It’s been a busy few weeks which is why I haven’t had a chance to blog for a while. I had the opportunity to present at the ACPO Conference 2 weeks back which is always a good event, with friends and colleagues from many different Forces and Agencies. It is normally a chance for a late night drink but exhaustion from the past few weeks activities had me in bed by 11pm each night.
My brothers company, Bright Forensics, was exhibiting there and had e-fense’s Eric Smith on the stand. Eric is a very talented investigator and has a tremendous knowledge of the forensic world and marketplace. They were focusing on touting e-fenses’ Live Response key. This is a USB key designed for fast and easy acquisition of live and volatile data from a running machine. In my view it is the first tool that provides an ease of use capable of being used by a front line arresting officer. I know that this is a sensitive subject at the moment, but a plug and play device that will grab Internet History, RAM and other useful data, is a very interesting addition to an officers arsenal. Discuss ☺.
The buzz word of the conference was ‘Triage’. In simple terms the phrase is being used to suggest that we could use a device or software tool to ‘search’ a machine and include or exclude it from an investigation, hence shortening backlogs that exist in most HiTech Crime units . Umm. I have a real problem with the idea of triage in this situation. In a hospital or emergency setting triage is used to prioritise not exclude and I think this is where such tools could have a role. If you get 5 machines in for a CP case, prioritising the machines, perhaps quickly locating the one with the primary evidence could work fine. However, I think that we will struggle to never image or investigate those other drives. If I think as a defence expert I may suggest that although there was a large amount of evidence on one drive, evidence existing on the ‘sons’ or ‘lodgers’ computer could lend credence to the fact that someone else used the computer belonging to the accused. I appreciate this is somewhat simplistic and perhaps the initial data might make the chap stick his hand up, but I’m sure that you can still see my concern.
Last week I taught my first Advanced Live Forensics course with a particular focus on RAM analysis. I don’t mean to blow my own trumpet but I think it was a resounding success. A chap from one of the UK Counter-Terrorism units suggested that it should be required learning for all computer forensic people and another was impressed by what he called the ‘first new computer forensic discipline since the advent of disk forensics’. Overall, I was chuffed. Obviously this is rapidly turning into an advertisement which I apologise for but if you would like to come then you can find dates on the www.csitraining.co.uk website!
Thursday, July 9, 2009
ACPO and RAM Analysis course
It’s been a busy few weeks which is why I haven’t had a chance to blog for a while. I had the opportunity to present at the ACPO Conference 2 weeks back which is always a good event, with friends and colleagues from many different Forces and Agencies. It is normally a chance for a late night drink but exhaustion from the past few weeks activities had me in bed by 11pm each night.
My brothers company, Bright Forensics, was exhibiting there and had e-fense’s Eric Smith on the stand. Eric is a very talented investigator and has a tremendous knowledge of the forensic world and marketplace. They were focusing on touting e-fenses’ Live Response key. This is a USB key designed for fast and easy acquisition of live and volatile data from a running machine. In my view it is the first tool that provides an ease of use capable of being used by a front line arresting officer. I know that this is a sensitive subject at the moment, but a plug and play device that will grab Internet History, RAM and other useful data, is a very interesting addition to an officers arsenal. Discuss ☺.
The buzz word of the conference was ‘Triage’. In simple terms the phrase is being used to suggest that we could use a device or software tool to ‘search’ a machine and include or exclude it from an investigation, hence shortening backlogs that exist in most HiTech Crime units . Umm. I have a real problem with the idea of triage in this situation. In a hospital or emergency setting triage is used to prioritise not exclude and I think this is where such tools could have a role. If you get 5 machines in for a CP case, prioritising the machines, perhaps quickly locating the one with the primary evidence could work fine. However, I think that we will struggle to never image or investigate those other drives. If I think as a defence expert I may suggest that although there was a large amount of evidence on one drive, evidence existing on the ‘sons’ or ‘lodgers’ computer could lend credence to the fact that someone else used the computer belonging to the accused. I appreciate this is somewhat simplistic and perhaps the initial data might make the chap stick his hand up, but I’m sure that you can still see my concern.
Last week I taught my first Advanced Live Forensics course with a particular focus on RAM analysis. I don’t mean to blow my own trumpet but I think it was a resounding success. A chap from one of the UK Counter-Terrorism units suggested that it should be required learning for all computer forensic people and another was impressed by what he called the ‘first new computer forensic discipline since the advent of disk forensics’. Overall, I was chuffed. Obviously this is rapidly turning into an advertisement which I apologise for but if you would like to come then you can find dates on the www.csitraining.co.uk website!
My brothers company, Bright Forensics, was exhibiting there and had e-fense’s Eric Smith on the stand. Eric is a very talented investigator and has a tremendous knowledge of the forensic world and marketplace. They were focusing on touting e-fenses’ Live Response key. This is a USB key designed for fast and easy acquisition of live and volatile data from a running machine. In my view it is the first tool that provides an ease of use capable of being used by a front line arresting officer. I know that this is a sensitive subject at the moment, but a plug and play device that will grab Internet History, RAM and other useful data, is a very interesting addition to an officers arsenal. Discuss ☺.
The buzz word of the conference was ‘Triage’. In simple terms the phrase is being used to suggest that we could use a device or software tool to ‘search’ a machine and include or exclude it from an investigation, hence shortening backlogs that exist in most HiTech Crime units . Umm. I have a real problem with the idea of triage in this situation. In a hospital or emergency setting triage is used to prioritise not exclude and I think this is where such tools could have a role. If you get 5 machines in for a CP case, prioritising the machines, perhaps quickly locating the one with the primary evidence could work fine. However, I think that we will struggle to never image or investigate those other drives. If I think as a defence expert I may suggest that although there was a large amount of evidence on one drive, evidence existing on the ‘sons’ or ‘lodgers’ computer could lend credence to the fact that someone else used the computer belonging to the accused. I appreciate this is somewhat simplistic and perhaps the initial data might make the chap stick his hand up, but I’m sure that you can still see my concern.
Last week I taught my first Advanced Live Forensics course with a particular focus on RAM analysis. I don’t mean to blow my own trumpet but I think it was a resounding success. A chap from one of the UK Counter-Terrorism units suggested that it should be required learning for all computer forensic people and another was impressed by what he called the ‘first new computer forensic discipline since the advent of disk forensics’. Overall, I was chuffed. Obviously this is rapidly turning into an advertisement which I apologise for but if you would like to come then you can find dates on the www.csitraining.co.uk website!
Subscribe to:
Posts (Atom)
