwhelmed. Likewise, the information security departments in almost every large corporation we’ve met with tell us that they need more human resources and more hardware resources. There are several factors that must be addressed to overcome caseload backlog: Outdated Hardware For example, a state police agency applying for federal assistance stated that of the 95 members of its statewide Computer Crime Taskforce, 35 were using mobile forensic computers that are more than six years old. This is a common complaint among state and local law enforcement agencies. In fact, even commercial organizations commonly face budgetary limitations with regard to their hardware resources. Understaffed Departments The Internet Crimes Against Children (ICAC) Program’s task forces throughout the country were awarded Recovery Act funds. Among the task forces, one of the primary uses for that money as stated in the ICAC memo is to hire new investigators/analysts or use that money to retain analysts who would otherwise have to be laid off. When it comes to commercial organizations, the primary goal is business continuity. The cogs must turn or production suffers. To many in the corporate arena, “computer forensics” implies that a cog, or cogs, must stop turning. Therefore, it is often the case that computer forensics is not at the top of the list when budget dollars are doled out. In fact, according to a previous CSI Computer Crime and Security Survey (surveying information security practitioners); only 41% of its respondents even use forensics tools to secure help secure their data. Lack of Training and Training Dollars Many local law enforcement agencies do not have a trained computer forensic analyst on staff and must send the seized data into a state or regional lab for analysis. Even departments and labs with computer forensic analysts on staff find it difficult to provide continuing education to their analysts, which can delay progress on a case. If there are only two seasoned analysts on staff, and several novices, the two pros will find themselves bogged down with analysis work. It’s no wonder why most state and local applications for federal aid cite training as one of the top reasons for requesting the funds. Evidence Being Processed and Reviewed in Disparate Locations It is often the case that data seized at the scene of the crime or acquired from a computer at a remote office is actually processed at a central computer forensics lab. While the investigators, legal personnel and HR personnel responsible for reviewing that evidence are somewhere entirely different. This makes for an inefficient review process. The One Case/One Analyst Paradigm Traditionally, one analyst will be assigned to a case, and that analyst sees the case through from processing to reporting. That model may have worked in the past, but with the influx of computer crime and the dramatic increase in computer-related evidence per case, computer forensics labs might take a lesson from Henry Ford. It is becoming more difficult for examiners to get through a single large case in a reasonable amount of time because data sets and the problem are continuing to get worse. Lack of Infrastructure In most traditional labs, each examiner stores all of the evidence and case information on his or her individual machine. This makes the backup and restoration of cases, evidence and reports a time consuming and critical part of the process that is often difficult to manage, if done at all. Even worse, cases often go on for years, and examiners must bring cases out of storage if and when they make it to court. © 2015 AccessData Group It’s interesting to note that in almost every case, agencies and commercial organizations cite their need for more human resources and more hardware resources. Yet, despite the cry for more, we rarely see a meaningful increase in those resources. The CSI survey shows that its respondents actually experienced a reduction in budget dollars for information security. Furthermore, it’s a running joke among radio commentators and local newspapers—no matter how many more tax dollars are applied to increasing law enforcement numbers, somehow there rarely seems to be a significant increase. If there is an increase in officers, you can be sure that layoffs are only a couple years away, usually about the time federal assistance dollars run out. So, given the relative certainty that resources will usually be scarce, why aren’t law enforcement, government agencies and corporations looking for a technological solution that will actually amplify their existing resources? Amplifying Resources Utilizing Enterprise and Collaborative Computing Principles In order to successfully overcome case backlog, organizations need to implement a technical foundation that maximizes the productivity of the resources they have. Until an organization is able to efficiently leverage its resources, it will find itself trapped in the vicious cycle of too much work, too few people. In order to effectively amplify an organization’s resources, the following capabilities are necessary: Distributed Processing Leverage hardware to significantly reduce processing time. Distributed processing allows organizations to effectively offset their ever-increasing datasets. With distributed processing capabilities, an organization can turn resources into assets that reduce the amount of time it takes to process large datasets. The organization now has a scalable resource, with which to increase or decrease processing power as needed. FIG. 1 Distributed processing leverages hardware to reduce processing time. Utilize a distributed processing farm to dramatically reduce processing time. This is a great way to leverage legacy hardware. EVIDENCE SERVER INDEX STORAGE