In many police investigations today, computer systems are somehow involved. The number and capacity of computer systems needing to be seized and examined is increasing, and in some cases it may be necessary to quickly find a single computer system within a large number of computers in a network. To investigate potential evidence from a large quantity of seized computer systems, or from a computer network with multiple clients, triage analysis may be used.
The current challenges to conducting on-scene investigations is that each system must be booted and examined in turn, many investigation processes are not automated, multiple boot media may be needed, and there is no centralized point where results can be stored. All of these challenges can make the on-scene investigation process very time consuming if the network consists of hundreds of computers divided over several floors. Prior works had a number of foundational benefits, but still had a number of limitations that did not fit our needs. The approach taken in this work was to redesign an open source, forensically sound PXE environment that meets the following conditions:
- Clients are able to boot a “forensic” file-system using DHCP, PXE and TFTP
- Client–server based model: the client and server can communicate with each other
- Network storage between clients and server, to serve files and store search results
- Keyword searching in ASCII and UNICODE
- File hashing and comparing with a centralized hash database
- Clients are accessible through the server via SSH
- Client’s local hard disk drives are accessible as a local disk on the server through ATA Over Ethernet (AoE)
This approach is adopted, not to conduct a full digital forensic investigation on-scene, but to conduct digital forensic triage. Triage is a medical term defined as:
A process for sorting injured people into groups based on their need for or likely benefit from immediate medical treatment. Triage is used in hospital emergency rooms, on battlefields, and at disaster sites when limited medical resources must be allocated (Triage, n.d.).
To derive the definition of digital forensic triage, we apply the medical definition specifically to computer forensics, resulting in:
A process of sorting computer systems into groups, based on the amount of relevant information or evidence found on these computer systems (Koopmans, 2010).
Based on this definition, the goal of the solution is not explicitly for exhibit exclusion purposes, but to sort analyzed systems by likely relevance.
The result is a client-server based solution for automation of basic digital forensic investigation processes on many clients over a network (Figure 1).
A Triage server is placed on a network (preferably a network physically separate to the suspect’s network), and clients (suspect computers) are booted into a live environment via PXE or boot disk. They connect to the Triage server, load data and analysis scripts, and begin to conduct analysis on the suspect machine’s connected hard drives automatically. All results are reported back to the Traige server, and any suspicious hits can be investigated remotely using a verity of standard digital forensic investigation tools.
- Triage. In: Dorland’s medical dictionary for health consumers; n.d.
- Koopmans M. The art of triage with (g)PXE. Dublin: University College Dublin; 2010. p.51
For more information, please see:
Koopmans, M. B., & James, J. I. (2013). Automated network triage. Digital Investigation, 1–9. doi:10.1016/j.diin.2013.03.002