Forensic Imaging for the 21st Century

How ‘cloud-based forensics’ can accelerate the investigative process.

By Steven Branigan

Speed efficiency and accuracy.  These three characteristics are on everyone’s wish list. Forensic imaging is no different. We want the whole image, fast, and we want to assure its forensic soundness. But there is more to efficiency than just getting the forensic image fast. We can be more efficient by making the forensic image network accessible, which will allow others to help to analyze it and therefore the process is more efficient.

Let me explain. A forensic image has traditionally been captured onto an external disk drive. Investigators have to connect the drives to their analysis system to do any work. If the analysts need information that is on a different drive, such as the forensic image from another individual, they need to retrieve that disk (providing no one else is performing analysis on it) to plug it into their system. Since two people can’t work on the same physical disk at the same time and one investigator might tie up a drive for a day, this is inefficient.

Being a long-time investigator I wanted to find a better way. In addition to making the imaging process faster, I wanted to be able to allow more than one computer to have access to the image. And finally, I wanted to eliminate the need for all those physical drives. They fail, they take up space, they fail, they weren’t where they were supposed to be when you needed them. And did I mention that they also fail with disk errors.

1. Speed and accuracy

FDAS was specially designed to rapidly image disks. In traditional forensic imaging, a subject disk is copied to a target disk. If the target disk drive is faster than the source disk drive, the image can be done quickly. However, if the target disk drive is slower than the source disk drive, the forensic image will be slower than it should be. And, when you add in the fact that data is written to the external disk drive as a file and not directly to the disk, it is almost certain that the process will be slow and inefficient.

By using a RAID array inside a secured unit as the output disk, we were able to dramatically increase the speed of the destination drive. This is why FDAS has unmatched speeds, as demonstrated in a recent faceoff against Tableau’s popular TD2 forensic imaging system.

2. Efficiency from the RAID array.

The first iteration of FDAS, the Fast Disk Acquisition System, addressed some of the efficiency issues. We eliminated the need for a physical disk by having an internal RAID array in a box. This also became a portable storage area network as investigators could access the box via network connection, allowing more than one computer to be able to view the evidence simultaneously

By reengineering the network connection for greater throughput, suddenly we could have images sent directly to a storage area network. Efficiency increased because this eliminated the need to copy an image from a disk to the storage area network.

3. Cloud-based forensics

Being able to upload a forensic image to a storage area network is similar to the cloud model that is now popular. By having the images network accessible using either FDAS’ internal SAN or an enterprise SAN, a single investigator can look at multiple pieces of evidence simultaneously. It can also allow multiple analysts to examine a single image much more efficiently. Basically, this design allows different analyst, each with their own expertise, to analyze a forensic image more efficiently

With a web based front-end, FDAS can also allow a user to make and monitor the forensic imaging process remotely. This enables the cloud process a little more.

Before the release of FDAS, the forensic imaging process could be very slow. Imagine if your protocol required that you needed to check the forensic image that was being made to ensure that it was for the correct system. In that case, you would have had to pause the imaging to examine the target disk and ensure that it contained the correct information. And if it did, you then could go back and restart the imaging process.

Investigators seeking proven equipment that delivers a full, forensically sound image with cutting-edge cloud-based technology need not look any further. CyanLine’s FDAS has arrived.

For more information about this pioneering capability, visit, http://www.CyanLine.com.

Steven Branigan is an author, investigator and founder of Cyanline, a New Jersey-based company that specializes in the prevention, detection and investigation of cyber investigations.

About Cyanline

Based in New Jersey, CyanLine specializes in the prevention, detection and investigation of cyber investigations. Serving both victims of high-tech cyber crime, providing services in both a professional and confidential manner that is client-focused and results-driven. Designed with state-of-the-art technology, CyanLine’s products work to deliver quality, reliable results.

Forensic scientist and licensed private investigator, Steven Branigan, CEO, has made it his mission to create forensically sound products to advance the investigative industry. Renowned speaker and instructor, Branigan is an active member in the High Technology Crime Investigation Association (HTCIA), Federal Bureau Investigation’s Infragard, New Jersey License Private Investigators Association, and on the Digital Forensics Certification Board. Branigan is the author of High Tech Crimes Revealed and recently published an article in the Journal of Forensic Sciences. Branigan has received awards from the U.S. Secret Service and New Jersey State Police.