DATABASE SERVER EXAMINER www.accessdata.com DISTRIBUTED WORKERS Simultaneous, Collaborative Analysis Computer forensic departments need to move away from the “One Analyst/One Case” paradigm and take an “assembly line” approach to their investigations. By distributing the workload across examiners, each person is able to focus on a single area of expertise. Examiners can work in synchronization with other examiners to get through cases much faster using the advanced capabilities of FTK. In addition, this solution allows organizations to coordinate analysts and other players in a case using a secure web interface. So, those who are geographically dispersed are able to easily contribute their expertise without delay. Web Review and Analysis Capabilities There are many players in an investigation. They are not all located in the lab and are not always forensic experts. It is often the case that key players in these investigations are working in disparate locations, and this can easily delay the conclusion of a case. A secure web interface provides a quick and easy way for non-technical personnel to review and comment on the evidence as the analysts identify it. Players in the investigations, such as lawyers, human resources personnel and representatives from the DA’s office are able to review the data in any easy to consume format as soon as it is available from any location, which saves a great deal of time. With custom data views reviewers are given permission by the case manager to review specific areas of cases. FIG. 2 Analysts can collaborate in the lab using FTK, and with AD Lab, geographically dispersed players in the investigation can review and comment on data using a secure web interface. EVIDENCE SERVER Non-technical resources and outside analysts can review and comment on data via the secure web interface. INDEX STORAGE DATABASE SERVER Analysts can collaborate in real time via FTK. CASE REVIEWERS via SECURE WEB INTERFACE SENIOR EXAMINER REGISTRY ANALYSIS SENIOR EXAMINER RAM DUMP ANALYSIS JUNIOR EXAMINER GRAPHICS JUNIOR EXAMINER EMAIL The Ability to Control Access and Activity When orchestrating synchronous collaboration among multiple analysts, it's important that organizations are able to control which data each analyst can access, which tasks he or she can perform, and to ensure their accountability. For example, if two analysts are assigned to a case—one a senior member of the team, and the other still in training—the case manager can tailor their individual roles and permissions to suit their skill levels or clearance levels. The senior analyst can be given permission to perform more advanced operations, while the junior analyst is assigned to a particular set of data, such as graphics. With a more advanced lab solution, the seasoned investigator can be given © 2015 AccessData Group permission to view specific data sets that might be considered confidential or classified, while the less experienced analyst is only allowed to work with less sensitive content. FIG. 3 A designated Manager can assign cases, tasks and resources to analysts and monitor their progress to ensure efficient collaboration. MANAGER ASSIGNING TASKS & MONITORING PROGRESS EVIDENCE SERVER Cases and analysts can be managed from a central management console. INDEX STORAGE DATABASE SERVER CASE REVIEWERS via SECURE WEB INTERFACE SENIOR EXAMINER REGISTRY ANALYSIS SENIOR EXAMINER RAM DUMP ANALYSIS JUNIOR EXAMINER GRAPHICS JUNIOR EXAMINER EMAIL Centralized Investigative Infrastructure Using a Lab platform, organizations can centralize their investigative infrastructure. Instead of each examiner doing all the work on his or her individual stand¬alone machine, each examiner can leverage a shared infrastructure where all of the case data and evidence are stored in a centralized and controlled manner. Access to each case is still controlled by the lab manager or examiner in charge of a specific case, but the actual hardware infrastructure, where all the work takes place, is centralized. (Note centralized database and distributed processing farm in figures 1–3. Lab clients have the ability to login to more than one database.) Lab Technology: Providing a Permanent Solution to an Evergrowing Problem Human resources come and go, hardware resources become outdated, and the funding to maintain both is never a sure thing. However, implementing the right lab technology is a permanent solution that will streamline the entire process and speed up nearly every aspect of the investigation. AccessData (AD) has engineered lab technology that enables computer forensics labs to implement a digital assembly line of sorts. Based on the principles of enterprise computing and collaborative computing, this solution allows analysts to work together seamlessly—not just distributing data processing, but actually distributing their labor, while sharing a centralized infrastructure (database, storage, evidence server). www.accessdata.com Data processing times can be greatly reduced by leveraging Lab’s distributed processing architecture. Analytical operations are compartmentalized by analyst, so an individual examiner doesn’t need to shift his or her mindset from email to registry to RAM dumps or have to worry about moving the data around. Each examiner can focus on one or two areas of expertise and other analysts working on the same case are able to see those findings in real-time as they are bookmarked, labeled and commented on. Having the abilities to divide workload and to share information with each other and non¬technical counterparts will speed the analysis, the review, and the communications necessary to bring a case to its completion. However, while this lab solution enables real-time collaboration, a single analyst is still able to work