Last update: Thu, 28 Mar 2024 2pm

Legal News

Triage forensics has its head in the cloud

With the proliferation of technology, our notion of digital evidence and what constitutes sources of evidence are significantly changing. Traditionally, computer forensic examinations have been performed on systems that have been shut down, such as the content of hard drives extracted from inside computers. Investigators were advised to shut down live computers for fear that digital data might be erased, altered or lost – thereby contravening the guidelines issued in the UK by the Association of Chief Police Officers (ACPO).

However, in recent times there has been a requirement to perform live or ‘triage’ analysis on powered-on systems to prevent loss of evidence. Many current attacks against computer systems leave no trace on a computer’s hard drive; the attacker works entirely within the computer’s memory, or RAM (random access memory). If data held solely in RAM is not recovered before the machine is powered down, it may be lost forever. The answer is to collect volatile data from the computer at the onset of the response.

Some forensic practitioners state that the collection of RAM or volatile data is not an acceptable practice, due to its instability, lack of verification and inability to be reproduced. However, at the scene of an incident we need to preserve as much evidence as possible within the permitted timeframe. After all, you wouldn’t ignore a footprint in the snow at a murder scene, just because in due course it will change and disappear. Preservation, recording and exhibit integrity are cornerstones of any investigation.
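The objection above is that a volatile-data capture cannot be reproduced, so the practical answer is to make the capture verifiable instead: hash and time-stamp each artefact the moment it is taken, and record that in a manifest that is itself hashed. The following is an added illustration of that approach, not code from this article or from 4MAT; the artefact contents, examiner name and case reference are constructed sample values.

```python
"""Volatile-data triage manifest: record each artefact as it is captured from a
powered-on system so that a snapshot which cannot be re-acquired can still be
checked for integrity later (constructed example)."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict, examiner: str, case_ref: str, collected_at=None) -> dict:
    """Record each captured artefact in acquisition order (dict order is kept).
    artefacts maps artefact name -> raw bytes taken from the live system."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    entries = [{"name": name, "size": len(data), "sha256": sha256_hex(data)}
               for name, data in artefacts.items()]
    manifest = {"case_ref": case_ref, "examiner": examiner,
                "collected_at": collected_at, "artefacts": entries}
    # Hash the manifest body too, so the record of the capture is itself checkable.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = sha256_hex(body)
    return manifest


def manifest_intact(manifest: dict) -> bool:
    """True if no field of the manifest has changed since it was sealed."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode()) == manifest["manifest_sha256"]


def verify_manifest(manifest: dict, artefacts: dict) -> list:
    """Return the names of artefacts that are missing or whose content no longer
    matches the hash recorded at capture time; an empty list means intact."""
    mismatched = []
    for entry in manifest["artefacts"]:
        data = artefacts.get(entry["name"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            mismatched.append(entry["name"])
    return mismatched


# Constructed sample of what a first responder might take from a live host,
# most volatile first: process list, network connections, then a memory image.
SAMPLE_ARTEFACTS = {
    "process_list.txt": b"PID  NAME\n1 init\n842 sshd\n1337 unknown.bin\n",
    "net_connections.txt": b"tcp 10.0.0.5:49152 -> 203.0.113.9:443 ESTABLISHED\n",
    "memory.raw": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    m = build_manifest(SAMPLE_ARTEFACTS, examiner="examiner-01", case_ref="CASE-0001")
    print(json.dumps(m, indent=2))
    print("mismatches:", verify_manifest(m, SAMPLE_ARTEFACTS))
```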

With that in mind, forensic practitioners have to consider a response to the complexities of how to deal with investigations involving the volatility of online data centres known as ‘the cloud’. By centralising the storage of digital information, cloud computing promises to dramatically reduce data promiscuity. Cloud computing replaces the download with the stream, and that means that, as people come to use the cloud as their default data store, the proliferation of files and artefacts found on an individual’s hard drive is going to be greatly reduced.

Apple’s new iPad, which recently arrived with much fanfare, provides a good example of where computing is heading. The iPad is much more of a player than a recorder. It has a much smaller storage capacity than traditional desktops and laptops because it is designed on the assumption that more and more of what we do with computers will involve streaming or accessing data over the net, and using online applications, rather than storing data on the device itself.

So, as forensic investigators we are going to have to get our heads into the cloud, and deal as first responders to incidents, giving consideration to the use of triage forensic tools to prevent loss of evidence.

4MAT Data Solutions provides a triage forensics service, and can supply first responders and legal services departments with incident response tools, review platforms, and training.