Complexity hinders Investigations
Mobile devices and monstrous hard drives are giving specialists fits.
Multiple types of computing devices, bigger hard drives and increased use of encryption are making the job of a digital forensic examiner tougher than ever.
"Go back seven years or so, all forensics in the business world was based on PCs. It was very simple," says Luther Martin, security architect at vendor Voltage Security. "It's a lot more complex today. Now you have PDAs, cell phones, BlackBerries, iPods--all which contain potentially interesting data."
An investigation usually starts with a single system and grows to wherever evidence may reside, which can include digital cameras, USB drives and even printers, says Brian Gawne, managing director of forensics at risk management firm Veritas Global. But the bigger challenge in forensics today is the sheer size of hard drives, he says.
"You're seeing hard drives from desktops and laptops that are 400 gigabytes and growing," he says. "So the amount of data we have to parse through is ever mounting."
The 14 Regional Computer Forensics Laboratories across the U.S., which are jointly operated by the FBI and local law enforcement agencies, processed a whopping 2.8 petabytes of data last year.
"With disks getting as big as they are, we're trying to find ways to work smarter, not harder," says Chris Beeson, FBI supervisory special agent and director of the Silicon Valley RCFL. "The days of being able to go through every sector on a drive just don't exist."
One way investigators can work smarter is by tapping databases with hash sets of known software files; the hash values allow them to reduce the number of files they need to inspect, Beeson says. One such database is the National Software Reference Library, a project supported by the U.S. Department of Justice and federal, state and local law enforcement.
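The filtering Beeson describes works by hashing every file in the evidence tree and setting aside those whose digest appears in a list of known, unmodified software files, so only the remainder needs an examiner's attention. The script below is an added illustration, not code from the article or from the NSRL project; it builds a small constructed sample tree in a temporary directory and uses a simple one-digest-per-line list format of its own rather than the NSRL's actual distribution format.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha1", chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so multi-gigabyte files never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def load_known_hashes(lines):
    """Parse a constructed known-file list: one lowercase hex digest per line,
    blank lines and '#' comments ignored. (This is NOT the NSRL file format.)"""
    known = set()
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            known.add(line.lower())
    return known


def triage(root, known_hashes, algorithm="sha1"):
    """Walk the tree under `root` and split files into (unknown, known) lists of
    POSIX-style relative paths. Files whose digest is in the known set are set
    aside; symlinks are skipped so the walk cannot wander outside the evidence tree."""
    unknown, known = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = Path(path).relative_to(root).as_posix()
            digest = file_digest(path, algorithm)
            (known if digest in known_hashes else unknown).append(rel)
    return sorted(unknown), sorted(known)


def demo():
    """Create a constructed evidence tree, build a known-hash list for the two
    'stock' binaries as a vendor might publish it, and run the triage."""
    files = {
        "bin/notepad.exe": b"constructed stand-in for a stock OS binary",
        "bin/calc.exe": b"another constructed stock binary",
        "home/user/notes.txt": b"user-created content, not in any hash set",
    }
    # Known-file list as the hash-set publisher would ship it: digests only.
    published = "\n".join([
        "# constructed sample hash list",
        hashlib.sha1(files["bin/notepad.exe"]).hexdigest(),
        hashlib.sha1(files["bin/calc.exe"]).hexdigest(),
    ]).splitlines()
    known = load_known_hashes(published)

    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return triage(root, known)


if __name__ == "__main__":
    unknown, known = demo()
    print("needs review:", unknown)
    print("known files set aside:", known)
```

Two caveats an examiner would keep in mind: the digest algorithm must match the one the hash set was built with, and a match only says a file is byte-for-byte identical to a published release. A single changed byte in a trojanized binary puts it in the "unknown" pile, which is exactly why the unknown list, not the known one, is where the work happens.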
But encryption can pose a big problem for investigators. Attackers are encrypting files and stripping out references, which makes analysis harder, says Evan Wheeler, senior consultant in charge of forensics at IT services firm Akibia.
"Encryption can slow us down and stop us in our tracks," Beeson says. "It just depends on the amount of resources we can plug into that case."
This was first published in September 2007