Recent events in places such as Indonesia and Kenya have proven the need for forensic capabilities to be rapidly deployed along with trained digital forensics (DF) investigators as well as the need to bring in a large number of lesser-trained reviewers in physically and financially challenging environments.
The difficulties being faced:
- Rise in indiscriminate terrorist attacks
- No local DF labs in all areas of critical incidents
- No local funding for DF in some regions
- Lack of trained DF investigators
- A need for rapid response
- Amount of CCTV (public/private) and body-cam footage captured
- Public evidence acquisition—many people (public/witnesses) instinctively pull out their mobile devices and start recording.
In a recent case of extremism, 600GB of evidence from 450 body-worn video clips and CCTV evidence contributed to a large number of people being charged for violent disorder offences. Combined with cell-phone footage, this can result in a previously insurmountable amount of footage to be analysed manually by a small number of digital forensics experts.
Very often, the areas where indiscriminate attacks take place may have no forensics experience, and no readily accessible hardware in order to deal with the incident.
The Traditional Laboratory
This is an example of the traditional laboratory set-up which has been adopted widely throughout the digital forensics world.
AccessData is unique because we have a unified centralised database that all of our products can leverage. This provides advanced collaboration capabilities through a number of tools and suites that can be highly customised based on evidence types and investigator skill levels. However, this is not feasible to have available in every location where it may potentially be required for some of the following reasons:
- Requires constant maintenance & upkeep
- Cooling/power costs
- Must be scoped large enough to cope with the biggest potential evidential size (TB? PB?)
- Fixed maximum number of reviewers and processing speed
- Ultimately can lie idle for the majority of the time
- Large capital investment
The Mobile Field Lab
This is stage 1 of the solution that can be provided; mobile labs can be held in ready availability for particular regions, countries or by contracted authorities.
Example mobile lab hardware:
- Workstations for standalone forensics tools and AD Lab client
- TreCorder portable workstations for multiple concurrent device acquisition
- Cellphone extraction tools
- Storage/Database server
- Processing servers
- Review server inc. KFF, map-tiles, etc.
- Write blockers, adaptors, JTAG workstation
- Password cracking multi-GPU server
In addition to being able to import data live in the field, because of the unified database, it is possible to export large datasets to more significantly sized labs in potentially difficult locations. AccessData also provides an offline review tool called QView, which allows digital forensics teams to check out subsets of data for offline review on laptops, for example. This data can then be labelled, bookmarked, and then checked back into the case—especially useful where connectivity is an issue.
Benefits of a Mobile Field Lab include:
- Simple Pelican™ case delivery
- Software pre-installed & potentially validated to ISO 17025
- Full lab capabilities
- Begin processing immediately
- AD unified database—export/import
Limitations of the Mobile Lab Solution
Whilst the mobile lab is great for deploying immediate capabilities to the field, it does, of course, have limitations.
The mobile lab may not be able to process data fast enough, as the investigator is limited to the resources within the mobile set-up. The datasets of the modern devices are typically large in size, and complex (in some cases) in structure.
Data security could also be compromised, as the limitations on the security of the data is confined to the mobile lab, and would also need at some point to be transferred out into a more permanent location, or even presented out for use with third parties such as lawyers or courts.
Also, the hardware costs for a longer-term solution could be extremely high based on how long the data would need to be retained within the mobile platform.
One solution for all of these issues could be the cloud.
AccessData Is Now Available in the Cloud!
Benefits of using secure virtual private clouds include:
Simple migration - from mobile lab to cloud for processing, review and storage. Spin up a full environment in just a few hours.
Cheaper - You only pay for what you use, and don’t need to purchase any dedicated hardware.
Scalable - You can scale up and scale down dynamically, based on demand.
Reliable - Cloud processing and storage is offered through multiple availability zones with enhanced security including multi-factor authentication, encryption, logging, least-privilege access, etc.
Collaborative - Permitting hundreds of multi-skill-level investigators to assist globally, through customised Quin-C™ interfaces and task management.
Using AWSⓇ to Transfer Large Datasets into the Cloud
So how do we get the data into the cloud?
Most municipalities will have a high speed internet connection that will allow the upload of data. Video and simple data sources can be uploaded through public sites (examples towards the end of this article).
In cases where you have large amounts of data or are in a remote location where you have poor connectivity, meaning low bandwidth and unreliable connections, it can be difficult to upload data to the cloud and can hinder data review from ground zero. To aid the transfer AWS, for example, provide solutions and whilst the AWS SnowmobileⓇ may struggle in some remote areas, a number of AWS Snowballs can be combined, which are heavy-duty, durable data transfer devices using the AmazonⓇ delivery network and encryption to safely and rapidly transport exported data to the virtual private cloud spun up for the investigation
An AWS Snowball holds 80 TB of encrypted data in all regions. The U.S. also offers a 50 TB Snowball. Encryption is managed through Amazon KMS.
Each AWS Snowmobile comes with up to 100PB of storage capacity housed in a 45-foot-long High Cube shipping container that measures 8 foot wide, 9.6 foot tall and has a curb weight of approximately 68,000 pounds.
