Live forensics considers the value of the data that may be lost by powering down a system and collects it while the system is still running. The other objective of live forensics is to minimize the impact on the integrity of data while collecting evidence from the suspect system.

Having a computer forensic triage model in place for first responders is important. It is also important that the model adheres to commonly held forensic practices and does not interfere with the ability to later analyze the suspect computer more thoroughly back at the lab. Integrity of the suspect...

Apple has been growing its market share for a number of years now. With the machines becoming more popular there comes the need for specialized forensic tools to analyze evidence on Macs. Agencies are starting to see more and more Macs come through their labs. The Mac OS stores passwords in a...

Through the use of field triage and live forensics tools, an investigator can not only gather evidence against a suspect but also use the data gathered to assess the possible risk that an offender poses to others in society. By evaluating the evidence of crimes committed they can ascertain the...

Even small errors in the investigative process of a suspect's machine may mean the difference between a conviction and a criminal going free. To minimize the risk of errors, automation should be used whenever possible. Products like MacLockPick allow the investigator to choose from many automated...

Time is an important factor in any criminal investigation. This is true both in time-critical cases such as child abduction, kidnapping, death threats, and missing and exploited children, and in dealing with the backlog of evidence that many agencies are experiencing in this increasingly digital-based age....

Web browsers create a number of artifacts that can be of interest to an investigator during the triage stage of an investigation and later on during the formal lab investigation. While different browser applications vary, they all create cookies, caches, and other temporary internet files that can...

Knowing what a suspect was doing on their computer before an investigation begins can be helpful to most examinations. All running applications open processes on the suspect's system. MacLockPick II can capture a list of the processes running on a suspect system to show an investigator exactly what...

While more traditional workflows may work for most cases, when it comes to time-critical cases such as child abduction, kidnapping, missing persons, death threats, etc., a different approach is needed. These situations require quick acquisition and analysis of the available evidence to give...

Criminals always leave a trail for investigators to find. Zeroing in on this critical data can be difficult at times, but the use of specialized tools can make the search quicker and easier. In cases like murder the investigators may find contents such as the suspect's Google search and email history...

Cell phones have become part of our everyday lives. With the advances made in the last several years, the phones have started storing not just phone numbers but also a wealth of personal information. This information can be helpful to a forensic investigation. Items that may be of interest to a...

The Computer Forensic Field Triage Process Model (Rogers, Goldman, Mislan, Wedge, Debrota, 2006) outlines the process and phases of a triage investigation. This process model is a general outline for the field triage process. It is important to qualify the needs of the investigations first as this...

While time is critical in many investigations, it's important to ensure that investigation procedures used to minimize the time required to find evidence don't interfere with other important considerations of any investigation. The procedures must still adhere to common forensic principles such as...

Computers have become more and more common in criminal investigations. Likewise, the number of different operating systems that investigators are coming across has changed too. Only having Windows investigation tools will no longer cut it. There's no need to have multiple tools for each operating...

The Computer Forensic Field Triage Process Model may be a bit difficult for some investigators to get used to at first, as it is a bit backwards from what they have been taught to do in most investigations. In many cases investigators have been taught never to touch a suspect computer and simply...

Email is a valuable tool for all online users. It's also a common tool used by criminals. The information found in the email messages of a suspect can help to direct an investigation and may help secure a conviction. The procedure to examine email evidence can be time consuming. The use of tools...

The increase in technology also changes our concept of what constitutes evidence in a criminal investigation. Where previously most evidence was physical and document-based, the large majority of evidence has now gone electronic and is stored on hard drives, digital media, and web accounts. Computers...

There are many benefits to field triage, such as on-site access to evidence. An additional benefit to performing triage on the scene is the feedback that can be given to investigators. This allows the computer forensic analyst to modify their search based on feedback from investigators and those that...

The use of forensic triage tools can increase the effectiveness of any investigation. Through the use of forensic triage tools an investigator can quickly: gain access to evidence that may allow them to secure a warrant or confession; determine if a computer/system requires further analysis....

Financial crimes such as currency counterfeiting, money laundering, and intellectual property crime affect all levels of society. When searching for evidence of a financial crime, a search for documents such as spreadsheets and images of checks or potentially fraudulent financial materials may be high...

Finding usable evidence quickly is one of the most important focuses of field triage and live forensics. Being able to zero in on suspect evidence quickly can be very important to an investigation. It may give an investigator new leads, help secure a confession and conviction, or be the difference...

First responders must be very aware of their tasks when first arriving to perform forensic triage. The efforts of the first responder are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner. The initial response to an incident is more...

Field triage and live forensics are key to acquiring critical evidence in an active investigation. This information can be used to guide an investigation. The information obtained through the on-site investigation of a suspect computer can give examiners new leads to pursue. The acquired...

