Introduction

The ability of criminals and terrorists to maximize the opportunities offered by new technologies is constantly evolving. Burying incriminating data within the growing storage capacity of PCs and laptops presents police and law enforcement with new and demanding challenges; challenges that are compounded by the very short time frame in which examinations of seized assets can be carried out. Drawing from experience gained delivering solutions in the UK security and resiliency community, Andrew Nanson presents the top 10 challenges organizations are likely to face when implementing digital forensics solutions.

1. Storage

When each suspect can store more than 10 terabytes of information on home computers, a forensic lab must be able to deal with the loading, retention and manipulation of that data. Relying on local storage for each analyst is no longer viable. Centralized storage is becoming a necessity.

To address this issue, we discuss the benefits of Fibre Channel storage for initial load and subsequent data retention. Fibre Channel storage is fast, reliable, and supports very high input and output levels for multiple applications and intensive processes, such as indexing. This is ideal for forensic labs that must work to tight time scales and cannot afford to run out of capacity.

Additionally, we believe it is advisable to supplement Fibre Channel storage with large amounts of Serial Advanced Technology Attachment (SATA) storage. SATA is cheap and reliable. By providing both SATA and Fibre Channel disk storage, it is possible to balance the real needs of a forensic lab at the best possible price.

The solution has been tested to work alongside forensic analysts using real data at a ListX facility in Bristol.

2. Backup/archive

Forensic labs are now often scaled to hold up to a petabyte of online storage. We have devised a manageable solution that guarantees against data loss. Furthermore, it does so without affecting the performance of the system; a system that has to be operational 24/7/365.

By taking a “snapshot” of data before sending it to offline media, live storage performance is never degraded. This gives users and the business what they need: a system with no planned downtime.

3. Application performance

The effectiveness of forensic laboratories often depends on the performance of the applications used by forensic analysts. This is because the applications do not yet take advantage of modern hardware, or because the nature of their role is such that they will never run as fast as the organization would like. To address this problem, VEGA can devise solutions that allow the most intensive forensic applications to be served from powerful servers. This allows applications to run with as little “lag” as possible.

By providing multiple instances of the same application, forensic analysts can initiate multiple actions from a single workstation. This results in much higher productivity, eliminating the “down time” where analysts traditionally had to wait hours before undertaking other activities.

4. Scalability

All technology solutions have their limits and often require a radical change in hardware or software to expand or contract. This can be a prohibitive factor in gradually expanding capabilities due to the cost associated with this radical change.

Therefore, it is essential to develop solutions that are fully scalable, supporting capacity and user expansion/contraction through modularized technology. Such solutions can be designed to scale up to one petabyte of storage from the outset and can be increased further if required. There is no theoretical limit on the number of users that can be hosted.

Also, since most forensic applications are served centrally, thin clients can be deployed in minutes anywhere, with the full set of forensic tools needed for any investigation.

5. Malware protection

One of the biggest problems for forensic labs is unknown malware. To understand what an unidentified piece of software can do, analysts sometimes need to reverse engineer or run it and monitor what it does. If it turns out to be unknown malware, there is a potential to corrupt the entire forensics lab and call into question the integrity of the environment used to generate evidence.

Even the best antivirus programs only mitigate known risks and attack vectors. Therefore, a number of security hardening functions should always be created that are invisible to the user and allow forensic analysts to examine unknown code without risk to the integrity of the forensic laboratory.

6. Accreditation

High-profile data losses in recent years have pushed the issue of information security to the top of the political agenda. Having designed secure systems for the most sensitive parts of the UK government, we have the experience to create a solution that is compliant with the HMG Manual of Protective Security as well as JSP440. Security enforcing functions satisfy requirements for high confidentiality, integrity, and availability.

7. System integration

Forensic laboratories are typically isolated technical units that use an air gap between themselves and the main desktop infrastructure. A solution may include secure and reliable integration methods that allow organizations to securely transfer data between corporate systems and laboratories. This is based on designing methods to bring together multiple sources of information, to provide a seamless system that meets accreditation requirements as well as expands the information available to users.

8. Support

It is unacceptable for forensic laboratories to require a high level of maintenance. Our specialists understand this and have created a solution based on Commercial Off The Shelf (COTS) products, which means that customers are not tied to any one provider for long-term support, as the required skills are readily available.

9. Longevity

The rapid development of information technology and the ability of criminals and terrorists to use it to their advantage requires that any digital forensics solution be able to evolve quickly and with minimal disruption. We work with the leading forensic application vendors to ensure we understand how best to improve capacity for users now and in the future. Solutions must take into account the latest hardware in production, software development, and the ever-increasing burden on business and forensic analysts. This long-term planning and investment demonstrates our commitment to this field.

10. Guarantee the best value for money

As public sector budgets come under increasing pressure and expenses come under intense scrutiny, organizations must ensure that their IT investment offers value for money.