Jan 01 2014

Please help DigitalFIRE Labs understand the current state of Mutual Legal Assistance Requests relating to digital evidence, and be entered for a chance to win a FIREBrick write-blocker or an Amazon gift card.

The survey on Mutual Legal Assistance Requests Concerning Digital Evidence can be found here: http://goo.gl/gnrJtN

This survey has been commissioned by the United Nations Office on Drugs and Crime (UNODC) in conjunction with the Digital Forensic Investigation Research Laboratory (DigitalFIRE) to assess existing approaches to requesting and obtaining electronic evidence in international cooperation under the conditions of Mutual Legal Assistance Treaties. The survey consists of 36 questions, which will take approximately 20 minutes to complete.

For any questions or comments about the following survey, please email joshua@cybercrimetech.com. To help improve the effectiveness of mutual legal assistance requests, please share this survey with your colleagues. Thank you.

Image courtesy of mrpuen / FreeDigitalPhotos.net

Aug 12 2010

This work relates to a 2009 research project into real-world digital forensic practices, intended to support the development of highly automated tools that increase the speed and efficiency of forensic investigations. A survey of 30 law enforcement officers from different countries in Europe was conducted (with 10 respondents). The key findings of the survey are given, with a link to the full document provided.

Key observations:

  • Every country has a different definition of digital crime
  • Every country has different laws relating to digital crime
  • INTERPOL fights international crime by managing resources between countries
  • INTERPOL provides facilitation rather than direct operational capabilities
    • ‘Outsource’ operational needs from member countries

Requirements for Digital Forensic Tools

Out of 30 surveys submitted, 10 were returned. Along with these surveys, informal discussions with practitioners were conducted.

Through the survey and discussions, it was found that investigators take three primary factors into account when purchasing forensic software:

  1. Feature set
  2. Cost
  3. Ease of use

Cost was found to be a common complaint, and a major concern for almost every practitioner spoken to. However, the most expensive forensic software, EnCase, was the primary software chosen by 80% of the organizations. FTK, X-Ways Forensics, and miscellaneous tools were also used, but not nearly as often.

The average percentage of cases in which only the chosen primary software was used is 77.9%, which suggests that the cost of more expensive software is justified if it can handle the majority of needs the investigator may have. It appears that EnCase does, in fact, meet the majority of the investigator's requirements. However, there are still approximately 20% of cases in which an investigator would need additional features.

This 20% is covered by various secondary software, with FTK being the secondary software of choice. WinHex, Password Recovery/Decryption, Automated Analysis tools, and various Linux-based tools were also used.

The majority of the time an investigator is looking at user documents. Internet traces, passwords and log analysis are a close second.

The group also indicated that they would be more likely to buy a plug-in for their current software set than to buy third-party standalone software. Fitting into their current workflow is a topic of importance.

Timelines of user actions are important to investigators. Some investigators indicated that a timeline of user activities would be useful in up to 70% of their cases.

Also interesting is that currently only 31% of cases involve Windows Registry analysis. This low number was not shown to correlate with knowledge of the Windows Registry. Respondents who claimed to be “very familiar” or “expert” in Windows Registry analysis employed it just as often as those who were only “somewhat familiar”.

Finally, the types of evidence investigators are seeing still consist primarily of Windows computers (87%), with Linux a distant second (7%) and Mac last (6%). Of the Windows machines, Windows XP is still the most common OS (58%), with Vista (28%) and Windows 7 (4%) growing, but still not the majority.

For more information and the raw data, please see:
James, J.I. (2009) “Survey of Evidence and Forensic Tool Usage in Digital Investigations”. University College Dublin. [PDF]