an entire case from beginning to end on his or her machine. Each analyst has an investigative workstation that shares a single database infrastructure, comprised of one or more databases. Investigator workstations can also share a distributed processing farm. An analyst is able to utilize this centralized infrastructure, and if he or she desires, can give permission to another analyst or non¬technical player to review the findings and share expertise. Case-level Permissions vs. Data-level Permissions The AD Lab solution allows case managers to assign or restrict access at the data level. For example, if the information in question or suspects involved were considered extremely confidential, the case manager could restrict a junior analyst’s access to email and documents of any kind. However, the manager might want to utilize that junior resource to speed the investigation along. For example, the manager could restrict the junior analyst’s access to include only log files, assigning that person to create a timeline over the last month showing each time an instant messenger application had been launched. This more granular security provision is of particular benefit to large corporations or government agencies handling large caseloads with a great deal of confidential or classified information. Web Review and Analysis As discussed earlier, the web review capability is the easiest way to share information and leverage the abilities of non¬technical players in an investigation or computer forensic experts located outside the lab. This functionality is only available with AD Lab, which is designed to handle large caseloads for organizations that have a number of different participants in the investigative process that should be working together. For example, a computer forensic examiner working in New York wants HR and Legal in Los Angeles to review the results of a policy violation investigation quickly and in an easy to consume format. These non-technical participants can log in to the web interface and only see the information the examiner wants them to see. Additionally, large labs dealing with massive datasets need many analysts of varying skill levels to work together simultaneously, in order to efficiently tackle their caseloads. The secure web review interface of AD Lab enables those analysts to collaborate with ease. The following illustrates the functionality available in each of AccessData’s Lab solutions: Lab Functionality Forensic Toolkit (FTK) AD Lab 4 WORKERS EXPANDED 4 SIMULTANEOUS EXPANDED CENTRALIZED CASE AND TASK MANAGEMENT NO YES ROLE-BASED PERMISSIONS TO CONTROL ACCESS AND ACTIVITY NO DATA LEVEL CENTRALIZED DATABASE INFRASTRUCTURE NO YES WEB REVIEW AND ANALYSIS NO UNLIMITED DISTRIBUTED PROCESSING INVESTIGATOR COLLABORATION via FTK © 2015 AccessData Group Detailed Infrastructure AD Lab Workflow • Beth logs in and creates a case on the database. • She processes the evidence or obtains volatile data. • Beth needs Jack to look at email that she processed in her NY office. • Beth gives Jack rights to the case. • Jack logs in. • Jack selects Beth’s database from the database selection panel. • He can now see her list of cases. • Jack selects the case and now sees all the work of Beth did and can perform additional analysis and bookmarking. Note: Because it is a database on the back end, any bookmarks/labels are stored. This also means that multiple examiners can look at the same case at the same time without stumbling over each other. FIG. 4 Cases can be worked individually or collaboratively, while controlling who can access which data. CENTRALIZED PROCESSING FARM CENTRALIZED DATABASE COMPUTER FORENSICS LAB INVESTIGATORS MOBILE ANALYSIS INVESTIGATOR SUBJECT MATTER EXPERT www.accessdata.com DISTRICT ATTORNEY'S OFFICE Summary Benefits “Assembly line” division of labor approach allows the investigation process to be streamlined and cases can be brought to completion more efficiently. Control that can see which information in a given case or across cases. See each other’s results in real time. Non-technical users can easily support the investigative process. As stated earlier, until an organization is able to efficiently leverage existing resources, it will find itself trapped in the vicious cycle of too much work, too few people. Implementing a solution that amplifies existing resources by streamlining the investigative process and getting the most out of an organization’s hardware is a permanent solution. AccessData’s lab solutions are scalable, allowing an organization to build a solution that fits its caseload and resources, then expand as needed. Division of labor, distributed processing, a centralized infrastructure and timely sharing of data are the keys to overcoming the backlog faced by organizations of all kinds. The answer is not simply “more resources.” The answer is efficiently utilizing your resources. Advanced users can work alongside nontechnical resources. Leverage a distributed processing farm to greatly reduce processing time. Take an enterprise approach to controlling data with a centralized infrastructure, instead of each examiner storing data on his or her individual machine. The processing time for the digital evidence in some cases could take up to nine months. We concluded this was too long. Inspector General Glenn Fine Federal Bureau of Investigation Creating a collaborative environment with a shared, centralized infrastructure amplifies existing resources, allowing analysts of all skill levels to work more effectively. LEARN MORE: www.AccessData.com GLOBAL HEADQUARTERS +1 801 377 5410 588 West 300 South Lindon, Utah USA NORTH AMERICAN SALES +1 800 574 5199 Fax: +1 801 765 4370 [email protected] INTERNATIONAL SALES +44 20 7010 7800 [email protected]