Legislation and Data Sovereignty
Previously, the biggest arguments against the cloud have been privacy and data sovereignty. These issues have now been overcome with different solutions to match various data protection compliance across different regions, such as the GDPR for Europe.
An example of this in the US/UK are government certified AWS clouds which can have a dedicated link to police networks. I believe that this will gradually become the natural next step into digital forensics with its near limitless processing power, faster returns and limited overhead costs.
AWS Global Infrastructure Map
Each AWS region has multiple availability zones, and with these, resilience is brought through multiple data centres, each having its own different power provider, separated data connections, and many other resilience mechanisms along with adherence to appropriate ISO standards.
Security/Example Cloud Architecture
Here we can see a common topology for AccessData products within a basic cloud architecture set-up.
It has a secure RDP connection for administration featuring MFA (multi-factor authentication). Access can also be locked down based to access from a specific IP address.
Through AWS cloud trail dumps and access logs to the environment and storage, a full audit trail is always available, and connectivity to the virtual private cloud for the users can be protected using HTTPS, VPN, MFA and extensive firewall configuration options.
AccessData a Forensics leader in the cloud via AWS & Azure Marketplace
If you use the Google™ service to search for “AWS forensics”, you’ll find the AccessData offerings as the only true forensic offering listed on the AWS Forensics site. There are LAB configurations available on AWS as well as Azure.
This is important because deployment of the environment is now fully scripted, meaning that a complete forensic lab capability can be spun up to exactly the required size and processing capability within 24 hours of an incident occurring.
The AccessData team has tested and worked with customers to deploy in AWS as well as Azure via the following forms.
- Via the marketplace.
- Self-hosted environments.
- As isolated SAAS where the environment is presented in its finalized form with little to no management required of the infrastructure by the users.
Benefits of the AccessData Cloud
In terms of dynamic scalability, on physical environments the only way to increase processing and review capability would be to purchase more servers/additional hardware or juggle Virtual Machines within the limits of your host servers.
In the cloud, additional resources can be added and removed both dynamically and automatically as required with the ability to both calculate and limit cost to a set budget.
AccessData Testing Metrics
Customer Testing Metrics
2TB of Data in 2.5 Hours!
During testing on 13 distributed processing engines, AccessData was able to process 500GB of user files in 68 minutes. When testing moved into the cloud, the number of distributed processing engines was able to be increased without limitation and processing speeds of 2TB of data in 2.5 hours were recorded through increasing the number of processing engines in accordance with requirements.
Public Evidence Upload
Traditionally, the way people submit their footage of events, and indeed CCTV evidence, from both public and private sources has been very much a manual process. Due to the cloud infrastructure, AccessData is now able to spin up a public facing website within minutes for evidence upload. This evidence is then automatically placed in a responsive data path, automatically processed with analysis and machine learning techniques and made available instantly to those reviewing the case.
Using AWS, evidence from the public can be uploaded to a custom website straight from mobile devices. Benefits include:
- Rapid collection of eyewitness data while the crime scene is still hot
- Immediate processing of the evidence into the case when the upload is complete (depending on API scripting)
- Investigators have access to the evidence immediately, reducing the “feet on the street” time
Using new facial recognition techniques, thousands of hours of footage can be quickly culled to identify persons of interest using filters based upon trained faces, which can be exported for use in other cases and to other departments of investigators or teams.
With image recognition, we train the system to recognize someone walking with a backpack, for example, and rather than manually scrubbing through thousands of hours of footage, the process can be rapidly automated. Meaning, a suspect's movements could be automatically tracked across evidence.
Quin-C HTML5 Review Platform
With Quin-C, the review capabilities can be expanded out to potentially hundreds of investigators with multiple skill sets who can be tasked individually, or in groups, with reviewing specific data sets through a highly customizable interface. Both trained and untrained reviewers can trawl large amounts of evidence whilst also using machine learning characteristics and in-depth forensic capabilities all through the web browser.
If connectivity is poor, or resources are not available in the affected region, the review platform can be presented to other collaborating teams in different geographical regions if required. Technology such as Amazon CloudFrontⓇ can be leveraged to present this data from nearby AWS regions in order to reduce latency thus increasing performance to the review team to an optimum level.
Being able to collate images into a timeline, along with communications content, call data records, cell tower geolocation, drone data and much more can really assist reviewers and piece together all of the evidence in order to see the full picture.
Full API Support, File Parsing API
With a new flexible and fully functional API, you can now automate workflows and integrate with other software—from case management systems to e-discovery platforms—with ease.
If the investigating authority has their own case management system or need to leverage our file parsing API to understand more locally used apps/custom-made communication platforms this is available.
For a demo of any of these technologies, or to talk about our AccessData in the Cloud, please email [email protected].
About the author:
Jonathan Shorter joined AccessData in June 2012 as International Technical Account Manager, covering all enterprise level accounts outside of North America. Jonathan has spent the last 21 years of his career working in IT with the last 10 specifically in Security, Forensics and E-Discovery. Jonathan has worked in UK Law Enforcement and holds a first-class degree in Forensic Computing. Jonathan, now VP of International Engineering, ensures that AccessData understands the needs, challenges and demands of the customers whether in Law Enforcement, Government or Corporate arenas.