The use of triage on scene and live forensic tools can identify evidence that can lead to potential charges. Quickly finding proof of a crime committed can help the investigation secure an arrest warrant and bring forth formal charges against a suspect. Live forensics can play a critical role in...

The use of field triage can help to identify current and possible future victims. By quickly examining the evidence on the scene, a forensic examiner may be able to guide the investigation to possible victims of a crime. They may also be able to identify those who may be at risk of becoming future victims.

Capturing information about the current state of a suspect computer before powering it down is important to a forensic investigation. There is a wealth of volatile data that can be lost once the suspect's computer is powered down. This information may help direct an investigation in the early...

Instant messaging is a common method of communication on the internet. Many instant message programs store contact lists along with chat histories. This information can be useful to an investigation as it can provide new leads, help secure a confession, or help to prove intent.

Almost every investigation will involve the analysis of internet artifacts. Web browsing caches store records of sites a suspect has visited. Emails may help to prove intent or correlate other events. Instant message conversations can contain evidence that could help to secure a conviction. The...

The Apple iPhone has become a popular cell phone for many due to its mass market appeal and ease of use. It's feature rich and has become much more than just a cell phone for many. This also means it's full of artifacts that are of interest to forensic investigators. By using MacLockPick II, an...

Triage tools are a powerful addition to any forensic investigator's toolbox. One important aspect of a triage tool is that it minimizes the chances of costly mistakes and the potential of altering a suspect's system in a way that may cause loss of evidence. First responder triage tools like MacLockPick II are...

One concern some have with live forensics is the risk of modifying data on the suspect machine and thereby making the suspect evidence inadmissible in court. A good live forensics tool should be designed to minimize the footprint on the suspect's system, and the footprint left by the tool should be...

In these increasingly connected times, most computers are connected to some sort of network. The information about current network connections can help direct an investigation or show examiners new areas that may be of interest to the investigation. Using a triage tool like MacLockPick II can show...

Any information that allows an investigator to paint a better picture of a suspect's activities can be beneficial to an investigation. The clipboard can often contain contents showing what a suspect was recently doing on their system. A screen shot of the suspect system in its current state of the...

When collecting data for a computer forensic investigation you want to collect the most volatile data first as it will be lost the quickest. The order of volatility shows which data will be lost first. Order of Volatility: memory contents, swap files, network processes, system processes, file system...

Keeping track of what has been done is an important part of the first responder's job. By scripting the required procedures, an investigator can make sure no steps were missed. Scripting the processes run on a suspect computer can also help authenticate any changes made to the machine during a live...

Drug trafficking has reached epidemic levels in some countries. These criminals are also more commonly using digital means to organize their criminal networks. Through the use of specialized forensic tools like MacLockPick II and MacForensicsLab, an investigator can search for evidence common to...

Child pornography is a serious crime plaguing our society and one of the most commonly investigated crimes for many agencies. Through the use of specialized tools built to target image-based crimes, like MacLockPick, an investigator can quickly zero in on critical evidence. When time is of the...

Computer forensic triage is usually defined as the process by which projects or activities are prioritized to determine which should be attempted first, second, etc., and which projects or activities should never be done at all. This process applies to the forensic examination process to determine...

The triage phase of the investigation is the foundation on which the other phases after it will be built. All potential evidence must be considered (computer systems, disks, CD/DVDs, PDAs, etc.) and then prioritized based on the likelihood that it contains potential evidence relevant to the...

Making considerations for the time each process will take within an investigation is important. The time cost of every activity in an examination must be weighed against the potential return of the results of that activity. In general it is best to perform tasks that can be done quickly first.

Timing is critical throughout an investigation and even more so at the beginning of an investigation. During the early stages of the investigation it is critical for the investigator to have a detailed knowledge of the crime or involvement of the suspect and possible triggers that may increase the...

The benefits of field triage have been proven. It has been shown that quick and effective analysis of suspect evidence can be critical to a case. The evidence found through live forensics can provide investigative leads that lead to an arrest and conviction. The information found may also protect...

Triage at the scene helps to provide time-sensitive investigative and interview leads. It also helps to provide helpful direction for later investigation back at the lab. The information acquired through the use of triage tools can help direct investigators in the lab to information of relevance to...

USB has become one of the main standards for connecting all types of devices to computers these days. With the dropping prices of personal flash drives, they've become a popular way to transfer information from computer to computer. With MacLockPick II an investigator can quickly gather information...

Being able to confirm that no changes have been made to a suspect's system or evidence between the time of seizure and the lab investigation can be important should the integrity of evidence be called into question at trial. By using MacLockPick II to record the suspect system's configuration...

MacLockPick adheres to commonly held forensic principles and does not negate the ability to transfer systems/storage media back to the lab for more detailed investigation after field triage has been concluded. Comprehensive forensic applications such as MacForensicsLab focus on the analysis of...